Class OA2Client

- java.lang.Object
- edu.uiuc.ncsa.security.core.util.IdentifiableImpl
- edu.uiuc.ncsa.security.storage.data.Monitored
- org.oa4mp.delegation.common.clients.storage.BaseClient
- org.oa4mp.delegation.common.clients.storage.Client
- org.oa4mp.server.loader.oauth2.storage.clients.OA2Client

All Implemented Interfaces:
OA2ClientScopes, edu.uiuc.ncsa.security.core.DateComparable, edu.uiuc.ncsa.security.core.Identifiable, Serializable, Cloneable

public class OA2Client extends Client implements OA2ClientScopes

The OAuth2 / OpenID Connect protocol requires that sites register callback URIs and that incoming requests include a callback that matches one of the registered ones.

Created by Jeff Gaynor on 3/14/14 at 11:04 AM

See Also:
- Serialized Form
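The exact-match rule stated above, as an added example that is not OA4MP code and not from this page: a stand-alone helper that checks an incoming redirect_uri against the collection that OA2Client.getCallbackURIs() returns. The class name, method name and sample URIs are the example's own assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.List;

// Added illustration, not OA4MP code. Implements the rule from the class
// description: the redirect_uri of an incoming request must equal one of the
// callbacks registered for the client (the collection OA2Client.getCallbackURIs()
// returns). Comparison is simple string equality, as RFC 6749 section 3.1.2.3
// calls for: no prefix, substring or wildcard matching.
public final class CallbackMatcher {

    private CallbackMatcher() {}

    // True only if redirectUri is an absolute, fragment-free URI that exactly
    // equals one of the registered callbacks.
    public static boolean isRegisteredCallback(Collection<String> registered, String redirectUri) {
        if (registered == null || redirectUri == null) {
            return false;
        }
        URI parsed;
        try {
            parsed = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false; // an unparsable value can never match a registration
        }
        // Callbacks are registered as absolute URIs without fragments; reject
        // anything else up front rather than relying on the comparison alone.
        if (!parsed.isAbsolute() || parsed.getFragment() != null) {
            return false;
        }
        for (String callback : registered) {
            if (redirectUri.equals(callback)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample registration and candidate values for the demonstration.
        Collection<String> registered = List.of(
                "https://app.example.org/oidc/callback",
                "https://app.example.org/oidc/callback-admin");
        String[] candidates = {
                "https://app.example.org/oidc/callback",        // registered as-is
                "https://app.example.org/oidc/callback/",       // trailing slash differs
                "https://app.example.org/oidc/callback?next=x", // extra query component
                "https://app.example.org/oidc/callback#frag",   // fragment is rejected
                "/oidc/callback"                                // relative, rejected
        };
        for (String c : candidates) {
            System.out.println(isRegisteredCallback(registered, c) + "  " + c);
        }
    }
}
```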
Field Summary

- protected String ACCESS_TOKENS_KEY
- static String CLIENT_COMMENT_TAG
- protected String config
- protected net.sf.json.JSONObject extended_attributes
- protected String ID_TOKENS_KEY
- protected net.sf.json.JSONObject jsonConfig
- protected String oa4mp_attributes
- protected String oidc_cm_attributes
- protected boolean publicClient
- protected String REFRESH_TOKENS_KEY
- protected String TOKENS_KEY
- static long USE_SERVER_DEFAULT
- protected String xoauth_attributes

Constructor Summary

- OA2Client(edu.uiuc.ncsa.security.core.Identifier identifier)
Method Summary

- OA2Client clone()
- boolean equals(Object obj)
- AccessTokenConfig getAccessTokensConfig()
- long getAtLifetime()
- Collection<String> getAudience()
- Collection<String> getCallbackURIs()
- List<String> getComment()
- net.sf.json.JSONObject getConfig(): The JSON configuration object.
- long getDfInterval()
- long getDfLifetime()
- net.sf.json.JSONObject getExtendedAttributes(): Extended attributes base call.
- List<String> getGrantTypes()
- IDTokenClientConfig getIDTokenConfig()
- String getIssuer()
- Collection<LDAPConfiguration> getLdaps()
- long getMaxATLifetime(): The maximum lifetime, if different from the server max, for this client.
- long getMaxRTLifetime(): The maximum lifetime, if different from the server max, for this client.
- protected net.sf.json.JSONObject getNamedAttributes(String name)
- protected List<String> getNamedList(String component, String key)
- protected Object getNamedProperty(String component, String key)
- protected net.sf.json.JSONObject getOA4MPAttributes()
- net.sf.json.JSONObject getOIDC_CM_Attributes()
- List<edu.uiuc.ncsa.security.core.Identifier> getPrototypes()
- Collection<String> getProxyClaimsList(): Tells which claims, in addition to the subject, to take from the proxy claims.
- Collection<String> getProxyRequestScopes(): If the client needs a subset of scopes from the proxy, they go here.
- String getRawConfig()
- RefreshTokenConfig getRefreshTokensConfig()
- List<URI> getResource()
- List<String> getResponseTypes()
- long getRtGracePeriod()
- long getRtLifetime()
- Collection<String> getScopes()
- protected net.sf.json.JSONObject getXOAuthExtendedAttributes()
- boolean hasAccessTokenConfig()
- boolean hasConfig()
- boolean hasDriverConfig()
- boolean hasExtendedAttributes()
- boolean hasExtendedAttributeSupport(): Extended attributes refers to allowing the client to pass in NS-qualified additional parameters in the request.
- boolean hasIDTokenConfig()
- boolean hasOIDC_CM_Attributes()
- protected boolean hasPayloadConfig(String root, String path)
- boolean hasPrototypes()
- boolean hasRefreshTokenConfig()
- boolean hasRequestScopes()
- boolean hasScript()
- boolean isErsatzClient()
- boolean isExtendsProvisioners(): Whether the ersatz client should simply extend all provisioners.
- boolean isForwardScopesToProxy()
- boolean isOIDCClient()
- boolean isPublicClient()
- boolean isRTLifetimeEnabled(): Returns whether this client is configured to return refresh tokens.
- boolean isSignTokens()
- boolean isSkipServerScripts()
- static void main(String[] args)
- protected void populateClone(BaseClient c)
- void removeOIDC_CM_Attributes()
- void setAccessTokenConfig(AccessTokenConfig cfg)
- void setAtLifetime(long atLifetime)
- void setAudience(Collection<String> audience)
- void setCallbackURIs(Collection<String> callbackURIs)
- void setComment(String comment)
- void setComment(List<String> comments)
- void setConfig(net.sf.json.JSONObject config)
- void setDfInterval(long dfInterval)
- void setDfLifetime(long dfLifetime)
- void setErsatzClient(boolean ersatzClient)
- void setExtendedAttributes(net.sf.json.JSONObject eas)
- void setExtendedAttributeSupport(boolean b)
- void setExtendsProvisioners(boolean extendsProvisioners)
- void setForwardScopesToProxy(boolean forwardScopesToProxy)
- void setGrantTypes(List<String> grantTypes)
- void setIDTokenConfig(IDTokenClientConfig idTokenClientConfig)
- void setIssuer(String issuer)
- void setLdaps(Collection<LDAPConfiguration> ldaps)
- void setMaxATLifetime(long maxATLifetime)
- void setMaxRTLifetime(long maxRTLifetime)
- protected void setNamedAttributes(String name, net.sf.json.JSONObject jsonObject)
- protected void setNamedList(String component, String key, List<String> list)
- protected void setNamedProperty(String component, String key, Object property)
- void setOIDC_CM_attributes(net.sf.json.JSONObject attr)
- protected void setPayloadConfig(AbstractPayloadConfig apc, String root, String path)
- void setPrototypes(List<edu.uiuc.ncsa.security.core.Identifier> prototypes)
- void setProxyClaimsList(Collection<String> proxyClaimsList)
- void setProxyRequestScopes(Collection<String> proxyRequestScopes)
- void setPublicClient(boolean publicClient)
- void setRawConfig(String rawConfig)
- void setRefreshTokensConfig(RefreshTokenConfig refreshTokenConfig)
- void setResource(List<URI> resource)
- void setResponseTypes(List<String> responseTypes)
- void setRtGracePeriod(long rtGracePeriod)
- void setRtLifetime(long rtLifetime)
- void setScopes(Collection<String> scopes)
- void setSignTokens(boolean signTokens)
- void setSkipServerScripts(boolean skipServerScripts)
- void setStrictscopes(boolean newValue)
- protected AbstractPayloadConfig setupPayloadConfig(AbstractPayloadConfig pc, String root, String path)
- String toString()
- boolean useStrictScopes(): Strict scopes means that the list of scopes must match exactly for the given client.

Methods inherited from class edu.uiuc.ncsa.oa4mp.delegation.common.storage.Client
getErrorUri, getHomeUri, isProxyLimited, setErrorUri, setHomeUri, setProxyLimited

Methods inherited from class edu.uiuc.ncsa.oa4mp.delegation.common.storage.BaseClient
getCreationTS, getEmail, getLastModifiedTS, getName, getSecret, isDebugOn, setCreationTS, setDebugOn, setEmail, setLastModifiedTS, setName, setSecret

Methods inherited from class edu.uiuc.ncsa.security.storage.data.Monitored
getLastAccessed, setLastAccessed
Field Detail

USE_SERVER_DEFAULT
public static final long USE_SERVER_DEFAULT
See Also: Constant Field Values

publicClient
protected boolean publicClient

xoauth_attributes
protected String xoauth_attributes

oa4mp_attributes
protected String oa4mp_attributes

oidc_cm_attributes
protected String oidc_cm_attributes

TOKENS_KEY
protected String TOKENS_KEY

ACCESS_TOKENS_KEY
protected String ACCESS_TOKENS_KEY

REFRESH_TOKENS_KEY
protected String REFRESH_TOKENS_KEY

ID_TOKENS_KEY
protected String ID_TOKENS_KEY

CLIENT_COMMENT_TAG
public static String CLIENT_COMMENT_TAG

config
protected String config

jsonConfig
protected net.sf.json.JSONObject jsonConfig

extended_attributes
protected net.sf.json.JSONObject extended_attributes
Method Detail

clone
public OA2Client clone()

getMaxATLifetime
public long getMaxATLifetime()
The maximum lifetime, if different from the server max, for this client. Note that once set, no AT lifetime can exceed this. Set to <= 0 to use the server max as the client max.

setMaxATLifetime
public void setMaxATLifetime(long maxATLifetime)

getMaxRTLifetime
public long getMaxRTLifetime()
The maximum lifetime, if different from the server max, for this client. Note that once set, no RT lifetime can exceed this. Set to <= 0 to use the server max as the client max.

setMaxRTLifetime
public void setMaxRTLifetime(long maxRTLifetime)

populateClone
protected void populateClone(BaseClient c)
Overrides: populateClone in class Client

setComment
public void setComment(String comment)

getPrototypes
public List<edu.uiuc.ncsa.security.core.Identifier> getPrototypes()

setPrototypes
public void setPrototypes(List<edu.uiuc.ncsa.security.core.Identifier> prototypes)

hasPrototypes
public boolean hasPrototypes()

isErsatzClient
public boolean isErsatzClient()

setErsatzClient
public void setErsatzClient(boolean ersatzClient)

isExtendsProvisioners
public boolean isExtendsProvisioners()
Whether the ersatz client should simply extend all provisioners. This means you do not have to call setPrototypes(List) for this object. If you do set it, those prototypes are processed first, then the provisioners.

setExtendsProvisioners
public void setExtendsProvisioners(boolean extendsProvisioners)

isSkipServerScripts
public boolean isSkipServerScripts()

setSkipServerScripts
public void setSkipServerScripts(boolean skipServerScripts)

isPublicClient
public boolean isPublicClient()

isOIDCClient
public boolean isOIDCClient()

setPublicClient
public void setPublicClient(boolean publicClient)

isSignTokens
public boolean isSignTokens()

setSignTokens
public void setSignTokens(boolean signTokens)

getIssuer
public String getIssuer()

setIssuer
public void setIssuer(String issuer)

getCallbackURIs
public Collection<String> getCallbackURIs()

setCallbackURIs
public void setCallbackURIs(Collection<String> callbackURIs)

getRtLifetime
public long getRtLifetime()

setRtLifetime
public void setRtLifetime(long rtLifetime)

getAtLifetime
public long getAtLifetime()

setAtLifetime
public void setAtLifetime(long atLifetime)

isRTLifetimeEnabled
public boolean isRTLifetimeEnabled()
Returns whether this client is configured to return refresh tokens. Zero means no refresh tokens, positive is the lifetime, and negative (USE_SERVER_DEFAULT) means to use the server default. Disabled means the lifetime is set to zero. See also getMaxRTLifetime().
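An added example, not OA4MP code, that works through the lifetime rules stated for isRTLifetimeEnabled() and getMaxRTLifetime(): the class and method names, the sample values, and the assumption that the server max also caps a client's own max are the example's own.

```java
// Added illustration, not OA4MP code. Resolves the refresh-token lifetime a
// client actually gets from the values this class documents: getRtLifetime()
// (0 = no refresh tokens, > 0 = the lifetime, < 0 = USE_SERVER_DEFAULT) and
// getMaxRTLifetime() (<= 0 = use the server max as the client max), plus the
// server's own default and max. That the server max also caps a client max is
// an assumption of this example; the page does not state it.
public final class RefreshTokenLifetimeResolver {

    private RefreshTokenLifetimeResolver() {}

    // Same rule as isRTLifetimeEnabled(): only a zero lifetime disables refresh tokens.
    public static boolean isRTLifetimeEnabled(long rtLifetime) {
        return rtLifetime != 0;
    }

    // Effective lifetime (same unit as the stored values), or 0 when refresh
    // tokens are disabled. Assumes serverDefault and serverMax are positive.
    public static long effectiveRtLifetime(long rtLifetime, long maxRTLifetime,
                                           long serverDefault, long serverMax) {
        if (!isRTLifetimeEnabled(rtLifetime)) {
            return 0L;                         // client issues no refresh tokens at all
        }
        long requested = rtLifetime < 0 ? serverDefault : rtLifetime;
        long clientMax = maxRTLifetime > 0 ? Math.min(maxRTLifetime, serverMax) : serverMax;
        return Math.min(requested, clientMax); // once a max is set, no RT lifetime may exceed it
    }

    public static void main(String[] args) {
        // Constructed sample values; units are whatever the store uses for lifetimes.
        long serverDefault = 1_000_000L;
        long serverMax = 3_000_000L;
        long[][] clients = {
                {0L, 0L},                 // refresh tokens disabled
                {-1L, 0L},                // server default, which is under the server max
                {5_000_000L, 0L},         // asks for more than the server max: clamped
                {5_000_000L, 2_000_000L}, // clamped to the client's own max
                {-1L, 500_000L}           // server default exceeds the client max: clamped
        };
        for (long[] c : clients) {
            System.out.printf("rtLifetime=%d maxRTLifetime=%d -> enabled=%b effective=%d%n",
                    c[0], c[1], isRTLifetimeEnabled(c[0]),
                    effectiveRtLifetime(c[0], c[1], serverDefault, serverMax));
        }
    }
}
```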
getAudience
public Collection<String> getAudience()

setAudience
public void setAudience(Collection<String> audience)

getScopes
public Collection<String> getScopes()
Specified by: getScopes in interface OA2ClientScopes

setScopes
public void setScopes(Collection<String> scopes)

getLdaps
public Collection<LDAPConfiguration> getLdaps()

setLdaps
public void setLdaps(Collection<LDAPConfiguration> ldaps)

setupPayloadConfig
protected AbstractPayloadConfig setupPayloadConfig(AbstractPayloadConfig pc, String root, String path)

setPayloadConfig
protected void setPayloadConfig(AbstractPayloadConfig apc, String root, String path)

hasAccessTokenConfig
public boolean hasAccessTokenConfig()

getAccessTokensConfig
public AccessTokenConfig getAccessTokensConfig()

hasDriverConfig
public boolean hasDriverConfig()

setAccessTokenConfig
public void setAccessTokenConfig(AccessTokenConfig cfg)

setRefreshTokensConfig
public void setRefreshTokensConfig(RefreshTokenConfig refreshTokenConfig)

hasRefreshTokenConfig
public boolean hasRefreshTokenConfig()

getRefreshTokensConfig
public RefreshTokenConfig getRefreshTokensConfig()

hasIDTokenConfig
public boolean hasIDTokenConfig()

getIDTokenConfig
public IDTokenClientConfig getIDTokenConfig()

setIDTokenConfig
public void setIDTokenConfig(IDTokenClientConfig idTokenClientConfig)

getNamedAttributes
protected net.sf.json.JSONObject getNamedAttributes(String name)

setNamedAttributes
protected void setNamedAttributes(String name, net.sf.json.JSONObject jsonObject)

hasOIDC_CM_Attributes
public boolean hasOIDC_CM_Attributes()

getOIDC_CM_Attributes
public net.sf.json.JSONObject getOIDC_CM_Attributes()

setOIDC_CM_attributes
public void setOIDC_CM_attributes(net.sf.json.JSONObject attr)

removeOIDC_CM_Attributes
public void removeOIDC_CM_Attributes()

getOA4MPAttributes
protected net.sf.json.JSONObject getOA4MPAttributes()

getXOAuthExtendedAttributes
protected net.sf.json.JSONObject getXOAuthExtendedAttributes()

hasExtendedAttributeSupport
public boolean hasExtendedAttributeSupport()
Extended attributes refers to allowing the client to pass in NS-qualified (namespace-qualified) additional parameters in the request. Normally these are ignored (as per spec). However, additional parameters may also be accepted (also as per spec), so if this is set to true, those with the correct prefix are added to the transaction for later processing. The default for this option is false.
Note: these reside in the JSON configuration as part of a separate extra attributes object, so the configuration should contain something like:
{"cfg":["comments"], "extraAttributes":{"extendedAttributesEnabled":true}, ... other stuff }
setExtendedAttributeSupport
public void setExtendedAttributeSupport(boolean b)

useStrictScopes
public boolean useStrictScopes()
Strict scopes means that the list of scopes must match exactly for the given client. Typically this is false for WLCG and other clients that can pass in arbitrary scopes.

setStrictscopes
public void setStrictscopes(boolean newValue)

getConfig
public net.sf.json.JSONObject getConfig()
The JSON configuration object. The format is as follows:
{
  "config":"comment",
  "claims":{"sources":[JSON], "logic":[JSON], "source_config":[JSON], "processing":[JSON]},
  "sci_tokens":{"usernameClaimKey":"value", "templates":[...], "qdl":{...}},
  "id_tokens":{"qdl":{...}},
  "wlcg_token":{"qdl":{...}},
  "isSaved":true|false
}
Note that the "claims" entry is deprecated and mostly refers to the old JFunctor scripting. Don't use it in new configurations. The isSaved entry also relates to JFunctors and is ignored by all other components.
See the ClientJSONConfigUtil.
JSON may be either a single JSON object or an array of them. If a single object, it is converted to an array of a single object before processing. As of now (version 4.3), the claims block, which is simple functor scripting, is deprecated in favor of the new qdl block. JSON may be a logic block (which consists of various JSON functors):
{ "$if":conditionals, "$then":"actions", "$else":"other actions" }
conditionals, actions and other actions are JSON objects or arrays of them as well. Note that the conditional must be a functor that evaluates to a logical value.
hasConfig
public boolean hasConfig()

setConfig
public void setConfig(net.sf.json.JSONObject config)

setRawConfig
public void setRawConfig(String rawConfig)

getRawConfig
public String getRawConfig()

getExtendedAttributes
public net.sf.json.JSONObject getExtendedAttributes()
Extended attributes base call. getConfig() gets user-facing configuration, like scripts and maybe other things not related to OAuth. Extended attributes are for core configuration, such as additional grant types and other items that come from specifications and are generally not open to change. The reason for this is simple: as OA4MP evolves, more and more attributes must be managed, and rather than keep adding database columns (and having to update the other store types too, with all the management that implies), there is one central place for them and all other logic for them stays in software. Setters and getters are added to this class which store their information in a JSON blob.
Structure
The structure is a flat list of attributes as:
{
  "xoauth_attributes":{"grant_type":[...]},   <-- attributes for OAuth
  "oa4mp_attributes":{"foo":"bar",...},       <-- attributes relating to OA4MP
  "oidc-cm":{"x":"y",...}                     <-- unused attributes from RFC7951, so we have them
  ... etc
}

setExtendedAttributes
public void setExtendedAttributes(net.sf.json.JSONObject eas)

hasExtendedAttributes
public boolean hasExtendedAttributes()
main
public static void main(String[] args)

hasScript
public boolean hasScript()

getDfLifetime
public long getDfLifetime()

setDfLifetime
public void setDfLifetime(long dfLifetime)

getDfInterval
public long getDfInterval()

setDfInterval
public void setDfInterval(long dfInterval)

getProxyClaimsList
public Collection<String> getProxyClaimsList()
Tells which claims, in addition to the subject, to take from the proxy claims. The default is just to take the subject. The options are:
- (empty): the default, just take the sub claim
- [*]: all claims
- [c0, c1, c2, ...]: a list of claims

setProxyClaimsList
public void setProxyClaimsList(Collection<String> proxyClaimsList)

getProxyRequestScopes
public Collection<String> getProxyRequestScopes()
If the client needs a subset of scopes from the proxy, they go here.

setProxyRequestScopes
public void setProxyRequestScopes(Collection<String> proxyRequestScopes)

hasRequestScopes
public boolean hasRequestScopes()

isForwardScopesToProxy
public boolean isForwardScopesToProxy()

setForwardScopesToProxy
public void setForwardScopesToProxy(boolean forwardScopesToProxy)

getRtGracePeriod
public long getRtGracePeriod()

setRtGracePeriod
public void setRtGracePeriod(long rtGracePeriod)