Package org.forgerock.am.iot

Class IotAuthenticationNode

  • All Implemented Interfaces:
    Node
    public class IotAuthenticationNode
extends Object
    This node handles the authentication of things. It is responsible for collecting the authentication Proof of Possession or Client Assertion JWTs for a thing and verifying that the JWT`s claims and signature are valid, that the thing's identity exists and that it contains a valid conformation key. If authentication is successful then it will add the username and verified claims to the shared state. It will also modify the resulting session by adding a proof of possession restriction if that is enabled. Any requests accompanied by the resulting session token must be signed, and those signatures must be verified by the stored confirmation key.

    • Constructor Detail

      • IotAuthenticationNode

        @Inject
public IotAuthenticationNode​(Realm realm,
                             IotAuthenticationNode.Config config,
                             org.forgerock.openam.core.CoreWrapper coreWrapper,
                             org.forgerock.openam.identity.idm.IdentityUtils identityUtils,
                             org.forgerock.am.iot.JwtProofOfPossessionVerifier.Factory popVerifierFactory,
                             org.forgerock.am.iot.ClientAssertionVerifier.Factory assertionVerifierFactory,
                             JwtBuilderFactory jwtBuilderFactory)
        Create an instance of the IotAuthenticationNode.
        Parameters:
        realm - the realm in which to create the node.
        config - the node configuration.
        coreWrapper - wrapper for abstracting core AM functionality.
        identityUtils - an instance of the IdentityUtils.
        popVerifierFactory - factory for creating JwtProofOfPossessionVerifier.
        assertionVerifierFactory - factory for creating ClientAssertionVerifier.
        jwtBuilderFactory - factory for creating JwtBuilder.

    • Method Detail

      • getInputs

        public org.forgerock.openam.auth.node.api.InputState[] getInputs()
        Description copied from interface: Node
        Provide a list of shared state data a node consumes. An InputState consists of a property name and an "isRequired" flag. The IsRequired flag indicates whether the input is required in order for the node to function. If the flag is false this indicates that the node will consume this data if it is present but it is not required for the node to function. Example: public InputState[] getInputs() { return new InputState[] { new InputState(IDENTITY), new InputState("foo", false) }; } In this example the node declares that it requires state to contain a property named IDENTITY and that it will consume a property named "foo" if it is present. If "foo" is not present then the node will still function but may be skipping some functionality. This list is used to ensure that state data, both shared and transient, from upstream nodes is left intact for this node to access. If inputs are not declared there is no guarantee that the data needed by the node will still be present in state when the node executes. This list is also used for tree validation to report errors in tree construction.
        Returns:
        The list of shared state data.

      • getOutputs

        public org.forgerock.openam.auth.node.api.OutputState[] getOutputs()
        Description copied from interface: Node
        Provide a list of shared state data a node provides. An OutputState consists of a property name and a map of node outcomes to a flag indicating whether that outcome is guaranteed to produce that property in state. Any given output may be provided for all outcomes or any subset of outcomes and perhaps only optionally for some of them. Example: public OutputState[] getOutputs() { return new OutputState[] { new OutputState(PASSWORD), new OutputState(config.mode(), singletonMap("*", false) }; } In this example we declare that the node will produce an output named PASSWORD. The lack of an outcome map indicates that this output is provided for all outcomes. The node also outputs a property named via config.mode() that is optional for all of the node's outcomes, i.e. it may or may not be present for downstream nodes to consume. This type of output is best consumed by other nodes by declaring an InputState such as new InputState(config.mode(), false). This list is used by tree validation to report errors in tree construction.
        Returns:
        The list of shared state data.

      • process

        public Action process​(TreeContext context)
               throws NodeProcessException
        Description copied from interface: Node
        Performs processing on the given shared state, which holds all the data gathered by nodes that have already executed as part of this authentication session in the tree.

        This method is invoked when the node is reached in the tree.

        Specified by:
        process in interface Node
        Parameters:
        context - The context of the tree authentication.
        Returns:
        The next action to perform. Must not be null.
        Throws:
        NodeProcessException - If there was a problem processing that could not be resolved to a single outcome.

      • failureAction

        protected Action failureAction()

      • successAction

        protected Action successAction​(org.forgerock.am.iot.VerifiedClaimSet verifiedClaims,
                               TreeContext context,
                               boolean requiresTokenRestriction)
                        throws Exception
        Throws:
        Exception