Class Nimbus

java.lang.Object
net.datenwerke.oidc.server.provider.Nimbus
All Implemented Interfaces:
OidcProvider
Functional Interface:
This is a functional interface and can therefore be used as the assignment target for a lambda expression or method reference.

public class Nimbus extends Object implements OidcProvider
Default implementation of OidcProvider based on Nimbus OAuth 2.0 / OIDC SDK.

Provides functionality for:

  • Access token introspection via the OIDC provider’s introspection endpoint.
  • Optional end-session redirection to the provider’s logout endpoint.

  • Constructor Details

    • Nimbus

      public Nimbus(OidcConfigurationService config) throws GeneralException, IOException
      Constructs a new OidcProviderImpl instance using the provided configuration and discovery services.

      This constructor is annotated with @Inject, which allows Guice to provide this dependency automatically.
      Parameters:
      config - The configuration service providing validated client credentials and issuer URI.
      Throws:
      GeneralException
      IOException
  • Method Details

    • fetchMetadata

      public void fetchMetadata() throws GeneralException, IOException
      Specified by:
      fetchMetadata in interface OidcProvider
      Throws:
      GeneralException
      IOException
    • introspectToken

      public TokenIntrospection introspectToken(String token)
      Introspects the given OAuth 2.0 access token using the OIDC provider's token introspection endpoint as defined in RFC 7662.

      Token introspection is a mechanism that allows a protected resource to query the authorization server for metadata about an access token, including whether the token is currently active (valid) and additional claims describing the token's context.

      Implementations are expected to throw an IllegalStateException if the token is invalid, inactive, or if the introspection request fails for any reason (network error, malformed response, missing endpoint, etc.).

      Specified by:
      introspectToken in interface OidcProvider
      Parameters:
      token - The access token to validate. Must be a non-null, non-empty string.
      Returns:
      A map of token claims as defined by RFC 7662, if the token is valid and active. The returned map is guaranteed to contain the active claim, as mandated by RFC 7662, and may include additional claims such as exp, scope, client_id, sub, etc., depending on the OIDC provider and token type.
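      As an added example (not code from the ReportServer Nimbus class or the OidcProvider interface), the checks a resource server should apply to the claim map that introspectToken returns before it trusts the token; it assumes the introspection result can be viewed as a Map<String, Object>, as the description above puts it, and the client id and scope values are constructed.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not part of the Nimbus/OidcProvider code): the checks a
// resource server applies to an RFC 7662 introspection response before it
// trusts the token. Assumes the result returned by introspectToken can be
// viewed as a Map<String, Object> of claims, as its documentation describes.
public final class IntrospectionChecks {
    // Clock skew tolerated when comparing exp against the current time.
    private static final long SKEW_SECONDS = 30;

    // True only if the provider reports the token as active, it has not
    // expired, it was issued to the expected client (when client_id is
    // reported) and its scope claim contains the required scope.
    public static boolean isUsable(Map<String, Object> claims, String expectedClientId,
                                   String requiredScope, long nowEpochSeconds) {
        // RFC 7662 mandates "active"; anything other than boolean true is a rejection.
        if (!Boolean.TRUE.equals(claims.get("active"))) {
            return false;
        }
        Object exp = claims.get("exp");
        if (exp instanceof Number && ((Number) exp).longValue() + SKEW_SECONDS < nowEpochSeconds) {
            return false; // expired even after tolerating skew
        }
        Object clientId = claims.get("client_id");
        if (clientId != null && !clientId.equals(expectedClientId)) {
            return false; // token was issued to a different client
        }
        // "scope" is a space-separated list (RFC 7662 section 2.2, RFC 6749 section 3.3).
        Object scope = claims.get("scope");
        Set<String> scopes = scope instanceof String
                ? new HashSet<>(Arrays.asList(((String) scope).trim().split("\\s+")))
                : new HashSet<>();
        return scopes.contains(requiredScope);
    }

    public static void main(String[] args) {
        long now = Instant.now().getEpochSecond();
        // Constructed sample response; a real one comes from the provider.
        Map<String, Object> claims = new HashMap<>();
        claims.put("active", true);
        claims.put("client_id", "example-client");
        claims.put("scope", "openid profile reports:read");
        claims.put("exp", now + 600);
        System.out.println(isUsable(claims, "example-client", "reports:read", now));
    }
}
```

      A rejected token is handled the same way as the IllegalStateException the method itself throws: the request is refused and the token is not cached.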
    • parseToken

      public DecodedToken parseToken(String token)
      Specified by:
      parseToken in interface OidcProvider
    • endSession

      public void endSession(String idToken)
      Description copied from interface: OidcProvider
      Ends the authenticated user’s session with the OpenID Connect (OIDC) provider without redirecting the user’s browser.

      This variant calls the provider’s end-session (logout) endpoint directly using the id_token_hint parameter to identify the session to terminate. It is used in backend logout scenarios or when the application needs to trigger logout silently without user interaction, e.g. on errors.

      Specified by:
      endSession in interface OidcProvider
      Parameters:
      idToken - the ID token of the authenticated user, used as id_token_hint in the logout request. Must not be null.
    • getLogoutUrl

      public String getLogoutUrl(String redirectUri)
      Returns the URL to call to terminate the session at the implementing OIDC provider, including the redirect URI to which the user is sent after logout.
      Specified by:
      getLogoutUrl in interface OidcProvider
      Parameters:
      redirectUri - The redirect URI to be included in the logout URL.
      Returns:
      The OIDC logout URL including the redirect URI.
    • getToken

      public String getToken()
      Returns the JWT access token, as a string, associated with the current session, or null if there is no session.
      Specified by:
      getToken in interface OidcProvider
      Returns:
      The JWT access token, or null if there is no session.
    • getIdToken

      public String getIdToken()
      Returns the OpenID Connect (OIDC) ID token associated with the current user session.

      The ID token is a token issued by the OIDC provider during authentication. It primarily contains identity information about the authenticated user (e.g. sub, preferred_username, email).

      Unlike the access token, which is used to authorize API calls and can be introspected by the resource server, the ID token is meant for the client itself to verify the user’s identity.

      Specified by:
      getIdToken in interface OidcProvider
      Returns:
      the ID token or null if no ID token is available
    • login

      public void login(String locale)
      Login method called when the OIDC login button is pressed. It redirects to the login page of the implementing OIDC provider.
      Specified by:
      login in interface OidcProvider
      Parameters:
      locale - The locale to be used on the OIDC provider's login page.
    • registerCallback

      public void registerCallback(OidcCallback callback)
      Registers an OidcCallback with the implementing OIDC provider.
      Specified by:
      registerCallback in interface OidcProvider
      Parameters:
      callback - The callback to register.