Class OidcTokenMinter

java.lang.Object
org.mockserver.oidc.OidcTokenMinter

public class OidcTokenMinter extends Object
Mints the OIDC token-endpoint response (access_token, id_token, refresh_token) at request time.

Token minting was moved out of OidcProviderGenerator.generate(org.mockserver.oidc.OidcProviderConfiguration) so that per-request context — most importantly the nonce echoed back from the /authorize request — can be embedded into the id_token. The provider carries its AsymmetricKeyPair (and the JWTGenerator built from it) on OidcAuthorizationStore.Provider; the same key both signs here and is published at the JWKS endpoint, preserving the sign/publish invariant.

Claim split (per OIDC core):

  • id_token: iss, sub, aud=clientId, exp, iat, nbf, nonce (when supplied), profile/email claims for the requested scopes, at_hash, plus additionalClaims. Only issued when the openid scope was requested.
  • access_token: iss, sub, aud=audience, exp, iat, nbf, scope, client_id plus additionalClaims.

  • Method Details

    • mintTokenResponse

      public String mintTokenResponse(String requestedScope, String nonce, boolean includeRefresh)
      Mints a token-endpoint response JSON for the given grant.
      Parameters:
      requestedScope - the scope string for this grant (space-delimited); falls back to the configured scopes when null/blank
      nonce - the nonce echoed from the authorize request, or null
      includeRefresh - whether to include a refresh_token (authorization_code + refresh_token grants)
      Returns:
      the serialized token-endpoint response
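
A client-side check of the two bindings the id_token claim list above carries, nonce and at_hash, as an added example that is not MockServer code. The class and method names are hypothetical, the claims map is assumed to come from an id_token whose signature was already verified against the JWKS endpoint, and SHA-256 is assumed as the hash matching the signing algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

// Hypothetical helper class, not part of org.mockserver.oidc.
public class IdTokenBindingCheck {

    // at_hash per OIDC Core: base64url (no padding) of the left half of the hash
    // of the access_token's ASCII octets. SHA-256 is an assumption (RS256/ES256/PS256).
    static String atHash(String accessToken) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
            .digest(accessToken.getBytes(StandardCharsets.US_ASCII));
        byte[] leftHalf = Arrays.copyOf(digest, digest.length / 2);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(leftHalf);
    }

    // Constant-time comparison; a missing or non-string claim never matches.
    static boolean same(String expected, Object actual) {
        if (expected == null || !(actual instanceof String)) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
            ((String) actual).getBytes(StandardCharsets.UTF_8));
    }

    // idTokenClaims: decoded payload of an id_token whose signature is already verified.
    static boolean bound(Map<String, Object> idTokenClaims, String accessToken, String sentNonce)
            throws NoSuchAlgorithmException {
        // If a nonce was sent on /authorize, the id_token must echo exactly that value.
        boolean nonceOk = sentNonce == null || same(sentNonce, idTokenClaims.get("nonce"));
        // The id_token must be bound to the access_token issued in the same response.
        boolean atHashOk = same(atHash(accessToken), idTokenClaims.get("at_hash"));
        return nonceOk && atHashOk;
    }

    public static void main(String[] args) throws Exception {
        String accessToken = "constructed.access.token"; // constructed sample value
        String nonce = "n-constructed-123";              // constructed sample value
        Map<String, Object> claims = Map.of("nonce", nonce, "at_hash", atHash(accessToken));

        System.out.println(bound(claims, accessToken, nonce));             // matching pair
        System.out.println(bound(claims, "other.access.token", nonce));    // substituted access_token
        System.out.println(bound(claims, accessToken, "different-nonce")); // nonce mismatch
    }
}
```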