Interface User

public interface User

Represents an authenticates User and contains operations to authorise the user.

Please consult the documentation for a detailed explanation.

Author:

Tim Fox

Method Summary

Modifier and Type	Method	Description
JsonObject	attributes()	Gets extra attributes of the user.
default Authorizations	authorizations()	Returns user's authorizations that have been previously loaded by the providers.
default boolean	containsKey(String key)	Checks if a value exists on the user object.
static User	create(JsonObject principal)	Factory for user instances that are free form.
static User	create(JsonObject principal, JsonObject attributes)	Factory for user instances that are free form.
default boolean	expired()	Flags this user object to be expired.
default boolean	expired(int leeway)	Flags this user object to be expired.
static User	fromName(String username)	Factory for user instances that are single string.
static User	fromToken(String token)	Factory for user instances that are single string.
default <T> T	get(String key)	Get a value from the user object.
default <T> T	getOrDefault(String key, T defaultValue)	Get a value from the user object.
default boolean	hasAmr(String value)	The "amr" (Authentication Methods References) returns a unique list of claims as defined and registered in the IANA "JSON Web Token Claims" registry.
User	merge(User other)	Merge the principal and attributes of a second user into this object properties.
JsonObject	principal()	Get the underlying principal for the User.
default String	subject()	The user subject.

Method Details

fromName

static User fromName(String username)

Factory for user instances that are single string. The credentials will be added to the principal of this instance. As nothing can be said about the credentials no validation will be done.

Will create a principal with a property "username" with the name as value.

Parameters:

username - the value for this user

Returns:

user instance

fromToken

static User fromToken(String token)

Factory for user instances that are single string. The credentials will be added to the principal of this instance. As nothing can be said about the credentials no validation will be done.

Will create a principal with a property "access_token" with the name as value.

Parameters:

token - the value for this user

Returns:

user instance

create

static User create(JsonObject principal)

Factory for user instances that are free form. The credentials will be added to the principal of this instance. As nothing can be said about the credentials no validation will be done.

Parameters:

principal - the free form json principal

Returns:

user instance

create

static User create(JsonObject principal,
 JsonObject attributes)

Factory for user instances that are free form. The credentials will be added to the principal of this instance. As nothing can be said about the credentials no validation will be done.

Parameters:

principal - the free form json principal

attributes - the free form json attributes that further describe the principal

Returns:

user instance

subject

default String subject()

The user subject. Usually a human representation that identifies this user.

The lookup for this information will take place in several places in the following order:

1. principal.username - Usually for username/password or webauthn authentication
2. principal.userHandle - Optional field for webauthn
3. attributes.idToken.sub - For OpenID Connect ID Tokens
4. attributes.[rootClaim?]accessToken.sub - For OpenID Connect/OAuth2 Access Tokens

Returns:

the subject for this user or null.

attributes

JsonObject attributes()

Gets extra attributes of the user. Attributes contain any attributes related to the outcome of authenticating a user (e.g.: issued date, metadata, etc...)

Returns:

a json object with any relevant attribute.

expired

default boolean expired()

Flags this user object to be expired. A User is considered expired if it contains an expiration time and the current clock time is post the expiration date.

Returns:

true if expired

expired

default boolean expired(int leeway)

Flags this user object to be expired. Expiration takes 3 values in account:

1. exp "expiration" timestamp in seconds.
2. iat "issued at" in seconds.
3. nbf "not before" in seconds.

A User is considered expired if it contains any of the above and the current clock time does not agree with the parameter value. If the attributes() do not contain a key then principal() properties are checked.

If all of the properties are not available the user will not expire.

Implementations of this interface might relax this rule to account for a leeway to safeguard against clock drifting.

Parameters:

leeway - a greater than zero leeway value.

Returns:

true if expired

get

default <T> T get(String key)

Get a value from the user object. This method will perform lookups on several places before returning a value.

1. If there is a rootClaim the look up will happen in the attributes[rootClaim]
2. If exists the value will be returned from the attributes()
3. If exists the value will be returned from the principal()
4. Otherwise it will be null

Type Parameters:

T - the expected type

Parameters:

key - the key to look up

Returns:

the value or null if missing

Throws:

ClassCastException - if the value cannot be casted to T

getOrDefault

default <T> T getOrDefault(String key,
 T defaultValue)

Get a value from the user object. This method will perform lookups on several places before returning a value.

1. If there is a rootClaim the look up will happen in the attributes[rootClaim]
2. If exists the value will be returned from the attributes()
3. If exists the value will be returned from the principal()
4. Otherwise it will be null

Type Parameters:

T - the expected type

Parameters:

key - the key to look up

defaultValue - default value to return if missing

Returns:

the value or null if missing

Throws:

ClassCastException - if the value cannot be casted to T

containsKey

default boolean containsKey(String key)

Checks if a value exists on the user object. This method will perform lookups on several places before returning.

1. If there is a rootClaim the look up will happen in the attributes[rootClaim]
2. If exists the value will be returned from the attributes()
3. If exists the value will be returned from the principal()
4. Otherwise it will be null

Parameters:

key - the key to look up

Returns:

the value or null if missing

authorizations

default Authorizations authorizations()

Returns user's authorizations that have been previously loaded by the providers.

Returns:

authorizations holder for the user.

principal

JsonObject principal()

Get the underlying principal for the User. What this actually returns depends on the implementation. For a simple user/password based auth, it's likely to contain a JSON object with the following structure:

  {
    "username", "tim"
  }

Returns:

JSON representation of the Principal

merge

User merge(User other)

Merge the principal and attributes of a second user into this object properties.

It is important to notice that the principal merges by replacing existing keys with the new values, while the attributes (as they represent decoded data) are accumulated at the root level.

This means that given:

userA = {
  attributes: {
    roles: [ 'read' ]
  }
}

userB = {
  attributes: {
    roles: [ 'write' ]
  }
}

When performing a merge of userA with userB, you will get:

userA.merge(userB);
// results in
{
  attributes: {
    roles: [ 'read', 'write' ]
  }
}

Parameters:

other - the other user to merge

Returns:

fluent self

hasAmr

default boolean hasAmr(String value)

The "amr" (Authentication Methods References) returns a unique list of claims as defined and registered in the IANA "JSON Web Token Claims" registry. The values in this collection are based on RFC8176. This information can be used to filter authenticated users by their authentication mechanism.

Returns:

true if claim is present in the principal.