Package org.gcube.common.iam

Interface IAMResponse

All Known Implementing Classes:
AbstractIAMResponse, D4ScienceIAMClientAuthn, D4ScienceIAMClientAuthn4Client, D4ScienceIAMClientAuthn4User, D4ScienceIAMClientAuthz, OIDCBearerAuth
public interface IAMResponse
Interface for D4Science IAM response handling. Provides methods to access tokens, custom claims, and authentication information.
Author:
Mauro Mugnaini (Nubisware S.r.l.)

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    canBeRefreshed()
    Check if the current response can be refreshed
    void
    exchangeAccessToken(String clientId, String clientSecret, String audience, String scope)
    Exchanges and updates the current response with new one obtained with parameters provided.
    org.gcube.common.keycloak.model.AccessToken
    getAccessToken()
    Returns the access token in the response.
    String
    getAccessTokenString()
    Returns the access token in the response as string.
    String
    getContactOrganization()
    Returns the client's contact organization from the token
    String
    getContactPerson()
    Returns the client's contact person from the token
    String
    getContext()
    Returns the token context is issued for This is done by checking in the order: If the token contains the d4s_context claim, as specified also in KeycloakClient.D4S_DYNAMIC_SCOPE_NAME_TOKEN_CLAIM If the token contains a d4s-context:[context] valid dynamic scope, the value specified The value of the aud claim if contains a single value (for retro-compatibility) It returns null if none of the options are satisfied and the context cannot be determined.
    Set<String>
    getContextRoles()
    Returns the resource roles for the resource specified in the token context
    Set<String>
    getGlobalRoles()
    Returns the realm roles in the token
    String
    getName()
    Returns the client's name from the token
    Set<String>
    getResourceRoles(String resource)
    Returns the resource roles for the resource specified in the resource parameter
    Set<String>
    getRoles()
    Returns all the roles, realm and from all the resources in the token in the same set
    boolean
    isAccessTokenValid()
    Quick way to check if the access token is valid by checking the digital signature and the token expiration
    boolean
    isAccessTokenValid(boolean checkExpiration)
    Quick way to check if the access token is valid by checking the digital signature and the token expiration if the checkExpiration parameter is true
    boolean
    isExpired()
    Check if the current response is expired
    boolean
    isRefreshTokenValid()
    Quick way to check if the refresh token present in the current response and it is valid by checking the digital signature and the token expiration
    boolean
    isRefreshTokenValid(boolean checkExpiration)
    Quick way to check if the refresh token present in the current response and it is valid by checking the digital signature and the token expiration if the checkExpiration parameter is true
    void
    refresh()
    Refreshes the current response, new data can be obtained again with accessors.
    void
    verifyAccessToken()
    Verifies the access token integrity and validity; token digital signature and expiration are reported via specific exceptions.
    void
    verifyAccessToken(boolean checkExpiration)
    Verifies the access token integrity and optionally for expiration; token digital signature and expiration are reported via specific exceptions.
    void
    verifyRefreshToken()
    Verifies the refresh token integrity and validity; token digital signature and expiration are reported via specific exceptions.
    void
    verifyRefreshToken(boolean checkExpiration)
    Verifies the refresh token integrity and validity; token digital signature and expiration are reported via specific exceptions.

  • Method Details

    • getAccessToken

      org.gcube.common.keycloak.model.AccessToken getAccessToken() throws D4ScienceIAMClientException
      Returns the access token in the response.
      Returns:
      The access token
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getAccessTokenString

      String getAccessTokenString()
      Returns the access token in the response as string.
      Returns:
      The access token as string

    • isExpired

      boolean isExpired() throws D4ScienceIAMClientException
      Check if the current response is expired
      Returns:
      true if the response is expired, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • canBeRefreshed

      boolean canBeRefreshed() throws D4ScienceIAMClientException
      Check if the current response can be refreshed
      Returns:
      true if the response can be refreshed, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • refresh

      void refresh() throws D4ScienceIAMClientException
      Refreshes the current response, new data can be obtained again with accessors.
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token refresh

    • getContext

      String getContext() throws D4ScienceIAMClientException
      Returns the token context is issued for This is done by checking in the order:
      • If the token contains the d4s_context claim, as specified also in KeycloakClient.D4S_DYNAMIC_SCOPE_NAME_TOKEN_CLAIM
      • If the token contains a d4s-context:[context] valid dynamic scope, the value specified
      • The value of the aud claim if contains a single value (for retro-compatibility)
      It returns null if none of the options are satisfied and the context cannot be determined.
      Returns:
      the token context or null
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getContextRoles

      Set<String> getContextRoles() throws D4ScienceIAMClientException
      Returns the resource roles for the resource specified in the token context
      Returns:
      the token context's roles
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getResourceRoles

      Set<String> getResourceRoles(String resource) throws D4ScienceIAMClientException
      Returns the resource roles for the resource specified in the resource parameter
      Parameters:
      resource - the resource of which obtain the roles
      Returns:
      the roles for the resource
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getRoles

      Set<String> getRoles() throws D4ScienceIAMClientException
      Returns all the roles, realm and from all the resources in the token in the same set
      Returns:
      the union of all the roles in the token
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getGlobalRoles

      Set<String> getGlobalRoles() throws D4ScienceIAMClientException
      Returns the realm roles in the token
      Returns:
      the realm roles
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getContactOrganization

      String getContactOrganization() throws D4ScienceIAMClientException
      Returns the client's contact organization from the token
      Returns:
      the contact organization string
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getContactPerson

      String getContactPerson() throws D4ScienceIAMClientException
      Returns the client's contact person from the token
      Returns:
      the contact person string
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • getName

      String getName() throws D4ScienceIAMClientException
      Returns the client's name from the token
      Returns:
      the name string
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token decoding or JSON parsing

    • isAccessTokenValid

      boolean isAccessTokenValid() throws D4ScienceIAMClientException
      Quick way to check if the access token is valid by checking the digital signature and the token expiration
      Returns:
      true if the access token is valid, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token validity checks

    • isAccessTokenValid

      boolean isAccessTokenValid(boolean checkExpiration) throws D4ScienceIAMClientException
      Quick way to check if the access token is valid by checking the digital signature and the token expiration if the checkExpiration parameter is true
      Parameters:
      checkExpiration - checks also if the token is expired
      Returns:
      true if the access token is valid, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token validity checks

    • verifyAccessToken

      void verifyAccessToken() throws org.gcube.io.jsonwebtoken.security.SignatureException, org.gcube.io.jsonwebtoken.ExpiredJwtException, D4ScienceIAMClientException
      Verifies the access token integrity and validity; token digital signature and expiration are reported via specific exceptions.
      Throws:
      org.gcube.io.jsonwebtoken.security.SignatureException - if the token has been tampered and/or signature is invalid
      org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token validity is expired
      D4ScienceIAMClientException - if something else goes wrong during the token verification

    • verifyAccessToken

      void verifyAccessToken(boolean checkExpiration) throws org.gcube.io.jsonwebtoken.security.SignatureException, org.gcube.io.jsonwebtoken.ExpiredJwtException, D4ScienceIAMClientException
      Verifies the access token integrity and optionally for expiration; token digital signature and expiration are reported via specific exceptions.
      Parameters:
      checkExpiration - if false token expiration check is disabled
      Throws:
      org.gcube.io.jsonwebtoken.security.SignatureException - if the token has been tampered and/or signature is invalid
      org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token validity is expired if the checkExpiration argument is true
      D4ScienceIAMClientException - if something else goes wrong during the token verification

    • isRefreshTokenValid

      boolean isRefreshTokenValid() throws D4ScienceIAMClientException
      Quick way to check if the refresh token present in the current response and it is valid by checking the digital signature and the token expiration
      Returns:
      true if the refresh token is valid, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token validity checks

    • isRefreshTokenValid

      boolean isRefreshTokenValid(boolean checkExpiration) throws D4ScienceIAMClientException
      Quick way to check if the refresh token present in the current response and it is valid by checking the digital signature and the token expiration if the checkExpiration parameter is true
      Parameters:
      checkExpiration - checks also if the token is expired
      Returns:
      true if the refresh token is valid, false otherwise
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token validity checks

    • verifyRefreshToken

      void verifyRefreshToken() throws org.gcube.io.jsonwebtoken.security.SignatureException, org.gcube.io.jsonwebtoken.ExpiredJwtException, D4ScienceIAMClientException
      Verifies the refresh token integrity and validity; token digital signature and expiration are reported via specific exceptions.
      Throws:
      org.gcube.io.jsonwebtoken.security.SignatureException - if the token has been tampered and/or signature is invalid
      org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token validity is expired
      D4ScienceIAMClientException - if something else goes wrong during the token verification

    • verifyRefreshToken

      void verifyRefreshToken(boolean checkExpiration) throws org.gcube.io.jsonwebtoken.security.SignatureException, org.gcube.io.jsonwebtoken.ExpiredJwtException, D4ScienceIAMClientException
      Verifies the refresh token integrity and validity; token digital signature and expiration are reported via specific exceptions.
      Parameters:
      checkExpiration - if false token expiration check is disabled
      Throws:
      org.gcube.io.jsonwebtoken.security.SignatureException - if the token has been tampered and/or signature is invalid
      org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token validity is expired if the checkExpiration argument is true
      D4ScienceIAMClientException - if something else goes wrong during the token verification

    • exchangeAccessToken

      void exchangeAccessToken(String clientId, String clientSecret, String audience, String scope) throws D4ScienceIAMClientException
      Exchanges and updates the current response with new one obtained with parameters provided.
      Parameters:
      clientId - the client id to be used for the exchange
      clientSecret - the client secret to be used for the exchange
      audience - the audience to specify in the exchange, can be null
      scope - the scope (as standard space separated list) to specify in the exchange, can be null
      Throws:
      D4ScienceIAMClientException - if something goes wrong during the token exchange