Package com.nimbusds.openid.connect.sdk.federation.entities

Class EntityStatementClaimsSet

java.lang.Object

com.nimbusds.openid.connect.sdk.claims.ClaimsSet

com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

com.nimbusds.openid.connect.sdk.federation.entities.EntityStatementClaimsSet

All Implemented Interfaces:

net.minidev.json.JSONAware

public class EntityStatementClaimsSet
extends CommonClaimsSet

Federation entity statement claims set, serialisable to a JSON object.

Example claims set:

 {
   "iss": "https://feide.no",
   "sub": "https://ntnu.no",
   "iat": 1516239022,
   "exp": 1516298022,
   "crit": ["jti"],
   "jti": "7l2lncFdY6SlhNia",
   "policy_language_crit": ["regexp"],
   "metadata_policy": {
     "openid_provider": {
       "issuer": {"value": "https://ntnu.no"},
       "organization_name": {"value": "NTNU"},
       "id_token_signing_alg_values_supported":
         {"subset_of": ["RS256", "RS384", "RS512"]},
       "op_policy_uri": {
         "regexp": "^https:\/\/[\w-]+\.example\.com\/[\w-]+\.html"}
     },
     "openid_relying_party": {
       "organization_name": {"value": "NTNU"},
       "grant_types_supported": {
         "subset_of": ["authorization_code", "implicit"]},
       "scopes": {
         "subset_of": ["openid", "profile", "email", "phone"]}
     }
   },
   "constraints": {
     "max_path_length": 2
   }
   "jwks": {
     "keys": [
       {
         "alg": "RS256",
         "e": "AQAB",
         "ext": true,
         "key_ops": ["verify"],
         "kid": "key1",
         "kty": "RSA",
         "n": "pnXBOusEANuug6ewezb9J_...",
         "use": "sig"
       }
     ]
   },
   "authority_hints": [
     "https://edugain.org/federation"
   ]
 }
 

Related specifications:

• OpenID Connect Federation 1.0, section 2.1.

Field Summary

Fields

Modifier and Type	Field	Description
static String	AUTHORITY_HINTS_CLAIM_NAME	The authority hints claim name.
static String	CONSTRAINTS_CLAIM_NAME	The constraints claim name.
static String	CRITICAL_CLAIM_NAME	The critical claim name.
static String	EXP_CLAIM_NAME	The expiration time claim name.
static String	JWKS_CLAIM_NAME	The JWK set claim name.
static String	METADATA_CLAIM_NAME	The metadata claim name.
static String	METADATA_POLICY_CLAIM_NAME	The metadata policy claim name.
static String	POLICY_LANGUAGE_CRITICAL_CLAIM_NAME	The policy critical claim name.
static String	TRUST_ANCHOR_ID_CLAIM_NAME	The assumed trust anchor in a explicit client registration.

Fields inherited from class com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

IAT_CLAIM_NAME, SUB_CLAIM_NAME

Fields inherited from class com.nimbusds.openid.connect.sdk.claims.ClaimsSet

AUD_CLAIM_NAME, claims, ISS_CLAIM_NAME

Constructor Summary

Constructors

Constructor	Description
EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet)	Creates a new federation entity statement claims set from the specified JWT claims set.
EntityStatementClaimsSet(Issuer iss, Subject sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)	Creates a new federation entity statement claims set with the minimum required claims.
EntityStatementClaimsSet(EntityID iss, EntityID sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)	Creates a new federation entity statement claims set with the minimum required claims.

Method Summary

Modifier and Type	Method	Description
AuthorizationServerMetadata	getASMetadata()	Gets the OAuth 2.0 authorisation server metadata if present for this entity.
List<EntityID>	getAuthorityHints()	Gets the entity IDs of the intermediate entities or trust anchors.
TrustChainConstraints	getConstraints()	Gets the trust chain constraints for subordinate entities.
List<String>	getCriticalExtensionClaims()	Gets the names of the critical extension claims.
List<String>	getCriticalPolicyExtensions()	Gets the names of the critical policy extensions.
Date	getExpirationTime()	Gets the entity statement expiration time.
FederationEntityMetadata	getFederationEntityMetadata()	Gets the federation entity metadata if present for this entity.
EntityID	getIssuerEntityID()	Returns the issuer as entity ID.
com.nimbusds.jose.jwk.JWKSet	getJWKSet()	Gets the entity JWK set.
net.minidev.json.JSONObject	getMetadata(FederationMetadataType type)	Gets the metadata for the specified type.
MetadataPolicy	getMetadataPolicy(FederationMetadataType type)	Gets the metadata policy for the specified type.
net.minidev.json.JSONObject	getMetadataPolicyJSONObject()	Gets the complete metadata policy JSON object.
ClientMetadata	getOAuthClientMetadata()	Gets the OAuth 2.0 client metadata if present for this entity.
OIDCProviderMetadata	getOPMetadata()	Gets the OpenID provider metadata if present for this entity.
OIDCClientMetadata	getRPMetadata()	Gets the OpenID relying party metadata if present for this entity.
EntityID	getSubjectEntityID()	Returns the subject as entity ID.
EntityID	getTrustAnchorID()	Gets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0.
boolean	hasMetadata()	Returns true if a metadata field is present.
boolean	isSelfStatement()	Returns true if this is a self-statement (issuer and subject match).
void	setASMetadata(AuthorizationServerMetadata asMetadata)	Sets the OAuth 2.0 authorisation server metadata if present for this entity.
void	setAuthorityHints(List<EntityID> trustChain)	Sets the entity IDs of the intermediate entities or trust anchors.
void	setConstraints(TrustChainConstraints constraints)	Sets the trust chain constraint for subordinate entities.
void	setCriticalExtensionClaims(List<String> claimNames)	Sets the names of the critical extension claims.
void	setCriticalPolicyExtensions(List<String> extNames)	Sets the names of the critical policy extensions.
void	setFederationEntityMetadata(FederationEntityMetadata entityMetadata)	Sets the federation entity metadata if present for this entity.
void	setMetadata(FederationMetadataType type, net.minidev.json.JSONObject metadata)	Sets the metadata for the specified type.
void	setMetadataPolicy(FederationMetadataType type, MetadataPolicy metadataPolicy)	Sets the metadata policy for the specified type.
void	setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)	Sets the complete metadata policy JSON object.
void	setOAuthClientMetadata(ClientMetadata clientMetadata)	Sets the OAuth 2.0 client metadata if present for this entity.
void	setOPMetadata(OIDCProviderMetadata opMetadata)	Gets the OpenID provider metadata if present for this entity.
void	setRPMetadata(OIDCClientMetadata rpMetadata)	Sets the OpenID relying party metadata if present for this entity.
void	setTrustAnchorID(EntityID trustAnchorID)	Sets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0.
void	validateRequiredClaimsPresence()	Validates this claims set for having all minimum required claims for an entity statement.

Methods inherited from class com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet

getIssueTime, getStandardClaimNames, getSubject

Methods inherited from class com.nimbusds.openid.connect.sdk.claims.ClaimsSet

getAudience, getBooleanClaim, getClaim, getClaim, getDateClaim, getIssuer, getJSONObjectClaim, getLangTaggedClaim, getNumberClaim, getStringClaim, getStringClaim, getStringListClaim, getURIClaim, getURLClaim, putAll, putAll, setAudience, setAudience, setClaim, setClaim, setDateClaim, setIssuer, setURIClaim, setURLClaim, toJSONObject, toJSONString, toJWTClaimsSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

EXP_CLAIM_NAME

public static final String EXP_CLAIM_NAME

The expiration time claim name.

See Also:

Constant Field Values

JWKS_CLAIM_NAME

public static final String JWKS_CLAIM_NAME

The JWK set claim name.

See Also:

Constant Field Values

AUTHORITY_HINTS_CLAIM_NAME

public static final String AUTHORITY_HINTS_CLAIM_NAME

The authority hints claim name.

See Also:

Constant Field Values

METADATA_CLAIM_NAME

public static final String METADATA_CLAIM_NAME

The metadata claim name.

See Also:

Constant Field Values

METADATA_POLICY_CLAIM_NAME

public static final String METADATA_POLICY_CLAIM_NAME

The metadata policy claim name.

See Also:

Constant Field Values

TRUST_ANCHOR_ID_CLAIM_NAME

public static final String TRUST_ANCHOR_ID_CLAIM_NAME

The assumed trust anchor in a explicit client registration. Intended for entity statements issued by an OP for RP performing explicit client registration only.

See Also:

Constant Field Values

CONSTRAINTS_CLAIM_NAME

public static final String CONSTRAINTS_CLAIM_NAME

The constraints claim name.

See Also:

Constant Field Values

CRITICAL_CLAIM_NAME

public static final String CRITICAL_CLAIM_NAME

The critical claim name.

See Also:

Constant Field Values

POLICY_LANGUAGE_CRITICAL_CLAIM_NAME

public static final String POLICY_LANGUAGE_CRITICAL_CLAIM_NAME

The policy critical claim name.

See Also:

Constant Field Values

Constructor Detail

EntityStatementClaimsSet

public EntityStatementClaimsSet(Issuer iss,
                                Subject sub,
                                Date iat,
                                Date exp,
                                com.nimbusds.jose.jwk.JWKSet jwks)

Creates a new federation entity statement claims set with the minimum required claims.

Parameters:

iss - The issuer. Must not be null.

sub - The subject. Must not be null.

iat - The issue time. Must not be null.

exp - The expiration time. Must not be null.

jwks - The entity public JWK set, null if not required.

EntityStatementClaimsSet

public EntityStatementClaimsSet(EntityID iss,
                                EntityID sub,
                                Date iat,
                                Date exp,
                                com.nimbusds.jose.jwk.JWKSet jwks)

Creates a new federation entity statement claims set with the minimum required claims.

Parameters:

iss - The issuer. Must not be null.

sub - The subject. Must not be null.

iat - The issue time. Must not be null.

exp - The expiration time. Must not be null.

jwks - The entity public JWK set, null if not required.

EntityStatementClaimsSet

public EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet)
                         throws ParseException

Creates a new federation entity statement claims set from the specified JWT claims set.

Parameters:

jwtClaimsSet - The JWT claims set. Must not be null.

Throws:

ParseException - If the JWT claims set doesn't represent a valid federation entity statement claims set.

Method Detail

validateRequiredClaimsPresence

public void validateRequiredClaimsPresence()
                                    throws ParseException

Validates this claims set for having all minimum required claims for an entity statement. If a selt-statement check for the presence of metadata. If critical extension claims are listed their presence is also checked.

Throws:

ParseException - If the validation failed and a required claim is missing.

isSelfStatement

public boolean isSelfStatement()

Returns true if this is a self-statement (issuer and subject match).

Returns:

true for a self-statement, false if not.

getIssuerEntityID

public EntityID getIssuerEntityID()

Returns the issuer as entity ID.

Returns:

The issuer as entity ID.

getSubjectEntityID

public EntityID getSubjectEntityID()

Returns the subject as entity ID.

Returns:

The subject as entity ID.

getExpirationTime

public Date getExpirationTime()

Gets the entity statement expiration time. Corresponds to the exp claim.

Returns:

The expiration time, null if not specified or parsing failed.

getJWKSet

public com.nimbusds.jose.jwk.JWKSet getJWKSet()

Gets the entity JWK set.

Returns:

The entity JWK set, null if not specified or parsing failed.

getAuthorityHints

public List<EntityID> getAuthorityHints()

Gets the entity IDs of the intermediate entities or trust anchors.

Returns:

The entity IDs, null or empty list for a trust anchor, or if parsing failed.

setAuthorityHints

public void setAuthorityHints(List<EntityID> trustChain)

Sets the entity IDs of the intermediate entities or trust anchors.

Parameters:

trustChain - The entity IDs, null or empty list for a trust anchor.

hasMetadata

public boolean hasMetadata()

Returns true if a metadata field is present.

Returns:

true if for a metadata field for an OpenID relying party, OpenID provider, OAuth authorisation server, OAuth client, OAuth protected resource or a federation entity is present.

getMetadata

public net.minidev.json.JSONObject getMetadata(FederationMetadataType type)

Gets the metadata for the specified type. Use a typed getter, such as getRPMetadata(), when available.

Parameters:

type - The type. Must not be null.

Returns:

The metadata, null if not specified.

setMetadata

public void setMetadata(FederationMetadataType type,
                        net.minidev.json.JSONObject metadata)

Sets the metadata for the specified type. Use a typed setter, such as setRPMetadata(com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata), when available.

Parameters:

type - The type. Must not be null.

metadata - The metadata, null if not specified.

getRPMetadata

public OIDCClientMetadata getRPMetadata()

Gets the OpenID relying party metadata if present for this entity.

Returns:

The RP metadata, null if not specified or if parsing failed.

setRPMetadata

public void setRPMetadata(OIDCClientMetadata rpMetadata)

Sets the OpenID relying party metadata if present for this entity.

Parameters:

rpMetadata - The RP metadata, null if not specified.

getOPMetadata

public OIDCProviderMetadata getOPMetadata()

Gets the OpenID provider metadata if present for this entity.

Returns:

The OP metadata, null if not specified or if parsing failed.

setOPMetadata

public void setOPMetadata(OIDCProviderMetadata opMetadata)

Gets the OpenID provider metadata if present for this entity.

Parameters:

opMetadata - The OP metadata, null if not specified.

getOAuthClientMetadata

public ClientMetadata getOAuthClientMetadata()

Gets the OAuth 2.0 client metadata if present for this entity.

Returns:

The client metadata, null if not specified or if parsing failed.

setOAuthClientMetadata

public void setOAuthClientMetadata(ClientMetadata clientMetadata)

Sets the OAuth 2.0 client metadata if present for this entity.

Parameters:

clientMetadata - The client metadata, null if not specified.

getASMetadata

public AuthorizationServerMetadata getASMetadata()

Gets the OAuth 2.0 authorisation server metadata if present for this entity.

Returns:

The AS metadata, null if not specified or if parsing failed.

setASMetadata

public void setASMetadata(AuthorizationServerMetadata asMetadata)

Sets the OAuth 2.0 authorisation server metadata if present for this entity.

Parameters:

asMetadata - The AS metadata, null if not specified.

getFederationEntityMetadata

public FederationEntityMetadata getFederationEntityMetadata()

Gets the federation entity metadata if present for this entity.

Returns:

The federation entity metadata, null if not specified or if parsing failed.

setFederationEntityMetadata

public void setFederationEntityMetadata(FederationEntityMetadata entityMetadata)

Sets the federation entity metadata if present for this entity.

Parameters:

entityMetadata - The federation entity metadata, null if not specified.

getMetadataPolicyJSONObject

public net.minidev.json.JSONObject getMetadataPolicyJSONObject()

Gets the complete metadata policy JSON object.

Returns:

The metadata policy JSON object, null if not specified or if parsing failed.

setMetadataPolicyJSONObject

public void setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)

Sets the complete metadata policy JSON object.

Parameters:

metadataPolicy - The metadata policy JSON object, null if not specified.

getMetadataPolicy

public MetadataPolicy getMetadataPolicy(FederationMetadataType type)
                                 throws PolicyViolationException

Gets the metadata policy for the specified type.

Parameters:

type - The type. Must not be null.

Returns:

The metadata policy, null or if JSON parsing failed.

Throws:

PolicyViolationException - On a policy violation.

setMetadataPolicy

public void setMetadataPolicy(FederationMetadataType type,
                              MetadataPolicy metadataPolicy)

Sets the metadata policy for the specified type.

Parameters:

type - The type. Must not be null.

metadataPolicy - The metadata policy, null if not specified.

getTrustAnchorID

public EntityID getTrustAnchorID()

Gets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only.Corresponds to the trust_anchor_id client metadata field.

Returns:

The trust anchor ID, null if not specified.

setTrustAnchorID

public void setTrustAnchorID(EntityID trustAnchorID)

Sets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only.Corresponds to the trust_anchor_id client metadata field.

Parameters:

trustAnchorID - The trust anchor ID, null if not specified.

getConstraints

public TrustChainConstraints getConstraints()

Gets the trust chain constraints for subordinate entities.

Returns:

The trust chain constraints, null if not specified or if parsing failed.

setConstraints

public void setConstraints(TrustChainConstraints constraints)

Sets the trust chain constraint for subordinate entities.

Parameters:

constraints - The trust chain constraints, null if not specified.

getCriticalExtensionClaims

public List<String> getCriticalExtensionClaims()

Gets the names of the critical extension claims.

Returns:

The names of the critical extension claims, null if not specified or if parsing failed.

setCriticalExtensionClaims

public void setCriticalExtensionClaims(List<String> claimNames)

Sets the names of the critical extension claims.

Parameters:

claimNames - The names of the critical extension claims, null if not specified. Must not be an empty list.

getCriticalPolicyExtensions

public List<String> getCriticalPolicyExtensions()

Gets the names of the critical policy extensions.

Returns:

The names of the critical policy extensions or if parsing failed.

setCriticalPolicyExtensions

public void setCriticalPolicyExtensions(List<String> extNames)

Sets the names of the critical policy extensions.

Parameters:

extNames - The names of the critical policy extensions, null if not specified. Must not be an empty list.