Package com.nimbusds.oauth2.sdk.ciba

Class CIBARequest

java.lang.Object
com.nimbusds.oauth2.sdk.AbstractRequest
com.nimbusds.oauth2.sdk.AbstractAuthenticatedRequest
com.nimbusds.oauth2.sdk.ciba.CIBARequest
All Implemented Interfaces:
Message, Request
@Immutable public class CIBARequest extends AbstractAuthenticatedRequest

CIBA request to an OpenID provider / OAuth 2.0 authorisation server backend authentication endpoint. Supports plan as well as signed (JWT) requests.

Example HTTP request: 

 POST /bc-authorize HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded

 scope=openid%20email%20example-scope&
 client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255&
 binding_message=W4SCT&
 login_hint_token=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
 zdWJfaWQiOnsic3ViamVjdF90eXBlIjoicGhvbmUiLCJwaG9uZSI6IisxMzMwMjg
 xODAwNCJ9fQ.Kk8jcUbHjJAQkRSHyDuFQr3NMEOSJEZc85VfER74tX6J9CuUllr8
 9WKUHUR7MA0-mWlptMRRhdgW1ZDt7g1uwQ&
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
 client-assertion-type%3Ajwt-bearer&
 client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
 pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB
 zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN
 6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3
 E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK
 7fL-GaZSdnd9kg

Related specifications:

  • OpenID Connect CIBA Flow - Core 1.0
  • Financial-grade API: Client Initiated Backchannel Authentication Profile (draft 02)

  • Field Details

  • Constructor Details

    • CIBARequest

      @Deprecated public CIBARequest(URI endpoint, ClientAuthentication clientAuth, Scope scope, BearerAccessToken clientNotificationToken, List<ACR> acrValues, String loginHintTokenString, com.nimbusds.jwt.JWT idTokenHint, String loginHint, String bindingMessage, Secret userCode, Integer requestedExpiry, Map<String,List<String>> customParams)
      Deprecated.
      Creates a new CIBA request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      scope - The requested scope. Must not be empty or null.
      clientNotificationToken - The client notification token, null if not specified.
      acrValues - The requested ACR values, null if not specified.
      loginHintTokenString - The login hint token string, null if not specified.
      idTokenHint - The ID Token hint, null if not specified.
      loginHint - The login hint, null if not specified.
      bindingMessage - The binding message, null if not specified.
      userCode - The user code, null if not specified.
      requestedExpiry - The required expiry (as positive integer), null if not specified.
      customParams - Custom parameters, empty or null if not specified.

    • CIBARequest

      @Deprecated public CIBARequest(URI endpoint, ClientAuthentication clientAuth, Scope scope, BearerAccessToken clientNotificationToken, List<ACR> acrValues, String loginHintTokenString, com.nimbusds.jwt.JWT idTokenHint, String loginHint, String bindingMessage, Secret userCode, Integer requestedExpiry, OIDCClaimsRequest claims, Map<String,List<String>> customParams)
      Deprecated.
      Creates a new CIBA request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      scope - The requested scope. Must not be empty or null.
      clientNotificationToken - The client notification token, null if not specified.
      acrValues - The requested ACR values, null if not specified.
      loginHintTokenString - The login hint token string, null if not specified.
      idTokenHint - The ID Token hint, null if not specified.
      loginHint - The login hint, null if not specified.
      bindingMessage - The binding message, null if not specified.
      userCode - The user code, null if not specified.
      requestedExpiry - The required expiry (as positive integer), null if not specified.
      claims - The individual claims to be returned, null if not specified.
      customParams - Custom parameters, empty or null if not specified.

    • CIBARequest

      @Deprecated public CIBARequest(URI endpoint, ClientAuthentication clientAuth, Scope scope, BearerAccessToken clientNotificationToken, List<ACR> acrValues, String loginHintTokenString, com.nimbusds.jwt.JWT idTokenHint, String loginHint, String bindingMessage, Secret userCode, Integer requestedExpiry, OIDCClaimsRequest claims, List<com.nimbusds.langtag.LangTag> claimsLocales, String purpose, List<URI> resources, Map<String,List<String>> customParams)
      Deprecated.
      Creates a new CIBA request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      scope - The requested scope. Must not be empty or null.
      clientNotificationToken - The client notification token, null if not specified.
      acrValues - The requested ACR values, null if not specified.
      loginHintTokenString - The login hint token string, null if not specified.
      idTokenHint - The ID Token hint, null if not specified.
      loginHint - The login hint, null if not specified.
      bindingMessage - The binding message, null if not specified.
      userCode - The user code, null if not specified.
      requestedExpiry - The required expiry (as positive integer), null if not specified.
      claims - The individual claims to be returned, null if not specified.
      claimsLocales - The preferred languages and scripts for claims being returned, null if not specified.
      purpose - The transaction specific purpose, null if not specified.
      resources - The resource URI(s), null if not specified.
      customParams - Custom parameters, empty or null if not specified.

    • CIBARequest

      @Deprecated public CIBARequest(URI endpoint, ClientAuthentication clientAuth, Scope scope, BearerAccessToken clientNotificationToken, List<ACR> acrValues, String loginHintTokenString, com.nimbusds.jwt.JWT idTokenHint, String loginHint, String bindingMessage, Secret userCode, Integer requestedExpiry, OIDCClaimsRequest claims, List<com.nimbusds.langtag.LangTag> claimsLocales, String purpose, List<AuthorizationDetail> authorizationDetails, List<URI> resources, Map<String,List<String>> customParams)
      Deprecated.
      Creates a new CIBA request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      scope - The requested scope. Must not be empty or null.
      clientNotificationToken - The client notification token, null if not specified.
      acrValues - The requested ACR values, null if not specified.
      loginHintTokenString - The login hint token string, null if not specified.
      idTokenHint - The ID Token hint, null if not specified.
      loginHint - The login hint, null if not specified.
      bindingMessage - The binding message, null if not specified.
      userCode - The user code, null if not specified.
      requestedExpiry - The required expiry (as positive integer), null if not specified.
      claims - The individual claims to be returned, null if not specified.
      claimsLocales - The preferred languages and scripts for claims being returned, null if not specified.
      purpose - The transaction specific purpose, null if not specified.
      authorizationDetails - The Rich Authorisation Request (RAR) details, null if not specified.
      resources - The resource URI(s), null if not specified.
      customParams - Custom parameters, empty or null if not specified.

    • CIBARequest

      public CIBARequest(URI endpoint, ClientAuthentication clientAuth, Scope scope, BearerAccessToken clientNotificationToken, List<ACR> acrValues, LoginHintToken loginHintToken, com.nimbusds.jwt.JWT idTokenHint, String loginHint, String bindingMessage, Secret userCode, Integer requestedExpiry, OIDCClaimsRequest claims, List<com.nimbusds.langtag.LangTag> claimsLocales, String purpose, List<AuthorizationDetail> authorizationDetails, List<URI> resources, net.minidev.json.JSONObject requestContext, Map<String,List<String>> customParams)
      Creates a new CIBA request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      scope - The requested scope. Must not be empty or null.
      clientNotificationToken - The client notification token, null if not specified.
      acrValues - The requested ACR values, null if not specified.
      loginHintToken - The login hint token, null if not specified.
      idTokenHint - The ID Token hint, null if not specified.
      loginHint - The login hint, null if not specified.
      bindingMessage - The binding message, null if not specified.
      userCode - The user code, null if not specified.
      requestedExpiry - The required expiry (as positive integer), null if not specified.
      claims - The individual claims to be returned, null if not specified.
      claimsLocales - The preferred languages and scripts for claims being returned, null if not specified.
      purpose - The transaction specific purpose, null if not specified.
      authorizationDetails - The Rich Authorisation Request (RAR) details, null if not specified.
      resources - The resource URI(s), null if not specified.
      requestContext - The request context, null if not specified.
      customParams - Custom parameters, empty or null if not specified.

    • CIBARequest

      public CIBARequest(URI endpoint, ClientAuthentication clientAuth, com.nimbusds.jwt.SignedJWT signedRequest)
      Creates a new CIBA signed request.
      Parameters:
      endpoint - The URI of the CIBA endpoint. May be null if the toHTTPRequest() method is not going to be used.
      clientAuth - The client authentication. Must not be null.
      signedRequest - The signed request JWT. Must not be null.

  • Method Details

    • getRegisteredParameterNames

      public static Set<String> getRegisteredParameterNames()
      Returns the registered (standard) CIBA request parameter names.
      Returns:
      The registered CIBA request parameter names, as an unmodifiable set.

    • getScope

      public Scope getScope()
      Returns the scope. Corresponds to the optional scope parameter.
      Returns:
      The scope, null if not specified.

    • getClientNotificationToken

      public BearerAccessToken getClientNotificationToken()
      Returns the client notification token, required for the CIBA ping and push token delivery modes. Corresponds to the client_notification_token parameter.
      Returns:
      The client notification token, null if not specified.

    • getACRValues

      public List<ACR> getACRValues()
      Returns the requested Authentication Context Class Reference values. Corresponds to the optional acr_values parameter.
      Returns:
      The requested ACR values, null if not specified.

    • getHintType

      public CIBAHintType getHintType()
      Returns the hint type.
      Returns:
      The hint type.

    • getLoginHintToken

      public LoginHintToken getLoginHintToken()
      Returns the login hint token, containing information identifying the end-user for whom authentication is being requested. Corresponds to the login_hint_token parameter.
      Returns:
      The login hint token, null if not specified.

    • getLoginHintTokenString

      @Deprecated public String getLoginHintTokenString()
      Deprecated.
      Returns the login hint token string, containing information identifying the end-user for whom authentication is being requested. Corresponds to the login_hint_token parameter.
      Returns:
      The login hint token string, null if not specified.

    • getIDTokenHint

      public com.nimbusds.jwt.JWT getIDTokenHint()
      Returns the ID Token hint, passed as a hint to identify the end-user for whom authentication is being requested. Corresponds to the id_token_hint parameter.
      Returns:
      The ID Token hint, null if not specified.

    • getLoginHint

      public String getLoginHint()
      Returns the login hint (email address, phone number, etc), about the end-user for whom authentication is being requested. Corresponds to the login_hint parameter.
      Returns:
      The login hint, null if not specified.

    • getBindingMessage

      public String getBindingMessage()
      Returns the human-readable binding message for the display at the consumption and authentication devices. Corresponds to the binding_message parameter.
      Returns:
      The binding message, null if not specified.

    • getUserCode

      public Secret getUserCode()
      Returns the user secret code (password, PIN, etc.) to authorise the CIBA request with the authentication device. Corresponds to the user_code parameter.
      Returns:
      The user code, null if not specified.

    • getRequestedExpiry

      public Integer getRequestedExpiry()
      Returns the requested expiration for the auth_req_id. Corresponds to the requested_expiry parameter.
      Returns:
      The required expiry (as positive integer), null if not specified.

    • getOIDCClaims

      public OIDCClaimsRequest getOIDCClaims()
      Returns the individual claims to be returned. Corresponds to the optional claims parameter.
      Returns:
      The individual claims to be returned, null if not specified.

    • getClaimsLocales

      public List<com.nimbusds.langtag.LangTag> getClaimsLocales()
      Returns the end-user's preferred languages and scripts for the claims being returned, ordered by preference. Corresponds to the optional claims_locales parameter.
      Returns:
      The preferred claims locales, null if not specified.

    • getPurpose

      public String getPurpose()
      Returns the transaction specific purpose. Corresponds to the optional purpose parameter.
      Returns:
      The purpose, null if not specified.

    • getAuthorizationDetails

      public List<AuthorizationDetail> getAuthorizationDetails()
      Returns the Rich Authorisation Request (RAR) details.
      Returns:
      The authorisation details, null if not specified.

    • getResources

      public List<URI> getResources()
      Returns the resource server URI.
      Returns:
      The resource URI(s), null if not specified.

    • getContext

      public net.minidev.json.JSONObject getContext()
      Returns the request context.
      Returns:
      The request context, null if not specified.

    • getCustomParameters

      public Map<String,List<String>> getCustomParameters()
      Returns the additional custom parameters.
      Returns:
      The additional custom parameters as an unmodifiable map, empty map if none.

    • getCustomParameter

      public List<String> getCustomParameter(String name)
      Returns the specified custom parameter.
      Parameters:
      name - The parameter name. Must not be null.
      Returns:
      The parameter value(s), null if not specified.

    • isSigned

      public boolean isSigned()
      Returns true if this request is signed.
      Returns:
      true for a signed request, false for a plain request.

    • getRequestJWT

      public com.nimbusds.jwt.SignedJWT getRequestJWT()
      Returns the JWT for a signed request.
      Returns:
      The request JWT.

    • toParameters

      public Map<String,List<String>> toParameters()
      Returns the for parameters for this CIBA request. Parameters which are part of the client authentication are not included.
      Returns:
      The parameters.

    • toJWTClaimsSet

      public com.nimbusds.jwt.JWTClaimsSet toJWTClaimsSet()
      Returns the parameters for this CIBA request as a JSON Web Token (JWT) claims set. Intended for creating a signed CIBA request.
      Returns:
      The parameters as JWT claim set.

    • toHTTPRequest

      public HTTPRequest toHTTPRequest()
      Returns the matching HTTP request.
      Returns:
      The HTTP request.

    • parse

      public static CIBARequest parse(HTTPRequest httpRequest) throws ParseException
      Parses a CIBA request from the specified HTTP request.
      Parameters:
      httpRequest - The HTTP request. Must not be null.
      Returns:
      The CIBA request.
      Throws:
      ParseException - If parsing failed.