As the limitations of OAuth 2.0 become apparent in modern, complex scenarios—IoT devices, mobile apps, and decentralized architectures—a new protocol has emerged to address these challenges. GNAP (Grant Negotiation and Authorization Protocol), developed in the IETF, represents a fundamental rethink of how authorization should work in the modern internet. For Java applications, implementing GNAP offers a future-proof approach to authorization with built-in support for rich interactions, multiple devices, and cryptographic binding.
What is GNAP?
GNAP is a next-generation authorization protocol designed to replace OAuth 2.0 and UMA, addressing their limitations while incorporating lessons learned from years of deployment. Key features include:
- Negotiated Grants: Clients and servers negotiate the grant type dynamically
- Multiple Interaction Methods: Support for redirect, device code, push notifications, etc.
- Cryptographic Binding: Keys bound to requests, not just bearer tokens
- Rich Authorization Requests: Built-in support for fine-grained permissions
- First-Class Support for Multiple Devices: Seamless flows across devices
- Extensibility: Designed for easy extension with new features
Why GNAP for Java Applications?
- IoT and Mobile: Better support for devices without browsers
- Decentralized Identity: Works with self-sovereign identity systems
- Financial-Grade Security: Built-in cryptographic protections
- Simplified Flows: Fewer round trips than OAuth 2.0
- Future-Proof: Designed to meet evolving authorization needs
GNAP Core Concepts
┌─────────┐ ┌──────────────┐ ┌─────────┐ │ Client │ │ AS │ │ User │ │(App) │ │(Auth Server) │ │(RO) │ └────┬────┘ └──────┬───────┘ └────┬────┘ │ │ │ │ 1. Grant Request │ │ │ (with client key) │ │ ├─────────────────────>│ │ │ │ │ │ 2. Interaction │ │ │ Request │ │ │<─────────────────────┤ │ │ │ │ │ 3. User Interaction │ │ │ (via browser, app) ├──────────────────────>│ │ │<──────────────────────┤ │ │ │ │ 4. Interaction │ │ │ Complete │ │ ├─────────────────────>│ │ │ │ │ │ 5. Grant Response │ │ │ (with access token) │ │ │<─────────────────────┤ │ ┌────┴────┐ ┌──────┴───────┐ ┌────┴────┐ │ Client │ │ AS │ │ User │ │(App) │ │(Auth Server) │ │(RO) │ └─────────┘ └──────────────┘ └─────────┘
Implementing GNAP in Java
1. Maven Dependencies
<dependencies> <!-- Spring Boot Web --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <!-- JSON processing --> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> </dependency> <!-- Nimbus JOSE for JWT and JWK --> <dependency> <groupId>com.nimbusds</groupId> <artifactId>nimbus-jose-jwt</artifactId> <version>9.37</version> </dependency> <!-- Bouncy Castle for crypto --> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> <version>1.70</version> </dependency> <!-- Validation --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-validation</artifactId> </dependency> <!-- WebSocket for interaction --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-websocket</artifactId> </dependency> </dependencies>
2. GNAP Core Data Models
import com.fasterxml.jackson.annotation.JsonProperty;
import lombok.Data;
import lombok.Builder;
import javax.validation.constraints.*;
import java.net.URI;
import java.security.PublicKey;
import java.time.Instant;
import java.util.List;
import java.util.Map;
/**
* GNAP Grant Request (client -> AS)
*/
@Data
@Builder
public class GrantRequest {
@NotNull
private Client client;
private List<AccessTokenRequest> accessToken;
private String user;
private List<InteractionRequest> interactions;
private Map<String, Object> claims;
@Data
@Builder
public static class Client {
@NotNull
private Key key;
private String display;
private String name;
private URI uri;
}
@Data
@Builder
public static class Key {
@NotBlank
private String proof;
private JWK jwk;
private String jwksUri;
private String kid;
}
@Data
@Builder
public static class AccessTokenRequest {
private List<String> access;
private List<String> label;
private List<String> flags;
}
@Data
@Builder
public static class InteractionRequest {
@NotBlank
private String start;
private String end;
private String uri;
private String callback;
}
}
/**
* GNAP Grant Response (AS -> client)
*/
@Data
@Builder
public class GrantResponse {
private String handle;
private List<AccessToken> accessToken;
private InteractionResponse interaction;
private Map<String, Object> claims;
@Data
@Builder
public static class AccessToken {
private String value;
private String label;
private String manage;
private List<String> access;
private String key;
private Instant expiresIn;
}
@Data
@Builder
public static class InteractionResponse {
@NotBlank
private String redirect;
private String code;
private String callback;
private String push;
private String userCode;
}
}
/**
* GNAP Token Request (client -> AS)
*/
@Data
@Builder
public class TokenRequest {
@NotBlank
private String grant;
private Client client;
private List<AccessTokenRequest> accessToken;
}
/**
* GNAP Token Response (AS -> client)
*/
@Data
@Builder
public class TokenResponse {
private List<AccessToken> accessToken;
}
3. GNAP Authorization Server Implementation
import org.springframework.web.bind.annotation.*;
import org.springframework.http.ResponseEntity;
import org.springframework.http.HttpStatus;
@RestController
@RequestMapping("/gnap")
public class GnapAuthorizationServer {
@Autowired
private ClientKeyValidator keyValidator;
@Autowired
private GrantService grantService;
@Autowired
private InteractionService interactionService;
@Autowired
private TokenService tokenService;
/**
* GNAP Grant Request Endpoint
* As defined in Section 2 of the GNAP spec
*/
@PostMapping("/grant")
public ResponseEntity<GrantResponse> requestGrant(
@RequestBody @Valid GrantRequest request,
HttpServletRequest httpRequest) {
// Validate client proof (key binding)
keyValidator.validateProof(request.getClient().getKey(), httpRequest);
// Validate client registration
ClientInfo clientInfo = keyValidator.getClientInfo(request.getClient().getKey());
// Create grant session
GrantSession session = grantService.createGrantSession(
clientInfo,
request.getAccessToken(),
request.getClaims()
);
// Determine interaction methods
List<InteractionRequest> interactions = request.getInteractions();
if (interactions != null && !interactions.isEmpty()) {
session.setRequestedInteractions(interactions);
}
// Check if user needs to authenticate
if (needsUserAuthentication(session, request.getUser())) {
InteractionResponse interaction = interactionService.createInteraction(session);
GrantResponse response = GrantResponse.builder()
.handle(session.getHandle())
.interaction(interaction)
.build();
return ResponseEntity.ok(response);
}
// Issue access tokens directly if no interaction needed
List<GrantResponse.AccessToken> tokens = tokenService.issueTokens(session);
GrantResponse response = GrantResponse.builder()
.accessToken(tokens)
.build();
return ResponseEntity.ok(response);
}
/**
* Interaction completion endpoint
* Called after user authenticates
*/
@PostMapping("/interact/{interactionId}")
public ResponseEntity<GrantResponse> completeInteraction(
@PathVariable String interactionId,
@RequestBody InteractionCompletion completion) {
InteractionSession interaction = interactionService.getInteraction(interactionId);
// Validate interaction completion (e.g., check code)
if (!interactionService.validateCompletion(interaction, completion)) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
// Mark user as authenticated in grant session
GrantSession session = grantService.completeUserAuthentication(
interaction.getGrantHandle(),
completion.getUserId()
);
// Issue tokens
List<GrantResponse.AccessToken> tokens = tokenService.issueTokens(session);
GrantResponse response = GrantResponse.builder()
.accessToken(tokens)
.build();
return ResponseEntity.ok(response);
}
/**
* Token continuation endpoint
* For getting additional tokens using grant handle
*/
@PostMapping("/token")
public ResponseEntity<TokenResponse> continueGrant(
@RequestBody @Valid TokenRequest request,
HttpServletRequest httpRequest) {
// Validate client proof
keyValidator.validateProof(request.getClient().getKey(), httpRequest);
// Get grant session
GrantSession session = grantService.getGrantSession(request.getGrant());
if (session == null || session.isExpired()) {
return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
}
// Issue additional tokens
List<GrantResponse.AccessToken> tokens = tokenService.issueTokens(
session,
request.getAccessToken()
);
TokenResponse response = TokenResponse.builder()
.accessToken(tokens)
.build();
return ResponseEntity.ok(response);
}
}
4. Client Key Validation and Proof Verification
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jwt.SignedJWT;
@Service
public class ClientKeyValidator {
@Autowired
private ClientRepository clientRepository;
@Autowired
private JWKCache jwkCache;
/**
* Validate client proof (HTTPS Signing, JWS, or MTLS)
*/
public void validateProof(GrantRequest.Key key, HttpServletRequest request) {
String proofMethod = key.getProof();
switch (proofMethod) {
case "httpsig":
validateHttpSignature(key, request);
break;
case "jws":
validateJwsSignature(key, request);
break;
case "mtls":
validateMtls(key, request);
break;
default:
throw new InvalidProofException("Unsupported proof method: " + proofMethod);
}
}
private void validateHttpSignature(GrantRequest.Key key, HttpServletRequest request) {
// Extract signature from HTTP headers
String signature = request.getHeader("Signature");
if (signature == null) {
throw new InvalidProofException("Missing HTTP signature");
}
try {
// Get client's public key
JWK jwk = getClientKey(key);
PublicKey publicKey = jwk.toRSAKey().toPublicKey();
// Verify HTTP signature (implementation depends on HTTP signature library)
boolean valid = verifyHttpSignature(signature, request, publicKey);
if (!valid) {
throw new InvalidProofException("Invalid HTTP signature");
}
} catch (Exception e) {
throw new InvalidProofException("Signature verification failed: " + e.getMessage());
}
}
private void validateJwsSignature(GrantRequest.Key key, HttpServletRequest request) {
// Extract JWS from Authorization header
String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Signature ")) {
throw new InvalidProofException("Missing JWS signature");
}
String jwsString = authHeader.substring(10); // Remove "Signature "
try {
SignedJWT signedJWT = SignedJWT.parse(jwsString);
// Get client's public key
JWK jwk = getClientKey(key);
JWSVerifier verifier = new RSASSAVerifier((RSAKey) jwk);
if (!signedJWT.verify(verifier)) {
throw new InvalidProofException("Invalid JWS signature");
}
// Verify nonce and timestamp
JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
validateNonce(claims.getStringClaim("nonce"));
validateTimestamp(claims.getIssueTime());
// Store verified nonce
storeVerifiedNonce(claims.getStringClaim("nonce"));
} catch (Exception e) {
throw new InvalidProofException("JWS verification failed: " + e.getMessage());
}
}
private void validateMtls(GrantRequest.Key key, HttpServletRequest request) {
X509Certificate[] certs = (X509Certificate[]) request.getAttribute(
"javax.servlet.request.X509Certificate");
if (certs == null || certs.length == 0) {
throw new InvalidProofException("MTLS client certificate required");
}
X509Certificate clientCert = certs[0];
// Verify certificate matches client key
try {
JWK jwk = getClientKey(key);
PublicKey expectedKey = jwk.toRSAKey().toPublicKey();
if (!clientCert.getPublicKey().equals(expectedKey)) {
throw new InvalidProofException("Certificate key mismatch");
}
} catch (Exception e) {
throw new InvalidProofException("Certificate validation failed: " + e.getMessage());
}
}
private JWK getClientKey(GrantRequest.Key key) {
if (key.getJwk() != null) {
return key.getJwk();
} else if (key.getJwksUri() != null) {
return jwkCache.getJwk(key.getJwksUri(), key.getKid());
} else {
// Look up registered client
return clientRepository.findByKeyId(key.getKid())
.map(Client::getJwk)
.orElseThrow(() -> new InvalidProofException("Client key not found"));
}
}
public ClientInfo getClientInfo(GrantRequest.Key key) {
// Resolve client from key
return clientRepository.findByKey(key)
.orElseThrow(() -> new InvalidProofException("Client not registered"));
}
}
5. Interaction Service
@Service
public class InteractionService {
@Autowired
private UserAuthenticationService authService;
@Autowired
private InteractionSessionRepository sessionRepository;
@Autowired
private WebSocketService webSocketService;
@Autowired
private SecureRandom secureRandom;
/**
* Create interaction session based on requested methods
*/
public InteractionResponse createInteraction(GrantSession grant) {
InteractionResponse.InteractionResponseBuilder builder = InteractionResponse.builder();
for (InteractionRequest requested : grant.getRequestedInteractions()) {
switch (requested.getStart()) {
case "redirect":
builder.redirect(createRedirectInteraction(grant, requested));
break;
case "user_code":
builder.userCode(createUserCodeInteraction(grant, requested));
break;
case "app":
builder.push(createAppInteraction(grant, requested));
break;
case "callback":
builder.callback(requested.getCallback());
break;
}
}
InteractionResponse response = builder.build();
// Store interaction session
InteractionSession session = InteractionSession.builder()
.id(generateInteractionId())
.grantHandle(grant.getHandle())
.response(response)
.expiresAt(Instant.now().plusSeconds(300))
.build();
sessionRepository.save(session);
return response;
}
private String createRedirectInteraction(GrantSession grant, InteractionRequest requested) {
String redirectUri = requested.getUri() != null ?
requested.getUri() : "/gnap/interact";
String interactionToken = generateInteractionToken(grant);
return redirectUri + "?interaction_id=" + interactionToken;
}
private String createUserCodeInteraction(GrantSession grant, InteractionRequest requested) {
// Generate user-friendly code
String userCode = String.format("%06d",
secureRandom.nextInt(1000000));
// Store code in grant
grant.setUserCode(userCode);
return userCode;
}
private String createAppInteraction(GrantSession grant, InteractionRequest requested) {
// Send push notification to user's device
webSocketService.sendAuthenticationRequest(
grant.getUserId(),
PushNotification.builder()
.title("Authentication Request")
.body("Approve access request from " + grant.getClientName())
.data(Map.of(
"grantHandle", grant.getHandle(),
"interactionId", generateInteractionId()
))
.build()
);
return "push_sent";
}
public boolean validateCompletion(InteractionSession session, InteractionCompletion completion) {
// Validate based on interaction type
if (session.getResponse().getRedirect() != null) {
return validateRedirectCompletion(session, completion);
} else if (session.getResponse().getUserCode() != null) {
return validateUserCodeCompletion(session, completion);
} else if (session.getResponse().getPush() != null) {
return validatePushCompletion(session, completion);
}
return false;
}
private boolean validateRedirectCompletion(InteractionSession session, InteractionCompletion completion) {
// Validate code from redirect
String code = completion.getCode();
return code != null && code.equals(session.getGrant().getInteractionCode());
}
private boolean validateUserCodeCompletion(InteractionSession session, InteractionCompletion completion) {
String userCode = completion.getUserCode();
return userCode != null && userCode.equals(session.getGrant().getUserCode());
}
}
6. Token Service with Cryptographic Binding
@Service
public class TokenService {
@Autowired
private JWKSource<SecurityContext> jwkSource;
@Autowired
private TokenRepository tokenRepository;
@Autowired
private SecureRandom secureRandom;
/**
* Issue access tokens bound to client key
*/
public List<GrantResponse.AccessToken> issueTokens(GrantSession session) {
return issueTokens(session, null);
}
public List<GrantResponse.AccessToken> issueTokens(
GrantSession session,
List<AccessTokenRequest> requestedTokens) {
List<GrantResponse.AccessToken> tokens = new ArrayList<>();
List<AccessTokenRequest> tokenRequests = requestedTokens != null ?
requestedTokens : session.getRequestedTokens();
for (AccessTokenRequest tokenRequest : tokenRequests) {
GrantResponse.AccessToken token = createAccessToken(
session,
tokenRequest
);
tokens.add(token);
}
return tokens;
}
private GrantResponse.AccessToken createAccessToken(
GrantSession session,
AccessTokenRequest request) {
// Generate token value (could be JWT or opaque)
String tokenValue = generateTokenValue();
// Bind token to client's key
String keyBinding = createKeyBinding(session.getClientKey(), tokenValue);
// Build token response
GrantResponse.AccessToken token = GrantResponse.AccessToken.builder()
.value(tokenValue)
.label(request.getLabel())
.access(request.getAccess())
.expiresIn(Instant.now().plusSeconds(3600))
.key(keyBinding)
.build();
// Store token
Token storedToken = Token.builder()
.value(tokenValue)
.clientId(session.getClientId())
.userId(session.getUserId())
.access(request.getAccess())
.expiresAt(Instant.now().plusSeconds(3600))
.keyBinding(keyBinding)
.build();
tokenRepository.save(storedToken);
return token;
}
/**
* Validate token with proof of possession
*/
public boolean validateToken(String tokenValue, String proof, HttpServletRequest request) {
Token token = tokenRepository.findByValue(tokenValue)
.orElse(null);
if (token == null || token.isExpired()) {
return false;
}
// Verify proof of key possession
return verifyKeyBinding(token.getKeyBinding(), proof, request);
}
/**
* Create JWT-based access token with key binding
*/
private String createJwtAccessToken(GrantSession session, AccessTokenRequest request) {
try {
// Get signing key
JWK signingKey = jwkSource.getJWKSelector(
new JWKSelector(new JWKMatcher.Builder()
.keyUse(KeyUse.SIGNATURE)
.build()))
.get(0);
// Build JWT
JWTClaimsSet claims = new JWTClaimsSet.Builder()
.issuer("https://auth.example.com")
.subject(session.getUserId())
.audience(session.getClientId())
.expirationTime(new Date(System.currentTimeMillis() + 3600000))
.issueTime(new Date())
.jwtID(generateTokenId())
.claim("access", request.getAccess())
.claim("cnf", Map.of(
"jkt", computeKeyThumbprint(session.getClientKey())
))
.build();
SignedJWT signedJWT = new SignedJWT(
new JWSHeader.Builder(JWSAlgorithm.RS256)
.keyID(signingKey.getKeyID())
.build(),
claims
);
signedJWT.sign(new RSASSASigner((RSAKey) signingKey));
return signedJWT.serialize();
} catch (Exception e) {
throw new TokenCreationException("Failed to create JWT token", e);
}
}
}
7. GNAP Client Implementation
@Component
public class GnapClient {
@Autowired
private RestTemplate restTemplate;
@Autowired
private KeyService keyService;
private String grantHandle;
private String clientKeyId;
/**
* Start GNAP flow
*/
public GrantResponse startGrant(String gnapServerUrl, List<AccessTokenRequest> tokenRequests) {
// Generate client key pair
JWK clientKey = keyService.generateKey();
clientKeyId = clientKey.getKeyID();
// Build grant request
GrantRequest request = GrantRequest.builder()
.client(GrantRequest.Client.builder()
.key(GrantRequest.Key.builder()
.proof("jws")
.jwk(clientKey.toPublicJWK())
.kid(clientKey.getKeyID())
.build())
.name("GNAP Client Example")
.build())
.accessToken(tokenRequests)
.interactions(List.of(
InteractionRequest.builder()
.start("redirect")
.uri("https://client.example.com/callback")
.build(),
InteractionRequest.builder()
.start("user_code")
.build()
))
.build();
// Sign request with client key
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", "Signature " + signRequest(request, clientKey));
HttpEntity<GrantRequest> entity = new HttpEntity<>(request, headers);
ResponseEntity<GrantResponse> response = restTemplate.postForEntity(
gnapServerUrl + "/gnap/grant",
entity,
GrantResponse.class
);
GrantResponse grantResponse = response.getBody();
// Store grant handle for continuation
if (grantResponse.getHandle() != null) {
this.grantHandle = grantResponse.getHandle();
}
return grantResponse;
}
/**
* Handle interaction (e.g., redirect user to authorization server)
*/
public void handleInteraction(GrantResponse.InteractionResponse interaction) {
if (interaction.getRedirect() != null) {
// Redirect user to authorization server
System.out.println("Please visit: " + interaction.getRedirect());
// In a real app, you'd redirect the user's browser
}
if (interaction.getUserCode() != null) {
System.out.println("Please enter code: " + interaction.getUserCode());
}
}
/**
* Continue grant after user interaction
*/
public TokenResponse continueGrant(String gnapServerUrl) {
if (grantHandle == null) {
throw new IllegalStateException("No grant handle available");
}
TokenRequest request = TokenRequest.builder()
.grant(grantHandle)
.client(GrantRequest.Client.builder()
.key(GrantRequest.Key.builder()
.proof("jws")
.kid(clientKeyId)
.build())
.build())
.build();
// Sign request
JWK clientKey = keyService.getKey(clientKeyId);
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", "Signature " + signRequest(request, clientKey));
HttpEntity<TokenRequest> entity = new HttpEntity<>(request, headers);
ResponseEntity<TokenResponse> response = restTemplate.postForEntity(
gnapServerUrl + "/gnap/token",
entity,
TokenResponse.class
);
return response.getBody();
}
/**
* Sign request with client's private key (JWS)
*/
private String signRequest(Object request, JWK privateKey) {
try {
String requestJson = new ObjectMapper().writeValueAsString(request);
JWTClaimsSet claims = new JWTClaimsSet.Builder()
.claim("body", requestJson)
.claim("nonce", generateNonce())
.issueTime(new Date())
.build();
SignedJWT signedJWT = new SignedJWT(
new JWSHeader.Builder(JWSAlgorithm.RS256)
.keyID(privateKey.getKeyID())
.build(),
claims
);
signedJWT.sign(new RSASSASigner((RSAKey) privateKey));
return signedJWT.serialize();
} catch (Exception e) {
throw new RuntimeException("Failed to sign request", e);
}
}
}
8. WebSocket-Based Push Interaction
@Controller
public class GnapWebSocketController {
@Autowired
private SimpMessagingTemplate messagingTemplate;
@Autowired
private InteractionService interactionService;
/**
* Send push notification to authenticated device
*/
public void sendAuthenticationRequest(String userId, PushNotification notification) {
messagingTemplate.convertAndSendToUser(
userId,
"/queue/gnap-auth",
notification
);
}
/**
* Handle device approval via WebSocket
*/
@MessageMapping("/gnap/approve")
public void handleDeviceApproval(
@Payload ApprovalMessage approval,
Principal principal) {
String userId = principal.getName();
// Complete interaction
InteractionCompletion completion = InteractionCompletion.builder()
.interactionId(approval.getInteractionId())
.userId(userId)
.code(approval.getCode())
.build();
interactionService.completePushInteraction(completion);
}
@Data
public static class PushNotification {
private String title;
private String body;
private Map<String, Object> data;
}
@Data
public static class ApprovalMessage {
private String interactionId;
private String code;
private boolean approved;
}
}
9. GNAP Configuration
gnap: # Server configuration server: base-url: https://auth.example.com grant-endpoint: /gnap/grant token-endpoint: /gnap/token interaction-endpoint: /gnap/interact # Supported features features: proof-methods: - httpsig - jws - mtls interaction-methods: - redirect - user_code - push - callback # Security settings security: require-proof: true nonce-ttl-seconds: 300 max-grant-lifetime-seconds: 3600 token-ttl-seconds: 3600 # Key management keys: rotation-days: 30 jwks-uri: /gnap/jwks # Interaction interaction: user-code-length: 6 user-code-ttl-seconds: 300 push-enabled: true
Testing GNAP Implementation
@SpringBootTest
@AutoConfigureMockMvc
class GnapIntegrationTest {
@Autowired
private MockMvc mockMvc;
@Autowired
private ObjectMapper objectMapper;
@Test
void testCompleteGnapFlow() throws Exception {
// 1. Client initiates grant request
GrantRequest grantRequest = GrantRequest.builder()
.client(GrantRequest.Client.builder()
.key(GrantRequest.Key.builder()
.proof("jws")
.jwk(testClientKey)
.kid("test-key-1")
.build())
.name("Test Client")
.build())
.accessToken(List.of(
AccessTokenRequest.builder()
.access(List.of("api://read", "api://write"))
.label("test-token")
.build()
))
.interactions(List.of(
InteractionRequest.builder()
.start("redirect")
.uri("https://client.example.com/callback")
.build()
))
.build();
String requestJson = objectMapper.writeValueAsString(grantRequest);
// 2. Send grant request with signature
MvcResult grantResult = mockMvc.perform(post("/gnap/grant")
.header("Authorization", "Signature " + signRequest(grantRequest))
.contentType(MediaType.APPLICATION_JSON)
.content(requestJson))
.andExpect(status().isOk())
.andReturn();
GrantResponse grantResponse = objectMapper.readValue(
grantResult.getResponse().getContentAsString(),
GrantResponse.class);
assertNotNull(grantResponse.getHandle());
assertNotNull(grantResponse.getInteraction());
// 3. Simulate user authentication
String interactionId = extractInteractionId(grantResponse.getInteraction());
mockMvc.perform(post("/gnap/interact/" + interactionId)
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(
InteractionCompletion.builder()
.userId("test-user")
.code("123456")
.build())))
.andExpect(status().isOk());
// 4. Continue grant for tokens
TokenRequest tokenRequest = TokenRequest.builder()
.grant(grantResponse.getHandle())
.client(GrantRequest.Client.builder()
.key(GrantRequest.Key.builder()
.proof("jws")
.kid("test-key-1")
.build())
.build())
.build();
MvcResult tokenResult = mockMvc.perform(post("/gnap/token")
.header("Authorization", "Signature " + signRequest(tokenRequest))
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(tokenRequest)))
.andExpect(status().isOk())
.andReturn();
TokenResponse tokenResponse = objectMapper.readValue(
tokenResult.getResponse().getContentAsString(),
TokenResponse.class);
assertNotNull(tokenResponse.getAccessToken());
assertEquals(1, tokenResponse.getAccessToken().size());
}
}
Best Practices
- Cryptographic Binding: Always use proof of possession for client authentication
- Nonce Validation: Prevent replay attacks with nonces
- User Interaction: Support multiple interaction methods for different devices
- Short-Lived Grants: Minimize grant handle lifetime
- Audit Logging: Log all grant and token operations
- Key Rotation: Regular rotation of server and client keys
- Interaction Security: Protect interaction endpoints from CSRF
- Token Binding: Bind tokens to client keys for additional security
Conclusion
GNAP represents the future of authorization protocols, designed from the ground up to address the limitations of OAuth 2.0 in modern, complex scenarios. For Java applications, implementing GNAP provides:
- Flexible Grant Negotiation: Clients and servers negotiate the best flow
- Cryptographic Security: Built-in key binding and proof of possession
- Rich Interaction Support: Multiple ways to interact with users
- Future-Proof Design: Extensible for new use cases and technologies
- Simplified Flows: Fewer round trips and clearer semantics
The implementation presented here demonstrates how Java applications can leverage GNAP's advanced features—from cryptographic client authentication to multi-device interaction flows. As the authorization landscape evolves, GNAP offers a robust foundation for building secure, flexible, and user-friendly authorization systems that can adapt to the diverse needs of modern applications.
Java Programming Basics – Variables, Loops, Methods, Classes, Files & Exception Handling (Related to Java Programming)
Variables and Data Types in Java:
This topic explains how variables store data in Java and how data types define the kind of values a variable can hold, such as numbers, characters, or text. Java includes primitive types like int, double, and boolean, which are essential for storing and managing data in programs. (GeeksforGeeks)
Read more: https://macronepal.com/blog/variables-and-data-types-in-java/
Basic Input and Output in Java:
This lesson covers how Java programs receive input from users and display output using tools like Scanner for input and System.out.println() for output. These operations allow interaction between the program and the user.
Read more: https://macronepal.com/blog/basic-input-output-in-java/
Arithmetic Operations in Java:
This guide explains mathematical operations such as addition, subtraction, multiplication, and division using operators like +, -, *, and /. These operations are used to perform calculations in Java programs.
Read more: https://macronepal.com/blog/arithmetic-operations-in-java/
If-Else Statement in Java:
The if-else statement allows programs to make decisions based on conditions. It helps control program flow by executing different blocks of code depending on whether a condition is true or false.
Read more: https://macronepal.com/blog/if-else-statement-in-java/
For Loop in Java:
A for loop is used to repeat a block of code a specific number of times. It is commonly used when the number of repetitions is known in advance.
Read more: https://macronepal.com/blog/for-loop-in-java/
Method Overloading in Java:
Method overloading allows multiple methods to have the same name but different parameters. It improves code readability and flexibility by allowing similar tasks to be handled using one method name.
Read more: https://macronepal.com/blog/method-overloading-in-java-a-complete-guide/
Basic Inheritance in Java:
Inheritance is an object-oriented concept that allows one class to inherit properties and methods from another class. It promotes code reuse and helps build hierarchical class structures.
Read more: https://macronepal.com/blog/basic-inheritance-in-java-a-complete-guide/
File Writing in Java:
This topic explains how to create and write data into files using Java. File writing is commonly used to store program data permanently.
Read more: https://macronepal.com/blog/file-writing-in-java-a-complete-guide/
File Reading in Java:
File reading allows Java programs to read stored data from files. It is useful for retrieving saved information and processing it inside applications.
Read more: https://macronepal.com/blog/file-reading-in-java-a-complete-guide/
Exception Handling in Java:
Exception handling helps manage runtime errors using tools like try, catch, and finally. It prevents programs from crashing and allows safe error handling.
Read more: https://macronepal.com/blog/exception-handling-in-java-a-complete-guide/
Constructors in Java:
Constructors are special methods used to initialize objects when they are created. They help assign initial values to object variables automatically.
Read more: https://macronepal.com/blog/constructors-in-java/
Classes and Objects in Java:
Classes are blueprints used to create objects, while objects are instances of classes. These concepts form the foundation of object-oriented programming in Java.
Read more: https://macronepal.com/blog/classes-and-object-in-java/
Methods in Java:
Methods are blocks of code that perform specific tasks. They help organize programs into smaller reusable sections and improve code readability.
Read more: https://macronepal.com/blog/methods-in-java/
Arrays in Java:
Arrays store multiple values of the same type in a single variable. They are useful for handling lists of data such as numbers or names.
Read more: https://macronepal.com/blog/arrays-in-java/
While Loop in Java:
A while loop repeats a block of code as long as a given condition remains true. It is useful when the number of repetitions is not known beforehand.
Read more: https://macronepal.com/blog/while-loop-in-java/