com.authlete.common.dto

Class BackchannelAuthenticationResponse

java.lang.Object

com.authlete.common.dto.ApiResponse

com.authlete.common.dto.BackchannelAuthenticationResponse

All Implemented Interfaces:

Serializable

public class BackchannelAuthenticationResponse
extends ApiResponse

Response from Authlete's /api/backchannel/authentication API.

Authlete's /api/backchannel/authentication API returns JSON which can be mapped to this class. The authorization server implementation should retrieve the value of action from the response and take the following steps according to the value.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the backchannel authentication request from the client application was wrong.

The authorization server implementation should generate a response to the client application with 400 Bad Request and application/json.

The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the authorization server implementation should generate and return to the client application.

 HTTP/1.1 400 Bad Request
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that client authentication of the backchannel authentication request failed. Note that client authentication is always required at the backchannel authentication endpoint. This implies that public clients are not allowed to use the backchannel authentication endpoint.

The authorization server implementation should generate a response to the client application with 401 Unauthorized and application/json.

The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the authorization server implementation should generate and return to the client application.

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: (challenge)
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the API call from the authorization server implementation was wrong or that an error occurred in Authlete.

In either case, from a viewpoint of the client application, it is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with 500 Internal Server Error and application/json.

The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the authorization server implementation should generate and return to the client application.

 HTTP/1.1 500 Internal Server Error
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

USER_IDENTIFICATION

When the value of action is USER_IDENTIFICATION, it means that the backchannel authentication request from the client application is valid. The authorization server implementation has to follow the steps below.

1. [END-USER IDENTIFICATION]

   
   

   The first step is to determine the subject (= unique identifier) of the end-user from whom the client application wants to get authorization.

   
   

   According to the CIBA specification, a backchannel authentication request contains one (and only one) of the login_hint_token, id_token_hint and login_hint request parameters as a hint by which the authorization server identifies the subject of an end-user.

   
   

   The authorization server implementation can know which hint is included in the backchannel authentication request by calling the getHintType() method. The method returns a UserIdentificationHintType instance that indicates which hint is included. For example, when the method returns LOGIN_HINT, it means that the backchannel authentication request contains the login_hint request parameter as a hint.

   
   

   The getHint() method returns the value of the hint. For example, when the getHintType() method returns LOGIN_HINT, the getHint() method returns the value of the login_hint request parameter.

   
   

   It is up to the authorization server implementation how to determine the subject of the end-user from the hint. There are few things Authlete can help. Only one thing Authlete can do is to let the getSub() method return the value of the sub claim in the id_token_hint request parameter when the request parameter is used.

   
   
   

2. [END-USER IDENTIFICATION ERROR]

   
   

   There are some cases where the authorization server implementation encounters an error during the user identification process. In any error case, the authorization server implementation has to return an HTTP response with the error response parameter to the client application. The following is an example of such error responses.

   
   

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
   
    {"error":"unknown_user_id"}

   
   

   Authlete provides /api/backchannel/authentication/fail API that builds the response body (JSON) of an error response. However, because it is easy to build an error response manually, you may choose not to call the API. One good thing in using the API is that the API call can trigger deletion of the ticket which has been issued from Authlete's /api/backchannel/authentication API. If you don't call /api/backchannel/authentication/fail API, the ticket will continue to exist in the database until it is cleaned up by the batch program after the ticket expires.

   
   

   Possible error cases that the authorization server implementation itself has to handle are as follows. Other error cases have already been covered by /api/backchannel/authentication API.

   
   

   error	description
   expired_login_hint_token	The authorization server implementation detected that the hint presented by the login_hint_token request parameter has expired. Note that the format of login_hint_token is not described in the CIBA Core spec at all and so there is no consensus on how to detect expiration of login_hint_token. Interpretation of login_hint_token is left to each authorization server implementation.
   unknown_user_id	The authorization server implementation could not determine the subject of the end-user by the presented hint.
   unauthorized_client	The authorization server implementation has custom rules to reject backchannel authentication requests from some particular clients and found that the client which has made the backchannel authentication request is one of the particular clients. Note that /api/backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to use the error code unauthorized_client unless the server has intentionally implemented custom rules to reject backchannel authentication requests based on clients.
   missing_user_code	The authorization server implementation has custom rules to require that a backchannel authentication request include a user code for some particular users and found that the user identified by the hint is one of the particular users. Note that /api/backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /api/backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code". Therefore, the authorization server implementation will never have to use the error code missing_user_code unless the server has intentionally implemented custom rules to require a user code based on users even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.
   invalid_user_code	The authorization server implementation detected that the presented user code is invalid. Note that the format of user_code is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a user code is valid or not. It is up to each authorization server implementation how to handle user codes.
   invalid_binding_message	The authorization server implementation detected that the presented binding message is invalid. Note that the format of binding_message is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a binding message is valid or not. It is up to each authorization server implementation how to handle binding messages.
   access_denined	The authorization server implementation has custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request in some particular cases and found that the backchannel authentication request is one of the particular cases. The authorization server implementation will never have to use the error code access_denied at this timing unless the server has intentionally implemented custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request.

   
   
   

3. [AUTH_REQ_ID ISSUE]

   
   

   If the authorization server implementation has successfully determined the subject of the end-user, the next action is to return an HTTP response to the client application which contains auth_req_id.

   
   

   Authlete provides /api/backchannel/authentication/issue API which generates a JSON containing auth_req_id, so, your next action is (1) call the API, (2) receive the response from the API, (3) build a response to the client application using the content of the API response, and (4) return the response to the client application. See the description of /api/backchannel/authentication/issue API for details.

   
   
   

4. [END-USER AUTHENTICATION AND AUTHORIZATION]

   
   

   After sending a JSON containing auth_req_id back to the client application, the authorization server implementation starts to communicate with an authentication device of the end-user. It is assumed that end-user authentication is performed on the authentication device and the end-user confirms the content of the backchannel authentication request and grants authorization to the client application if everything is okay. The authorization server implementation must be able to receive the result of the end-user authentication and authorization from the authentication device.

   
   

   How to communicate with an authentication device and achieve end-user authentication and authorization is up to each authorization server implementation, but the following request parameters of the backchannel authentication request should be taken into consideration in any implementation.

   
   

   parameter	method	description
   acr_values	getAcrs()	A backchannel authentication request may contain an array of ACRs (Authentication Context Class References) in preference order. If multiple authentication devices are registered for the end-user, the authorization server implementation should take the ACRs into consideration when selecting the best authentication device.
   scope	getScopes()	A backchannel authentication request always contains a list of scopes. At least, openid is included in the list (otherwise /api/backchannel/authentication API returns action=BAD_REQUEST). It would be better to show the requested scopes to the end-user on the authentication device or somewhere appropriate. If the scope request parameter contains address, email, phone and/or profile, they are interpreted as defined in 5.4. Requesting Claims using Scope Values of OpenID Connect Core 1.0. That is, they are expanded into a list of claim names. The getClaimNames() method returns the expanded result.
   binding_message	getBindingMessage()	A backchannel authentication request may contain a binding message. It is a human readable identifier or message intended to be displayed on both the consumption device (client application) and the authentication device.
   user_code	getUserCode()	A backchannel authentication request may contain a user code. It is a secret code, such as password or pin, known only to the end-user but verifiable by the authorization server. The user code should be used to authorize sending a request to the authentication device.

   
   
   

5. [END-USER AUTHENTICATION AND AUTHORIZATION COMPLETION]

   
   

   After receiving the result of end-user authentication and authorization, the authorization server implementation must call Authlete's /api/backchannel/authentication/complete to tell Authlete the result and pass necessary data so that Authlete can generate an ID token, an access token and optionally a refresh token. See the description of the API for details.

   
   
   

6. [CLIENT NOTIFICATION]

   
   

   When the backchannel token delivery mode is either ping or push, the authorization server implementation must send a notification to the pre-registered notification endpoint of the client after the end-user authentication and authorization. In this case, getAction() method of BackchannelAuthenticationCompleteResponse (a response from /api/backchannel/authentication/complete API) returns NOTIFICATION. See the description of /api/backchannel/authentication/complete API for details.

   
   
   

7. [TOKEN REQUEST]

   
   

   When the backchannel token delivery mode is either ping or poll, the client application will make a token request to the token endpoint to get an ID token, an access token and optionally a refresh token.

   
   

   A token request that corresponds to a backchannel authentication request uses urn:openid:params:grant-type:ciba as the value of the grant_type request parameter. Authlete's /api/auth/token API recognizes the grant type automatically and behaves properly, so the existing token endpoint implementation does not have to be changed to support CIBA.

Since:

2.32

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	BackchannelAuthenticationResponse.Action The next action that the OpenID provider implementation should take.

Constructor Summary

Constructors

Constructor and Description
BackchannelAuthenticationResponse()

Method Summary

Modifier and Type	Method and Description
String[]	getAcrs() Get the list of ACR values requested by the backchannel authentication request.
BackchannelAuthenticationResponse.Action	getAction() Get the next action that the implementation of the backchannel authentication endpoint should take.
String	getBindingMessage() Get the binding message included in the backchannel authentication request.
String[]	getClaimNames() Get the names of the claims which were requested indirectly via some special scopes.
ClientAuthMethod	getClientAuthMethod() Get the client authentication method that should be performed at the backchannel authentication endpoint.
long	getClientId() Get the client ID of the client application that has made the backchannel authentication request.
String	getClientIdAlias() Get the client ID alias of the client application that has made the backchannel authentication request.
String	getClientIdentifier() Get the client identifier used in the backchannel authentication request.
String	getClientName() Get the name of the client application which has made the backchannel authentication request.
String	getClientNotificationToken() Get the client notification token included in the backchannel authentication request.
DeliveryMode	getDeliveryMode() Get the backchannel token delivery mode of the client application.
String	getHint() Get the value of the hint for end-user identification.
UserIdentificationHintType	getHintType() Get the type of the hint for end-user identification which was included in the backchannel authentication request.
String	getRequestContext() Get the request context of the backchannel authentication request.
int	getRequestedExpiry() Get the requested expiry for the authentication request ID (auth_req_id).
String	getResponseContent() Get the content that can be used to generate a response to the client application.
Scope[]	getScopes() Get the scopes requested by the backchannel authentication request.
String	getSub() Get the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.
String	getTicket() Get the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.
String	getUserCode() Get the user code included in the backchannel authentication request.
String[]	getWarnings() Get the warnings raised during processing the backchannel authentication request.
boolean	isClientIdAliasUsed() Get the flag which indicates whether the client ID alias was used in the backchannel authentication request.
boolean	isUserCodeRequired() Get the flag which indicates whether a user code is required.
BackchannelAuthenticationResponse	setAcrs(String[] acrs) Set the list of ACR values requested by the backchannel authentication request.
BackchannelAuthenticationResponse	setAction(BackchannelAuthenticationResponse.Action action) Set the next action that the implementation of the backchannel authentication endpoint should take.
BackchannelAuthenticationResponse	setBindingMessage(String message) Set the binding message included in the backchannel authentication request.
BackchannelAuthenticationResponse	setClaimNames(String[] names) Set the names of the claims which were requested indirectly via some special scopes.
BackchannelAuthenticationResponse	setClientAuthMethod(ClientAuthMethod method) Set the client authentication method that should be performed at the backchannel authentication endpoint.
BackchannelAuthenticationResponse	setClientId(long clientId) Set the client ID of the client application that has made the backchannel authentication request.
BackchannelAuthenticationResponse	setClientIdAlias(String alias) Set the client ID alias of the client application that has made the backchannel authentication request.
BackchannelAuthenticationResponse	setClientIdAliasUsed(boolean used) Set the flag which indicates whether the client ID alias was used in the backchannel authentication request.
BackchannelAuthenticationResponse	setClientName(String name) Set the name of the client application which has made the backchannel authentication request.
BackchannelAuthenticationResponse	setClientNotificationToken(String token) Set the client notification token included in the backchannel authentication request.
BackchannelAuthenticationResponse	setDeliveryMode(DeliveryMode mode) Set the backchannel token delivery mode of the client application.
BackchannelAuthenticationResponse	setHint(String hint) Set the value of the hint for end-user identification.
BackchannelAuthenticationResponse	setHintType(UserIdentificationHintType hintType) Set the type of the hint for end-user identification which was included in the backchannel authentication request.
BackchannelAuthenticationResponse	setRequestContext(String context) Set the request context of the backchannel authentication request.
BackchannelAuthenticationResponse	setRequestedExpiry(int seconds) Set the requested expiry for the authentication request ID (auth_req_id).
BackchannelAuthenticationResponse	setResponseContent(String responseContent) Set the content that can be used to generate a response to the client application.
BackchannelAuthenticationResponse	setScopes(Scope[] scopes) Set the scopes requested by the backchannel authentication request.
BackchannelAuthenticationResponse	setSub(String sub) Set the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.
BackchannelAuthenticationResponse	setTicket(String ticket) Set the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.
BackchannelAuthenticationResponse	setUserCode(String userCode) Set the user code included in the backchannel authentication request.
BackchannelAuthenticationResponse	setUserCodeRequired(boolean required) Set the flag which indicates whether a user code is required.
BackchannelAuthenticationResponse	setWarnings(String[] warnings) Set the warnings raised during processing the backchannel authentication request.

Methods inherited from class com.authlete.common.dto.ApiResponse

getResultCode, getResultMessage, setResultCode, setResultMessage

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

BackchannelAuthenticationResponse

public BackchannelAuthenticationResponse()

Method Detail

getAction

public BackchannelAuthenticationResponse.Action getAction()

Get the next action that the implementation of the backchannel authentication endpoint should take.

Returns:

The next action.

setAction

public BackchannelAuthenticationResponse setAction(BackchannelAuthenticationResponse.Action action)

Set the next action that the implementation of the backchannel authentication endpoint should take.

Parameters:

action - The next action.

Returns:

this object.

getResponseContent

public String getResponseContent()

Get the content that can be used to generate a response to the client application.

When this method returns a non-null value, it is JSON containing error information. When getAction() returns USER_IDENTIFICATION, this method returns null.

Returns:

The content of a response to the client.

setResponseContent

public BackchannelAuthenticationResponse setResponseContent(String responseContent)

Set the content that can be used to generate a response to the client application.

Parameters:

responseContent - The content of a response to the client.

Returns:

this object.

getClientId

public long getClientId()

Get the client ID of the client application that has made the backchannel authentication request.

Returns:

The client ID of the client application.

setClientId

public BackchannelAuthenticationResponse setClientId(long clientId)

Set the client ID of the client application that has made the backchannel authentication request.

Parameters:

clientId - The client ID of the client application.

Returns:

this object.

getClientIdAlias

public String getClientIdAlias()

Get the client ID alias of the client application that has made the backchannel authentication request.

Returns:

The client ID alias of the client application.

setClientIdAlias

public BackchannelAuthenticationResponse setClientIdAlias(String alias)

Set the client ID alias of the client application that has made the backchannel authentication request.

Parameters:

alias - The client ID alias of the client application.

Returns:

this object.

isClientIdAliasUsed

public boolean isClientIdAliasUsed()

Get the flag which indicates whether the client ID alias was used in the backchannel authentication request.

Returns:

true if the client ID alias was used in the request.

setClientIdAliasUsed

public BackchannelAuthenticationResponse setClientIdAliasUsed(boolean used)

Set the flag which indicates whether the client ID alias was used in the backchannel authentication request.

Parameters:

used - true to indicate that the client ID alias was used in the request.

Returns:

this object.

getClientIdentifier

public String getClientIdentifier()

Get the client identifier used in the backchannel authentication request.

When isClientIdAliasUsed() returns true, this method returns the same value as getClientIdAlias() does. Otherwise, this method returns the string representation of the value returned from getClientId().

Returns:

The client identifier used in the backchannel authentication request.

getClientName

public String getClientName()

Get the name of the client application which has made the backchannel authentication request.

Returns:

The name of the client application.

setClientName

public BackchannelAuthenticationResponse setClientName(String name)

Set the name of the client application which has made the backchannel authentication request.

Parameters:

name - The name of the client application.

Returns:

this object.

getClientAuthMethod

public ClientAuthMethod getClientAuthMethod()

Get the client authentication method that should be performed at the backchannel authentication endpoint.

If the client could not be identified by the information in the request, this method returns null.

Returns:

The client authentication method that should be performed at the backchannel authentication endpoint.

Since:

2.50

setClientAuthMethod

public BackchannelAuthenticationResponse setClientAuthMethod(ClientAuthMethod method)

Set the client authentication method that should be performed at the backchannel authentication endpoint.

Parameters:

method - The client authentication method that should be performed at the backchannel authentication endpoint.

Returns:

this object.

Since:

2.50

getDeliveryMode

public DeliveryMode getDeliveryMode()

Get the backchannel token delivery mode of the client application.

Returns:

The backchannel token delivery mode.

setDeliveryMode

public BackchannelAuthenticationResponse setDeliveryMode(DeliveryMode mode)

Set the backchannel token delivery mode of the client application.

Parameters:

mode - The backchannel token delivery mode.

Returns:

this object.

getScopes

public Scope[] getScopes()

Get the scopes requested by the backchannel authentication request.

Basically, this method returns the value of the "scope" request parameter in the backchannel authentication request. However, because unregistered scopes are dropped on Authlete side, if the "scope" request parameter contains unknown scopes, the list returned by this method becomes different from the value of the "scope" request parameter.

Note that Scope.getDescription() method and Scope.getDescriptions() method of each element (Scope instance) in the array returned from this method always return null even if descriptions of the scopes are registered.

Returns:

The requested scopes.

setScopes

public BackchannelAuthenticationResponse setScopes(Scope[] scopes)

Set the scopes requested by the backchannel authentication request.

Parameters:

scopes - The requested scopes.

Returns:

this object.

getClaimNames

public String[] getClaimNames()

Get the names of the claims which were requested indirectly via some special scopes. See 5.4. Requesting Claims using Scope Values in OpenID Connect Core 1.0 for details.

Returns:

The names of the requested claims.

setClaimNames

public BackchannelAuthenticationResponse setClaimNames(String[] names)

Set the names of the claims which were requested indirectly via some special scopes.

Parameters:

names - The names of the requested claims.

Returns:

this object.

getClientNotificationToken

public String getClientNotificationToken()

Get the client notification token included in the backchannel authentication request. It is the value of the client_notification_token request parameter.

When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.

Returns:

The client notification token included in the backchannel authentication request.

setClientNotificationToken

public BackchannelAuthenticationResponse setClientNotificationToken(String token)

Set the client notification token included in the backchannel authentication request. It is the value of the client_notification_token request parameter.

When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.

Parameters:

token - The client notification token included in the backchannel authentication request.

Returns:

this object.

getAcrs

public String[] getAcrs()

Get the list of ACR values requested by the backchannel authentication request.

Basically, this method returns the value of the "acr_values" request parameter in the backchannel authentication request. However, because unsupported ACR values are dropped on Authlete side, if the "acr_values" request parameter contains unrecognized ACR values, the list returned by this method becomes different from the value of the "acr_values" request parameter.

Returns:

The list of requested ACR values.

setAcrs

public BackchannelAuthenticationResponse setAcrs(String[] acrs)

Set the list of ACR values requested by the backchannel authentication request.

Parameters:

acrs - The list of requested ACR values.

Returns:

this object.

getHintType

public UserIdentificationHintType getHintType()

Get the type of the hint for end-user identification which was included in the backchannel authentication request.

When the backchannel authentication request contains "id_token_hint", this method returns ID_TOKEN_HINT. Likewise, this method returns LOGIN_HINT when the request contains "login_hint", or returns LOGIN_HINT_TOKEN when the request contains "login_hint_token".

Note that a backchannel authentication request must include one and only one hint among "id_token_hint", "login_hint" and "login_hint_token".

Returns:

The type of the hint for end-user identification.

setHintType

public BackchannelAuthenticationResponse setHintType(UserIdentificationHintType hintType)

Set the type of the hint for end-user identification which was included in the backchannel authentication request.

Parameters:

hintType - The type of the hint for end-user identification.

Returns:

this object.

getHint

public String getHint()

Get the value of the hint for end-user identification.

When getHintType() returns ID_TOKEN_HINT, this method returns the value of the "id_token_hint" request parameter. Likewise, this method returns the value of the "login_hint" request parameter when getHintType() returns LOGIN_HINT, or returns the value of the "login_hint_token" request parameter when getHintType() returns LOGIN_HINT_TOKEN.

Returns:

The value of the hint for end-user identification.

setHint

public BackchannelAuthenticationResponse setHint(String hint)

Set the value of the hint for end-user identification.

Parameters:

hint - The value of the hint for end-user identification.

Returns:

this object.

getSub

public String getSub()

Get the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.

This method works only when the backchannel authentication request contains the "id_token_hint" request parameter.

Returns:

The value of the "sub" claim contained in the ID token hint.

setSub

public BackchannelAuthenticationResponse setSub(String sub)

Set the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.

Parameters:

sub - The value of the "sub" claim contained in the ID token hint.

Returns:

this object.

getUserCode

public String getUserCode()

Get the user code included in the backchannel authentication request. It is the value of the "user_code" request parameter.

Returns:

The user code.

setUserCode

public BackchannelAuthenticationResponse setUserCode(String userCode)

Set the user code included in the backchannel authentication request. It is the value of the "user_code" request parameter.

Parameters:

userCode - The user code.

Returns:

this object.

getRequestedExpiry

public int getRequestedExpiry()

Get the requested expiry for the authentication request ID (auth_req_id). It is the value of the "requested_expiry" request parameter.

Returns:

The requested expiry in seconds.

Since:

2.35

setRequestedExpiry

public BackchannelAuthenticationResponse setRequestedExpiry(int seconds)

Set the requested expiry for the authentication request ID (auth_req_id). It is the value of the "requested_expiry" request parameter.

Parameters:

seconds - The requested expiry in seconds.

Returns:

this object.

Since:

2.35

isUserCodeRequired

public boolean isUserCodeRequired()

Get the flag which indicates whether a user code is required.

This method returns true when both the backchannel_user_code_parameter metadata of the client (= Client's bcUserCodeRequired property) and the backchannel_user_code_parameter_supported metadata of the service (= Service's backchannelUserCodeParameterSupported property) are true.

Returns:

true when a user code is required.

Since:

2.33

setUserCodeRequired

public BackchannelAuthenticationResponse setUserCodeRequired(boolean required)

Set the flag which indicates whether a user code is required.

Parameters:

required - true to indicate that a user code is required.

Returns:

this object.

Since:

2.33

getBindingMessage

public String getBindingMessage()

Get the binding message included in the backchannel authentication request. It is the value of the "binding_message" request parameter.

Returns:

The binding message.

setBindingMessage

public BackchannelAuthenticationResponse setBindingMessage(String message)

Set the binding message included in the backchannel authentication request. It is the value of the "binding_message" request parameter.

Parameters:

message - The binding message.

Returns:

this object.

getRequestContext

public String getRequestContext()

Get the request context of the backchannel authentication request. It is the value of the "request_context" claim in the signed authentication request and its format is JSON. "request_context" is a new claim added by the FAPI-CIBA profile.

This method returns null if the backchannel authentication request does not include a "request" request parameter or the JWT specified by the request parameter does not include a "request_context" claim.

Returns:

The request context in JSON format.

Since:

2.45

setRequestContext

public BackchannelAuthenticationResponse setRequestContext(String context)

Set the request context of the backchannel authentication request. It is the value of the "request_context" claim in the signed authentication request and its format is JSON. "request_context" is a new claim added by the FAPI-CIBA profile.

Parameters:

context - The request context in JSON format.

Returns:

this object.

Since:

2.45

getWarnings

public String[] getWarnings()

Get the warnings raised during processing the backchannel authentication request.

Returns:

Warnings. This may be null.

setWarnings

public BackchannelAuthenticationResponse setWarnings(String[] warnings)

Set the warnings raised during processing the backchannel authentication request.

Parameters:

warnings - Warnings.

Returns:

this object.

getTicket

public String getTicket()

Get the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.

Returns:

The ticket issued from /api/backchannel/authentication API.

setTicket

public BackchannelAuthenticationResponse setTicket(String ticket)

Set the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.

Parameters:

ticket - The ticket issued from /api/backchannel/authentication API.

Returns:

this object.