Package io.jans.as.server.service
Class ClientIdMetadataService
java.lang.Object
io.jans.as.server.service.ClientIdMetadataService
OAuth Client ID Metadata Document (CIMD) Service.
Handles URL-based client_id resolution per IETF draft spec.
Fetched clients are persisted to the database with TTL-based expiry.
On TTL expiry, the client metadata is re-downloaded from the URL.
- Author:
- Yuriy Z
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classResult of fetching a CIMD document. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionjakarta.ws.rs.WebApplicationExceptionbadRequest(String msg) protected io.jans.as.common.model.registration.ClientbuildClientFromRequest(io.jans.as.client.RegisterRequest registerRequest, String clientIdUrl) Build a Client from a RegisterRequest using the same DCR mapping path (RegisterService).protected intcalculateTtl(String cacheControl) static StringCompute a stable, LDAP-safe inum from a CIMD URL.protected ClientIdMetadataService.FetchResultio.jans.as.common.model.registration.ClientFetch (or return persisted), validate, and return Client from CIMD URL.booleanisCimdClientId(String clientId) Check if client_id is a CIMD URL candidate.booleanCheck if CIMD feature is enabled.booleanisPrivateAddress(InetAddress address) Check if an IP address is private/internal.protected io.jans.as.common.model.registration.ClientparseToClient(String json, String clientIdUrl) Parse metadata JSON and build a Client.voidvalidateClientIdUrl(String clientIdUrl) Validate the client_id URL for SSRF and policy compliance.
-
Constructor Details
-
ClientIdMetadataService
public ClientIdMetadataService()
-
-
Method Details
-
isCimdClientId
Check if client_id is a CIMD URL candidate.- Parameters:
clientId- the client_id to check- Returns:
- true if CIMD feature is enabled and client_id is a valid URL with allowed scheme
-
isFeatureEnabled
public boolean isFeatureEnabled()Check if CIMD feature is enabled.- Returns:
- true if CLIENT_ID_METADATA_DOCUMENT feature flag is enabled
-
getClient
Fetch (or return persisted), validate, and return Client from CIMD URL. Persists the client with a TTL. On TTL expiry, re-downloads the metadata.- Parameters:
clientIdUrl- the URL-based client_id- Returns:
- Client object populated from the CIMD document
- Throws:
jakarta.ws.rs.WebApplicationException- if validation fails or fetch fails
-
validateClientIdUrl
Validate the client_id URL for SSRF and policy compliance.- Parameters:
clientIdUrl- the URL to validate- Throws:
jakarta.ws.rs.WebApplicationException- if validation fails
-
isPrivateAddress
Check if an IP address is private/internal.- Parameters:
address- the address to check- Returns:
- true if private/internal
-
doFetch
-
buildClientFromRequest
protected io.jans.as.common.model.registration.Client buildClientFromRequest(io.jans.as.client.RegisterRequest registerRequest, String clientIdUrl) Build a Client from a RegisterRequest using the same DCR mapping path (RegisterService). This ensures all RFC 7591 fields are applied consistently with dynamic registration. -
parseToClient
protected io.jans.as.common.model.registration.Client parseToClient(String json, String clientIdUrl) Parse metadata JSON and build a Client. Convenience wrapper used by tests. -
calculateTtl
-
computeId
Compute a stable, LDAP-safe inum from a CIMD URL. Uses SHA-256 hex digest to avoid special characters in LDAP DNs. -
badRequest
-