Class AuthorizeRestWebServiceImpl
- java.lang.Object
- io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl
- All Implemented Interfaces:
AuthorizeRestWebService
@Path("/") public class AuthorizeRestWebServiceImpl extends Object implements AuthorizeRestWebService
Implementation for request authorization through REST web services.
- Version:
- March 17, 2022
- Author:
- Javier Rojas Blum
Constructor Summary
Constructor: AuthorizeRestWebServiceImpl()

Method Summary
void checkOfflineAccessScopes(List<io.jans.as.model.common.ResponseType> responseTypes, List<io.jans.as.model.common.Prompt> prompts, io.jans.as.common.model.registration.Client client, Set<String> scopes)
void checkPromptCreate(AuthzRequest authzRequest)
void checkPromptLogin(AuthzRequest authzRequest)
static Map<String,String> getGenericRequestMap(jakarta.servlet.http.HttpServletRequest httpRequest)
jakarta.ws.rs.core.Response requestAuthorizationGet(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
    Requests authorization.
jakarta.ws.rs.core.Response requestAuthorizationPost(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
    Requests authorization.

Method Detail
requestAuthorizationGet
public jakarta.ws.rs.core.Response requestAuthorizationGet(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
Description copied from interface: AuthorizeRestWebService
Requests authorization.
- Specified by:
requestAuthorizationGet in interface AuthorizeRestWebService
- Parameters:
scope
- The scope of the access request.
responseType
- The response type informs the authorization server of the desired response type: code, token, id_token or a combination of them. The response type parameter is mandatory.
clientId
- The client identifier.
redirectUri
- Redirection URI.
state
- An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used for preventing cross-site request forgery.
responseMode
- Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. Use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
nonce
- A string value used to associate a user-agent session with an ID Token, and to mitigate replay attacks.
display
- An ASCII string value that specifies how the Authorization Server displays the authentication page to the End-User.
prompt
- A space-delimited list of ASCII strings that can contain the values login, consent, select_account, and none.
maxAge
- Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated.
uiLocales
- End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
idTokenHint
- Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client.
loginHint
- Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
acrValues
- Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
amrValues
- Requested Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. The amr value is an array of case-sensitive strings.
request
- A JWT-encoded OpenID Request Object.
requestUri
- A URL that points to an OpenID Request Object.
sessionId
- Session id.
originHeaders
- Origin headers.
codeChallenge
- PKCE code challenge.
codeChallengeMethod
- PKCE code challenge method.
authReqId
- A unique identifier to identify the CIBA authentication request made by the Client.
dpopJkt
- The value of the dpop_jkt authorization request parameter is the JSON Web Key (JWK) Thumbprint of the proof-of-possession public key using the SHA-256 hash function - the same value as used for the jkt confirmation method defined
authorizationDetails
- The request parameter authorization_details contains, in JSON notation, an array of objects. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. The type of resource or access requirement is determined by the type field.
httpRequest
- HTTP request.
securityContext
- An injectable interface that provides access to security-related information.
- Returns:
When the responseType parameter is set to code:
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format:
- code
- The authorization code generated by the authorization server.
- state
- If the state parameter was present in the client authorization request. The exact value received from the client.
When the responseType parameter is set to token:
If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format.
- access_token
- The access token issued by the authorization server.
- token_type
- The type of the token issued. Value is case insensitive.
- expires_in
- The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
- scope
- The scope of the access token.
- state
- If the state parameter was present in the client authorization request. The exact value received from the client.
requestAuthorizationPost
public jakarta.ws.rs.core.Response requestAuthorizationPost(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
Description copied from interface: AuthorizeRestWebService
Requests authorization.
- Specified by:
requestAuthorizationPost in interface AuthorizeRestWebService
- Parameters:
scope
- The scope of the access request.
responseType
- The response type informs the authorization server of the desired response type: code, token, id_token or a combination of them. The response type parameter is mandatory.
clientId
- The client identifier.
redirectUri
- Redirection URI.
state
- An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used for preventing cross-site request forgery.
responseMode
- Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. Use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
nonce
- A string value used to associate a user-agent session with an ID Token, and to mitigate replay attacks.
display
- An ASCII string value that specifies how the Authorization Server displays the authentication page to the End-User.
prompt
- A space-delimited list of ASCII strings that can contain the values login, consent, select_account, and none.
maxAge
- Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated.
uiLocales
- End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
idTokenHint
- Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client.
loginHint
- Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
acrValues
- Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
amrValues
- Requested Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. The amr value is an array of case-sensitive strings.
request
- A JWT-encoded OpenID Request Object.
requestUri
- A URL that points to an OpenID Request Object.
sessionId
- Session id.
originHeaders
- Origin headers.
codeChallenge
- PKCE code challenge.
codeChallengeMethod
- PKCE code challenge method.
authReqId
- A unique identifier to identify the CIBA authentication request made by the Client.
dpopJkt
- The value of the dpop_jkt authorization request parameter is the JSON Web Key (JWK) Thumbprint of the proof-of-possession public key using the SHA-256 hash function - the same value as used for the jkt confirmation method defined
authorizationDetails
- The request parameter authorization_details contains, in JSON notation, an array of objects. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. The type of resource or access requirement is determined by the type field.
httpRequest
- HTTP request.
securityContext
- An injectable interface that provides access to security-related information.
- Returns:
When the responseType parameter is set to code:
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format:
- code
- The authorization code generated by the authorization server.
- state
- If the state parameter was present in the client authorization request. The exact value received from the client.
When the responseType parameter is set to token:
If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format.
- access_token
- The access token issued by the authorization server.
- token_type
- The type of the token issued. Value is case insensitive.
- expires_in
- The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
- scope
- The scope of the access token.
- state
- If the state parameter was present in the client authorization request. The exact value received from the client.
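Client-side view of the exchange documented for requestAuthorizationGet and requestAuthorizationPost, as an added example that is not part of the Janssen code base: it builds the request with the page's state, nonce and PKCE (S256) parameters, then reads the redirect according to the Returns section (query component for code, fragment component for token) and rejects a callback whose state does not echo the sent value. The endpoint URL is an assumed placeholder; the page only shows @Path("/") on the class.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder: the page does not give the deployed endpoint URL.
AUTHZ_ENDPOINT = "https://as.example.test/jans-auth/restv1/authorize"


def code_challenge_s256(code_verifier: str) -> str:
    """PKCE: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            response_type: str, code_verifier: str,
                            state: str, nonce: str) -> str:
    """Assemble the GET form of the request using the parameter names from the page."""
    params = {
        "response_type": response_type,  # mandatory: code, token, id_token or a combination
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                  # opaque CSRF binding value, verified on callback
        "nonce": nonce,                  # ties the ID Token to this user-agent session
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(location: str, expected_state: str, response_type: str) -> dict:
    """Read the redirect as the Returns section describes: code arrives in the query
    component, token in the fragment component. Drop anything whose state differs."""
    parts = urlsplit(location)
    raw = parts.query if response_type == "code" else parts.fragment
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up callback")
    if response_type == "code" and "code" not in fields:
        raise ValueError("authorization code missing from query component")
    if response_type == "token":
        for required in ("access_token", "token_type"):
            if required not in fields:
                raise ValueError(f"{required} missing from fragment component")
        if "expires_in" in fields:       # lifetime in seconds, e.g. 3600 for one hour
            fields["expires_in"] = int(fields["expires_in"])
    return fields
```

The code_verifier passed to build_authorization_url must be kept by the client until the code is exchanged at the token endpoint, which is outside this class.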
checkPromptCreate
public void checkPromptCreate(AuthzRequest authzRequest)
checkPromptLogin
public void checkPromptLogin(AuthzRequest authzRequest)
checkOfflineAccessScopes
public void checkOfflineAccessScopes(List<io.jans.as.model.common.ResponseType> responseTypes, List<io.jans.as.model.common.Prompt> prompts, io.jans.as.common.model.registration.Client client, Set<String> scopes)