Package com.nimbusds.openid.connect.sdk.federation.entities

Class EntityStatementClaimsSet

java.lang.Object

com.nimbusds.openid.connect.sdk.claims.ClaimsSet

com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

com.nimbusds.openid.connect.sdk.federation.entities.CommonFederationClaimsSet

com.nimbusds.openid.connect.sdk.federation.entities.EntityStatementClaimsSet

All Implemented Interfaces:

net.minidev.json.JSONAware

public class EntityStatementClaimsSet
extends CommonFederationClaimsSet

Federation entity statement claims set, serialisable to a JSON object.

Example claims set:

 {
   "iss": "https://feide.no",
   "sub": "https://ntnu.no",
   "iat": 1516239022,
   "exp": 1516298022,
   "crit": ["jti"],
   "jti": "7l2lncFdY6SlhNia",
   "policy_language_crit": ["regexp"],
   "metadata": {
      "openid_provider": {
         "issuer": "https://ntnu.no",
         "organization_name": "NTNU",
      },
      "oauth_client": {
         "organization_name": "NTNU"
      }
   },
   "metadata_policy": {
      "openid_provider": {
         "id_token_signing_alg_values_supported": {
             "subset_of": ["RS256", "RS384", "RS512"]
         },
         "op_policy_uri": {
             "regexp": "^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"}
         },
      "oauth_client": {
         "grant_types": {
         "subset_of": ["authorization_code", "client_credentials"]},
         "scope": {
         "subset_of": ["openid", "profile", "email", "phone"]}
      }
   },
   "constraints": {
      "max_path_length": 2
   },
   "jwks": {
      "keys": [
         {
            "alg": "RS256",
            "e": "AQAB",
            "key_ops": ["verify"],
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
         }
      ]
   }
 }
 

Related specifications:

• OpenID Connect Federation 1.0, section 3.1.

Field Summary

Fields

Modifier and Type	Field	Description
static String	AUTHORITY_HINTS_CLAIM_NAME	The authority hints claim name.
static String	CONSTRAINTS_CLAIM_NAME	The constraints claim name.
static String	CRITICAL_CLAIM_NAME	The critical claim name.
static String	JWKS_CLAIM_NAME	The JWK set claim name.
static String	METADATA_POLICY_CLAIM_NAME	The metadata policy claim name.
static String	POLICY_LANGUAGE_CRITICAL_CLAIM_NAME	The policy critical claim name.
static String	TRUST_ANCHOR_ID_CLAIM_NAME	The assumed trust anchor in a explicit client registration.
static String	TRUST_MARKS_ISSUERS_CLAIM_NAME	The trust marks issuers claim name.

Fields inherited from class com.nimbusds.openid.connect.sdk.federation.entities.CommonFederationClaimsSet

EXP_CLAIM_NAME, METADATA_CLAIM_NAME, TRUST_MARKS_CLAIM_NAME

Fields inherited from class com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

IAT_CLAIM_NAME, SUB_CLAIM_NAME

Fields inherited from class com.nimbusds.openid.connect.sdk.claims.ClaimsSet

AUD_CLAIM_NAME, claims, ISS_CLAIM_NAME

Constructor Summary

Constructors

Constructor	Description
EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet)	Creates a new federation entity statement claims set from the specified JWT claims set.
EntityStatementClaimsSet(Issuer iss, Subject sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)	Creates a new federation entity statement claims set with the minimum required claims.
EntityStatementClaimsSet(EntityID iss, EntityID sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)	Creates a new federation entity statement claims set with the minimum required claims.

Method Summary

Modifier and Type	Method	Description
List<EntityID>	getAuthorityHints()	Gets the entity IDs of the intermediate entities or trust anchors.
TrustChainConstraints	getConstraints()	Gets the trust chain constraints for subordinate entities.
List<String>	getCriticalExtensionClaims()	Gets the names of the critical extension claims.
List<String>	getCriticalPolicyExtensions()	Gets the names of the critical policy extensions.
com.nimbusds.jose.jwk.JWKSet	getJWKSet()	Gets the entity JWK set.
net.minidev.json.JSONObject	getMetadata(EntityType type)	Gets the metadata for the specified entity type.
MetadataPolicy	getMetadataPolicy(EntityType type)	Gets the metadata policy for the specified type.
net.minidev.json.JSONObject	getMetadataPolicyJSONObject()	Gets the complete metadata policy JSON object.
static Set<String>	getStandardClaimNames()	Gets the names of the standard top-level claims.
EntityID	getTrustAnchorID()	Gets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0.
Map<Identifier,List<Issuer>>	getTrustMarksIssuers()	Gets the trust marks issuers.
boolean	hasMetadata()	Returns true if a metadata field is present.
boolean	isSelfStatement()	Returns true if this is a self-statement (issuer and subject match).
void	setASMetadata(AuthorizationServerMetadata asMetadata)	Sets the OAuth 2.0 authorisation server metadata if present for this entity.
void	setAuthorityHints(List<EntityID> trustChain)	Sets the entity IDs of the intermediate entities or trust anchors.
void	setConstraints(TrustChainConstraints constraints)	Sets the trust chain constraint for subordinate entities.
void	setCriticalExtensionClaims(List<String> claimNames)	Sets the names of the critical extension claims.
void	setCriticalPolicyExtensions(List<String> extNames)	Sets the names of the critical policy extensions.
void	setFederationEntityMetadata(FederationEntityMetadata entityMetadata)	Sets the federation entity metadata if present for this entity.
void	setMetadata(EntityType type, net.minidev.json.JSONObject metadata)	Sets the metadata for the specified entity type.
void	setMetadataPolicy(EntityType type, MetadataPolicy metadataPolicy)	Sets the metadata policy for the specified type.
void	setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)	Sets the complete metadata policy JSON object.
void	setOAuthClientMetadata(ClientMetadata clientMetadata)	Sets the OAuth 2.0 client metadata if present for this entity.
void	setOPMetadata(OIDCProviderMetadata opMetadata)	Gets the OpenID provider metadata if present for this entity.
void	setRPMetadata(OIDCClientMetadata rpMetadata)	Sets the OpenID relying party metadata if present for this entity.
void	setTrustAnchorID(EntityID trustAnchorID)	Sets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0.
void	setTrustMarkIssuerMetadata(TrustMarkIssuerMetadata trustMarkIssuerMetadata)	Deprecated.
void	setTrustMarks(List<TrustMarkEntry> marks)	Sets the trust marks.
void	setTrustMarksIssuers(Map<Identifier,List<Issuer>> issuers)	Sets the trust marks issuers.
void	validateRequiredClaimsPresence()	Validates this claims set for having all minimum required claims for an entity statement.

Methods inherited from class com.nimbusds.openid.connect.sdk.federation.entities.CommonFederationClaimsSet

getASMetadata, getExpirationTime, getFederationEntityMetadata, getIssuerEntityID, getOAuthClientMetadata, getOPMetadata, getRPMetadata, getSubjectEntityID, getTrustMarkIssuerMetadata, getTrustMarks

Methods inherited from class com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

getIssueTime, getSubject

Methods inherited from class com.nimbusds.openid.connect.sdk.claims.ClaimsSet

equals, getAudience, getBooleanClaim, getClaim, getClaim, getDateClaim, getIssuer, getJSONArrayClaim, getJSONObjectClaim, getLangTaggedClaim, getNumberClaim, getStringClaim, getStringClaim, getStringListClaim, getURIClaim, getURLClaim, hashCode, putAll, putAll, setAudience, setAudience, setClaim, setClaim, setDateClaim, setIssuer, setURIClaim, setURLClaim, toJSONObject, toJSONString, toJWTClaimsSet, toString

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

JWKS_CLAIM_NAME

public static final String JWKS_CLAIM_NAME

The JWK set claim name.

See Also:

Constant Field Values

AUTHORITY_HINTS_CLAIM_NAME

public static final String AUTHORITY_HINTS_CLAIM_NAME

The authority hints claim name.

See Also:

Constant Field Values

METADATA_POLICY_CLAIM_NAME

public static final String METADATA_POLICY_CLAIM_NAME

The metadata policy claim name.

See Also:

Constant Field Values

TRUST_ANCHOR_ID_CLAIM_NAME

public static final String TRUST_ANCHOR_ID_CLAIM_NAME

The assumed trust anchor in a explicit client registration. Intended for entity statements issued by an OP for RP performing explicit client registration only.

See Also:

Constant Field Values

CONSTRAINTS_CLAIM_NAME

public static final String CONSTRAINTS_CLAIM_NAME

The constraints claim name.

See Also:

Constant Field Values

TRUST_MARKS_ISSUERS_CLAIM_NAME

public static final String TRUST_MARKS_ISSUERS_CLAIM_NAME

The trust marks issuers claim name.

See Also:

Constant Field Values

CRITICAL_CLAIM_NAME

public static final String CRITICAL_CLAIM_NAME

The critical claim name.

See Also:

Constant Field Values

POLICY_LANGUAGE_CRITICAL_CLAIM_NAME

public static final String POLICY_LANGUAGE_CRITICAL_CLAIM_NAME

The policy critical claim name.

See Also:

Constant Field Values

Constructor Detail

EntityStatementClaimsSet

public EntityStatementClaimsSet(Issuer iss,
                                Subject sub,
                                Date iat,
                                Date exp,
                                com.nimbusds.jose.jwk.JWKSet jwks)

Creates a new federation entity statement claims set with the minimum required claims.

Parameters:

iss - The issuer. Must not be null.

sub - The subject. Must not be null.

iat - The issue time. Must not be null.

exp - The expiration time. Must not be null.

jwks - The entity public JWK set, null if not required.

EntityStatementClaimsSet

public EntityStatementClaimsSet(EntityID iss,
                                EntityID sub,
                                Date iat,
                                Date exp,
                                com.nimbusds.jose.jwk.JWKSet jwks)

Creates a new federation entity statement claims set with the minimum required claims.

Parameters:

iss - The issuer. Must not be null.

sub - The subject. Must not be null.

iat - The issue time. Must not be null.

exp - The expiration time. Must not be null.

jwks - The entity public JWK set, null if not required.

EntityStatementClaimsSet

public EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet)
                         throws ParseException

Creates a new federation entity statement claims set from the specified JWT claims set.

Parameters:

jwtClaimsSet - The JWT claims set. Must not be null.

Throws:

ParseException - If the JWT claims set doesn't represent a valid federation entity statement claims set.

Method Detail

getStandardClaimNames

public static Set<String> getStandardClaimNames()

Gets the names of the standard top-level claims.

Returns:

The names of the standard top-level claims (read-only set).

validateRequiredClaimsPresence

public void validateRequiredClaimsPresence()
                                    throws ParseException

Validates this claims set for having all minimum required claims for an entity statement. If a selt-statement check for the presence of metadata. If critical extension claims are listed their presence is also checked.

Overrides:

validateRequiredClaimsPresence in class CommonFederationClaimsSet

Throws:

ParseException - If the validation failed and a required claim is missing.

isSelfStatement

public boolean isSelfStatement()

Returns true if this is a self-statement (issuer and subject match).

Returns:

true for a self-statement, false if not.

getJWKSet

public com.nimbusds.jose.jwk.JWKSet getJWKSet()

Gets the entity JWK set. Corresponds to the jwks claim.

Returns:

The entity JWK set, null if not specified or parsing failed.

getAuthorityHints

public List<EntityID> getAuthorityHints()

Gets the entity IDs of the intermediate entities or trust anchors. Corresponds to the authority_hints claim.

Returns:

The entity IDs, null or empty list for a trust anchor, or if parsing failed.

setAuthorityHints

public void setAuthorityHints(List<EntityID> trustChain)

Sets the entity IDs of the intermediate entities or trust anchors. Corresponds to the authority_hints claim.

Parameters:

trustChain - The entity IDs, null or empty list for a trust anchor.

hasMetadata

public boolean hasMetadata()

Returns true if a metadata field is present. Corresponds to the metadata claim.

Returns:

true if a metadata field for an OpenID relying party, an OpenID provider, an OAuth authorisation server, an OAuth client, an OAuth protected resource, a federation entity, or a trust mark issuer is present.

getMetadata

public net.minidev.json.JSONObject getMetadata(EntityType type)

Gets the metadata for the specified entity type. Use a typed getter, such as CommonFederationClaimsSet.getRPMetadata(), when available. Corresponds to the metadata claim.

Overrides:

getMetadata in class CommonFederationClaimsSet

Parameters:

type - The entity type. Must not be null.

Returns:

The metadata, null if not specified or if parsing failed.

setMetadata

public void setMetadata(EntityType type,
                        net.minidev.json.JSONObject metadata)

Sets the metadata for the specified entity type. Use a typed setter, such as setRPMetadata(com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata), when available. Corresponds to the metadata claim.

Parameters:

type - The type. Must not be null.

metadata - The metadata, null if not specified.

setRPMetadata

public void setRPMetadata(OIDCClientMetadata rpMetadata)

Sets the OpenID relying party metadata if present for this entity. Corresponds to the metadata.openid_relying_party claim.

Parameters:

rpMetadata - The RP metadata, null if not specified.

setOPMetadata

public void setOPMetadata(OIDCProviderMetadata opMetadata)

Gets the OpenID provider metadata if present for this entity. Corresponds to the metadata.openid_provider claim.

Parameters:

opMetadata - The OP metadata, null if not specified.

setOAuthClientMetadata

public void setOAuthClientMetadata(ClientMetadata clientMetadata)

Sets the OAuth 2.0 client metadata if present for this entity. Corresponds to the metadata.oauth_client claim.

Parameters:

clientMetadata - The client metadata, null if not specified.

setASMetadata

public void setASMetadata(AuthorizationServerMetadata asMetadata)

Sets the OAuth 2.0 authorisation server metadata if present for this entity. Corresponds to the metadata.oauth_authorization_server claim.

Parameters:

asMetadata - The AS metadata, null if not specified.

setFederationEntityMetadata

public void setFederationEntityMetadata(FederationEntityMetadata entityMetadata)

Sets the federation entity metadata if present for this entity. Corresponds to the metadata.federation_entity claim.

Parameters:

entityMetadata - The federation entity metadata, null if not specified.

setTrustMarkIssuerMetadata

@Deprecated
public void setTrustMarkIssuerMetadata(TrustMarkIssuerMetadata trustMarkIssuerMetadata)

Deprecated.

Sets the trust mark issuer metadata for this entity. Corresponds to the metadata.trust_mark_issuer claim.

Parameters:

trustMarkIssuerMetadata - The trust mark issuer metadata, null if not specified.

getMetadataPolicyJSONObject

public net.minidev.json.JSONObject getMetadataPolicyJSONObject()

Gets the complete metadata policy JSON object. Corresponds to the metadata_policy claim.

Returns:

The metadata policy JSON object, null if not specified or if parsing failed.

setMetadataPolicyJSONObject

public void setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)

Sets the complete metadata policy JSON object. Corresponds to the metadata_policy claim.

Parameters:

metadataPolicy - The metadata policy JSON object, null if not specified.

getMetadataPolicy

public MetadataPolicy getMetadataPolicy(EntityType type)
                                 throws PolicyViolationException

Gets the metadata policy for the specified type. Corresponds to the metadata_policy claim.

Parameters:

type - The entity type. Must not be null.

Returns:

The metadata policy, null or if JSON parsing failed.

Throws:

PolicyViolationException - On a policy violation.

setMetadataPolicy

public void setMetadataPolicy(EntityType type,
                              MetadataPolicy metadataPolicy)

Sets the metadata policy for the specified type. Corresponds to the metadata_policy claim.

Parameters:

type - The entity type. Must not be null.

metadataPolicy - The metadata policy, null if not specified.

getTrustAnchorID

public EntityID getTrustAnchorID()

Gets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only. Corresponds to the trust_anchor_id claim.

Returns:

The trust anchor ID, null if not specified.

setTrustAnchorID

public void setTrustAnchorID(EntityID trustAnchorID)

Sets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only. Corresponds to the trust_anchor_id claim.

Parameters:

trustAnchorID - The trust anchor ID, null if not specified.

getConstraints

public TrustChainConstraints getConstraints()

Gets the trust chain constraints for subordinate entities. Corresponds to the constraints claim.

Returns:

The trust chain constraints, null if not specified or if parsing failed.

setConstraints

public void setConstraints(TrustChainConstraints constraints)

Sets the trust chain constraint for subordinate entities. Corresponds to the constraints claim.

Parameters:

constraints - The trust chain constraints, null if not specified.

setTrustMarks

public void setTrustMarks(List<TrustMarkEntry> marks)

Sets the trust marks. Corresponds to the trust_marks claim.

Overrides:

setTrustMarks in class CommonFederationClaimsSet

Parameters:

marks - The trust marks, null if not specified.

getTrustMarksIssuers

public Map<Identifier,List<Issuer>> getTrustMarksIssuers()

Gets the trust marks issuers. Corresponds to the trust_marks_issuers claim.

Returns:

The trust marks issuers, null if not specified or parsing failed.

setTrustMarksIssuers

public void setTrustMarksIssuers(Map<Identifier,List<Issuer>> issuers)

Sets the trust marks issuers. Corresponds to the trust_marks_issuers claim.

Parameters:

issuers - The trust marks issuers, null if not specified.

getCriticalExtensionClaims

public List<String> getCriticalExtensionClaims()

Gets the names of the critical extension claims. Corresponds to the crit claim.

Returns:

The names of the critical extension claims, null if not specified or if parsing failed.

setCriticalExtensionClaims

public void setCriticalExtensionClaims(List<String> claimNames)

Sets the names of the critical extension claims. Corresponds to the crit claim.

Parameters:

claimNames - The names of the critical extension claims, null if not specified. Must not be an empty list.

getCriticalPolicyExtensions

public List<String> getCriticalPolicyExtensions()

Gets the names of the critical policy extensions. Corresponds to the policy_language_crit claim.

Returns:

The names of the critical policy extensions or if parsing failed.

setCriticalPolicyExtensions

public void setCriticalPolicyExtensions(List<String> extNames)

Sets the names of the critical policy extensions. Corresponds to the policy_language_crit claim.

Parameters:

extNames - The names of the critical policy extensions, null if not specified. Must not be an empty list.