Interface Token

All Superinterfaces:
Serializable, org.springframework.security.core.userdetails.UserDetails
All Known Implementing Classes:
XsuaaToken

public interface Token extends org.springframework.security.core.userdetails.UserDetails
  • Method Details

    • getSubaccountId

      String getSubaccountId()
      Returns the subaccount identifier, which in most cases is the same as the identity zone. Use this for metering purposes only. Do NOT use this method any longer to get the unique tenant id; use getZoneId() for that.
      Returns:
      the subaccount identifier.
    • getZoneId

      String getZoneId()
      Returns the zone identifier, which should be used as the tenant discriminator (tenant id). For most of the old subaccounts this matches the id returned by getSubaccountId().
      Returns:
      the zone identifier.
    • getSubdomain

      String getSubdomain()
      Returns the subdomain of the calling tenant's subaccount.
      Returns:
      the subdomain of the tenant the JWT belongs to.
    • getClientId

      String getClientId()
      Returns the OAuth2 client identifier of the authentication token, if present. Following the OpenID Connect 1.0 specification, the client identifier is taken from the "azp" claim if present; when "azp" is not present, it is taken from the "aud" claim, but only if there is exactly one audience.
      Returns:
      the OAuth client ID.
    • getGrantType

      String getGrantType()
      Returns the OAuth 2.0 grant type used for retrieving / creating this token.
      Returns:
      the grant type
    • getLogonName

      @Nullable String getLogonName()
      Returns a unique user name of a user (user_name claim), using information from the JWT. For tokens that were issued as a result of a client credentials flow, the OAuth client ID will be returned in a special format. The following information is required to uniquely identify a user:
      • user login name: name of the user in an identity provider, provided by this method.
      • origin: alias to an identity provider, see getOrigin().
      • zone id: identifier for the zone, see getZoneId().
      Returns:
      unique principal name or null if it cannot be determined.
    • getGivenName

      @Nullable String getGivenName()
      Returns the given name of the user if present. Will try to find it first in the ext_attr.given_name claim before trying to find a given_name claim.
      Returns:
      the given name if present.
    • getFamilyName

      @Nullable String getFamilyName()
      Returns the family name of the user if present. Will try to find it first in the ext_attr.family_name claim before trying to find a family_name claim.
      Returns:
      the family name if present.
    • getEmail

      @Nullable String getEmail()
      Returns the email address of the user, if present.
      Returns:
      The email address if present.
    • getOrigin

      @Nullable String getOrigin()
      Returns the user origin. The origin is an alias that refers to a user store in which the user is persisted. For example, users that are authenticated by the UAA itself with a username / password combination have their origin set to the value "uaa".

      May be null in case this JWT was not created with OAuth 2.0 client credentials flow.

      Returns:
      the user origin if present.
    • getXSUserAttribute

      @Nullable String[] getXSUserAttribute(String attributeName)
      Returns the value of an attribute from the 'xs.user.attributes' claim. Will first try to find the attribute in 'ext_ctx' claim.
      Parameters:
      attributeName - name of the attribute inside 'ext_ctx' or 'xs.user.attributes'.
      Returns:
      the attribute values array or null if there exists no such attribute.
    • getAdditionalAuthAttribute

      @Nullable String getAdditionalAuthAttribute(String attributeName)
      Returns additional custom authentication attributes included by the OAuth client component. Note: this data is controlled by the requester of a token and might not be trustworthy.
      Parameters:
      attributeName - name of the authentication attribute
      Returns:
      additional attribute value if present.
    • getCloneServiceInstanceId

      @Nullable String getCloneServiceInstanceId()
      Returns the XSUAA clone instance ID, if present. This will only be set for tokens that were issued by an XSUAA with plan broker. Contains the service instance id if present.
      Returns:
      the XSUAA clone service instance id if present.
    • getAppToken

      String getAppToken()
      Get the encoded authentication token, e.g. for token forwarding to another app.

      Never expose this token via log or via HTTP.

      Returns:
      token
    • getScopes

      Collection<String> getScopes()
      Returns the list of scopes with appId prefix, e.g. "<my-app!t123>.Display".
      Returns:
      all scopes
    • getAuthorities

      Collection<? extends org.springframework.security.core.GrantedAuthority> getAuthorities()
      By default, returns the list of scopes, see getScopes().

      The default behavior can be adapted as part of the TokenAuthenticationConverter class.

      Specified by:
      getAuthorities in interface org.springframework.security.core.userdetails.UserDetails
      Returns:
      all authorities such as scopes or an empty list
    • getExpiration

      @Nullable Instant getExpiration()
      Returns the moment in time when the token expires.
      Returns:
      the expiration point in time if present.
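
The getLogonName() entry lists three values that together identify a user: logon name, origin and zone id. The following is an added example, not part of the library or its documentation, showing why application data should be keyed on all three. PrincipalKey and keyOf are hypothetical names, the sample values are constructed, and Java 16 or later is assumed for records.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class PrincipalKeyExample {

    /** Hypothetical value type: two keys are equal only if all three parts match. */
    record PrincipalKey(String zoneId, String origin, String logonName) {}

    /**
     * Callers pass token.getZoneId(), token.getOrigin() and token.getLogonName().
     * Returns empty if any part is missing, so the caller denies access
     * instead of falling back to a partial key (a choice made for this example).
     */
    static Optional<PrincipalKey> keyOf(String zoneId, String origin, String logonName) {
        if (isBlank(zoneId) || isBlank(origin) || isBlank(logonName)) {
            return Optional.empty();
        }
        return Optional.of(new PrincipalKey(zoneId, origin, logonName));
    }

    private static boolean isBlank(String s) {
        return s == null || s.isBlank();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real token.
        PrincipalKey a = keyOf("zone-a", "uaa", "jdoe").orElseThrow();
        PrincipalKey b = keyOf("zone-b", "uaa", "jdoe").orElseThrow();
        PrincipalKey c = keyOf("zone-a", "corp-idp", "jdoe").orElseThrow();

        // Keyed by logon name alone, three different users share one record.
        Map<String, String> byName = new HashMap<>();
        // Keyed by the full triple, each user keeps a separate record.
        Map<PrincipalKey, String> byKey = new HashMap<>();
        for (PrincipalKey k : new PrincipalKey[] {a, b, c}) {
            byName.put(k.logonName(), "profile of " + k);
            byKey.put(k, "profile of " + k);
        }
        System.out.println("entries keyed by logon name: " + byName.size());
        System.out.println("entries keyed by full key:   " + byKey.size());
        System.out.println("missing origin accepted: " + keyOf("zone-a", null, "jdoe").isPresent());
    }
}
```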
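
The getClientId() entry describes a lookup order: "azp" first, then "aud" only when there is a single audience. The following is an added example of that rule applied to already validated claims; it is not the library's implementation. resolveClientId is a hypothetical name, the claim sets are constructed, and Java 16 or later is assumed for pattern matching.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class ClientIdResolutionExample {

    /**
     * Applies the documented order to already validated JWT claims:
     * "azp" first, then "aud" only when it names exactly one audience.
     * Returning empty for the ambiguous case is this example's choice.
     */
    static Optional<String> resolveClientId(Map<String, Object> claims) {
        Object azp = claims.get("azp");
        if (azp instanceof String s && !s.isBlank()) {
            return Optional.of(s);
        }
        Object aud = claims.get("aud");
        // A JWT may carry "aud" as a single string or as an array of strings.
        if (aud instanceof String s && !s.isBlank()) {
            return Optional.of(s);
        }
        if (aud instanceof List<?> list && list.size() == 1
                && list.get(0) instanceof String s && !s.isBlank()) {
            return Optional.of(s);
        }
        // No "azp" and zero or several audiences: do not guess a client.
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed claim sets; all client names are made up.
        List<Map<String, Object>> samples = List.of(
                Map.of("azp", "client-a", "aud", List.of("client-b", "client-c")),
                Map.of("aud", "client-b"),
                Map.of("aud", List.of("client-b")),
                Map.of("aud", List.of("client-b", "client-c")),
                Map.of("sub", "someone"));
        for (Map<String, Object> claims : samples) {
            System.out.println(claims + " -> "
                    + resolveClientId(claims).orElse("<unresolved>"));
        }
    }
}
```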