001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.as; 019 020 021import java.net.URI; 022import java.util.List; 023import java.util.Map; 024 025import com.nimbusds.oauth2.sdk.rar.AuthorizationType; 026import net.minidev.json.JSONObject; 027 028import com.nimbusds.jose.EncryptionMethod; 029import com.nimbusds.jose.JWEAlgorithm; 030import com.nimbusds.jose.JWSAlgorithm; 031import com.nimbusds.jose.jwk.JWKSet; 032import com.nimbusds.langtag.LangTag; 033import com.nimbusds.oauth2.sdk.GrantType; 034import com.nimbusds.oauth2.sdk.ResponseMode; 035import com.nimbusds.oauth2.sdk.ResponseType; 036import com.nimbusds.oauth2.sdk.Scope; 037import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 038import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode; 039import com.nimbusds.oauth2.sdk.client.ClientType; 040import com.nimbusds.oauth2.sdk.id.Issuer; 041import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod; 042import com.nimbusds.openid.connect.sdk.Prompt; 043import com.nimbusds.openid.connect.sdk.federation.registration.ClientRegistrationType; 044import com.nimbusds.openid.connect.sdk.op.EndpointName; 045 046 047/** 048 * Read-only OAuth 2.0 Authorisation Server (AS) metadata. 049 * 050 * <p>Related specifications: 051 * 052 * <ul> 053 * <li>OAuth 2.0 Authorization Server Metadata (RFC 8414) 054 * <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound 055 * Access Tokens (RFC 8705) 056 * <li>The OAuth 2.0 Authorization Framework: JWT-Secured Authorization 057 * Request (JAR) (RFC 9101) 058 * <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer 059 * (DPoP) (RFC 9449) 060 * <li>Financial-grade API: JWT Secured Authorization Response Mode for 061 * OAuth 2.0 (JARM) 062 * <li>OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) 063 * <li>Financial-grade API - Part 2: Read and Write API Security Profile 064 * <li>OAuth 2.0 Pushed Authorization Requests (RFC 9126) 065 * <li>OAuth 2.0 Rich Authorization Requests (RFC 9396) 066 * <li>OAuth 2.0 Device Authorization Grant (RFC 8628) 067 * <li>OpenID Connect Client Initiated Backchannel Authentication Flow - 068 * Core 1.0 069 * <li>OAuth 2.0 Incremental Authorization 070 * (draft-ietf-oauth-incremental-authz) 071 * <li>Initiating User Registration via OpenID Connect 1.0 072 * <li>OpenID Connect Federation 1.0 073 * </ul> 074 */ 075public interface ReadOnlyAuthorizationServerMetadata extends ReadOnlyAuthorizationServerEndpointMetadata { 076 077 078 /** 079 * Gets the issuer identifier. Corresponds to the {@code issuer} 080 * metadata field. 081 * 082 * @return The issuer identifier. 083 */ 084 Issuer getIssuer(); 085 086 087 /** 088 * Gets the JSON Web Key (JWK) set URI. Corresponds to the 089 * {@code jwks_uri} metadata field. 090 * 091 * @return The JWK set URI, {@code null} if not specified. 092 */ 093 URI getJWKSetURI(); 094 095 096 /** 097 * Gets the supported scope values. Corresponds to the 098 * {@code scopes_supported} metadata field. 099 * 100 * @return The supported scope values, {@code null} if not specified. 101 */ 102 Scope getScopes(); 103 104 105 /** 106 * Gets the supported response type values. Corresponds to the 107 * {@code response_types_supported} metadata field. 108 * 109 * @return The supported response type values, {@code null} if not 110 * specified. 111 */ 112 List<ResponseType> getResponseTypes(); 113 114 115 /** 116 * Gets the supported response mode values. Corresponds to the 117 * {@code response_modes_supported}. 118 * 119 * @return The supported response mode values, {@code null} if not 120 * specified. 121 */ 122 List<ResponseMode> getResponseModes(); 123 124 125 /** 126 * Gets the supported OAuth 2.0 grant types. Corresponds to the 127 * {@code grant_types_supported} metadata field. 128 * 129 * @return The supported grant types, {@code null} if not specified. 130 */ 131 List<GrantType> getGrantTypes(); 132 133 134 /** 135 * Gets the supported authorisation code challenge methods for PKCE. 136 * Corresponds to the {@code code_challenge_methods_supported} metadata 137 * field. 138 * 139 * @return The supported code challenge methods, {@code null} if not 140 * specified. 141 */ 142 List<CodeChallengeMethod> getCodeChallengeMethods(); 143 144 145 /** 146 * Gets the supported token endpoint authentication methods. 147 * Corresponds to the {@code token_endpoint_auth_methods_supported} 148 * metadata field. 149 * 150 * @return The supported token endpoint authentication methods, 151 * {@code null} if not specified. 152 */ 153 List<ClientAuthenticationMethod> getTokenEndpointAuthMethods(); 154 155 156 /** 157 * Gets the supported JWS algorithms for the {@code private_key_jwt} 158 * and {@code client_secret_jwt} token endpoint authentication methods. 159 * Corresponds to the 160 * {@code token_endpoint_auth_signing_alg_values_supported} metadata 161 * field. 162 * 163 * @return The supported JWS algorithms, {@code null} if not specified. 164 */ 165 List<JWSAlgorithm> getTokenEndpointJWSAlgs(); 166 167 168 /** 169 * Gets the supported introspection endpoint authentication methods. 170 * Corresponds to the 171 * {@code introspection_endpoint_auth_methods_supported} metadata 172 * field. 173 * 174 * @return The supported introspection endpoint authentication methods, 175 * {@code null} if not specified. 176 */ 177 List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods(); 178 179 180 /** 181 * Gets the supported JWS algorithms for the {@code private_key_jwt} 182 * and {@code client_secret_jwt} introspection endpoint authentication 183 * methods. Corresponds to the 184 * {@code introspection_endpoint_auth_signing_alg_values_supported} 185 * metadata field. 186 * 187 * @return The supported JWS algorithms, {@code null} if not specified. 188 */ 189 List<JWSAlgorithm> getIntrospectionEndpointJWSAlgs(); 190 191 192 /** 193 * Gets the supported revocation endpoint authentication methods. 194 * Corresponds to the 195 * {@code revocation_endpoint_auth_methods_supported} metadata field. 196 * 197 * @return The supported revocation endpoint authentication methods, 198 * {@code null} if not specified. 199 */ 200 List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods(); 201 202 203 /** 204 * Gets the supported JWS algorithms for the {@code private_key_jwt} 205 * and {@code client_secret_jwt} revocation endpoint authentication 206 * methods. Corresponds to the 207 * {@code revocation_endpoint_auth_signing_alg_values_supported} 208 * metadata field. 209 * 210 * @return The supported JWS algorithms, {@code null} if not specified. 211 */ 212 List<JWSAlgorithm> getRevocationEndpointJWSAlgs(); 213 214 215 /** 216 * Gets the supported JWS algorithms for request objects. Corresponds 217 * to the {@code request_object_signing_alg_values_supported} metadata 218 * field. 219 * 220 * @return The supported JWS algorithms, {@code null} if not specified. 221 */ 222 List<JWSAlgorithm> getRequestObjectJWSAlgs(); 223 224 225 /** 226 * Gets the supported JWE algorithms for request objects. Corresponds 227 * to the {@code request_object_encryption_alg_values_supported} 228 * metadata field. 229 * 230 * @return The supported JWE algorithms, {@code null} if not specified. 231 */ 232 List<JWEAlgorithm> getRequestObjectJWEAlgs(); 233 234 235 /** 236 * Gets the supported encryption methods for request objects. 237 * Corresponds to the 238 * {@code request_object_encryption_enc_values_supported} metadata 239 * field. 240 * 241 * @return The supported encryption methods, {@code null} if not 242 * specified. 243 */ 244 List<EncryptionMethod> getRequestObjectJWEEncs(); 245 246 247 /** 248 * Gets the support for the {@code request} authorisation request 249 * parameter. Corresponds to the {@code request_parameter_supported} 250 * metadata field. 251 * 252 * @return {@code true} if the {@code reqeust} parameter is supported, 253 * else {@code false}. 254 */ 255 boolean supportsRequestParam(); 256 257 258 /** 259 * Gets the support for the {@code request_uri} authorisation request 260 * parameter. Corresponds to the 261 * {@code request_uri_parameter_supported} metadata field. 262 * 263 * @return {@code true} if the {@code request_uri} parameter is 264 * supported, else {@code false}. 265 */ 266 boolean supportsRequestURIParam(); 267 268 269 /** 270 * Gets the requirement for the {@code request_uri} parameter 271 * pre-registration. Corresponds to the 272 * {@code require_request_uri_registration} metadata field. 273 * 274 * @return {@code true} if the {@code request_uri} parameter values 275 * must be pre-registered, else {@code false}. 276 */ 277 boolean requiresRequestURIRegistration(); 278 279 280 /** 281 * Gets the requirement whether authorisation requests must be 282 * protected as a signed request object. Corresponds to the 283 * {@code require_signed_request_object} metadata field. 284 * 285 * @return {@code true} if authorisation requests must be protected as 286 * a signed request object, else {@code false}. 287 */ 288 boolean requiresSignedRequestObject(); 289 290 291 /** 292 * Gets the support for the {@code iss} authorisation response 293 * parameter. Corresponds to the 294 * {@code authorization_response_iss_parameter_supported} metadata 295 * field. 296 * 297 * @return {@code true} if the {@code iss} authorisation response 298 * parameter is provided, else {@code false}. 299 */ 300 boolean supportsAuthorizationResponseIssuerParam(); 301 302 303 /** 304 * Gets the supported UI locales. Corresponds to the 305 * {@code ui_locales_supported} metadata field. 306 * 307 * @return The supported UI locales, {@code null} if not specified. 308 */ 309 List<LangTag> getUILocales(); 310 311 312 /** 313 * Gets the service documentation URI. Corresponds to the 314 * {@code service_documentation} metadata field. 315 * 316 * @return The service documentation URI, {@code null} if not 317 * specified. 318 */ 319 URI getServiceDocsURI(); 320 321 322 /** 323 * Gets the provider's policy regarding relying party use of data. 324 * Corresponds to the {@code op_policy_uri} metadata field. 325 * 326 * @return The policy URI, {@code null} if not specified. 327 */ 328 URI getPolicyURI(); 329 330 331 /** 332 * Gets the provider's terms of service. Corresponds to the 333 * {@code op_tos_uri} metadata field. 334 * 335 * @return The terms of service URI, {@code null} if not specified. 336 */ 337 URI getTermsOfServiceURI(); 338 339 340 /** 341 * Gets the aliases for communication with mutual TLS. Corresponds to 342 * the {@code mtls_endpoint_aliases} metadata field. 343 * 344 * @return The aliases for communication with mutual TLS, {@code null} 345 * when no aliases are defined. 346 */ 347 ReadOnlyAuthorizationServerEndpointMetadata getReadOnlyMtlsEndpointAliases(); 348 349 350 /** 351 * Gets the support for TLS client certificate bound access tokens. 352 * Corresponds to the 353 * {@code tls_client_certificate_bound_access_tokens} metadata field. 354 * 355 * @return {@code true} if TLS client certificate bound access tokens 356 * are supported, else {@code false}. 357 */ 358 boolean supportsTLSClientCertificateBoundAccessTokens(); 359 360 361 /** 362 * Gets the support for TLS client certificate bound access tokens. 363 * Corresponds to the 364 * {@code tls_client_certificate_bound_access_tokens} metadata field. 365 * 366 * @return {@code true} if TLS client certificate bound access tokens 367 * are supported, else {@code false}. 368 */ 369 @Deprecated 370 boolean supportsMutualTLSSenderConstrainedAccessTokens(); 371 372 373 /** 374 * Gets the supported JWS algorithms for Demonstrating 375 * Proof-of-Possession at the Application Layer (DPoP). Corresponds to 376 * the "dpop_signing_alg_values_supported" metadata field. 377 * 378 * @return The supported JWS algorithms for DPoP, {@code null} if none. 379 */ 380 List<JWSAlgorithm> getDPoPJWSAlgs(); 381 382 383 /** 384 * Gets the supported JWS algorithms for JWT-encoded authorisation 385 * responses. Corresponds to the 386 * {@code authorization_signing_alg_values_supported} metadata field. 387 * 388 * @return The supported JWS algorithms, {@code null} if not specified. 389 */ 390 List<JWSAlgorithm> getAuthorizationJWSAlgs(); 391 392 393 /** 394 * Gets the supported JWE algorithms for JWT-encoded authorisation 395 * responses. Corresponds to the 396 * {@code authorization_encryption_alg_values_supported} metadata 397 * field. 398 * 399 * @return The supported JWE algorithms, {@code null} if not specified. 400 */ 401 List<JWEAlgorithm> getAuthorizationJWEAlgs(); 402 403 404 /** 405 * Gets the supported encryption methods for JWT-encoded authorisation 406 * responses. Corresponds to the 407 * {@code authorization_encryption_enc_values_supported} metadata 408 * field. 409 * 410 * @return The supported encryption methods, {@code null} if not 411 * specified. 412 */ 413 List<EncryptionMethod> getAuthorizationJWEEncs(); 414 415 416 /** 417 * Gets the requirement for pushed authorisation requests (PAR). 418 * Corresponds to the {@code pushed_authorization_request_endpoint} 419 * metadata field. 420 * 421 * @return {@code true} if PAR is required, else {@code false}. 422 */ 423 boolean requiresPushedAuthorizationRequests(); 424 425 426 /** 427 * Gets the supported authorisation details types for Rich 428 * Authorisation Requests (RAR). Corresponds to the 429 * {@code authorization_details_types_supported} metadata field. 430 * 431 * @return The supported authorisation types, {@code null} if not 432 * specified. 433 */ 434 List<AuthorizationType> getAuthorizationDetailsTypes(); 435 436 437 /** 438 * Gets the supported OAuth 2.0 client types for incremental 439 * authorisation. Corresponds to the 440 * {@code incremental_authz_types_supported} metadata field. 441 * 442 * @return The supported client types for incremental authorisation, 443 * {@code null} if not specified. 444 */ 445 List<ClientType> getIncrementalAuthorizationTypes(); 446 447 448 /** 449 * Gets the supported CIBA token delivery modes. Corresponds to the 450 * {@code backchannel_token_delivery_modes_supported} metadata field. 451 * 452 * @return The CIBA token delivery modes, {@code null} if not 453 * specified. 454 */ 455 List<BackChannelTokenDeliveryMode> getBackChannelTokenDeliveryModes(); 456 457 458 /** 459 * Gets the supported JWS algorithms for CIBA requests. Corresponds to 460 * the {@code backchannel_authentication_request_signing_alg_values_supported} 461 * metadata field. 462 * 463 * @return The supported JWS algorithms, {@code null} if not specified. 464 */ 465 List<JWSAlgorithm> getBackChannelAuthenticationRequestJWSAlgs(); 466 467 468 /** 469 * Gets the support for the {@code user_code} CIBA request parameter. 470 * Corresponds to the {@code backchannel_user_code_parameter_supported} 471 * metadata field. 472 * 473 * @return {@code true} if the {@code user_code} parameter is 474 * supported, else {@code false}. 475 */ 476 boolean supportsBackChannelUserCodeParam(); 477 478 479 /** 480 * Gets the supported {@link Prompt.Type prompt types}. Corresponds to 481 * the {@code prompt_values_supported} metadata field. 482 * 483 * @return The supported prompt types, {@code null} if not specified. 484 */ 485 List<Prompt.Type> getPromptTypes(); 486 487 488 489 490 491 /** 492 * Gets the organisation name (OpenID Connect Federation 1.0). 493 * Corresponds to the {@code organization_name} metadata field. 494 * 495 * @return The organisation name, {@code null} if not specified. 496 */ 497 String getOrganizationName(); 498 499 500 /** 501 * Gets the JWK set (OpenID Connect Federation 1.0). Corresponds to the 502 * {@code jwks} metadata field. 503 * 504 * @return The JWK set, {@code null} if not specified. 505 */ 506 JWKSet getJWKSet(); 507 508 509 /** 510 * Gets the signed JWK set URI (OpenID Connect Federation 1.0). 511 * Corresponds to the {@code signed_jwks_uri} metadata field. 512 * 513 * @return The signed JWK set URI, {@code null} if not specified. 514 */ 515 URI getSignedJWKSetURI(); 516 517 518 /** 519 * Gets the supported OpenID Connect Federation 1.0 client registration 520 * types. Corresponds to the 521 * {@code client_registration_types_supported} metadata field. 522 * 523 * @return The supported client registration types, {@code null} if not 524 * specified. 525 */ 526 List<ClientRegistrationType> getClientRegistrationTypes(); 527 528 529 /** 530 * Gets the supported request authentication methods for automatic 531 * OpenID Connect Federation 1.0 client registration. Corresponds to 532 * the {@code request_authentication_methods_supported} field. 533 * 534 * @return The supported request authentication methods for automatic 535 * federation client registration, {@code null} if not specified. 536 */ 537 Map<EndpointName, List<ClientAuthenticationMethod>> getClientRegistrationAuthnMethods(); 538 539 540 /** 541 * Gets the supported JWS algorithms for authenticating automatic 542 * OpenID Connect Federation 1.0 client registration requests. 543 * Corresponds to the 544 * {@code request_authentication_signing_alg_values_supported}. 545 * 546 * @return The supported JWS algorithms, {@code null} if not specified. 547 */ 548 List<JWSAlgorithm> getClientRegistrationAuthnJWSAlgs(); 549 550 551 /** 552 * Gets the specified custom (not registered) parameter. 553 * 554 * @param name The parameter name. Must not be {@code null}. 555 * @return The parameter value, {@code null} if not specified. 556 */ 557 Object getCustomParameter(String name); 558 559 560 /** 561 * Gets the specified custom (not registered) URI parameter. 562 * 563 * @param name The parameter name. Must not be {@code null}. 564 * @return The parameter URI value, {@code null} if not specified. 565 */ 566 URI getCustomURIParameter(String name); 567 568 569 /** 570 * Gets the custom (not registered) parameters. 571 * 572 * @return The custom parameters, empty JSON object if none. 573 */ 574 JSONObject getCustomParameters(); 575 576 577 /** 578 * Returns the JSON object representation of the metadata. 579 * 580 * @return The JSON object representation. 581 */ 582 JSONObject toJSONObject(); 583}