|
1 | 1 | /* |
2 | | - * Copyright (C) 2014-2025 Authlete, Inc. |
| 2 | + * Copyright (C) 2014-2026 Authlete, Inc. |
3 | 3 | * |
4 | 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | 5 | * you may not use this file except in compliance with the License. |
|
87 | 87 | */ |
88 | 88 | public class Client implements Serializable |
89 | 89 | { |
90 | | - private static final long serialVersionUID = 39L; |
| 90 | + private static final long serialVersionUID = 40L; |
91 | 91 |
|
92 | 92 |
|
93 | 93 | /* |
@@ -711,6 +711,24 @@ public class Client implements Serializable |
711 | 711 | private ClientSource clientSource; |
712 | 712 |
|
713 | 713 |
|
| 714 | + /** |
| 715 | + * The SPIFFE ID. |
| 716 | + * |
| 717 | + * @since 4.36 |
| 718 | + * @since Authlete 3.0.28 |
| 719 | + */ |
| 720 | + private URI spiffeId; |
| 721 | + |
| 722 | + |
| 723 | + /** |
| 724 | + * The SPIFFE Bundle Endpoint. |
| 725 | + * |
| 726 | + * @since 4.36 |
| 727 | + * @since Authlete 3.0.28 |
| 728 | + */ |
| 729 | + private URI spiffeBundleEndpoint; |
| 730 | + |
| 731 | + |
714 | 732 | /** |
715 | 733 | * Get the client number. |
716 | 734 | * |
@@ -5654,6 +5672,140 @@ else if (client.isDiscoveredByMetadataDocument()) |
5654 | 5672 | } |
5655 | 5673 |
|
5656 | 5674 |
|
| 5675 | + /** |
| 5676 | + * Get the SPIFFE ID. This property corresponds to the {@code spiffe_id} |
| 5677 | + * client metadata. |
| 5678 | + * |
| 5679 | + * <p> |
| 5680 | + * The value of this property is compared against the SPIFFE ID contained |
| 5681 | + * in the SVID presented by the client during SPIFFE Client Authentication. |
| 5682 | + * </p> |
| 5683 | + * |
| 5684 | + * <p> |
| 5685 | + * According to the <a href= |
| 5686 | + * "https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md">SPIFFE |
| 5687 | + * ID specification</a>, the characters allowed in the path component of a |
| 5688 | + * SPIFFE ID are limited to {@code [a-zA-Z0-9.-_]}. However, in the value |
| 5689 | + * of this property (i.e., in the value of the {@code spiffe_id} client |
| 5690 | + * metadata), the final path segment may be specified using a wildcard |
| 5691 | + * {@code *} (e.g., <code>spiffe://<wbr>example.com/<wbr>workload/*</code>). |
| 5692 | + * When comparing it with the SPIFFE ID in the SVID, the wildcard is taken |
| 5693 | + * into account. |
| 5694 | + * </p> |
| 5695 | + * |
| 5696 | + * @return |
| 5697 | + * The SPIFFE ID. |
| 5698 | + * |
| 5699 | + * @since 4.36 |
| 5700 | + * @since Authlete 3.0.28 |
| 5701 | + * |
| 5702 | + * @see <a href="https://spiffe.io/">SPIFFE</a> |
| 5703 | + * @see <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/"> |
| 5704 | + * OAuth SPIFFE Client Authentication</a> |
| 5705 | + */ |
| 5706 | + public URI getSpiffeId() |
| 5707 | + { |
| 5708 | + return spiffeId; |
| 5709 | + } |
| 5710 | + |
| 5711 | + |
| 5712 | + /** |
| 5713 | + * Set the SPIFFE ID. This property corresponds to the {@code spiffe_id} |
| 5714 | + * client metadata. |
| 5715 | + * |
| 5716 | + * <p> |
| 5717 | + * The value of this property is compared against the SPIFFE ID contained |
| 5718 | + * in the SVID presented by the client during SPIFFE Client Authentication. |
| 5719 | + * </p> |
| 5720 | + * |
| 5721 | + * <p> |
| 5722 | + * According to the <a href= |
| 5723 | + * "https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md">SPIFFE |
| 5724 | + * ID specification</a>, the characters allowed in the path component of a |
| 5725 | + * SPIFFE ID are limited to {@code [a-zA-Z0-9.-_]}. However, in the value |
| 5726 | + * of this property (i.e., in the value of the {@code spiffe_id} client |
| 5727 | + * metadata), the final path segment may be specified using a wildcard |
| 5728 | + * {@code *} (e.g., <code>spiffe://<wbr>example.com/<wbr>workload/*</code>). |
| 5729 | + * When comparing it with the SPIFFE ID in the SVID, the wildcard is taken |
| 5730 | + * into account. |
| 5731 | + * </p> |
| 5732 | + * |
| 5733 | + * @param spiffeId |
| 5734 | + * The SPIFFE ID. |
| 5735 | + * |
| 5736 | + * @since 4.36 |
| 5737 | + * @since Authlete 3.0.28 |
| 5738 | + * |
| 5739 | + * @see <a href="https://spiffe.io/">SPIFFE</a> |
| 5740 | + * @see <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/"> |
| 5741 | + * OAuth SPIFFE Client Authentication</a> |
| 5742 | + */ |
| 5743 | + public Client setSpiffeId(URI spiffeId) |
| 5744 | + { |
| 5745 | + this.spiffeId = spiffeId; |
| 5746 | + |
| 5747 | + return this; |
| 5748 | + } |
| 5749 | + |
| 5750 | + |
| 5751 | + /** |
| 5752 | + * Get the SPIFFE Bundle Endpoint. This property corresponds to the |
| 5753 | + * {@code spiffe_bundle_endpoint} client metadata. |
| 5754 | + * |
| 5755 | + * <p> |
| 5756 | + * The authorization server retrieves the SPIFFE Bundle from the location |
| 5757 | + * indicated by this property (i.e., by the {@code spiffe_bundle_endpoint} |
| 5758 | + * client metadata) in order to verify the SVID presented by the client |
| 5759 | + * during SPIFFE Client Authentication. The SPIFFE Bundle is, in essence, |
| 5760 | + * a JWK Set. |
| 5761 | + * </p> |
| 5762 | + * |
| 5763 | + * @return |
| 5764 | + * The SPIFFE Bundle Endpoint. |
| 5765 | + * |
| 5766 | + * @since 4.36 |
| 5767 | + * @since Authlete 3.0.28 |
| 5768 | + * |
| 5769 | + * @see <a href="https://spiffe.io/">SPIFFE</a> |
| 5770 | + * @see <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/"> |
| 5771 | + * OAuth SPIFFE Client Authentication</a> |
| 5772 | + */ |
| 5773 | + public URI getSpiffeBundleEndpoint() |
| 5774 | + { |
| 5775 | + return spiffeBundleEndpoint; |
| 5776 | + } |
| 5777 | + |
| 5778 | + |
| 5779 | + /** |
| 5780 | + * Set the SPIFFE Bundle Endpoint. This property corresponds to the |
| 5781 | + * {@code spiffe_bundle_endpoint} client metadata. |
| 5782 | + * |
| 5783 | + * <p> |
| 5784 | + * The authorization server retrieves the SPIFFE Bundle from the location |
| 5785 | + * indicated by this property (i.e., by the {@code spiffe_bundle_endpoint} |
| 5786 | + * client metadata) in order to verify the SVID presented by the client |
| 5787 | + * during SPIFFE Client Authentication. The SPIFFE Bundle is, in essence, |
| 5788 | + * a JWK Set. |
| 5789 | + * </p> |
| 5790 | + * |
| 5791 | + * @param endpoint |
| 5792 | + * The SPIFFE Bundle Endpoint. |
| 5793 | + * |
| 5794 | + * @since 4.36 |
| 5795 | + * @since Authlete 3.0.28 |
| 5796 | + * |
| 5797 | + * @see <a href="https://spiffe.io/">SPIFFE</a> |
| 5798 | + * @see <a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/"> |
| 5799 | + * OAuth SPIFFE Client Authentication</a> |
| 5800 | + */ |
| 5801 | + public Client setSpiffeBundleEndpoint(URI endpoint) |
| 5802 | + { |
| 5803 | + this.spiffeBundleEndpoint = endpoint; |
| 5804 | + |
| 5805 | + return this; |
| 5806 | + } |
| 5807 | + |
| 5808 | + |
5657 | 5809 | /** |
5658 | 5810 | * Get a {@code Map} instance that represents a set of standard client |
5659 | 5811 | * metadata. |
@@ -5947,6 +6099,16 @@ public Map<String, Object> toStandardMetadata(ClientMetadataControl control) |
5947 | 6099 | // response_modes |
5948 | 6100 | put(metadata, "response_modes", getResponseModes(), nullIncluded); |
5949 | 6101 |
|
| 6102 | + //---------------------------------------------------------------------- |
| 6103 | + // OAuth SPIFFE Client Authentication |
| 6104 | + //---------------------------------------------------------------------- |
| 6105 | + |
| 6106 | + // spiffe_id |
| 6107 | + put(metadata, "spiffe_id", getSpiffeId(), nullIncluded); |
| 6108 | + |
| 6109 | + // spiffe_bundle_endpoint |
| 6110 | + put(metadata, "spiffe_bundle_endpoint", getSpiffeBundleEndpoint(), nullIncluded); |
| 6111 | + |
5950 | 6112 | //---------------------------------------------------------------------- |
5951 | 6113 | // Custom Metadata |
5952 | 6114 | //---------------------------------------------------------------------- |
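Review bot: `setSpiffeBundleEndpoint` (new line 5801) stores any `URI` although its Javadoc says the authorization server retrieves the SPIFFE Bundle from that location, so this is a client-supplied fetch target and the accepted scheme is nowhere stated; I would add to the setter Javadoc `The scheme is not checked by this setter; the component that dereferences the endpoint is expected to accept only https URLs and to treat the value as untrusted.`. Likewise `setSpiffeId` (new line 5743) does not verify that `*` appears only as the final path segment as the Javadoc describes, so a value such as `spiffe://example.com/*` is stored as-is; whether that is rejected at registration time is not visible here, and a sentence like `No validation of the wildcard placement is performed by this setter.` would make the contract explicit. The `[a-zA-Z0-9.-_]` set quoted from the SPIFFE specification reads as a regex range `.-_` in Javadoc; spelling it out as `letters, digits, dot, dash and underscore` avoids that misreading. In `toStandardMetadata` (new lines 6107 and 6110) the `URI` objects are passed straight to `put`; if `put` has no `URI` overload that stringifies them the way the other URI-valued entries are emitted, the map value type will differ, which is worth a quick check since the rest of that method lies outside the hunk.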
|