com.authlete.common.dto

Class UserInfoResponse

java.lang.Object

com.authlete.common.dto.ApiResponse

com.authlete.common.dto.UserInfoResponse

All Implemented Interfaces:

Serializable

public class UserInfoResponse
extends ApiResponse

Response from Authlete's /auth/userinfo API.

Authlete's /auth/userinfo API returns JSON which can be mapped to this class. The service implementation should retrieve the value of "action" from the response and take the following steps according to the value.

INTERNAL_SERVER_ERROR

When the value of "action" is "INTERNAL_SERVER_ERROR", it means that the request from the service implementation was wrong or that an error occurred in Authlete.

In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".

getResponseContent() returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the UserInfo Endpoint implementation of your service can use the string returned from the method as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from UserInfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Error Response for details.

 HTTP/1.1 500 Internal Server Error
 WWW-Authenticate: (The value returned from getResponseContent())
 Cache-Control: no-store
 Pragma: no-cache

BAD_REQUEST

When the value of "action" is "BAD_REQUEST", it means that the request from the client application does not contain an access token (= the request from the service implementation to Authlete does not contain "token" parameter).

getResponseContent() returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the UserInfo Endpoint implementation of your service can use the string returned from the method as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from UserInfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Error Response for details.

 HTTP/1.1 400 Bad Request
 WWW-Authenticate: (The value returned from getResponseContent())
 Cache-Control: no-store
 Pragma: no-cache

UNAUTHORIZED

When the value of "action" is "UNAUTHORIZED", it means that the access token does not exist, has expired, or is not associated with any subject (= any user account).

getResponseContent() returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the UserInfo Endpoint implementation of your service can use the string returned from the method as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from UserInfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Error Response for details.

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: (The value returned from getResponseContent())
 Cache-Control: no-store
 Pragma: no-cache

FORBIDDEN

When the value of "action" is "FORBIDDEN", it means that the access token does not include the "openid" scope.

getResponseContent() returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the UserInfo Endpoint implementation of your service can use the string returned from the method as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from UserInfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Error Response for details.

 HTTP/1.1 403 Forbidden
 WWW-Authenticate: (The value returned from getResponseContent())
 Cache-Control: no-store
 Pragma: no-cache

OK

When the value of "action" is "OK", it means that the access token which the client application presented is valid. To be concrete, it means that the access token exists, has not expired, includes the "openid" scope, and is associated with a subject (= a user account).

What the UserInfo Endpoint of your service should do next is to collect information about the subject (user) from your database. The value of the subject can be obtained from getSubject(), and the names of data, i.e., the claims names can be obtained from getClaims(). For example, if getSubject() returns "joe123" and getClaims() returns ["given_name", "email"], you need to extract information about joe123's given name and email from your database.

Then, call Authlete's /auth/userinfo/issue API with the collected information and the access token in order to make Authlete generate a userinfo response. See the descriptions of UserInfoIssueRequest and UserInfoIssueResponse for details about /auth/userinfo/issue API.

If an error occurred during the above steps, generate an error response to the client. The response should comply with RFC 6750. For example, if the subject associated with the access token does not exist in your database any longer, you may feel like generating a response like below.

 HTTP/1.1 400 Bad Request
 WWW-Authenticate: Bearer error="invalid_token",
  error_description="The subject associated with the access token does not exist."
 Cache-Control: no-store
 Pragma: no-cache

Also, an error might occur on database access. If you treat the error as an internal server error, then the response would be like the following.

 HTTP/1.1 500 Internal Server Error
 WWW-Authenticate: Bearer error="server_error",
  error_description="Failed to extract information about the subject from the database."
 Cache-Control: no-store
 Pragma: no-cache

Author:

Takahiko Kawasaki

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	UserInfoResponse.Action The next action the service implementation should take.

Constructor Summary

Constructors

Constructor and Description
UserInfoResponse()

Method Summary

Modifier and Type	Method and Description
UserInfoResponse.Action	getAction() Get the next action the service implementation should take.
String[]	getClaims() Get the list of claims that the client application requests to be embedded in the userinfo response.
long	getClientId() Get the client ID.
String	getClientIdAlias() Get the client ID alias when the authorization request for the access token was made.
Property[]	getProperties() Get the extra properties associated with the access token.
String	getResponseContent() Get the response content which can be used as a part of the response to the client application.
String[]	getScopes() Get the scopes covered by the access token.
String	getSubject() Get the subject (= resource owner's ID).
String	getToken() Get the access token that came along with the userinfo request.
boolean	isClientIdAliasUsed() Get the flag which indicates whether the client ID alias was used when the authorization request for the access token was made.
void	setAction(UserInfoResponse.Action action) Set the next action the service implementation should take.
void	setClaims(String[] claims) Set the list of claims that the client application requests to be embedded in the ID token.
void	setClientId(long clientId) Set the client ID.
void	setClientIdAlias(String alias) Set the client ID alias when the authorization request for the access token was made.
void	setClientIdAliasUsed(boolean used) Set the flag which indicates whether the client ID alias was used when the authorization request for the access token was made.
void	setProperties(Property[] properties) Set the extra properties associated with the access token.
void	setResponseContent(String responseContent) Set the response content which can be used as a part of the response to the client application.
void	setScopes(String[] scopes) Set the scopes covered by the access token.
void	setSubject(String subject) Set the subject (= resource owner's ID).
void	setToken(String accessToken) Set the access token that came along with the userinfo request.
String	summarize() Get the summary of this instance.

Methods inherited from class com.authlete.common.dto.ApiResponse

getResultCode, getResultMessage, setResultCode, setResultMessage

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

UserInfoResponse

public UserInfoResponse()

Method Detail

getAction

public UserInfoResponse.Action getAction()

Get the next action the service implementation should take.

setAction

public void setAction(UserInfoResponse.Action action)

Set the next action the service implementation should take.

getClientId

public long getClientId()

Get the client ID.

setClientId

public void setClientId(long clientId)

Set the client ID.

getSubject

public String getSubject()

Get the subject (= resource owner's ID).

setSubject

public void setSubject(String subject)

Set the subject (= resource owner's ID).

getScopes

public String[] getScopes()

Get the scopes covered by the access token.

setScopes

public void setScopes(String[] scopes)

Set the scopes covered by the access token.

getClaims

public String[] getClaims()

Get the list of claims that the client application requests to be embedded in the userinfo response. The value comes from "scope" and "claims" request parameters of the original authorization request.

See Also:

OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values, OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter

setClaims

public void setClaims(String[] claims)

Set the list of claims that the client application requests to be embedded in the ID token.

getToken

public String getToken()

Get the access token that came along with the userinfo request.

setToken

public void setToken(String accessToken)

Set the access token that came along with the userinfo request.

getResponseContent

public String getResponseContent()

Get the response content which can be used as a part of the response to the client application.

setResponseContent

public void setResponseContent(String responseContent)

Set the response content which can be used as a part of the response to the client application.

summarize

public String summarize()

Get the summary of this instance.

getProperties

public Property[] getProperties()

Get the extra properties associated with the access token.

Returns:

Extra properties. This method returns null when no extra property is associated with the access token.

Since:

2.5

setProperties

public void setProperties(Property[] properties)

Set the extra properties associated with the access token.

Parameters:

properties - Extra properties.

Since:

2.5

getClientIdAlias

public String getClientIdAlias()

Get the client ID alias when the authorization request for the access token was made. Note that this value may be different from the current client ID alias.

Returns:

The client ID alias when the authorization request for the access token was made.

Since:

2.5

setClientIdAlias

public void setClientIdAlias(String alias)

Set the client ID alias when the authorization request for the access token was made.

Parameters:

alias - The client ID alias.

Since:

2.5

isClientIdAliasUsed

public boolean isClientIdAliasUsed()

Get the flag which indicates whether the client ID alias was used when the authorization request for the access token was made.

Returns:

true if the client ID alias was used when the authorization request for the access token was made.

Since:

2.5

setClientIdAliasUsed

public void setClientIdAliasUsed(boolean used)

Set the flag which indicates whether the client ID alias was used when the authorization request for the access token was made.

Parameters:

used - true if the client ID alias was used when the authorization request for the access token was made.

Since:

2.5