Package org.projectnessie.client.auth.oauth2

Interface TokenExchangeConfig

@Immutable
public interface TokenExchangeConfig

Configuration for OAuth2 token exchange.

STILL IN BETA. API MAY CHANGE.

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static interface	TokenExchangeConfig.Builder

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CURRENT_ACCESS_TOKEN
static final String	CURRENT_REFRESH_TOKEN
static final TokenExchangeConfig	DISABLED
static final String	NO_TOKEN
static final List<String>	SCOPES_INHERIT

Method Summary

Modifier and Type	Method	Description
static TokenExchangeConfig.Builder	builder()
static TokenExchangeConfig	fromConfigSupplier(Function<String,String> config)
default BiFunction<AccessToken,RefreshToken,TypedToken>	getActorTokenProvider()	The actor token provider.
Optional<String>	getAudience()	The logical name of the target service where the client intends to use the requested security token.
Optional<String>	getClientId()	An alternate client ID to use for token exchanges only.
Optional<Secret>	getClientSecret()	An alternate client secret to use for token exchanges only.
Optional<URI>	getIssuerUrl()	The root URL of an alternate OpenID Connect identity issuer provider, which will be used for discovering supported endpoints and their locations, for token exchange only.
default URI	getRequestedTokenType()	The type of the requested security token.
Optional<URI>	getResource()	A URI that indicates the target service or resource where the client intends to use the requested security token.
default List<String>	getScopes()	The OAuth2 scopes.
default BiFunction<AccessToken,RefreshToken,TypedToken>	getSubjectTokenProvider()	The subject token provider.
Optional<URI>	getTokenEndpoint()	An alternate OAuth2 token endpoint, for token exchange only.
default boolean	isEnabled()	Whether token exchange is enabled.

Field Details

SCOPES_INHERIT

static final List<String> SCOPES_INHERIT

DISABLED

static final TokenExchangeConfig DISABLED

CURRENT_ACCESS_TOKEN

static final String CURRENT_ACCESS_TOKEN

See Also:

• Constant Field Values

CURRENT_REFRESH_TOKEN

static final String CURRENT_REFRESH_TOKEN

See Also:

• Constant Field Values

NO_TOKEN

static final String NO_TOKEN

See Also:

• Constant Field Values

Method Details

fromConfigSupplier

static TokenExchangeConfig fromConfigSupplier(Function<String,String> config)

isEnabled

@Default
default boolean isEnabled()

Whether token exchange is enabled. If enabled, the access token obtained from the OAuth2 server will be exchanged for a new token, using the token endpoint and the token exchange grant type, as defined in RFC 8693.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ENABLED

getClientId

Optional<String> getClientId()

An alternate client ID to use for token exchanges only. If not provided, the global client ID will be used. If provided, and if the client is confidential, then its secret must be provided with getClientSecret() – the global client secret will NOT be used.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_ID

getClientSecret

Optional<Secret> getClientSecret()

An alternate client secret to use for token exchanges only. Required if the alternate client obtained from getClientId() is confidential.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_SECRET

getIssuerUrl

Optional<URI> getIssuerUrl()

The root URL of an alternate OpenID Connect identity issuer provider, which will be used for discovering supported endpoints and their locations, for token exchange only.

If neither this property nor getTokenEndpoint() are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange.

Endpoint discovery is performed using the OpenID Connect Discovery metadata published by the issuer. See OpenID Connect Discovery 1.0 for more information.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ISSUER_URL

getTokenEndpoint

Optional<URI> getTokenEndpoint()

An alternate OAuth2 token endpoint, for token exchange only.

If neither this property nor getIssuerUrl() are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_TOKEN_ENDPOINT

getRequestedTokenType

@Default
default URI getRequestedTokenType()

The type of the requested security token. By default, TypedToken.URN_ACCESS_TOKEN.

Currently, it is not possible to request any other token type, so this property is not configurable through system properties.

getResource

Optional<URI> getResource()

A URI that indicates the target service or resource where the client intends to use the requested security token.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_RESOURCE

getAudience

Optional<String> getAudience()

The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the resource parameter but with the client providing a logical name for the target service.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_AUDIENCE

getScopes

@Default
default List<String> getScopes()

The OAuth2 scopes. Optional.

The special value SCOPES_INHERIT (default) means that the scopes will be inherited from the global OAuth2 configuration.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SCOPES

getSubjectTokenProvider

@Default
@Auxiliary
default BiFunction<AccessToken,RefreshToken,TypedToken> getSubjectTokenProvider()

The subject token provider. The provider will be invoked with the current access token (never null) and the current refresh token, or null if none available; and should return a TypedToken representing the subject token. It must NOT return null.

By default, the provider will return the access token itself. This should be suitable for most cases.

This property cannot be set through configuration, but only programmatically. The configuration exposes two options: the subject token and its type. These options allow to pass a static subject token only.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN
• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE

getActorTokenProvider

@Default
@Auxiliary
default BiFunction<AccessToken,RefreshToken,TypedToken> getActorTokenProvider()

The actor token provider. The provider will be invoked with the current access token (never null) and the current refresh token, or null if none available; and should return a TypedToken representing the actor token. If the provider returns null, then no actor token will be used.

Actor tokens are useful in delegation scenarios. By default, no actor token is used.

This property cannot be set through configuration, but only programmatically. The configuration exposes two options: the actor token and its type. These options allow to pass a static actor token only.

See Also:

• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN
• NessieConfigConstants.CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN_TYPE

builder

static TokenExchangeConfig.Builder builder()