Package org.oa4mp.server.loader.oauth2.storage.clients

Class OA2Client

  • All Implemented Interfaces:
    edu.uiuc.ncsa.security.core.DateComparable, edu.uiuc.ncsa.security.core.Identifiable, Serializable, Cloneable, org.oa4mp.delegation.server.server.OA2ClientScopes
    public class OA2Client
extends Client
implements org.oa4mp.delegation.server.server.OA2ClientScopes
    OAuth2 Open ID connect protocol requires that sites register callback uris and that incoming requests must include a callback that matches one of the registered ones.

    Created by Jeff Gaynor
    on 3/14/14 at 11:04 AM

    See Also:
    Serialized Form

    • Field Detail

      • DISABLE_REFRESH_TOKENS

        public static final long DISABLE_REFRESH_TOKENS
        See Also:
        Constant Field Values

      • publicClient

        protected boolean publicClient

      • xoauth_attributes

        protected String xoauth_attributes

      • oa4mp_attributes

        protected String oa4mp_attributes

      • oidc_cm_attributes

        protected String oidc_cm_attributes

      • TOKENS_KEY

        protected String TOKENS_KEY

      • ACCESS_TOKENS_KEY

        protected String ACCESS_TOKENS_KEY

      • REFRESH_TOKENS_KEY

        protected String REFRESH_TOKENS_KEY

      • ID_TOKENS_KEY

        protected String ID_TOKENS_KEY

      • CLIENT_COMMENT_TAG

        public static String CLIENT_COMMENT_TAG

      • config

        protected String config

      • jsonConfig

        protected net.sf.json.JSONObject jsonConfig

      • extended_attributes

        protected net.sf.json.JSONObject extended_attributes

    • Constructor Detail

      • OA2Client

        public OA2Client​(edu.uiuc.ncsa.security.core.Identifier identifier)

    • Method Detail

      • clone

        public OA2Client clone()
        Specified by:
        clone in interface edu.uiuc.ncsa.security.core.Identifiable
        Overrides:
        clone in class Client

      • getMaxATLifetime

        public long getMaxATLifetime()
        The maximum lifetime, if different from the server max, for this client. Note that once set, no AT lifetime can exceed this. Set to <= 0 to use the server max. as the client max.
        Returns:

      • setMaxATLifetime

        public void setMaxATLifetime​(long maxATLifetime)

      • getMaxRTLifetime

        public long getMaxRTLifetime()
        The maximum lifetime, if different from the server max, for this client. Note that once set, no RT lifetime can exceed this. Set to <= 0 to use the server max. as the client max.
        Returns:

      • setMaxRTLifetime

        public void setMaxRTLifetime​(long maxRTLifetime)

      • setComment

        public void setComment​(String comment)

      • getPrototypes

        public List<edu.uiuc.ncsa.security.core.Identifier> getPrototypes()

      • setPrototypes

        public void setPrototypes​(List<edu.uiuc.ncsa.security.core.Identifier> prototypes)

      • hasPrototypes

        public boolean hasPrototypes()

      • isErsatzClient

        public boolean isErsatzClient()

      • setErsatzClient

        public void setErsatzClient​(boolean ersatzClient)

      • isExtendsProvisioners

        public boolean isExtendsProvisioners()
        If the ersatz client should simply extend all provisioners. This means you do not have to set the setPrototypes(List) for this object. If you do set it, those will be processed first then the provisioners.
        Returns:

      • setExtendsProvisioners

        public void setExtendsProvisioners​(boolean extendsProvisioners)

      • isSkipServerScripts

        public boolean isSkipServerScripts()

      • setSkipServerScripts

        public void setSkipServerScripts​(boolean skipServerScripts)

      • isPublicClient

        public boolean isPublicClient()

      • isOIDCClient

        public boolean isOIDCClient()

      • setPublicClient

        public void setPublicClient​(boolean publicClient)

      • isSignTokens

        public boolean isSignTokens()

      • setSignTokens

        public void setSignTokens​(boolean signTokens)

      • getIssuer

        public String getIssuer()

      • setIssuer

        public void setIssuer​(String issuer)

      • setCallbackURIs

        public void setCallbackURIs​(Collection<String> callbackURIs)

      • getRtLifetime

        public long getRtLifetime()

      • setRtLifetime

        public void setRtLifetime​(long rtLifetime)

      • getAtLifetime

        public long getAtLifetime()

      • setAtLifetime

        public void setAtLifetime​(long atLifetime)

      • getIdTokenLifetime

        public long getIdTokenLifetime()

      • setIdTokenLifetime

        public void setIdTokenLifetime​(long idTokenLifetime)

      • getMaxIDTLifetime

        public long getMaxIDTLifetime()

      • setMaxIDTLifetime

        public void setMaxIDTLifetime​(long maxIDTLifetime)

      • isRTLifetimeEnabled

        public boolean isRTLifetimeEnabled()
        This returns whether or not this client is configured to return refresh tokens. Zero means no refresh tokens, positive is the lifetime, negative USE_SERVER_DEFAULT means to use the server default. Disabled means the lifetime is set to zero. See also getMaxRTLifetime()
        Returns:

      • useServerDefaultRTLifetime

        public boolean useServerDefaultRTLifetime()

      • getResource

        public List<URI> getResource()

      • setResource

        public void setResource​(List<URI> resource)

      • getLdaps

        public Collection<org.oa4mp.delegation.server.server.config.LDAPConfiguration> getLdaps()

      • setLdaps

        public void setLdaps​(Collection<org.oa4mp.delegation.server.server.config.LDAPConfiguration> ldaps)

      • hasPayloadConfig

        protected boolean hasPayloadConfig​(String root,
                                   String path)

      • hasAccessTokenConfig

        public boolean hasAccessTokenConfig()

      • hasDriverConfig

        public boolean hasDriverConfig()

      • setRefreshTokensConfig

        public void setRefreshTokensConfig​(RefreshTokenConfig refreshTokenConfig)

      • hasRefreshTokenConfig

        public boolean hasRefreshTokenConfig()

      • hasIDTokenConfig

        public boolean hasIDTokenConfig()

      • getNamedAttributes

        protected net.sf.json.JSONObject getNamedAttributes​(String name)

      • setNamedAttributes

        protected void setNamedAttributes​(String name,
                                  net.sf.json.JSONObject jsonObject)

      • hasOIDC_CM_Attributes

        public boolean hasOIDC_CM_Attributes()

      • getOIDC_CM_Attributes

        public net.sf.json.JSONObject getOIDC_CM_Attributes()

      • setOIDC_CM_attributes

        public void setOIDC_CM_attributes​(net.sf.json.JSONObject attr)

      • removeOIDC_CM_Attributes

        public void removeOIDC_CM_Attributes()

      • getOA4MPAttributes

        protected net.sf.json.JSONObject getOA4MPAttributes()

      • getXOAuthExtendedAttributes

        protected net.sf.json.JSONObject getXOAuthExtendedAttributes()

      • hasExtendedAttributeSupport

        public boolean hasExtendedAttributeSupport()
        Extended attributes refers to allowing the client pass in NS qualified additional parameters in the request. Normally, these are ignored (as per spec). However, we can accept additional parameters (as per spec too), so if this is set to true, then those prefixed correctly will be added to the transaction for later processing. The default is false for this option.

        Note

        These reside in the JSON configuration as part of a separate extra attributes object. So in the configuration you should have something like 
             {"cfg":["comments"],
       "extraAttributes":{"extendedAttributesEnabled":true},
       ... other stuff.
     }
        Returns:

      • setExtendedAttributeSupport

        public void setExtendedAttributeSupport​(boolean b)

      • useStrictScopes

        public boolean useStrictScopes()
        Strict scopes means that the list of scopes must match exactly for the given client. Typically this is false for WLCG and other clients that can pass in arbitrary scopes.
        Returns:

      • setStrictscopes

        public void setStrictscopes​(boolean newValue)

      • setNamedProperty

        protected void setNamedProperty​(String component,
                                String key,
                                Object property)

      • getGrantTypes

        public List<String> getGrantTypes()

      • setGrantTypes

        public void setGrantTypes​(List<String> grantTypes)

      • setComment

        public void setComment​(List<String> comments)

      • getResponseTypes

        public List<String> getResponseTypes()

      • setResponseTypes

        public void setResponseTypes​(List<String> responseTypes)

      • getConfig

        public net.sf.json.JSONObject getConfig()
        The JSON configuration object. The format is as follows: 
         {
   "config":"comment",
   "claims":{"sources":[JSON],
             "logic":[JSON],
             "source_config":[JSON],
             "processing":[JSON]},
    "sci_tokens":{"usernameClaimKey":"value", "templates":[...], "qdl":{...}},
    "id_tokens":{"qdl":{...}},
    "wlcg_token":{"qdl":{...}},
    "isSaved":true|false
 }

        Note that the "claims" entry is deprecated and mostly refers to the old JFunctor scripting. Don't use in new configurations. The isSaved entry too relates to JFunctors and is ignored by all other components.

        See the ClientJSONConfigUtil JSON may be either a single JSON object or an array of them. If a single, it is converted to an array of a single object before processing.

        As of now (version 4.3), the claims block which is simple functor scripting is deprecated in favor of the new qdl block. JSON may be a logic block (which consists of various JSON functors. 

         {
   "$if":conditionals,
   "$then":"actions",
   "$else":"other actions"
 }

        conditionals, actions and other actions are JSON objects or arrays of them as well. Note that the conditional must be a functor that evaluates to a logical value.

        Returns:

      • hasConfig

        public boolean hasConfig()

      • setConfig

        public void setConfig​(net.sf.json.JSONObject config)

      • setRawConfig

        public void setRawConfig​(String rawConfig)

      • getRawConfig

        public String getRawConfig()

      • getExtendedAttributes

        public net.sf.json.JSONObject getExtendedAttributes()
        Extended attributes base call. The getConfig() gets user-facing configuration, like scripts and maybe other things not related to OAuth. Extended attributes are for core configuration such as more grant types and such that come from specifications and are generally not open to change. The reason for this is simple: as OA4MP evolves, more and more attributes must be managed and rather than keep adding more database columns (and also have to update other store types too, with all the management that implies), just have a central place and leave all logic for them otherwise in software. Setters and getters are added to this class which store their information in a JSON blob.

        Structure

        The structure is a flat list of attributes as: 
             {
      "xoauth_attributes":{"grant_type":[....},  <-- attributes for OAuth
      "oa4mp_attributes":{"foo":"bar",...}       <-- attributes relating to OA4MP
      "oidc-cm":{"x":"y",...}                    <-- unused attributes RFC7951, so we have them
     ... etc
     }
        Returns:

      • setExtendedAttributes

        public void setExtendedAttributes​(net.sf.json.JSONObject eas)

      • hasExtendedAttributes

        public boolean hasExtendedAttributes()

      • main

        public static void main​(String[] args)

      • hasScript

        public boolean hasScript()

      • getDfLifetime

        public long getDfLifetime()

      • setDfLifetime

        public void setDfLifetime​(long dfLifetime)

      • getDfInterval

        public long getDfInterval()

      • setDfInterval

        public void setDfInterval​(long dfInterval)

      • getProxyClaimsList

        public Collection<String> getProxyClaimsList()
        This is a string that tells what claims in addition to the subject to take from the proxy claims. Default is just to take the subject. Options are
        • (empty) - default = just take the sub claim
        • [*] - all
        • [c0, c1, c2,...] - a list
        Returns:

      • setProxyClaimsList

        public void setProxyClaimsList​(Collection<String> proxyClaimsList)

      • getProxyRequestScopes

        public Collection<String> getProxyRequestScopes()
        Send the scopes explicitly in the client configuration, not the vetted scopes.
        Returns:

      • setProxyRequestScopes

        public void setProxyRequestScopes​(Collection<String> proxyRequestScopes)

      • hasRequestScopes

        public boolean hasRequestScopes()

      • isForwardScopesToProxy

        public boolean isForwardScopesToProxy()
        The scopes sentr to the proxy as the vetted scopes requested by the client. This may include scopes for access or refresh tokens
        Returns:

      • setForwardScopesToProxy

        public void setForwardScopesToProxy​(boolean forwardScopesToProxy)

      • getRtGracePeriod

        public long getRtGracePeriod()

      • setRtGracePeriod

        public void setRtGracePeriod​(long rtGracePeriod)

      • isErsatzInheritIDToken

        public boolean isErsatzInheritIDToken()
        If this is an ersatz client, should it inherit the id token of its provisioner when forking the flow? If true, then yes, if false, then no.

        There are many times when the ersatz client needs some information in the id token of the provisioner (such as job id or other accounting information) and times when no information should be shared. Since this is generally undecideable, a flag si supplied.

        Returns:

      • setErsatzInheritIDToken

        public void setErsatzInheritIDToken​(boolean ersatzInheritIDToken)

      • isAllowPromptNone

        public boolean isAllowPromptNone()

      • setAllowPromptNone

        public void setAllowPromptNone​(boolean allowPromptNone)