com.authlete.common.dto

Class Service

java.lang.Object

com.authlete.common.dto.Service

All Implemented Interfaces:

Serializable

public class Service
extends Object
implements Serializable

Information about a service.

Some properties correspond to the ones listed in OpenID Provider Metadata in OpenID Connect Discovery 1.0

JWT-based access token

When getAccessTokenSignAlg() returns a non-null value, access tokens issued by this service become JWTs. The value returned by the method is used as the signature algorithm of the JWTs. When the method returns null, access tokens issued by this service are random strings as before.

A JWT-based access token has the following claims.

claim name	type	description
scope	string	Space-delimited scope names.
client_id	string	Client ID.
exp	integer	Time at which this access token will expire. Seconds since the Unix epoch.
iat	integer	Time at which this access token was issued. Seconds since the Unix epoch.
sub	string	The subject (unique identifier) of the resource owner who approved issue of this access token. This claim does not exist or its value is null if this access token was issued by resource owner password credentials flow.
iss	string	The issuer identifier of this service.
jti	string	The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token.
cnf	object	If this access token is bound to a client certificate, this claim is included. The type of its value is object and the sub object contains a "x5t#S256" claim. The value of the "x5t#S256" claim is the X.509 Certificate SHA-256 thumbprint of the client certificate. See "3.1. X.509 Certificate Thumbprint Confirmation Method for JWT" of "OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens" for details.

Visible (= not-hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.

The feature of JWT-based access token is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.

See Also:

OpenID Connect Discovery 1.0, Serialized Form

Constructor Summary

Constructors

Constructor and Description
Service()

Method Summary

Modifier and Type	Method and Description
long	getAccessTokenDuration() Get the duration of access tokens in seconds; the value of expires_in in access token responses.
JWSAlg	getAccessTokenSignAlg() Get the signature algorithm of access tokens.
String	getAccessTokenSignatureKeyId() Get the key ID to identify a JWK used for signing access tokens.
String	getAccessTokenType() Get the access token type; the value of token_type in access token responses.
int	getAllowableClockSkew() Get the allowable clock skew between the server and clients in seconds.
long	getApiKey() Get the API key.
String	getApiSecret() Get the API secret.
String	getAuthenticationCallbackApiKey() Get the API key to access the authentication callback endpoint.
String	getAuthenticationCallbackApiSecret() Get the API secret to access the authentication callback endpoint.
URI	getAuthenticationCallbackEndpoint() Get the URI of the authentication callback endpoint.
URI	getAuthorizationEndpoint() Get the URI of the authorization endpoint.
long	getAuthorizationResponseDuration() Get the duration of authorization response JWTs.
String	getAuthorizationSignatureKeyId() Get the key ID to identify a JWK used for signing authorization responses using an asymmetric key.
URI	getBackchannelAuthenticationEndpoint() Get the URI of the backchannel authentication endpoint.
int	getBackchannelAuthReqIdDuration() Get the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds.
int	getBackchannelPollingInterval() Get the minimum interval between polling requests to the token endpoint from client applications in seconds.
int	getClientsPerDeveloper() Get the number of client applications that one developer can create.
long	getCreatedAt() Get the time at which this service was created.
String	getDescription() Get the description.
String	getDeveloperAuthenticationCallbackApiKey() Get the API key to access the developer authentication callback endpoint.
String	getDeveloperAuthenticationCallbackApiSecret() Get the API secret to access the developer authentication callback endpoint.
URI	getDeveloperAuthenticationCallbackEndpoint() Get the URI of the developer authentication callback endpoint.
SnsCredentials[]	getDeveloperSnsCredentials() Get the list of SNS credentials that Authlete uses to support social login at the developer console.
URI	getDeviceAuthorizationEndpoint() Get the URI of the device authorization endpoint.
int	getDeviceFlowCodeDuration() Get the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds.
int	getDeviceFlowPollingInterval() Get the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow.
URI	getDeviceVerificationUri() Get the verification URI for the device flow.
URI	getDeviceVerificationUriComplete() Get the verification URI for the device flow with a placeholder for a user code.
long	getIdTokenDuration() Get the duration of ID tokens in seconds.
String	getIdTokenSignatureKeyId() Get the key ID to identify a JWK used for ID token signature using an asymmetric key.
URI	getIntrospectionEndpoint() Get the URI of the introspection endpoint.
URI	getIssuer() Get the issuer identifier of this OpenID provider.
String	getJwks() Get the JSON Web Key Set of the service.
URI	getJwksUri() Get the URI of the service's JSON Web Key Set.
Pair[]	getMetadata() Get metadata.
long	getModifiedAt() Get the time at which this service was last modified.
NamedUri[]	getMtlsEndpointAliases() Get the MTLS endpoint aliases.
int	getNumber() Get the service number.
URI	getPolicyUri() Get the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
long	getPushedAuthReqDuration() Get the duration of pushed authorization requests.
long	getRefreshTokenDuration() Get the duration of refresh tokens in seconds.
URI	getRegistrationEndpoint() Get the URI of the registration endpoint.
URI	getRegistrationManagementEndpoint() Get the URI of the registration management endpoint.
URI	getRequestObjectEndpoint() Get the URI of the request object endpoint.
URI	getRevocationEndpoint() Get the URI of the token revocation endpoint.
URI	getServiceDocumentation() Get the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
String	getServiceName() Get the service name.
int	getServiceOwnerNumber() Get the service owner number.
SnsCredentials[]	getSnsCredentials() Get the list of SNS credentials that Authlete uses to support social login.
String[]	getSupportedAcrs() Get the supported ACRs (authentication context class references).
DeliveryMode[]	getSupportedBackchannelTokenDeliveryModes() Get the supported backchannel token delivery modes.
String[]	getSupportedClaimLocales() Get the supported claim locales.
String[]	getSupportedClaims() Get the supported claims.
ClaimType[]	getSupportedClaimTypes() Get the supported claim types.
Sns[]	getSupportedDeveloperSnses() Get the list of supported SNSes for social login at the developer console.
Display[]	getSupportedDisplays() Get the supported values of display parameter passed to the authorization endpoint.
GrantType[]	getSupportedGrantTypes() Get the supported grant types.
ClientAuthMethod[]	getSupportedIntrospectionAuthMethods() Get client authentication methods supported at the introspection endpoint.
ResponseType[]	getSupportedResponseTypes() Get the supported response types.
ClientAuthMethod[]	getSupportedRevocationAuthMethods() Get client authentication methods supported at the revocation endpoint.
Scope[]	getSupportedScopes() Get the supported scopes.
ServiceProfile[]	getSupportedServiceProfiles() Get the supported service profiles.
Sns[]	getSupportedSnses() Get the list of supported SNSes for social login at the authorization endpoint.
ClientAuthMethod[]	getSupportedTokenAuthMethods() Get the supported client authentication methods at the token endpoint.
String[]	getSupportedUiLocales() Get the supported UI locales.
URI	getTokenEndpoint() Get the URI of the token endpoint.
URI	getTosUri() Get the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
String[]	getTrustedRootCertificates() Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
UserCodeCharset	getUserCodeCharset() Get the character set for end-user verification codes (user_code) for Device Flow.
int	getUserCodeLength() Get the length of end-user verification codes (user_code) for Device Flow.
URI	getUserInfoEndpoint() Get the URI of the user info endpoint.
String	getUserInfoSignatureKeyId() Get the key ID to identify a JWK used for user info signature using an asymmetric key.
boolean	isBackchannelBindingMessageRequiredInFapi() Get the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
boolean	isBackchannelUserCodeParameterSupported() Get the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint.
boolean	isClientIdAliasEnabled() Get the flag which indicates whether the 'Client ID Alias' feature is enabled or not.
boolean	isDirectAuthorizationEndpointEnabled() Get the flag which indicates whether the direct authorization endpoint is enabled or not.
boolean	isDirectIntrospectionEndpointEnabled() Get the flag which indicates whether the direct introspection endpoint is enabled or not.
boolean	isDirectJwksEndpointEnabled() Get the flag which indicates whether the direct jwks endpoint is enabled or not.
boolean	isDirectRevocationEndpointEnabled() Get the flag which indicates whether the direct revocation endpoint is enabled or not.
boolean	isDirectTokenEndpointEnabled() Get the flag which indicates whether the direct token endpoint is enabled or not.
boolean	isDirectUserInfoEndpointEnabled() Get the flag which indicates whether the direct userinfo endpoint is enabled or not.
boolean	isDynamicRegistrationSupported() Get the flag which indicates whether the dynamic client registration is supported.
boolean	isErrorDescriptionOmitted() Get the flag which indicates whether the error_description response parameter is omitted.
boolean	isErrorUriOmitted() Get the flag which indicates whether the error_uri response parameter is omitted.
boolean	isMutualTlsValidatePkiCertChain() Determine whether this service validates certificate chains during PKI-based client mutual TLS authentication.
boolean	isPkceRequired() Get the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
boolean	isPkceS256Required() Get the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
boolean	isRefreshTokenKept() Get the flag which indicates whether a refresh token remains valid or gets renewed after its use.
boolean	isSingleAccessTokenPerSubject() Get the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.
boolean	isTlsClientCertificateBoundAccessTokens() Does this service support issuing TLS client certificate bound access tokens?
Service	setAccessTokenDuration(long duration) Set the duration of access tokens in seconds; the value of expires_in in access token responses.
Service	setAccessTokenSignAlg(JWSAlg alg) Set the signature algorithm of access tokens.
Service	setAccessTokenSignatureKeyId(String keyId) Set the key ID to identify a JWK used for signing access tokens.
Service	setAccessTokenType(String type) Set the access token type; the value of token_type in access token responses.
Service	setAllowableClockSkew(int seconds) Set the allowable clock skew between the server and clients in seconds.
Service	setApiKey(long apiKey) Set the API key.
Service	setApiSecret(String apiSecret) Set the API secret.
Service	setAuthenticationCallbackApiKey(String apiKey) Set the API key to access the authentication callback endpoint.
Service	setAuthenticationCallbackApiSecret(String apiSecret) Set the API secret to access the authentication callback endpoint.
Service	setAuthenticationCallbackEndpoint(URI endpoint) Set the URI of the authentication callback endpoint.
Service	setAuthorizationEndpoint(URI endpoint) Set the URI of the authorization endpoint.
Service	setAuthorizationResponseDuration(long duration) Set the duration of authorization response JWTs.
Service	setAuthorizationSignatureKeyId(String keyId) Set the key ID to identify a JWK used for signing authorization responses using an asymmetric key.
Service	setBackchannelAuthenticationEndpoint(URI endpoint) Set the URI of the backchannel authentication endpoint.
Service	setBackchannelAuthReqIdDuration(int duration) Set the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds.
Service	setBackchannelBindingMessageRequiredInFapi(boolean required) Set the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
Service	setBackchannelPollingInterval(int interval) Set the minimum interval between polling requests to the token endpoint from client applications in seconds.
Service	setBackchannelUserCodeParameterSupported(boolean supported) Set the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint.
Service	setClientIdAliasEnabled(boolean enabled) Enable/disable the 'Client ID Alias' feature.
Service	setClientsPerDeveloper(int count) Set the number of client applications that one developer can create.
Service	setCreatedAt(long createdAt) Set the time at which this service was created.
Service	setDescription(String description) Set the description.
Service	setDeveloperAuthenticationCallbackApiKey(String apiKey) Set the API key to access the developer authentication callback endpoint.
Service	setDeveloperAuthenticationCallbackApiSecret(String apiSecret) Set the API secret to access the developer authentication callback endpoint.
Service	setDeveloperAuthenticationCallbackEndpoint(URI endpoint) Set the URI of the developer authentication callback endpoint.
Service	setDeveloperSnsCredentials(SnsCredentials[] snsCredentials) Set the list of SNS credentials that Authlete uses to support social login at the developer console.
Service	setDeviceAuthorizationEndpoint(URI endpoint) Set the URI of the device authorization endpoint.
Service	setDeviceFlowCodeDuration(int duration) Set the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds.
Service	setDeviceFlowPollingInterval(int interval) Set the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow.
Service	setDeviceVerificationUri(URI uri) Set the verification URI for the device flow.
Service	setDeviceVerificationUriComplete(URI uri) Set the verification URI for the device flow with a placeholder for a user code.
Service	setDirectAuthorizationEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct authorization endpoint is enabled or not.
Service	setDirectIntrospectionEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct introspection endpoint is enabled or not.
Service	setDirectJwksEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct jwks endpoint is enabled or not.
Service	setDirectRevocationEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct revocation endpoint is enabled or not.
Service	setDirectTokenEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct token endpoint is enabled or not.
Service	setDirectUserInfoEndpointEnabled(boolean enabled) Set the flag which indicates whether the direct userinfo endpoint is enabled or not.
Service	setDynamicRegistrationSupported(boolean enabled) Set the flag which indicates whether dynamic client registration is supported.
Service	setErrorDescriptionOmitted(boolean omitted) Omit or embed the error_description response parameter in error responses.
Service	setErrorUriOmitted(boolean omitted) Omit or embed the error_uri response parameter in error responses.
Service	setIdTokenDuration(long duration) Set the duration of ID tokens in seconds.
Service	setIdTokenSignatureKeyId(String keyId) Set the key ID to identify a JWK used for ID token signature using an asymmetric key.
Service	setIntrospectionEndpoint(URI endpoint) Set the URI of the introspection endpoint.
Service	setIssuer(URI issuer) Set the issuer identifier of this OpenID provider.
Service	setJwks(String jwks) Set the JSON Web Key Set of the service.
Service	setJwksUri(URI uri) Set the URI of the service's JSON Web Key Set.
Service	setMetadata(Pair[] metadata) Set metadata.
Service	setModifiedAt(long modifiedAt) Set the time at which this service was last modified.
Service	setMtlsEndpointAliases(NamedUri[] aliases) Set the MTLS endpoint aliases.
Service	setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain) Set whether this service validates certificate chains during PKI-based client mutual TLS authentication.
Service	setNumber(int number) Set the service number.
Service	setPkceRequired(boolean required) Set the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
Service	setPkceS256Required(boolean required) Set the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
Service	setPolicyUri(URI uri) Set the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
Service	setPushedAuthReqDuration(long duration) Set the duration of pushed authorization requests.
Service	setRefreshTokenDuration(long duration) Set the duration of refresh tokens in seconds.
Service	setRefreshTokenKept(boolean kept) Set the flag which indicates whether a refresh token remains valid or gets renewed after its use.
Service	setRegistrationEndpoint(URI endpoint) Set the URI of the registration endpoint.
Service	setRegistrationManagementEndpoint(URI endpoint) Set the URI of the registration management endpoint.
Service	setRequestObjectEndpoint(URI endpoint) Set the URI of the request object endpoint.
Service	setRevocationEndpoint(URI endpoint) Set the URI of the token revocation endpoint.
Service	setServiceDocumentation(URI uri) Set the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
Service	setServiceName(String serviceName) Set the service name.
Service	setServiceOwnerNumber(int serviceOwnerNumber) Set the service owner number
Service	setSingleAccessTokenPerSubject(boolean single) Set the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.
Service	setSnsCredentials(SnsCredentials[] snsCredentials) Set the list of SNS credentials that Authlete uses to support social login.
Service	setSupportedAcrs(String[] acrs) Set the supported ACRs (authentication context class references).
Service	setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes) Get the supported backchannel token delivery modes.
Service	setSupportedClaimLocales(String[] supportedClaimLocales) Set the supported claim locales.
Service	setSupportedClaims(String[] supportedClaims) Set the supported claims.
Service	setSupportedClaimTypes(ClaimType[] claimTypes) Set the supported claim types.
Service	setSupportedDeveloperSnses(Sns[] supportedSnses) Set the list of supported SNSes for social login at the developer console.
Service	setSupportedDisplays(Display[] displays) Set the supported values of display parameter passed to the authorization endpoint.
Service	setSupportedGrantTypes(GrantType[] grantTypes) Set the supported grant types.
Service	setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods) Set client authentication methods supported at the introspection endpoint.
Service	setSupportedResponseTypes(ResponseType[] responseTypes) Set the supported response types.
Service	setSupportedRevocationAuthMethods(ClientAuthMethod[] methods) Set client authentication methods supported at the revocation endpoint.
Service	setSupportedScopes(Scope[] supportedScopes) Set the supported scopes.
Service	setSupportedServiceProfiles(Iterable<ServiceProfile> profiles) Set the supported service profiles.
Service	setSupportedServiceProfiles(ServiceProfile[] profiles) Set the supported service profiles.
Service	setSupportedSnses(Sns[] supportedSnses) Set the list of supported SNSes for social login at the authorization endpoint.
Service	setSupportedTokenAuthMethods(ClientAuthMethod[] methods) Set the number of client authentication methods at the token endpoint.
Service	setSupportedUiLocales(String[] supportedUiLocales) Set the supported UI locales.
Service	setTlsClientCertificateBoundAccessTokens(boolean enabled) Enable or disable support for TLS client certificate bound access tokens.
Service	setTokenEndpoint(URI endpoint) Set the URI of the token endpoint.
Service	setTosUri(URI uri) Set the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
Service	setTrustedRootCertificates(String[] trustedRootCertificates) Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
Service	setUserCodeCharset(UserCodeCharset charset) Set the character set for end-user verification codes (user_code) for Device Flow.
Service	setUserCodeLength(int length) Set the length of end-user verification codes (user_code) for Device Flow.
Service	setUserInfoEndpoint(URI endpoint) Set the URI of the user info endpoint.
Service	setUserInfoSignatureKeyId(String keyId) Set the key ID to identify a JWK used for user info signature using an asymmetric key.
boolean	supports(ServiceProfile profile) Check if this service supports the specified profile.
boolean	supportsAll(Iterable<ServiceProfile> profiles) Check if this service supports all the specified service profiles.
boolean	supportsAll(ServiceProfile... profiles) Check if this service supports all the specified service profiles.
boolean	supportsAny(Iterable<ServiceProfile> profiles) Check if this service any of the specified service profiles.
boolean	supportsAny(ServiceProfile... profiles) Check if this service any of the specified service profiles.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

Service

public Service()

Method Detail

getNumber

public int getNumber()

Get the service number.

Returns:

The service number.

setNumber

public Service setNumber(int number)

Set the service number.

Parameters:

number - The service number.

Returns:

this object.

getServiceOwnerNumber

public int getServiceOwnerNumber()

Get the service owner number.

Returns:

The service owner number.

setServiceOwnerNumber

public Service setServiceOwnerNumber(int serviceOwnerNumber)

Set the service owner number

Parameters:

serviceOwnerNumber - The service owner number.

Returns:

this object.

getServiceName

public String getServiceName()

Get the service name.

Returns:

The service name.

setServiceName

public Service setServiceName(String serviceName)

Set the service name.

Parameters:

serviceName - The service name.

Returns:

this object.

getApiKey

public long getApiKey()

Get the API key.

Returns:

The API key.

setApiKey

public Service setApiKey(long apiKey)

Set the API key.

Parameters:

apiKey - The API key.

Returns:

this object.

getApiSecret

public String getApiSecret()

Get the API secret.

Returns:

The API secret.

setApiSecret

public Service setApiSecret(String apiSecret)

Set the API secret.

Parameters:

apiSecret - The API secret.

Returns:

this object.

getIssuer

public URI getIssuer()

Get the issuer identifier of this OpenID provider.

Returns:

The issuer identifier.

setIssuer

public Service setIssuer(URI issuer)

Set the issuer identifier of this OpenID provider.

Parameters:

issuer - The issuer identifier.

Returns:

this object.

getAuthorizationEndpoint

public URI getAuthorizationEndpoint()

Get the URI of the authorization endpoint.

Returns:

The URI of the authorization endpoint.

setAuthorizationEndpoint

public Service setAuthorizationEndpoint(URI endpoint)

Set the URI of the authorization endpoint.

Parameters:

endpoint - The URI of the authorization endpoint.

Returns:

this object.

getTokenEndpoint

public URI getTokenEndpoint()

Get the URI of the token endpoint.

Returns:

The URI of the token endpoint.

setTokenEndpoint

public Service setTokenEndpoint(URI endpoint)

Set the URI of the token endpoint.

Parameters:

endpoint - The URI of the token endpoint.

Returns:

this object.

getRevocationEndpoint

public URI getRevocationEndpoint()

Get the URI of the token revocation endpoint.

Returns:

The URI of the token revocation endpoint.

Since:

1.16

See Also:

RFC 7009: OAuth 2.0 Token Revocation

getSupportedRevocationAuthMethods

public ClientAuthMethod[] getSupportedRevocationAuthMethods()

Get client authentication methods supported at the revocation endpoint.

Returns:

Client authentication methods supported at the revocation endpoint.

Since:

2.13

setSupportedRevocationAuthMethods

public Service setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)

Set client authentication methods supported at the revocation endpoint.

Parameters:

methods - Client authentication methods.

Returns:

this object.

Since:

2.13

setRevocationEndpoint

public Service setRevocationEndpoint(URI endpoint)

Set the URI of the token revocation endpoint.

Parameters:

endpoint - The URI of the token revocation endpoint.

Returns:

this object.

Since:

1.16

See Also:

RFC 7009: OAuth 2.0 Token Revocation

getUserInfoEndpoint

public URI getUserInfoEndpoint()

Get the URI of the user info endpoint.

Returns:

The URI of the user info endpoint.

setUserInfoEndpoint

public Service setUserInfoEndpoint(URI endpoint)

Set the URI of the user info endpoint.

Parameters:

endpoint - The URI of the user info endpoint.

Returns:

this object.

getJwksUri

public URI getJwksUri()

Get the URI of the service's JSON Web Key Set.

Returns:

The URI of the service's JSON Web Key Set.

setJwksUri

public Service setJwksUri(URI uri)

Set the URI of the service's JSON Web Key Set.

Parameters:

uri - The URI of the service's JSON Web Key Set.

Returns:

this object.

getJwks

public String getJwks()

Get the JSON Web Key Set of the service.

Returns:

The JSON Web Key Set of the service.

setJwks

public Service setJwks(String jwks)

Set the JSON Web Key Set of the service.

Parameters:

jwks - The JSON Web Key Set of the service.

Returns:

this object.

getRegistrationEndpoint

public URI getRegistrationEndpoint()

Get the URI of the registration endpoint.

Returns:

The URI of the registration endpoint.

setRegistrationEndpoint

public Service setRegistrationEndpoint(URI endpoint)

Set the URI of the registration endpoint.

Parameters:

endpoint - The URI of the registration endpoint.

Returns:

this object.

getRegistrationManagementEndpoint

public URI getRegistrationManagementEndpoint()

Get the URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

Returns:

The base URI of the registration management endpoint.

Since:

2.39

setRegistrationManagementEndpoint

public Service setRegistrationManagementEndpoint(URI endpoint)

Set the URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

Parameters:

endpoint - The base URI of the registration management endpoint.

Returns:

this object.

Since:

2.39

getSupportedScopes

public Scope[] getSupportedScopes()

Get the supported scopes.

Returns:

The supported scopes.

setSupportedScopes

public Service setSupportedScopes(Scope[] supportedScopes)

Set the supported scopes.

Parameters:

supportedScopes - The supported scopes.

Returns:

this object.

getSupportedResponseTypes

public ResponseType[] getSupportedResponseTypes()

Get the supported response types.

Returns:

The supported response types.

setSupportedResponseTypes

public Service setSupportedResponseTypes(ResponseType[] responseTypes)

Set the supported response types.

Parameters:

responseTypes - The supported response types.

Returns:

this object.

getSupportedGrantTypes

public GrantType[] getSupportedGrantTypes()

Get the supported grant types.

Returns:

The supported grant types.

setSupportedGrantTypes

public Service setSupportedGrantTypes(GrantType[] grantTypes)

Set the supported grant types.

Parameters:

grantTypes - The supported grant types.

Returns:

this object.

getSupportedAcrs

public String[] getSupportedAcrs()

Get the supported ACRs (authentication context class references).

Returns:

The supported ACRs.

setSupportedAcrs

public Service setSupportedAcrs(String[] acrs)

Set the supported ACRs (authentication context class references).

Parameters:

acrs - The supported ACRs.

Returns:

this object.

getSupportedTokenAuthMethods

public ClientAuthMethod[] getSupportedTokenAuthMethods()

Get the supported client authentication methods at the token endpoint.

Returns:

The supported client authentication methods.

setSupportedTokenAuthMethods

public Service setSupportedTokenAuthMethods(ClientAuthMethod[] methods)

Set the number of client authentication methods at the token endpoint.

Parameters:

methods - The supported client authentication methods.

Returns:

this object.

getSupportedDisplays

public Display[] getSupportedDisplays()

Get the supported values of display parameter passed to the authorization endpoint.

Returns:

The supported values of display parameter.

setSupportedDisplays

public Service setSupportedDisplays(Display[] displays)

Set the supported values of display parameter passed to the authorization endpoint.

Parameters:

displays - The supported values of display parameter.

Returns:

this object.

getSupportedClaimTypes

public ClaimType[] getSupportedClaimTypes()

Get the supported claim types.

Returns:

The supported claim types.

setSupportedClaimTypes

public Service setSupportedClaimTypes(ClaimType[] claimTypes)

Set the supported claim types.

Parameters:

claimTypes - The supported claim types.

Returns:

this object.

getSupportedClaims

public String[] getSupportedClaims()

Get the supported claims.

Returns:

The supported claims.

setSupportedClaims

public Service setSupportedClaims(String[] supportedClaims)

Set the supported claims.

Parameters:

supportedClaims - The supported claims.

Returns:

this object.

getServiceDocumentation

public URI getServiceDocumentation()

Get the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.

Returns:

The URI of the service documentation.

setServiceDocumentation

public Service setServiceDocumentation(URI uri)

Set the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.

Parameters:

uri - The URI of the service documentation.

Returns:

this object.

getSupportedClaimLocales

public String[] getSupportedClaimLocales()

Get the supported claim locales.

Returns:

The supported claim locales.

setSupportedClaimLocales

public Service setSupportedClaimLocales(String[] supportedClaimLocales)

Set the supported claim locales.

Parameters:

supportedClaimLocales - The supported claim locales.

Returns:

this object.

getSupportedUiLocales

public String[] getSupportedUiLocales()

Get the supported UI locales.

Returns:

The supported UI locales.

setSupportedUiLocales

public Service setSupportedUiLocales(String[] supportedUiLocales)

Set the supported UI locales.

Parameters:

supportedUiLocales - The supported UI locales.

Returns:

this object.

getPolicyUri

public URI getPolicyUri()

Get the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.

Returns:

The URI of the policy page.

setPolicyUri

public Service setPolicyUri(URI uri)

Set the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.

Parameters:

uri - The URI of the policy page.

Returns:

this object.

getTosUri

public URI getTosUri()

Get the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.

Returns:

The URI of the Terms-of-Service page.

setTosUri

public Service setTosUri(URI uri)

Set the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.

Parameters:

uri - The URI of the Terms-of-Service page.

Returns:

this object.

getDescription

public String getDescription()

Get the description.

Returns:

The description.

setDescription

public Service setDescription(String description)

Set the description.

Parameters:

description - The description.

Returns:

this object.

getAccessTokenType

public String getAccessTokenType()

Get the access token type; the value of token_type in access token responses.

Returns:

The access token type.

See Also:

RFC 6749 (OAuth 2.0), 7.1. Access Token Types, RFC 6749 (OAuth 2.0), 5.1. Successful Response, RFC 6750 (OAuth 2.0 Bearer Token Usage)

setAccessTokenType

public Service setAccessTokenType(String type)

Set the access token type; the value of token_type in access token responses.

Parameters:

type - The access token type.

Returns:

this object.

See Also:

RFC 6749 (OAuth 2.0), 7.1. Access Token Types, RFC 6749 (OAuth 2.0), 5.1. Successful Response, RFC 6750 (OAuth 2.0 Bearer Token Usage)

getAccessTokenSignAlg

public JWSAlg getAccessTokenSignAlg()

Get the signature algorithm of access tokens.

When this method returns null, access tokens issued by this service are just random strings. On the other hand, when this method returns a non-null value, access tokens issued by this service are JWTs and the value returned from this method represents the signature algorithm of the JWTs. Regarding the format, see the description of this Service class.

This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

Returns:

The signature algorithm of JWT-based access tokens. When null is returned, access tokens are not JWTs but just random strings.

Since:

2.37

setAccessTokenSignAlg

public Service setAccessTokenSignAlg(JWSAlg alg)

Set the signature algorithm of access tokens.

When null is set, access tokens issued by this service are just random strings. On the other hand, when a non-null value is set, access tokens issued by this service are JWTs and the value set by this method is used as the signature algorithm of the JWTs. Regarding the format, see the description of this Service class.

This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

Parameters:

alg - The signature algorithm of JWT-based access tokens. When null is given, access tokens are not JWTs but just random strings. Note that symmetric algorithms (HS256, HS384 and HS512) are not supported.

Returns:

this object.

Since:

2.37

getAccessTokenDuration

public long getAccessTokenDuration()

Get the duration of access tokens in seconds; the value of expires_in in access token responses.

Returns:

The duration of access tokens in seconds.

See Also:

RFC 6749 (OAuth 2.0), 5.1. Successful Response

setAccessTokenDuration

public Service setAccessTokenDuration(long duration)

Set the duration of access tokens in seconds; the value of expires_in in access token responses.

Parameters:

duration - The duration of access tokens in seconds.

Returns:

this object.

See Also:

RFC 6749 (OAuth 2.0), 5.1. Successful Response

getRefreshTokenDuration

public long getRefreshTokenDuration()

Get the duration of refresh tokens in seconds.

Returns:

The duration of refresh tokens in seconds.

setRefreshTokenDuration

public Service setRefreshTokenDuration(long duration)

Set the duration of refresh tokens in seconds.

Parameters:

duration - The duration of refresh tokens in seconds.

Returns:

this object.

getIdTokenDuration

public long getIdTokenDuration()

Get the duration of ID tokens in seconds.

Returns:

The duration of ID tokens in seconds.

setIdTokenDuration

public Service setIdTokenDuration(long duration)

Set the duration of ID tokens in seconds.

Parameters:

duration - The duration of ID tokens in seconds.

Returns:

this object.

getAuthorizationResponseDuration

public long getAuthorizationResponseDuration()

Get the duration of authorization response JWTs.

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

Returns:

The duration of authorization response JWTs in seconds.

Since:

2.28

setAuthorizationResponseDuration

public Service setAuthorizationResponseDuration(long duration)

Set the duration of authorization response JWTs.

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

Parameters:

duration - The duration of authorization response JWTs in seconds.

Returns:

this object.

Since:

2.28

getPushedAuthReqDuration

public long getPushedAuthReqDuration()

Get the duration of pushed authorization requests.

"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called "pushed authorization request endpoint") which client applications can register authorization requests into and get corresponding URIs (called "request URIs") from. The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.

The value returned from this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.

Returns:

The duration of pushed authorization requests in seconds.

Since:

2.51

setPushedAuthReqDuration

public Service setPushedAuthReqDuration(long duration)

Set the duration of pushed authorization requests.

"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called "pushed authorization request endpoint") which client applications can register authorization requests into and get corresponding URIs (called "request URIs") from. The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.

The value given to this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.

Parameters:

duration - The duration of pushed authorization requests.

Returns:

this object.

Since:

2.51

getAuthenticationCallbackEndpoint

public URI getAuthenticationCallbackEndpoint()

Get the URI of the authentication callback endpoint.

Returns:

The URI of the authentication callback endpoint.

Since:

1.1

setAuthenticationCallbackEndpoint

public Service setAuthenticationCallbackEndpoint(URI endpoint)

Set the URI of the authentication callback endpoint.

Parameters:

endpoint - The URI of the authentication callback endpoint.

Returns:

this object.

Since:

1.1

getAuthenticationCallbackApiKey

public String getAuthenticationCallbackApiKey()

Get the API key to access the authentication callback endpoint.

Returns:

The API key to access the authentication callback endpoint.

Since:

1.1

setAuthenticationCallbackApiKey

public Service setAuthenticationCallbackApiKey(String apiKey)

Set the API key to access the authentication callback endpoint.

Parameters:

apiKey - The API key to access the authentication callback endpoint.

Returns:

this object.

Since:

1.1

getAuthenticationCallbackApiSecret

public String getAuthenticationCallbackApiSecret()

Get the API secret to access the authentication callback endpoint.

Returns:

The API secret to access the authentication callback endpoint.

Since:

1.1

setAuthenticationCallbackApiSecret

public Service setAuthenticationCallbackApiSecret(String apiSecret)

Set the API secret to access the authentication callback endpoint.

Parameters:

apiSecret - The API secret to access the authentication callback endpoint.

Returns:

this object.

Since:

1.1

getSupportedSnses

public Sns[] getSupportedSnses()

Get the list of supported SNSes for social login at the authorization endpoint.

Returns:

The list of SNSes.

Since:

1.3

setSupportedSnses

public Service setSupportedSnses(Sns[] supportedSnses)

Set the list of supported SNSes for social login at the authorization endpoint.

Parameters:

supportedSnses - The list of SNSes.

Returns:

this object.

Since:

1.3

getSnsCredentials

public SnsCredentials[] getSnsCredentials()

Get the list of SNS credentials that Authlete uses to support social login.

Returns:

The list of SNS credentials.

Since:

1.3

setSnsCredentials

public Service setSnsCredentials(SnsCredentials[] snsCredentials)

Set the list of SNS credentials that Authlete uses to support social login.

Parameters:

snsCredentials - The list of SNS credentials.

Returns:

this object.

Since:

1.3

getCreatedAt

public long getCreatedAt()

Get the time at which this service was created.

Returns:

The time at which this service was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

Since:

1.6

setCreatedAt

public Service setCreatedAt(long createdAt)

Set the time at which this service was created.

Parameters:

createdAt - The time at which this service was created.

Returns:

this object.

Since:

1.6

getModifiedAt

public long getModifiedAt()

Get the time at which this service was last modified.

Returns:

The time at which this service was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

Since:

1.6

setModifiedAt

public Service setModifiedAt(long modifiedAt)

Set the time at which this service was last modified.

Parameters:

modifiedAt - The time at which this service was modified.

Returns:

this object.

Since:

1.6

getMetadata

public Pair[] getMetadata()

Get metadata.

The content of the returned array depends on contexts.

Predefined Service Metadata

Key	Description
"clientCount"	The number of client applications which belong to this service.

Returns:

Metadata. The type is an array of Pair.

Since:

1.39

setMetadata

public Service setMetadata(Pair[] metadata)

Set metadata.

Parameters:

metadata - Metadata. The type is an array of Pair. null may be returned.

Returns:

this object.

Since:

1.39

getDeveloperAuthenticationCallbackEndpoint

public URI getDeveloperAuthenticationCallbackEndpoint()

Get the URI of the developer authentication callback endpoint.

Returns:

The URI of the developer authentication callback endpoint.

Since:

1.9

setDeveloperAuthenticationCallbackEndpoint

public Service setDeveloperAuthenticationCallbackEndpoint(URI endpoint)

Set the URI of the developer authentication callback endpoint.

Parameters:

endpoint - The URI of the developer authentication callback endpoint.

Returns:

this object.

Since:

1.9

getDeveloperAuthenticationCallbackApiKey

public String getDeveloperAuthenticationCallbackApiKey()

Get the API key to access the developer authentication callback endpoint.

Returns:

The API key to access the developer authentication callback endpoint.

Since:

1.9

setDeveloperAuthenticationCallbackApiKey

public Service setDeveloperAuthenticationCallbackApiKey(String apiKey)

Set the API key to access the developer authentication callback endpoint.

Parameters:

apiKey - The API key to access the developer authentication callback endpoint.

Returns:

this object.

Since:

1.9

getDeveloperAuthenticationCallbackApiSecret

public String getDeveloperAuthenticationCallbackApiSecret()

Get the API secret to access the developer authentication callback endpoint.

Returns:

The API secret to access the developer authentication callback endpoint.

Since:

1.9

setDeveloperAuthenticationCallbackApiSecret

public Service setDeveloperAuthenticationCallbackApiSecret(String apiSecret)

Set the API secret to access the developer authentication callback endpoint.

Parameters:

apiSecret - The API secret to access the developer authentication callback endpoint.

Returns:

this object.

Since:

1.9

getSupportedDeveloperSnses

public Sns[] getSupportedDeveloperSnses()

Get the list of supported SNSes for social login at the developer console.

Returns:

The list of SNSes.

Since:

1.10

setSupportedDeveloperSnses

public Service setSupportedDeveloperSnses(Sns[] supportedSnses)

Set the list of supported SNSes for social login at the developer console.

Parameters:

supportedSnses - The list of SNSes.

Returns:

this object.

Since:

1.10

getDeveloperSnsCredentials

public SnsCredentials[] getDeveloperSnsCredentials()

Get the list of SNS credentials that Authlete uses to support social login at the developer console.

Returns:

The list of SNS credentials.

Since:

1.10

setDeveloperSnsCredentials

public Service setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)

Set the list of SNS credentials that Authlete uses to support social login at the developer console.

Parameters:

snsCredentials - The list of SNS credentials.

Returns:

this object.

Since:

1.10

getClientsPerDeveloper

public int getClientsPerDeveloper()

Get the number of client applications that one developer can create. 0 means that developers can create as many client applications as they want.

Returns:

The number of client applications that one developer can create. 0 means no limit.

Since:

1.16

setClientsPerDeveloper

public Service setClientsPerDeveloper(int count)

Set the number of client applications that one developer can create. 0 means that developers can create as many client applications as they want.

Parameters:

count - The number of client applications that one developer can create. 0 means no limit.

Returns:

this object.

Since:

1.16

isDirectAuthorizationEndpointEnabled

public boolean isDirectAuthorizationEndpointEnabled()

Get the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.16

setDirectAuthorizationEndpointEnabled

public Service setDirectAuthorizationEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.16

isDirectTokenEndpointEnabled

public boolean isDirectTokenEndpointEnabled()

Get the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.16

setDirectTokenEndpointEnabled

public Service setDirectTokenEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.16

isDirectRevocationEndpointEnabled

public boolean isDirectRevocationEndpointEnabled()

Get the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.16

setDirectRevocationEndpointEnabled

public Service setDirectRevocationEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.16

isDirectUserInfoEndpointEnabled

public boolean isDirectUserInfoEndpointEnabled()

Get the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.16

setDirectUserInfoEndpointEnabled

public Service setDirectUserInfoEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.16

isDirectJwksEndpointEnabled

public boolean isDirectJwksEndpointEnabled()

Get the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.16

setDirectJwksEndpointEnabled

public Service setDirectJwksEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.16

isDirectIntrospectionEndpointEnabled

public boolean isDirectIntrospectionEndpointEnabled()

Get the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}

Returns:

true if enabled.

Since:

1.39

setDirectIntrospectionEndpointEnabled

public Service setDirectIntrospectionEndpointEnabled(boolean enabled)

Set the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}

Parameters:

enabled - true to enable the direct endpoint.

Returns:

this object.

Since:

1.39

isSingleAccessTokenPerSubject

public boolean isSingleAccessTokenPerSubject()

Get the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

If this flag is true, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

Returns:

true if the number of access tokens per subject (and per client) is at most one.

Since:

1.20

setSingleAccessTokenPerSubject

public Service setSingleAccessTokenPerSubject(boolean single)

Set the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

If true is set, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

Parameters:

single - true to set the maximum number of access tokens per subject (and per client) to 1.

Returns:

this object.

Since:

1.20

isPkceRequired

public boolean isPkceRequired()

Get the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details.

Returns:

true if PKCE is always required for authorization requests by Authorization Code Flow.

Since:

1.21

See Also:

RFC 7636

setPkceRequired

public Service setPkceRequired(boolean required)

Set the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients for details.

Parameters:

required - true to always require PKCE for authorization requests by Authorization Code Flow.

Returns:

this object.

Since:

1.21

isPkceS256Required

public boolean isPkceS256Required()

Get the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

If this flag is true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.

Returns:

true if S256 is always required as the code challenge method whenever PKCE is used.

Since:

2.46

See Also:

RFC 7636

setPkceS256Required

public Service setPkceS256Required(boolean required)

Set the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

If true is set, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.

Parameters:

required - true to require S256 as the code challenge method whenever PKCE is used.

Returns:

this object.

Since:

2.46

See Also:

RFC 7636

isRefreshTokenKept

public boolean isRefreshTokenKept()

Get the flag which indicates whether a refresh token remains valid or gets renewed after its use.

Returns:

true if a refresh token remains valid after its use. false if a new refresh token is issued after its use.

Since:

1.33

setRefreshTokenKept

public Service setRefreshTokenKept(boolean kept)

Set the flag which indicates whether a refresh token remains valid or gets renewed after its use.

Parameters:

kept - true to keep a refresh token valid after its use. false to renew a refresh token after its use.

Returns:

this object.

Since:

1.33

isErrorDescriptionOmitted

public boolean isErrorDescriptionOmitted()

Get the flag which indicates whether the error_description response parameter is omitted.

According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this errorDescriptionOmitted property is true, Authlete does not embed the error_description response parameter in error responses.

Returns:

true if the error_description response parameter is omitted. false if the error_description response parameter is included in error responses from the authorization server.

Since:

1.39

setErrorDescriptionOmitted

public Service setErrorDescriptionOmitted(boolean omitted)

Omit or embed the error_description response parameter in error responses.

Parameters:

omitted - true to omit the error_description response parameter. false to embed the parameter.

Returns:

this object.

Since:

1.39

isErrorUriOmitted

public boolean isErrorUriOmitted()

Get the flag which indicates whether the error_uri response parameter is omitted.

According to RFC 6749, authorization servers may include the error_uri response parameter in error responses. When this errorUriOmitted property is true, Authlete does not embed the error_uri response parameter in error responses.

Returns:

true if the error_uri response parameter is omitted. false if the error_uri response parameter is included in error responses from the authorization server.

Since:

1.39

setErrorUriOmitted

public Service setErrorUriOmitted(boolean omitted)

Omit or embed the error_uri response parameter in error responses.

Parameters:

omitted - true to omit the error_uri response parameter. false to embed the parameter.

Returns:

this object.

Since:

1.39

isClientIdAliasEnabled

public boolean isClientIdAliasEnabled()

Get the flag which indicates whether the 'Client ID Alias' feature is enabled or not.

Returns:

true if the 'Client ID Alias' feature is enabled. false if the feature is disabled.

Since:

2.2

setClientIdAliasEnabled

public Service setClientIdAliasEnabled(boolean enabled)

Enable/disable the 'Client ID Alias' feature.

When a new client is created, Authlete generates a numeric value and assigns it as a client ID to the newly created client. In addition to the client ID, each client can have a client ID alias. The client ID alias is, however, recognized only when this property (clientIdAliasEnabled) is true.

Parameters:

enabled - true to enable the 'Client ID Alias' feature. false to disable it.

Returns:

this object.

Since:

2.2

getAccessTokenSignatureKeyId

public String getAccessTokenSignatureKeyId()

Get the key ID to identify a JWK used for signing access tokens.

A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based access token (see getAccessTokenSignAlg() for details about JWT-based access token). Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for access token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

This accessTokenSignatureKeyId property exists for the purpose described above.

Returns:

A key ID of a JWK. This may be null.

Since:

2.37

setAccessTokenSignatureKeyId

public Service setAccessTokenSignatureKeyId(String keyId)

Set the key ID to identify a JWK used for signing access tokens.

See the description of getAccessTokenSignatureKeyId() for details.

Parameters:

keyId - A key ID of a JWK. This may be null.

Returns:

this object.

Since:

2.37

getAuthorizationSignatureKeyId

public String getAuthorizationSignatureKeyId()

Get the key ID to identify a JWK used for signing authorization responses using an asymmetric key.

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) has added new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is used, response parameters returned from the authorization endpoint will be packed into a JWT. The JWT is always signed. For the signature of the JWT, Authlete Server has to pick up one JWK from the service's JWK Set.

Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.

Returns:

A key ID of a JWK. This may be null.

Since:

2.28

setAuthorizationSignatureKeyId

public Service setAuthorizationSignatureKeyId(String keyId)

Set the key ID to identify a JWK used for signing authorization responses using an asymmetric key.

See the description of getAuthorizationSignatureKeyId() for details.

Parameters:

keyId - A key ID of a JWK. This may be null.

Returns:

this object.

Since:

2.28

getIdTokenSignatureKeyId

public String getIdTokenSignatureKeyId()

Get the key ID to identify a JWK used for ID token signature using an asymmetric key.

A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signature using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

This idTokenSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

Returns:

A key ID of a JWK. This may be null.

Since:

2.1

setIdTokenSignatureKeyId

public Service setIdTokenSignatureKeyId(String keyId)

Set the key ID to identify a JWK used for ID token signature using an asymmetric key.

See the description of getIdTokenSignatureKeyId() for details.

Parameters:

keyId - A key ID of a JWK. This may be null.

Returns:

this object.

Since:

2.1

getUserInfoSignatureKeyId

public String getUserInfoSignatureKeyId()

Get the key ID to identify a JWK used for user info signature using an asymmetric key.

A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

This userInfoSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

Returns:

A key ID of a JWK. This may be null.

Since:

2.1

setUserInfoSignatureKeyId

public Service setUserInfoSignatureKeyId(String keyId)

Set the key ID to identify a JWK used for user info signature using an asymmetric key.

See the description of getUserInfoSignatureKeyId() for details.

Parameters:

keyId - A key ID of a JWK. This may be null.

Returns:

this object.

Since:

2.1

getSupportedServiceProfiles

public ServiceProfile[] getSupportedServiceProfiles()

Get the supported service profiles.

Returns:

Supported service profiles.

Since:

2.12

setSupportedServiceProfiles

public Service setSupportedServiceProfiles(ServiceProfile[] profiles)

Set the supported service profiles.

Parameters:

profiles - Supported service profiles.

Returns:

this object.

Since:

2.12

setSupportedServiceProfiles

public Service setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)

Set the supported service profiles.

Parameters:

profiles - Supported service profiles.

Returns:

this object.

Since:

2.12

supports

public boolean supports(ServiceProfile profile)

Check if this service supports the specified profile. If null is given, false is returned. If the supported service profiles are not set to this service, false is returned.

Parameters:

profile - A service profile.

Returns:

true if this service supports the service profile.

Since:

2.12

supportsAll

public boolean supportsAll(ServiceProfile... profiles)

Check if this service supports all the specified service profiles. If null is given, true is returned. If an empty array is given, true is returned.

Parameters:

profiles - Service profiles.

Returns:

true if this service supports all the specified service profiles.

Since:

2.12

supportsAll

public boolean supportsAll(Iterable<ServiceProfile> profiles)

Check if this service supports all the specified service profiles. If null is given, true is returned. If an empty collection is given, true is returned.

Parameters:

profiles - Service profiles.

Returns:

true if this service supports all the specified service profiles.

Since:

2.12

supportsAny

public boolean supportsAny(ServiceProfile... profiles)

Check if this service any of the specified service profiles. If null is given, false is returned. If an empty array is given, false is returned.

Parameters:

profiles - Service profiles.

Returns:

true if this service supports any of the specified service profiles.

Since:

2.12

supportsAny

public boolean supportsAny(Iterable<ServiceProfile> profiles)

Check if this service any of the specified service profiles. If null is given, false is returned. If an empty collection is given, false is returned.

Parameters:

profiles - Service profiles.

Returns:

true if this service supports any of the specified service profiles.

Since:

2.12

isTlsClientCertificateBoundAccessTokens

public boolean isTlsClientCertificateBoundAccessTokens()

Does this service support issuing TLS client certificate bound access tokens?

Returns:

true if this service supports issuing TLS client certificate bound access tokens.

Since:

2.19

setTlsClientCertificateBoundAccessTokens

public Service setTlsClientCertificateBoundAccessTokens(boolean enabled)

Enable or disable support for TLS client certificate bound access tokens.

Parameters:

enabled - true to enable TLS client certificate bound access tokens.

Returns:

this object.

Since:

2.19

getIntrospectionEndpoint

public URI getIntrospectionEndpoint()

Get the URI of the introspection endpoint.

Returns:

The URI of the introspection endpoint.

Since:

2.13

See Also:

RFC 7662: OAuth 2.0 Token Introspection

setIntrospectionEndpoint

public Service setIntrospectionEndpoint(URI endpoint)

Set the URI of the introspection endpoint.

Parameters:

endpoint - The URI of the introspection endpoint.

Returns:

this object.

Since:

2.13

See Also:

RFC 7662: OAuth 2.0 Token Introspection

getSupportedIntrospectionAuthMethods

public ClientAuthMethod[] getSupportedIntrospectionAuthMethods()

Get client authentication methods supported at the introspection endpoint.

Returns:

Client authentication methods supported at the introspection endpoint.

Since:

2.13

setSupportedIntrospectionAuthMethods

public Service setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)

Set client authentication methods supported at the introspection endpoint.

Parameters:

methods - Client authentication methods.

Returns:

this object.

Since:

2.13

isMutualTlsValidatePkiCertChain

public boolean isMutualTlsValidatePkiCertChain()

Determine whether this service validates certificate chains during PKI-based client mutual TLS authentication.

Returns:

true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.

Since:

2.15

setMutualTlsValidatePkiCertChain

public Service setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)

Set whether this service validates certificate chains during PKI-based client mutual TLS authentication.

Parameters:

mutualTlsValidatePkiCertChain - true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.

Returns:

this object.

Since:

2.15

getTrustedRootCertificates

public String[] getTrustedRootCertificates()

Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.

Returns:

The list of root certificates trusted by this service in PEM format.

Since:

2.15

setTrustedRootCertificates

public Service setTrustedRootCertificates(String[] trustedRootCertificates)

Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.

Parameters:

trustedRootCertificates - The list of root certificates trusted by this service in PEM format.

Returns:

this object.

Since:

2.15

getSupportedBackchannelTokenDeliveryModes

public DeliveryMode[] getSupportedBackchannelTokenDeliveryModes()

Get the supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

Returns:

Supported backchannel token delivery modes.

Since:

2.32

setSupportedBackchannelTokenDeliveryModes

public Service setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)

Get the supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

Parameters:

modes - Supported backchannel token delivery modes.

Returns:

this object.

Since:

2.32

getBackchannelAuthenticationEndpoint

public URI getBackchannelAuthenticationEndpoint()

Get the URI of the backchannel authentication endpoint.

Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

Returns:

The URI of the backchannel authentication endpoint.

Since:

2.32

setBackchannelAuthenticationEndpoint

public Service setBackchannelAuthenticationEndpoint(URI endpoint)

Set the URI of the backchannel authentication endpoint.

Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

Parameters:

endpoint - The URI of the backchannel authentication endpoint.

Returns:

this object.

Since:

2.32

isBackchannelUserCodeParameterSupported

public boolean isBackchannelUserCodeParameterSupported()

Get the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.

Returns:

true if the "user_code" request parameter is supported at the backchannel authentication endpoint.

Since:

2.32

setBackchannelUserCodeParameterSupported

public Service setBackchannelUserCodeParameterSupported(boolean supported)

Set the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.

Parameters:

supported - true to indicate that the "user_code" request parameter is supported.

Returns:

this object.

Since:

2.32

getBackchannelAuthReqIdDuration

public int getBackchannelAuthReqIdDuration()

Get the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

Returns:

The duration of backchannel authentication request IDs in seconds.

Since:

2.32

setBackchannelAuthReqIdDuration

public Service setBackchannelAuthReqIdDuration(int duration)

Set the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

Parameters:

duration - The duration of backchannel authentication request IDs in seconds.

Returns:

this object.

Since:

2.32

getBackchannelPollingInterval

public int getBackchannelPollingInterval()

Get the minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.

Returns:

The minimum interval between polling requests in seconds.

Since:

2.32

setBackchannelPollingInterval

public Service setBackchannelPollingInterval(int interval)

Set the minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.

Parameters:

interval - The minimum interval between polling requests in seconds. Must be in between 0 and 65,535.

Returns:

this object.

Since:

2.32

isBackchannelBindingMessageRequiredInFapi

public boolean isBackchannelBindingMessageRequiredInFapi()

Get the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.

Returns:

true if the binding_message request parameter is required whenever a backchannel authentication request is judged as a request for Financial-grade API.

Since:

2.48

setBackchannelBindingMessageRequiredInFapi

public Service setBackchannelBindingMessageRequiredInFapi(boolean required)

Set the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.

The FAPI-CIBA profile requires that the authorization server "shall ensure unique authorization context exists in the authorization request or require a binding_message in the authorization request" (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set true to this property.

If false is set to this property, the binding_message request parameter remains optional even in FAPI context, but in exchange, your authorization server must implement a custom mechanism that ensures each backchannel authentication request has unique context.

Parameters:

required - true to require the binding_message request parameter whenever a backchannel authentication request is judged as a request for Financial-grade API.

Returns:

this object.

Since:

2.48

getAllowableClockSkew

public int getAllowableClockSkew()

Get the allowable clock skew between the server and clients in seconds.

The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

Returns:

Allowable clock skew in seconds.

Since:

2.32

setAllowableClockSkew

public Service setAllowableClockSkew(int seconds)

Set the allowable clock skew between the server and clients in seconds.

The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

Parameters:

seconds - Allowable clock skew in seconds. Must be in between 0 and 65,535.

Returns:

this object.

Since:

2.32

isDynamicRegistrationSupported

public boolean isDynamicRegistrationSupported()

Get the flag which indicates whether the dynamic client registration is supported.

Returns:

true if enabled.

Since:

2.39

setDynamicRegistrationSupported

public Service setDynamicRegistrationSupported(boolean enabled)

Set the flag which indicates whether dynamic client registration is supported.

Parameters:

enabled - true to enable dynamic client registration

Returns:

this object.

Since:

2.39

getDeviceAuthorizationEndpoint

public URI getDeviceAuthorizationEndpoint()

Get the URI of the device authorization endpoint.

Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

Returns:

The URI of the device authorization endpoint.

Since:

2.42

setDeviceAuthorizationEndpoint

public Service setDeviceAuthorizationEndpoint(URI endpoint)

Set the URI of the device authorization endpoint.

Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

Parameters:

endpoint - The URI of the device authorization endpoint.

Returns:

this object.

Since:

2.42

getDeviceVerificationUri

public URI getDeviceVerificationUri()

Get the verification URI for the device flow. This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.

Returns:

The verification URI.

Since:

2.42

setDeviceVerificationUri

public Service setDeviceVerificationUri(URI uri)

Set the verification URI for the device flow. This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.

Parameters:

uri - The verification URI.

Returns:

this object.

Since:

2.42

getDeviceVerificationUriComplete

public URI getDeviceVerificationUriComplete()

Get the verification URI for the device flow with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.

Returns:

The verification URI with a placeholder for a user code.

Since:

2.42

setDeviceVerificationUriComplete

public Service setDeviceVerificationUriComplete(URI uri)

Set the verification URI for the device flow with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.

It is expected that the URI contains a fixed string USER_CODE somewhere as a placeholder for a user code. For example, like the following.

 https://example.com/device?user_code=USER_CODE
 

The fixed string is replaced with an actual user code when Authlete builds a verification URI with a user code for the verification_uri_complete parameter.

If this URI is not set, the verification_uri_complete parameter won't appear in device authorization responses.

Parameters:

uri - The verification URI with a placeholder for a user code.

Returns:

this object.

Since:

2.42

getDeviceFlowCodeDuration

public int getDeviceFlowCodeDuration()

Get the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.

Returns:

The duration of device verification codes and end-user verification codes in seconds.

Since:

2.42

setDeviceFlowCodeDuration

public Service setDeviceFlowCodeDuration(int duration)

Set the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.

Parameters:

duration - The duration of device verification codes and end-user verification codes in seconds.

Returns:

this object.

Since:

2.42

getDeviceFlowPollingInterval

public int getDeviceFlowPollingInterval()

Get the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow. This is used as the value of the interval property in responses from the device authorization endpoint.

Returns:

The minimum interval between polling requests in seconds in device flow.

Since:

2.42

setDeviceFlowPollingInterval

public Service setDeviceFlowPollingInterval(int interval)

Set the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow. This is used as the value of the interval property in responses from the device authorization endpoint.

Parameters:

interval - The minimum interval between polling requests in seconds in device flow. Must be in between 0 and 65,535.

Returns:

this object.

Since:

2.42

getUserCodeCharset

public UserCodeCharset getUserCodeCharset()

Get the character set for end-user verification codes (user_code) for Device Flow.

Returns:

The character set for end-user verification codes (user_code) for Device Flow.

Since:

2.43

setUserCodeCharset

public Service setUserCodeCharset(UserCodeCharset charset)

Set the character set for end-user verification codes (user_code) for Device Flow.

Parameters:

charset - The character set for end-user verification codes (user_code) for Device Flow.

Returns:

this object.

Since:

2.43

getUserCodeLength

public int getUserCodeLength()

Get the length of end-user verification codes (user_code) for Device Flow.

Returns:

The length of end-user verification codes (user_code) for Device Flow.

Since:

2.43

setUserCodeLength

public Service setUserCodeLength(int length)

Set the length of end-user verification codes (user_code) for Device Flow.

Parameters:

length - The length of end-user verification codes (user_code) for Device Flow. The value must not be negative and must not be larger than 255.

Returns:

this object.

Since:

2.43

getRequestObjectEndpoint

public URI getRequestObjectEndpoint()

Get the URI of the request object endpoint.

This property corresponds to the request_object_endpoint metadata defined in "7.5. OpenID Provider Discovery Metadata" of FAPI Part 2.

Returns:

The URI of the request object endpoint.

Since:

2.46

See Also:

FAPI Part 2, 7.5. OpenID Provider Discovery Metadata

setRequestObjectEndpoint

public Service setRequestObjectEndpoint(URI endpoint)

Set the URI of the request object endpoint.

This property corresponds to the request_object_endpoint metadata defined in "7.5. OpenID Provider Discovery Metadata" of FAPI Part 2.

Parameters:

endpoint - The URI of the request object endpoint.

Returns:

this object.

Since:

2.46

See Also:

FAPI Part 2, 7.5. OpenID Provider Discovery Metadata

getMtlsEndpointAliases

public NamedUri[] getMtlsEndpointAliases()

Get the MTLS endpoint aliases.

This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens.

Returns:

MTLS endpoint aliases.

Since:

2.49

setMtlsEndpointAliases

public Service setMtlsEndpointAliases(NamedUri[] aliases)

Set the MTLS endpoint aliases.

This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens.

The aliases will be embedded in the response from the discovery endpoint like the following.

 {
     ......,
     "mtls_endpoint_aliases": {
         "token_endpoint":         "https://mtls.example.com/token",
         "revocation_endpoint":    "https://mtls.example.com/revo",
         "introspection_endpoint": "https://mtls.example.com/introspect"
     }
 }
 

Parameters:

aliases - MTLS endpoint aliases.

Returns:

this object.

Since:

2.49