Package com.pingidentity.sdk.authorizationdetails

Interface AuthorizationDetailProcessor

All Superinterfaces:

ConfigurablePlugin, DescribablePlugin, Plugin

public interface AuthorizationDetailProcessor
extends Plugin

This interface defines the methods that the PingFederate server calls to support OAuth 2.0 Rich Authorization Requests

Since:

11.2

Method Summary

Modifier and Type	Method	Description
AuthorizationDetail	enrich(AuthorizationDetail authorizationDetail, AuthorizationDetailContext authorizationDetailContext, Map<String,Object> inParameters)	Provides an opportunity to enrich the authorization detail prior to user consent and any attribute mapping.
String	getUserConsentDescription(AuthorizationDetail authorizationDetail, AuthorizationDetailContext authorizationDetailContext, Map<String,Object> inParameters)	The user-friendly consent description for the enriched authorization detail.
boolean	isEqualOrSubset(AuthorizationDetail requestedAuthorizationDetail, AuthorizationDetail acceptedAuthorizationDetail, AuthorizationDetailContext authorizationDetailContext, Map<String,Object> inParameters)	This method is invoked to determine whether the authorization detail requested subsumes the previously accepted authorization detail by the resource owner.
AuthorizationDetailValidationResult	validate(AuthorizationDetail authorizationDetail, AuthorizationDetailContext authorizationDetailContext, Map<String,Object> inParameters)	Validates whether the incoming authorization detail contains unknown fields, fields of the wrong type, or is missing required fields.

Methods inherited from interface com.pingidentity.sdk.ConfigurablePlugin

configure

Methods inherited from interface com.pingidentity.sdk.DescribablePlugin

getPluginDescriptor

Method Detail

validate

AuthorizationDetailValidationResult validate(AuthorizationDetail authorizationDetail,
                                             AuthorizationDetailContext authorizationDetailContext,
                                             Map<String,Object> inParameters)

Validates whether the incoming authorization detail contains unknown fields, fields of the wrong type, or is missing required fields. The method is only invoked to validate the authorization details received in the token request.

Parameters:

authorizationDetail - The incoming authorization detail.

authorizationDetailContext - Additional AuthorizationDetailContext to provide further information that can be used to enrich the authorization detail.

inParameters - A map that contains a set of input parameters. The input parameters provided are detailed in this class, prefixed with IN_PARAMETER_NAME_*

Returns:

An AuthorizationDetailValidationResult instance, using AuthorizationDetailValidationResult.createInvalidResult(String) will cause PingFederate to response with an 'invalid_authorization_details' error to the client.

Since:

11.2

enrich

AuthorizationDetail enrich(AuthorizationDetail authorizationDetail,
                           AuthorizationDetailContext authorizationDetailContext,
                           Map<String,Object> inParameters)
                    throws AuthorizationDetailProcessingException

Provides an opportunity to enrich the authorization detail prior to user consent and any attribute mapping. This enrichment step will always be invoked regardless if consent is required or not.

Parameters:

authorizationDetail - The incoming authorization detail.

authorizationDetailContext - Additional AuthorizationDetailContext to provide further information that can be used to enrich the authorization detail.

inParameters - A map that contains a set of input parameters. The input parameters provided are detailed in this class, prefixed with IN_PARAMETER_NAME_*

Returns:

The enriched authorization detail that will be provided to getUserConsentDescription(com.pingidentity.sdk.authorizationdetails.AuthorizationDetail, com.pingidentity.sdk.authorizationdetails.AuthorizationDetailContext, java.util.Map<java.lang.String, java.lang.Object>) or an external consent application.

Throws:

AuthorizationDetailProcessingException - if there are errors processing the authorization detail.

Since:

11.2

getUserConsentDescription

String getUserConsentDescription(AuthorizationDetail authorizationDetail,
                                 AuthorizationDetailContext authorizationDetailContext,
                                 Map<String,Object> inParameters)
                          throws AuthorizationDetailProcessingException

The user-friendly consent description for the enriched authorization detail. The method is still invoked when external consent is configured, the descriptions are provided to the adapter; it is up to the adapter facilitating the consent and whether to use the descriptions or not.

Parameters:

authorizationDetail - The enrich(com.pingidentity.sdk.authorizationdetails.AuthorizationDetail, com.pingidentity.sdk.authorizationdetails.AuthorizationDetailContext, java.util.Map<java.lang.String, java.lang.Object>) enriched authorization detail.

authorizationDetailContext - Additional AuthorizationDetailContext to provide further information that can be used to generate the consent message.

inParameters - A map that contains a set of input parameters. The input parameters provided are detailed in this class, prefixed with IN_PARAMETER_NAME_*

Returns:

The consent message to be displayed to the user.

Throws:

AuthorizationDetailProcessingException - if there are errors processing the authorization detail.

Since:

11.2

isEqualOrSubset

boolean isEqualOrSubset(AuthorizationDetail requestedAuthorizationDetail,
                        AuthorizationDetail acceptedAuthorizationDetail,
                        AuthorizationDetailContext authorizationDetailContext,
                        Map<String,Object> inParameters)
                 throws AuthorizationDetailProcessingException

This method is invoked to determine whether the authorization detail requested subsumes the previously accepted authorization detail by the resource owner. When invoked by AccessGrantManager (e.g. AccessGrantManager.getByAccessGrantCriteria(com.pingidentity.sdk.accessgrant.AccessGrantCriteria) default method), the AuthorizationDetailContext will not contain HttpServletRequest. The method is also invoked when PingFederate is configured to use its default consent user interface to confirm the authorization details approved are a subset of the ones requested.

Parameters:

requestedAuthorizationDetail - The incoming authorization detail.

acceptedAuthorizationDetail - The persisted authorization detail that was previously accepted by the resource owner.

authorizationDetailContext - Additional AuthorizationDetailContext to provide further information that can be used to compare the authorization details.

inParameters - A map that contains a set of input parameters. The input parameters provided are detailed in this class, prefixed with IN_PARAMETER_NAME_*

Returns:

Whether the authorization detail requested subsumes the accepted authorization detail.

Throws:

AuthorizationDetailProcessingException - if there are errors processing the authorization detail.

Since:

11.2