com.authlete.common.dto

Class TokenResponse

java.lang.Object

com.authlete.common.dto.ApiResponse

com.authlete.common.dto.TokenResponse

All Implemented Interfaces:

Serializable

public class TokenResponse
extends ApiResponse

Response from Authlete's /auth/token API.

Authlete's /auth/token API returns JSON which can be mapped to this class. The service implementation should retrieve the value of "action" from the response and take the following steps according to the value.

INVALID_CLIENT

When the value of "action" is "INVALID_CLIENT", it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". This requirement comes from RFC 6749, 5.2. Error Response. The description about "invalid_client" shown below is an excerpt from RFC 6749.

invalid_client

Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

In either case, the JSON string returned by getResponseContent() can be used as the entity body of the response to the client application.

The following illustrate the response which the service implementation should generate and return to the client application.

 HTTP/1.1 400 Bad Request
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: (challenge)
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

INTERNAL_SERVER_ERROR

When the value of "action" is "INTERNAL_SERVER_ERROR", it means that the request from the service implementation (AuthorizationIssueRequest) was wrong or that an error occurred in Authlete.

In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".

getResponseContent() returns a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

 HTTP/1.1 500 Internal Server Error
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

BAD_REQUEST

When the value of "action" is "BAD_REQUEST", it means that the request from the client application is invalid.

The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be "application/json".

getResponseContent() returns a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

 HTTP/1.1 400 Bad Request
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

PASSWORD

When the value of "action" is "PASSWORD", it means that the request from the client application is valid and grant_type is "password". That is, the flow is "Resource Owner Password Credentials".

In this case, getUsername() returns the value of "username" request parameter and getPassword() returns the value of "password" request parameter which were contained in the token request from the client application. The service implementation must validate the credentials of the resource owner (= end-user) and take either of the actions below according to the validation result.

1. When the credentials are valid, call Authlete's /auth/token/issue API to generate an access token for the client application. The API requires "ticket" request parameter and "subject" request parameter. Use the value returned from getTicket() method as the value for "ticket" parameter.

   
   

   The response from /auth/token/issue API (TokenIssueResponse) contains data (an access token and others) which should be returned to the client application. Use the data to generate a response to the client application.

   
   

2. When the credentials are invalid, call Authlete's /auth/token/fail API with reason=INVALID_RESOURCE_OWNER_CREDENTIALS to generate an error response for the client application. The API requires "ticket" request parameter. Use the value returned from getTicket() method as the value for "ticket" parameter.

   
   

   The response from /auth/token/fail API (TokenFailResponse) contains error information which should be returned to the client application. Use it to generate a response to the client application.

OK

When the value of "action" is "OK", it means that the request from the client application is valid and an access token, and optionally an ID token, is ready to be issued.

The HTTP status of the response returned to the client application must be "200 OK" and the content type must be "application/json".

getResponseContent() returns a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

Author:

Takahiko Kawasaki

See Also:

RFC 6749, OAuth 2.0, Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	TokenResponse.Action The next action that the service implementation should take.

Constructor Summary

Constructors

Constructor and Description
TokenResponse()

Method Summary

Modifier and Type	Method and Description
String	getAccessToken() Get the newly issued access token.
long	getAccessTokenDuration() Get the duration of the access token in seconds.
long	getAccessTokenExpiresAt() Get the date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.
TokenResponse.Action	getAction() Get the next action that the service implementation should take.
ClientAuthMethod	getClientAuthMethod() Get the client authentication method that should be performed at the token endpoint.
long	getClientId() Get the client ID.
String	getClientIdAlias() Get the client ID alias when the token request was made.
GrantType	getGrantType() Get the grant type of the token request.
String	getIdToken() Get the ID token.
String	getJwtAccessToken() Get the newly issued access token in JWT format.
String	getPassword() Get the value of "password" request parameter.
Property[]	getProperties() Get the extra properties associated with the access token.
String	getRefreshToken() Get the newly issued refresh token.
long	getRefreshTokenDuration() Get the duration of the refresh token in seconds.
long	getRefreshTokenExpiresAt() Get the date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.
String	getResponseContent() Get the response content which can be used as the entity body of the response returned to the client application.
String[]	getScopes() Get the scopes covered by the access token.
String	getSubject() Get the subject (= resource owner's ID) of the access token.
String	getTicket() Get the ticket issued from Authlete's /auth/token endpoint.
String	getUsername() Get the value of "username" request parameter.
boolean	isClientIdAliasUsed() Get the flag which indicates whether the client ID alias was used when the token request was made.
void	setAccessToken(String accessToken) Set the newly issued access token.
void	setAccessTokenDuration(long duration) Set the duration of the access token in seconds.
void	setAccessTokenExpiresAt(long expiresAt) Set the date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.
void	setAction(TokenResponse.Action action) Set the next action that the service implementation should take.
void	setClientAuthMethod(ClientAuthMethod method) Set the client authentication method that should be performed at the token endpoint.
void	setClientId(long clientId) Set the client ID.
void	setClientIdAlias(String alias) Set the client ID alias when the token request was made.
void	setClientIdAliasUsed(boolean used) Set the flag which indicates whether the client ID alias was used when the token request was made.
void	setGrantType(GrantType grantType) Set the grant type of the token request.
void	setIdToken(String idToken) Set the ID token.
void	setJwtAccessToken(String jwtAccessToken) Set the newly issued access token in JWT format.
void	setPassword(String password) Set the value of "password" request parameter.
void	setProperties(Property[] properties) Set the extra properties associated with the access token.
void	setRefreshToken(String refreshToken) Set the newly issued refresh token.
void	setRefreshTokenDuration(long duration) Set the duration of the refresh token in seconds.
void	setRefreshTokenExpiresAt(long expiresAt) Set the date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.
void	setResponseContent(String responseContent) Set the response content which can be used as the entity body of the response returned to the client application.
void	setScopes(String[] scopes) Set the scopes covered by the access token.
void	setSubject(String subject) Set the subject (= resource owner's ID) of the access token.
void	setTicket(String ticket) Set the ticket used for /auth/token/issue API or /auth/token/fail API.
void	setUsername(String username) Set the value of "username" request parameter.
String	summarize() Get the summary of this instance.

Methods inherited from class com.authlete.common.dto.ApiResponse

getResultCode, getResultMessage, setResultCode, setResultMessage

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TokenResponse

public TokenResponse()

Method Detail

getAction

public TokenResponse.Action getAction()

Get the next action that the service implementation should take.

setAction

public void setAction(TokenResponse.Action action)

Set the next action that the service implementation should take.

getResponseContent

public String getResponseContent()

Get the response content which can be used as the entity body of the response returned to the client application.

setResponseContent

public void setResponseContent(String responseContent)

Set the response content which can be used as the entity body of the response returned to the client application.

getUsername

public String getUsername()

Get the value of "username" request parameter.

This method returns a non-null value only when the value of "grant_type" request parameter in the token request is "password".

getSubject() method was renamed to getUsername() on version 1.13.

Since:

1.13

See Also:

RFC 6749, 4.3.2. Access Token Request

setUsername

public void setUsername(String username)

Set the value of "username" request parameter.

setSubject(String} was renamed to setUsername(String) on version 1.13.

Since:

1.13

getPassword

public String getPassword()

Get the value of "password" request parameter.

This method returns a non-null value only when the value of "grant_type" request parameter in the token request is "password".

See Also:

RFC 6749, 4.3.2. Access Token Request

setPassword

public void setPassword(String password)

Set the value of "password" request parameter.

getTicket

public String getTicket()

Get the ticket issued from Authlete's /auth/token endpoint. The value is to be used as the value of "ticket" request parameter for /auth/token/issue API or /auth/token/fail API.

This method returns a non-null value only when "action" is PASSWORD.

setTicket

public void setTicket(String ticket)

Set the ticket used for /auth/token/issue API or /auth/token/fail API.

summarize

public String summarize()

Get the summary of this instance.

getAccessToken

public String getAccessToken()

Get the newly issued access token. This method returns a non-null value only when getAction() returns TokenResponse.Action.OK.

If the service is configured to issue JWT-based access tokens, a JWT-based access token is issued additionally. In the case, getJwtAccessToken() returns the JWT-based access token.

Returns:

The newly issued access token.

Since:

1.34

See Also:

getJwtAccessToken()

setAccessToken

public void setAccessToken(String accessToken)

Set the newly issued access token.

Parameters:

accessToken - The newly issued access token.

Since:

1.34

getAccessTokenExpiresAt

public long getAccessTokenExpiresAt()

Get the date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.

Returns:

The expiration date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.

Since:

1.34

setAccessTokenExpiresAt

public void setAccessTokenExpiresAt(long expiresAt)

Set the date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.

Parameters:

expiresAt - The expiration date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.

Since:

1.34

getAccessTokenDuration

public long getAccessTokenDuration()

Get the duration of the access token in seconds.

Returns:

Duration in seconds.

Since:

1.34

setAccessTokenDuration

public void setAccessTokenDuration(long duration)

Set the duration of the access token in seconds.

Parameters:

duration - Duration in seconds.

Since:

1.34

getRefreshToken

public String getRefreshToken()

Get the newly issued refresh token. This method returns a non-null value only when getAction() returns TokenResponse.Action.OK and the service supports the refresh token flow.

Returns:

The newly issued refresh token.

Since:

1.34

setRefreshToken

public void setRefreshToken(String refreshToken)

Set the newly issued refresh token.

Parameters:

refreshToken - The newly issued refresh token.

Since:

1.34

getRefreshTokenExpiresAt

public long getRefreshTokenExpiresAt()

Get the date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.

Returns:

The expiration date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire. If the refresh token is null, this method returns 0.

Since:

1.34

setRefreshTokenExpiresAt

public void setRefreshTokenExpiresAt(long expiresAt)

Set the date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.

Parameters:

expiresAt - The expiration date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire. If the refresh token is null, this method returns 0.

Since:

1.34

getRefreshTokenDuration

public long getRefreshTokenDuration()

Get the duration of the refresh token in seconds.

Returns:

Duration in seconds.

Since:

1.34

setRefreshTokenDuration

public void setRefreshTokenDuration(long duration)

Set the duration of the refresh token in seconds.

Parameters:

duration - Duration in seconds.

Since:

1.34

getIdToken

public String getIdToken()

Get the ID token.

An ID token is issued from a token endpoint when the authorization code flow is used and "openid" is included in the scope list.

Returns:

ID token.

Since:

1.34

See Also:

Authentication using the Authorization Code Flow

setIdToken

public void setIdToken(String idToken)

Set the ID token.

Parameters:

idToken - ID token.

Since:

1.34

getGrantType

public GrantType getGrantType()

Get the grant type of the token request.

Since:

2.8

setGrantType

public void setGrantType(GrantType grantType)

Set the grant type of the token request.

Parameters:

grantType - Grant type of the token request.

Since:

2.8

getClientId

public long getClientId()

Get the client ID.

Since:

2.8

setClientId

public void setClientId(long clientId)

Set the client ID.

Since:

2.8

getClientIdAlias

public String getClientIdAlias()

Get the client ID alias when the token request was made.

If the client did not have an alias, this method returns null. Also, if the token request was invalid and it failed to identify a client, this method returns null.

Returns:

The client ID alias.

Since:

2.8

setClientIdAlias

public void setClientIdAlias(String alias)

Set the client ID alias when the token request was made.

Parameters:

alias - The client ID alias.

Since:

2.8

isClientIdAliasUsed

public boolean isClientIdAliasUsed()

Get the flag which indicates whether the client ID alias was used when the token request was made.

Returns:

true if the client ID alias was used when the token request was made.

Since:

2.8

setClientIdAliasUsed

public void setClientIdAliasUsed(boolean used)

Set the flag which indicates whether the client ID alias was used when the token request was made.

Parameters:

used - true if the client ID alias was used when the token request was made.

Since:

2.8

getSubject

public String getSubject()

Get the subject (= resource owner's ID) of the access token.

Even if an access token has been issued by the call of /api/auth/token API, this method returns null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

Since:

2.8

setSubject

public void setSubject(String subject)

Set the subject (= resource owner's ID) of the access token.

Since:

2.8

getScopes

public String[] getScopes()

Get the scopes covered by the access token.

Since:

2.8

setScopes

public void setScopes(String[] scopes)

Set the scopes covered by the access token.

Since:

2.8

getProperties

public Property[] getProperties()

Get the extra properties associated with the access token. This method returns null when no extra property is associated with the issued access token.

Returns:

Extra properties associated with the issued access token.

Since:

2.8

setProperties

public void setProperties(Property[] properties)

Set the extra properties associated with the access token.

Parameters:

properties - Extra properties.

Since:

2.8

getJwtAccessToken

public String getJwtAccessToken()

Get the newly issued access token in JWT format.

If the authorization server is configured to issue JWT-based access tokens (= if Service.getAccessTokenSignAlg() returns a non-null value), a JWT-based access token is issued along with the original random-string one.

Regarding the detailed format of the JWT-based access token, see the description of the Service class.

Returns:

The newly issued access token in JWT format. If the service is not configured to issue JWT-based access tokens, this method always returns null.

Since:

2.37

See Also:

getAccessToken()

setJwtAccessToken

public void setJwtAccessToken(String jwtAccessToken)

Set the newly issued access token in JWT format.

Parameters:

jwtAccessToken - The newly issued access token in JWT format.

Since:

2.37

getClientAuthMethod

public ClientAuthMethod getClientAuthMethod()

Get the client authentication method that should be performed at the token endpoint.

If the client could not be identified by the information in the request, this method returns null.

Returns:

The client authentication method that should be performed at the token endpoint.

Since:

2.50

setClientAuthMethod

public void setClientAuthMethod(ClientAuthMethod method)

Set the client authentication method that should be performed at the token endpoint.

Parameters:

method - The client authentication method that should be performed at the token endpoint.

Since:

2.50