authlete
diff --git a/‎pom.xml‎
Lines changed: 1 addition & 1 deletion b/‎pom.xml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionEndpoint.java‎
Lines changed: 9 additions & 8 deletions b/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionEndpoint.java‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionHandlerSpiImpl.java‎
Lines changed: 130 additions & 4 deletions b/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionHandlerSpiImpl.java‎
Lines changed: 130 additions & 4 deletions
diff --git a/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationRequestHandlerSpiImpl.java‎
Lines changed: 5 additions & 7 deletions b/‎src/main/java/com/authlete/jaxrs/server/api/AuthorizationRequestHandlerSpiImpl.java‎
Lines changed: 5 additions & 7 deletions
@@ -12,7 +12,7 @@
  <properties>
  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
- <authlete.java.common.version>2.24</authlete.java.common.version>
+ <authlete.java.common.version>2.26</authlete.java.common.version>
  <authlete.java.jaxrs.version>2.10</authlete.java.jaxrs.version>
  <javax.servlet-api.version>3.0.1</javax.servlet-api.version>
  <jersey.version>2.22.1</jersey.version>
 
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Authlete, Inc.
+ * Copyright (C) 2016-2018 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@
 
 
 import java.util.Date;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.Consumes;
@@ -77,15 +76,17 @@ public Response post(
 
  // Retrieve some variables from the session. See the implementation
  // of AuthorizationRequestHandlerSpiImpl.getAuthorizationPage().
- String ticket = (String) takeAttribute(session, "ticket");
- String[] claimNames = (String[])takeAttribute(session, "claimNames");
- String[] claimLocales = (String[])takeAttribute(session, "claimLocales");
- User user = getUser(session, parameters);
- Date authTime = (Date)session.getAttribute("authTime");
+ String ticket = (String) takeAttribute(session, "ticket");
+ String[] claimNames = (String[])takeAttribute(session, "claimNames");
+ String[] claimLocales = (String[])takeAttribute(session, "claimLocales");
+ String idTokenClaims = (String) takeAttribute(session, "idTokenClaims");
+ User user = getUser(session, parameters);
+ Date authTime = (Date)session.getAttribute("authTime");
 
  // Handle the end-user's decision.
  return handle(AuthleteApiFactory.getDefaultApi(),
- new AuthorizationDecisionHandlerSpiImpl(parameters, user, authTime),
+ new AuthorizationDecisionHandlerSpiImpl(
+ parameters, user, authTime, idTokenClaims),
  ticket, claimNames, claimLocales);
  }
 
 
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Authlete, Inc.
+ * Copyright (C) 2016-2018 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,11 +18,11 @@
 
 
 import java.util.Date;
-
+import java.util.Map;
 import javax.ws.rs.core.MultivaluedMap;
-
 import com.authlete.common.dto.Property;
 import com.authlete.common.types.User;
+import com.authlete.common.util.Utils;
 import com.authlete.jaxrs.spi.AuthorizationDecisionHandlerSpiAdapter;
 
 
@@ -65,6 +65,14 @@ class AuthorizationDecisionHandlerSpiImpl extends AuthorizationDecisionHandlerSp
  private String mUserSubject;
 
 
+ /**
+ * The value of the "id_token" property in the "claims" request parameter
+ * (or in the "claims" property in the request object) contained in the
+ * original authorization request.
+ */
+ private Map<String, Object> mIdTokenClaims;
+
+
  /**
  * Constructor with a request from the form in the authorization page.
  *
@@ -73,7 +81,9 @@ class AuthorizationDecisionHandlerSpiImpl extends AuthorizationDecisionHandlerSp
  * {@code password} in {@code parameters}.
  * </p>
  */
- public AuthorizationDecisionHandlerSpiImpl(MultivaluedMap<String, String> parameters, User user, Date userAuthenticatedAt)
+ public AuthorizationDecisionHandlerSpiImpl(
+ MultivaluedMap<String, String> parameters, User user,
+ Date userAuthenticatedAt, String idTokenClaims)
  {
  // If the end-user clicked the "Authorize" button, "authorized"
  // is contained in the request.
@@ -106,6 +116,12 @@ public AuthorizationDecisionHandlerSpiImpl(MultivaluedMap<String, String> parame
 
  // The subject (= unique identifier) of the end-user.
  mUserSubject = mUser.getSubject();
+
+ // The value of the "id_token" property in the "claims" request parameter
+ // (or in the "claims" property in the request object) contained in the
+ // original authorization request. See '5.5. Requesting Claims using the
+ // "claims" Request Parameter' in OpenID Connect Core 1.0 for details.
+ mIdTokenClaims = parseJson(idTokenClaims);
  }
 
 
@@ -137,6 +153,16 @@ public String getUserSubject()
  @Override
  public Object getUserClaim(String claimName, String languageTag)
  {
+ // First, check if the claim is a custom one.
+ Object value = getCustomClaim(claimName, languageTag);
+
+ // If the value for the custom claim was obtained.
+ if (value != null)
+ {
+ // Return the value of the custom claim.
+ return value;
+ }
+
  // getUserClaim() is called only when getUserSubject() has returned
  // a non-null value. So, mUser is not null when the flow reaches here.
  return mUser.getClaim(claimName, languageTag);
@@ -152,4 +178,104 @@ public Property[] getProperties()
  // that may be issued as a result of the authorization request.
  return null;
  }
+
+
+ @SuppressWarnings("unchecked")
+ private static Map<String, Object> parseJson(String json)
+ {
+ if (json == null)
+ {
+ return null;
+ }
+
+ try
+ {
+ return (Map<String, Object>)Utils.fromJson(json, Map.class);
+ }
+ catch (Exception e)
+ {
+ // Failed to parse the input as JSON.
+ return null;
+ }
+ }
+
+
+ private Object getCustomClaim(String claimName, String languageTag)
+ {
+ // Special behavior for Open Banking Profile.
+ if ("openbanking_intent_id".equals(claimName))
+ {
+ // The Open Banking Profile requires that an authorization
+ // request contains the "openbanking_intent_id" claim and
+ // the authorization server embeds the value of the claim
+ // in an ID token.
+ return getValueFromIdTokenClaims(claimName);
+ }
+
+ return null;
+ }
+
+
+ private Object getValueFromIdTokenClaims(String claimName)
+ {
+ // Try to extract the entry for the claim from the "id_token"
+ // property in the "claims" (which was contained in the original
+ // authorization request).
+ Map<String, Object> entry = getEntryFromIdTokenClaims(claimName);
+
+ // If an entry for the claim is not available.
+ if (entry == null)
+ {
+ // The value of the claim is not available.
+ return null;
+ }
+
+ // This method expects that the entry has a "value" property.
+ return entry.get("value");
+ }
+
+
+ @SuppressWarnings("unchecked")
+ private Map<String, Object> getEntryFromIdTokenClaims(String claimName)
+ {
+ // If the original authorization request does not include
+ // the "id_token" property in the "claims" request parameter
+ // (or in the "claims" property in the request object).
+ if (mIdTokenClaims == null)
+ {
+ // No entry for the claim.
+ return null;
+ }
+
+ // Extract the entry for the claim from the "id_token" property.
+ Object entry = mIdTokenClaims.get(claimName);
+
+ // If the claim is not included.
+ if (entry == null)
+ {
+ // No entry for the claim.
+ return null;
+ }
+
+ // The expected format of a claim in the "id_token" property is
+ // as follows. See '5.5. Requesting Claims using the "claims"
+ // Request Parameter' in OpenID Connect Core 1.0 for details.
+ //
+ // "claim_name" : {
+ // "essential": <boolean>, // Optional
+ // "value": <value>, // Optional
+ // "values": [<values>] // Optional
+ // }
+ //
+ // Therefore, 'entry' should be able to be parsed as Map.
+
+ if (!(entry instanceof Map))
+ {
+ // The format of the claim is invalid.
+ return null;
+ }
+
+ // Found the entry for the claim.
+ return (Map<String, Object>)entry;
+ }
 }
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Authlete, Inc.
+ * Copyright (C) 2016-2018 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,14 +20,11 @@
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
 import org.glassfish.jersey.server.mvc.Viewable;
-
 import com.authlete.common.dto.AuthorizationResponse;
 import com.authlete.common.types.Prompt;
 import com.authlete.common.types.User;
@@ -92,9 +89,10 @@ public Response generateAuthorizationPage(AuthorizationResponse info)
 
  // Store some variables into the session so that they can be
  // referred to later in AuthorizationDecisionEndpoint.
- session.setAttribute("ticket", info.getTicket());
- session.setAttribute("claimNames", info.getClaims());
- session.setAttribute("claimLocales", info.getClaimsLocales());
+ session.setAttribute("ticket", info.getTicket());
+ session.setAttribute("claimNames", info.getClaims());
+ session.setAttribute("claimLocales", info.getClaimsLocales());
+ session.setAttribute("idTokenClaims", info.getIdTokenClaims());
 
  // Clear the current user information in the session if necessary.
  clearCurrentUserInfoInSessionIfNecessary(info, session);