Class OidcAuthorizationStore

java.lang.Object
org.mockserver.oidc.OidcAuthorizationStore

public class OidcAuthorizationStore extends Object
In-memory state backing the mock OIDC authorization-code flow.

Two pieces of state are held:

  • Providers — one OidcAuthorizationStore.Provider per generated OIDC provider, keyed by the authorizePath/tokenPath it serves. Each provider carries its configuration and the OidcTokenMinter (with its signing key pair) so tokens are minted per request, not pre-baked. The /authorize callback looks up its provider by the request path to bind the per-request context (redirect_uri, PKCE challenge, scope, nonce) to a newly issued authorization code.
  • Codes — one OidcAuthorizationStore.AuthorizationCode per issued authorization code, keyed by the opaque code string. The /token callback consumes the code to validate the authorization_code grant (redirect_uri match + optional PKCE), then mints the token response at request time. Codes are single-use and expire after CODE_TTL_MILLIS.

This is a process-wide singleton (mirroring GrpcHealthRegistry and the other in-memory registries) because the /authorize and /token class callbacks are instantiated fresh per request and therefore cannot share instance state.

  • Method Details

    • getInstance

      public static OidcAuthorizationStore getInstance()
    • registerProvider

      public void registerProvider(OidcAuthorizationStore.Provider provider)
      Registers (or replaces) the provider serving the given authorize/token paths. The most recently registered provider for a path wins, so re-running PUT /mockserver/oidc with the same paths refreshes the minted tokens.
    • providerForAuthorizePath

      public OidcAuthorizationStore.Provider providerForAuthorizePath(String authorizePath)
      Finds the provider serving the given authorize path, or null if none registered.
    • providerForTokenPath

      public OidcAuthorizationStore.Provider providerForTokenPath(String tokenPath)
      Finds the provider serving the given token path, or null if none registered.
    • providerForDeviceAuthorizationPath

      public OidcAuthorizationStore.Provider providerForDeviceAuthorizationPath(String deviceAuthorizationPath)
      Finds the provider serving the given device-authorization path, or null if none registered.
    • providerForIntrospectPath

      public OidcAuthorizationStore.Provider providerForIntrospectPath(String introspectPath)
      Finds the provider serving the given introspection path, or null if none registered.
    • putCode

      public void putCode(String code, OidcAuthorizationStore.AuthorizationCode authorizationCode)
    • consumeCode

      Consumes (removes and returns) the authorization code, or null if unknown or expired. Codes are single-use (removed on consume) and short-lived (older than CODE_TTL_MILLIS is treated as not-found), mirroring real authorization servers.
    • putDeviceCode

      public void putDeviceCode(String deviceCode, OidcAuthorizationStore.DeviceCode value)
      Records a device code issued by the device-authorization endpoint. Like authorization codes, device codes are TTL-bounded (DEVICE_CODE_TTL_MILLIS); expired entries are evicted on write so the map cannot grow unbounded with codes that are never redeemed.
    • peekDeviceCode

      public OidcAuthorizationStore.DeviceCode peekDeviceCode(String deviceCode)
      Looks up a device code WITHOUT consuming it (the client polls the same code repeatedly until it is approved). Returns null when unknown or expired (expired entries are evicted).
    • consumeDeviceCode

      public OidcAuthorizationStore.DeviceCode consumeDeviceCode(String deviceCode)
      Consumes (removes and returns) a device code once it has been approved and tokens are minted, so a device code is single-use for the successful exchange. Returns null when unknown or expired.
    • putOpaqueToken

      public void putOpaqueToken(String token, OidcAuthorizationStore.OpaqueToken value)
      Records an opaque access token (when OidcProviderConfiguration.isOpaqueAccessToken()) so the introspection endpoint can validate it. Bounded by the token's own expiry; expired entries are evicted on write so the map cannot grow unbounded.
    • lookupOpaqueToken

      public OidcAuthorizationStore.OpaqueToken lookupOpaqueToken(String token)
      Looks up an opaque access token for introspection. Returns null when unknown; an expired token is returned (so introspection can report active:false) but evicted from the map.
    • reset

      public void reset()
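The single-use and TTL rules described for consumeCode, putOpaqueToken and lookupOpaqueToken, as an added illustrative sketch that is not MockServer's own code; the TTL value, record fields and the injected nowMillis parameter (used instead of System.currentTimeMillis() so the behaviour is reproducible) are assumptions of the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch (not MockServer's own code) of the expiry and single-use
// rules described above. TTL value, record fields and the nowMillis parameter
// (injected instead of System.currentTimeMillis() for reproducibility) are assumptions.
public final class CodeStoreSketch {
    static final long CODE_TTL_MILLIS = 60_000L;
    record AuthorizationCode(String redirectUri, String pkceChallenge, long issuedAtMillis) {}
    record OpaqueToken(String subject, long expiresAtMillis) {}
    private final Map<String, AuthorizationCode> codes = new ConcurrentHashMap<>();
    private final Map<String, OpaqueToken> opaqueTokens = new ConcurrentHashMap<>();
    void putCode(String code, AuthorizationCode entry) { codes.put(code, entry); }

    // Single-use and short-lived: remove() makes a replay of the same code fail,
    // and an expired code is treated as not-found so /token never mints from it.
    AuthorizationCode consumeCode(String code, long nowMillis) {
        AuthorizationCode entry = codes.remove(code);
        return (entry == null || nowMillis - entry.issuedAtMillis() > CODE_TTL_MILLIS) ? null : entry;
    }

    // Evict expired tokens on write so the map is bounded by the tokens' own
    // lifetimes even when nobody ever introspects them.
    void putOpaqueToken(String token, OpaqueToken value, long nowMillis) {
        opaqueTokens.values().removeIf(t -> t.expiresAtMillis() <= nowMillis);
        opaqueTokens.put(token, value);
    }

    // Introspection must see an expired token once (to answer active:false rather
    // than "unknown"), so it is returned and then dropped from the map.
    OpaqueToken lookupOpaqueToken(String token, long nowMillis) {
        OpaqueToken value = opaqueTokens.get(token);
        if (value != null && value.expiresAtMillis() <= nowMillis) opaqueTokens.remove(token);
        return value;
    }

    public static void main(String[] args) {
        CodeStoreSketch store = new CodeStoreSketch();
        long now = 1_000_000L;   // constructed clock value for the walk-through
        store.putCode("code-1", new AuthorizationCode("https://client.example/cb", "<pkce-challenge>", now));
        System.out.println("first redemption: " + store.consumeCode("code-1", now + 1_000));
        System.out.println("replay of code-1: " + store.consumeCode("code-1", now + 1_000));
        store.putCode("code-2", new AuthorizationCode("https://client.example/cb", null, now));
        System.out.println("redeemed after TTL: " + store.consumeCode("code-2", now + CODE_TTL_MILLIS + 1));
        store.putOpaqueToken("tok-1", new OpaqueToken("alice", now + 5_000), now);
        System.out.println("expired introspect #1: " + store.lookupOpaqueToken("tok-1", now + 10_000));
        System.out.println("expired introspect #2: " + store.lookupOpaqueToken("tok-1", now + 10_000));
    }
}
```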