Class IDTokenHandler

    • Method Detail

      • getPayload

        public net.sf.json.JSONObject getPayload()
        Description copied from interface: PayloadHandler
        The payload for this handler is the actual token being created (the payload is the middle segment of a JWT, for example).
        Specified by:
        getPayload in interface PayloadHandler
        Returns:
        the current claims object, i.e. the token payload
      • setIssuer

        protected void setIssuer​(javax.servlet.http.HttpServletRequest request)
      • refreshAccountingInformation

        public void refreshAccountingInformation()
        Description copied from interface: PayloadHandler
        This is used on refresh only. It will reset all the standard accounting information (such as timestamps) for an existing claims object.

        Usage

        Create an instance of the handler, passing any required state to the constructor, then invoke this method.
        Specified by:
        refreshAccountingInformation in interface PayloadHandler
      • NEWrefreshAccountingInformation

        protected void NEWrefreshAccountingInformation()
      • setAccountingInformation

        public void setAccountingInformation()
        Description copied from interface: PayloadHandler
        This sets the accounting information (such as the expiration) for a token. It is called when a token is created or refreshed.
        Specified by:
        setAccountingInformation in interface PayloadHandler
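The create/refresh lifecycle described for setAccountingInformation and refreshAccountingInformation, as an added illustration that is not OA4MP's code: plain Maps stand in for net.sf.json.JSONObject, the issuer URL, client id and 15-minute lifetime are constructed, and the handler takes a Clock so the behaviour is reproducible. The point it shows is that a refresh discards the old timestamps and identifier rather than extending them in place, while the identity claims the claim sources produced are left untouched.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

/**
 * Hypothetical handler (not OA4MP's) that sets and refreshes the accounting claims
 * iat, nbf, exp and jti. Identity claims set by claim sources are never touched.
 */
public class AccountingClaimsExample {
    private final Clock clock;       // injected so the behaviour is reproducible
    private final Duration lifetime; // assumed token lifetime
    private final String issuer;     // assumed issuer URL

    public AccountingClaimsExample(Clock clock, Duration lifetime, String issuer) {
        this.clock = clock;
        this.lifetime = lifetime;
        this.issuer = issuer;
    }

    /** Called on creation and on refresh: stamps the token with fresh accounting claims. */
    public void setAccountingInformation(Map<String, Object> claims) {
        long now = clock.instant().getEpochSecond();
        claims.put("iss", issuer);
        claims.put("iat", now);
        claims.put("nbf", now);
        claims.put("exp", now + lifetime.getSeconds());
        claims.put("jti", UUID.randomUUID().toString()); // a new identifier for every issued token
    }

    /**
     * Refresh only: the previous timestamps are dropped, never extended in place, so a
     * refreshed token cannot inherit a stale exp or reuse the previous jti.
     */
    public void refreshAccountingInformation(Map<String, Object> claims) {
        for (String k : new String[] {"iat", "nbf", "exp", "jti"}) {
            claims.remove(k);
        }
        setAccountingInformation(claims);
    }

    /** Check a server should run before signing: the accounting claims exist and are consistent. */
    public static boolean accountingIsConsistent(Map<String, Object> claims, Instant now) {
        if (!(claims.get("iat") instanceof Long) || !(claims.get("exp") instanceof Long)
                || !(claims.get("nbf") instanceof Long) || claims.get("jti") == null) {
            return false;
        }
        long iat = (Long) claims.get("iat");
        long exp = (Long) claims.get("exp");
        long nbf = (Long) claims.get("nbf");
        long t = now.getEpochSecond();
        return nbf <= t && t < exp && iat <= exp;
    }

    public static void main(String[] args) {
        String issuer = "https://idp.example.org/oa4mp"; // constructed
        Clock created = Clock.fixed(Instant.parse("2024-01-01T00:00:00Z"), ZoneOffset.UTC);
        AccountingClaimsExample h = new AccountingClaimsExample(created, Duration.ofMinutes(15), issuer);

        // Constructed identity claims, as a claim source would have produced them.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("sub", "jdoe@example.org");
        claims.put("aud", "example-client-id");
        h.setAccountingInformation(claims);
        System.out.println("created:   " + claims);
        String firstJti = (String) claims.get("jti");

        // Twenty minutes later the token has expired; a refresh re-stamps it.
        Instant later = Instant.parse("2024-01-01T00:20:00Z");
        System.out.println("consistent at +20m?  " + accountingIsConsistent(claims, later));
        AccountingClaimsExample refreshed =
            new AccountingClaimsExample(Clock.fixed(later, ZoneOffset.UTC), Duration.ofMinutes(15), issuer);
        refreshed.refreshAccountingInformation(claims);
        System.out.println("refreshed: " + claims);
        System.out.println("consistent after refresh? " + accountingIsConsistent(claims, later));
        System.out.println("jti changed? " + !firstJti.equals(claims.get("jti")));
        System.out.println("identity kept? " + "jdoe@example.org".equals(claims.get("sub")));
    }
}
```

Running main shows the token failing the consistency check once its lifetime has passed, then passing again after the refresh with a new jti while sub and aud are unchanged.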
      • addRequestState

        public void addRequestState​(edu.uiuc.ncsa.security.util.scripting.ScriptRunRequest req)
                             throws Throwable
        Description copied from interface: PayloadHandler
        Marshal any resources the script needs to run, i.e., add any handler-specific state to the ScriptRunRequest.
        Specified by:
        addRequestState in interface PayloadHandler
        Throws:
        Throwable
      • checkClaims

        public void checkClaims()
                         throws Throwable
        Description copied from interface: PayloadHandler
        Called after the runner has obtained the claims so that this class can check their integrity. For instance, an OIDC server must verify that the subject is set properly, and SciTokens must check that its scopes (a.k.a. resource permissions) were set.
        Specified by:
        checkClaims in interface PayloadHandler
        Throws:
        Throwable
      • finish

        public void finish​(String execPhase)
                    throws Throwable
        For CIL-499. Functors can remove key claims and hand back an unusable claims object. This method checks that the claims that must be present are there and raises a server-side exception otherwise.
        Specified by:
        finish in interface PayloadHandler
        Parameters:
        execPhase - the current execution phase.
        Throws:
        Throwable
      • getScopes

        public Collection<String> getScopes()
        The contract is to return the current scopes. If they have not been overridden, the original scopes are returned, since they are still in effect.
        Returns:
        the scopes currently in effect
      • restrictiveFinish

        protected void restrictiveFinish​(Collection<String> scopes,
                                         String execPhase)
                                  throws Throwable
        Restrictive finish: the client must explicitly request scopes and is limited to what they permit. The model is that the claim sources may return anything, but the result is filtered down to the subset the requested scopes allow.
        Parameters:
        scopes - the scopes the result is restricted to
        execPhase - the current execution phase.
        Throws:
        Throwable
      • permissiveFinish

        protected void permissiveFinish​(Collection<String> configuredScopes,
                                        String execPhase)
                                 throws Throwable
        Permissive finish: whittle down only those claims that were not explicitly requested, and pass back everything else. This is needed for scripting, where claims may simply be added; if a client were set to strict scopes, claims added in a script would be stripped off. CILogon uses this by default, since the scopes it gets come from SAML assertions.
        Parameters:
        configuredScopes - the scopes configured for the client
        execPhase - the current execution phase.
        Throws:
        Throwable
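The two filtering models described for restrictiveFinish and permissiveFinish, side by side, as an added example that is not OA4MP's code. Plain Maps stand in for net.sf.json.JSONObject; the scope-to-claims table is the standard OpenID Connect Core mapping, the list of protocol claims is an assumption, and the sample claims (including the SAML-style isMemberOf and eppn attributes a script might add) are constructed.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical (not OA4MP's) restrictive and permissive claim filtering. */
public class ScopeFilterExample {
    // OpenID Connect Core standard scope -> claims mapping.
    static final Map<String, Set<String>> SCOPE_CLAIMS = Map.of(
        "openid",  Set.of("sub"),
        "profile", Set.of("name", "family_name", "given_name", "middle_name", "nickname",
                          "preferred_username", "profile", "picture", "website", "gender",
                          "birthdate", "zoneinfo", "locale", "updated_at"),
        "email",   Set.of("email", "email_verified"),
        "address", Set.of("address"),
        "phone",   Set.of("phone_number", "phone_number_verified"));

    // Assumed: protocol/accounting claims that no scope governs and that always pass.
    static final Set<String> PROTOCOL_CLAIMS =
        Set.of("iss", "sub", "aud", "exp", "iat", "nbf", "jti", "nonce", "auth_time", "azp", "at_hash");

    /** Claims permitted by a set of scopes; an unknown scope permits nothing. */
    static Set<String> permittedBy(Collection<String> scopes) {
        Set<String> out = new HashSet<>();
        for (String s : scopes) {
            out.addAll(SCOPE_CLAIMS.getOrDefault(s, Set.of()));
        }
        return out;
    }

    /** Restrictive: only protocol claims and claims the requested scopes permit survive. */
    static Map<String, Object> restrictiveFinish(Map<String, Object> claims, Collection<String> scopes) {
        Set<String> allowed = permittedBy(scopes);
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : claims.entrySet()) {
            if (PROTOCOL_CLAIMS.contains(e.getKey()) || allowed.contains(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    /**
     * Permissive: remove only claims that belong to a standard scope the client was not
     * configured for; anything a script added outside the standard scopes passes through.
     */
    static Map<String, Object> permissiveFinish(Map<String, Object> claims, Collection<String> configuredScopes) {
        Set<String> allowed = permittedBy(configuredScopes);
        Set<String> scopeGoverned = new HashSet<>();
        SCOPE_CLAIMS.values().forEach(scopeGoverned::addAll);
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : claims.entrySet()) {
            String k = e.getKey();
            boolean governedButNotGranted =
                scopeGoverned.contains(k) && !allowed.contains(k) && !PROTOCOL_CLAIMS.contains(k);
            if (!governedButNotGranted) {
                out.put(k, e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed claims as a claim source plus a script might have produced them:
        // 'name' is profile-scoped; 'isMemberOf' and 'eppn' are SAML-style attributes
        // added by a script that no standard scope governs.
        Map<String, Object> fromSources = new LinkedHashMap<>();
        fromSources.put("iss", "https://idp.example.org/oa4mp");
        fromSources.put("sub", "jdoe@example.org");
        fromSources.put("aud", "example-client-id");
        fromSources.put("exp", 1704067200L);
        fromSources.put("name", "Jane Doe");
        fromSources.put("email", "jdoe@example.org");
        fromSources.put("email_verified", Boolean.TRUE);
        fromSources.put("isMemberOf", List.of("cn=staff,o=example"));
        fromSources.put("eppn", "jdoe@example.org");

        List<String> requested = List.of("openid", "email"); // 'profile' was not requested
        System.out.println("restrictive: " + restrictiveFinish(fromSources, requested).keySet());
        System.out.println("permissive:  " + permissiveFinish(fromSources, requested).keySet());
    }
}
```

With openid and email requested, the restrictive filter drops name, isMemberOf and eppn, since none of them is permitted by a requested scope, whereas the permissive filter drops only name, which belongs to the unrequested profile scope, and lets the script-added attributes through. That is exactly the case the text describes: under strict scopes a script's additions would be stripped.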
      • setCurrentClaim

        protected void setCurrentClaim​(net.sf.json.JSONObject currentClaims,
                                       net.sf.json.JSONObject finalClaims,
                                       String key)
      • saveState

        public void saveState​(String execPhase)
                       throws Throwable
        Description copied from interface: PayloadHandler
        Called at the end of each block, this lets the handler save its state. Note that for OA4MP, the state is saved in the transaction which is saved once after the handlers run. Only put actual save code in here if needed, since it is apt to get called a lot.
        Specified by:
        saveState in interface PayloadHandler
        Overrides:
        saveState in class AbstractPayloadHandler
        Throws:
        Throwable
      • checkRequiredScopes

        protected void checkRequiredScopes​(OA2ServiceTransaction t)
                                    throws Throwable
        Use this to check for any required scopes the request must have. It is best to check these in the transaction, since the scopes have been normalized there.
        Parameters:
        t - the current transaction, whose scopes have been normalized
        Throws:
        Throwable
      • checkClaim

        protected void checkClaim​(net.sf.json.JSONObject claims,
                                  String claimKey)
        Enforces that the claim exists in the claims argument. This is mostly used for the openid scope. An error is raised if the claim is missing.
        Parameters:
        claims - the claims object to check
        claimKey - the key of the claim that must be present
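The checks described for finish (CIL-499), checkRequiredScopes and checkClaim, worked through as an added example that is not OA4MP's code. Plain Maps stand in for net.sf.json.JSONObject, the exception type and the scope-normalization helper are hypothetical, and the sample claims and scope string are constructed; the list of claims an ID token must carry is the one OpenID Connect Core mandates. The failing case shows a functor blanking out the subject and the token being refused server-side.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical (not OA4MP's) required-claim and required-scope checks. */
public class RequiredClaimsExample {
    /** Server-side failure: the claims object is unusable and no token may be issued. */
    public static class UnusableClaimsException extends RuntimeException {
        public UnusableClaimsException(String msg) { super(msg); }
    }

    // Claims an ID token must carry (OpenID Connect Core).
    static final List<String> REQUIRED_ID_TOKEN_CLAIMS = List.of("iss", "sub", "aud", "exp", "iat");

    /** The claim must exist and must not be an empty string or an empty collection. */
    static void checkClaim(Map<String, Object> claims, String claimKey) {
        Object v = claims.get(claimKey);
        boolean missing = v == null
            || (v instanceof String && ((String) v).trim().isEmpty())
            || (v instanceof Collection && ((Collection<?>) v).isEmpty());
        if (missing) {
            throw new UnusableClaimsException("required claim '" + claimKey + "' is missing or empty");
        }
    }

    /** Run after scripts/functors: they may have deleted claims the token cannot do without. */
    static void finish(Map<String, Object> claims, Collection<String> scopes) {
        if (scopes.contains("openid")) {
            for (String k : REQUIRED_ID_TOKEN_CLAIMS) {
                checkClaim(claims, k);
            }
            // Present but inconsistent timestamps make the token just as unusable.
            long iat = ((Number) claims.get("iat")).longValue();
            long exp = ((Number) claims.get("exp")).longValue();
            if (exp <= iat) {
                throw new UnusableClaimsException("exp (" + exp + ") must be after iat (" + iat + ")");
            }
        }
    }

    /** Normalize a raw space-separated scope string (RFC 6749 form) into an ordered, de-duplicated set. */
    static Set<String> normalizeScopes(String raw) {
        Set<String> out = new LinkedHashSet<>();
        for (String s : raw.trim().split("\\s+")) {
            if (!s.isEmpty()) {
                out.add(s);
            }
        }
        return out;
    }

    /** Every scope the client requires must be present in the normalized transaction scopes. */
    static void checkRequiredScopes(Set<String> transactionScopes, Set<String> requiredScopes) {
        Set<String> missing = new TreeSet<>(requiredScopes);
        missing.removeAll(transactionScopes);
        if (!missing.isEmpty()) {
            throw new UnusableClaimsException("request lacks required scope(s): " + missing);
        }
    }

    public static void main(String[] args) {
        Set<String> scopes = normalizeScopes("  openid email   email  "); // constructed request
        checkRequiredScopes(scopes, Set.of("openid"));

        Map<String, Object> claims = new LinkedHashMap<>(); // constructed claims
        claims.put("iss", "https://idp.example.org/oa4mp");
        claims.put("sub", "jdoe@example.org");
        claims.put("aud", "example-client-id");
        claims.put("iat", 1704067200L);
        claims.put("exp", 1704068100L);
        finish(claims, scopes);
        System.out.println("claims accepted: " + claims.keySet());

        // A functor that blanks out the subject must not produce an issuable token.
        claims.put("sub", "");
        try {
            finish(claims, scopes);
        } catch (UnusableClaimsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```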
      • execute

        public net.sf.json.JSONObject execute​(ClaimSource source,
                                              net.sf.json.JSONObject claims)
                                       throws Throwable
        Description copied from interface: PayloadHandler
        Runs this specific claim source against the internal state of this class. The contract is that it returns the updated claims; if the source adds no new claims, it should simply return its claims argument.
        Specified by:
        execute in interface PayloadHandler
        Overrides:
        execute in class AbstractPayloadHandler
        Returns:
        the updated claims, or the claims argument unchanged if the source added nothing
        Throws:
        Throwable
      • getSignedPayload

        public IDTokenImpl getSignedPayload​(edu.uiuc.ncsa.security.util.jwk.JSONWebKey key,
                                            String headerType)
        Description copied from interface: PayloadHandler
        Takes the payload of this handler and signs it with the given key, setting the header type as needed.
        Specified by:
        getSignedPayload in interface PayloadHandler
        Returns:
        the signed ID token
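What getSignedPayload amounts to on the wire, as an added example that is not OA4MP's code: the JOSE header and the payload are base64url-encoded, joined with a dot, signed, and the signature appended. A JDK RSA key pair stands in for the project's JSONWebKey, the algorithm is fixed to RS256, the kid and the payload are constructed, and the verifier side is included to show the check that matters: the verifier pins the algorithm rather than trusting the one in the token.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Hypothetical (not OA4MP's) RS256 signing and verification of a token payload. */
public class JwtSigningExample {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** JOSE header; headerType mirrors the page's headerType argument (normally "JWT"). kid is assumed. */
    static String header(String kid, String headerType) {
        return "{\"alg\":\"RS256\",\"typ\":\"" + headerType + "\",\"kid\":\"" + kid + "\"}";
    }

    /** Compact serialization: base64url(header).base64url(payload).base64url(signature). */
    static String sign(String payloadJson, PrivateKey key, String kid, String headerType)
            throws GeneralSecurityException {
        String signingInput = b64(header(kid, headerType)) + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /**
     * Verifier side. The algorithm is pinned by the verifier and merely cross-checked against
     * the header, which is what rules out "alg":"none" and key-type confusion.
     */
    static boolean verify(String jwt, PublicKey key) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        String headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!headerJson.contains("\"alg\":\"RS256\"")) {
            return false; // a real server parses the header JSON instead of string-matching
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed payload, as the handler's getPayload() would have produced it.
        String payload = "{\"iss\":\"https://idp.example.org/oa4mp\",\"sub\":\"jdoe@example.org\","
                       + "\"aud\":\"example-client-id\",\"iat\":1704067200,\"exp\":1704068100}";
        String jwt = sign(payload, kp.getPrivate(), "key-2024-01", "JWT");
        System.out.println(jwt);
        System.out.println("verifies:        " + verify(jwt, kp.getPublic()));

        // Swapping in a different payload under the original signature must fail.
        String[] parts = jwt.split("\\.");
        String forged = parts[0] + "." + b64(payload.replace("jdoe", "admin")) + "." + parts[2];
        System.out.println("forged verifies: " + verify(forged, kp.getPublic()));
    }
}
```

The signature covers the exact bytes of the first two segments, so re-encoding the payload (even with semantically identical JSON) invalidates it; a server should therefore sign the serialized form it actually emits and never re-serialize afterwards.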