Package org.forgerock.am.iot
Class IotRegistrationNode

- java.lang.Object
  - org.forgerock.am.iot.IotRegistrationNode

All Implemented Interfaces:
- Node

public class IotRegistrationNode extends Object
This node handles the registration of things. It is responsible for collecting the registration Proof of Possession JWT and/or Software Statement for a thing and verifying that the JWT's claims and signature are valid in accordance with the configured JWT registration method. The node can create a new thing identity (with the provided claims) and register or rotate the thing's confirmation key.

Nested Class Summary

- static interface IotRegistrationNode.Config
  Configuration for the node.
- static class IotRegistrationNode.JwtRegistrationMethod
  The JWT registration method used to verify the JWT presented for registration.
- static class IotRegistrationNode.RegistrationOutcomeProvider
  Defines the possible outcomes from this node.

Nested classes/interfaces inherited from interface org.forgerock.openam.auth.node.api.Node
- Node.Metadata

Field Summary

- protected static Map<String,Boolean> alwaysOnRegister
- protected static Map<String,Boolean> alwaysOnSuccess
- protected org.forgerock.openam.core.CoreWrapper coreWrapper
- protected static String FAILURE_OUTCOME
- protected static String JWT_ADDITIONAL_AUDIENCES_KEY
- protected static String JWT_CHALLENGE_KEY
- protected static String JWT_VERIFIED_CLAIMS_KEY
- protected Realm realm
- protected static String REGISTER_OUTCOME
- protected static String REQUIRES_TOKEN_RESTRICTION_KEY
- protected static Map<String,Boolean> sometimesOnSuccess
- protected static String SUCCESS_OUTCOME

Constructor Summary

- IotRegistrationNode(Realm realm, IotRegistrationNode.Config config, org.forgerock.openam.core.CoreWrapper coreWrapper, LegacyIdentityService identityService, org.forgerock.am.iot.JwtProofOfPossessionVerifier.Factory jwtPopVerifierFactory, org.forgerock.openam.integration.idm.IdmIntegrationConfig idmConfig, org.forgerock.openam.integration.idm.IdmIntegrationService idmIntegrationService, IdentityStoreFactory identityStoreFactory, JwtBuilderFactory jwtBuilderFactory, org.forgerock.oauth2.registration.SoftwareStatementVerifier.Factory softwareStatementVerifierFactory, org.forgerock.am.iot.OAuthAudienceProvider audienceProvider)
  Create an instance of the IotRegistrationNode.

Method Summary

- protected Optional<Action> callbackRequired(TreeContext context)
- protected String createChallenge(TreeContext context)
- protected Action failureAction()
- protected String getChallenge(TreeContext context)
- org.forgerock.openam.auth.node.api.InputState[] getInputs()
  Provide a list of shared state data a node consumes.
- protected SignedJwt getJWT(TreeContext context)
- protected SignedJwt getJWT(TreeContext context, String callbackId)
- org.forgerock.openam.auth.node.api.OutputState[] getOutputs()
  Provide a list of shared state data a node provides.
- Action process(TreeContext context)
  Performs processing on the given shared state, which holds all the data gathered by nodes that have already executed as part of this authentication session in the tree.
- protected Action successAction(org.forgerock.am.iot.VerifiedClaimSet verifiedClaims, TreeContext context, boolean requiresTokenRestriction)

Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.openam.auth.node.api.Node
- getAuditEntryDetail

Field Detail

JWT_CHALLENGE_KEY
protected static final String JWT_CHALLENGE_KEY
- See Also: Constant Field Values

JWT_VERIFIED_CLAIMS_KEY
protected static final String JWT_VERIFIED_CLAIMS_KEY
- See Also: Constant Field Values

JWT_ADDITIONAL_AUDIENCES_KEY
protected static final String JWT_ADDITIONAL_AUDIENCES_KEY
- See Also: Constant Field Values

REQUIRES_TOKEN_RESTRICTION_KEY
protected static final String REQUIRES_TOKEN_RESTRICTION_KEY
- See Also: Constant Field Values

SUCCESS_OUTCOME
protected static final String SUCCESS_OUTCOME
- See Also: Constant Field Values

FAILURE_OUTCOME
protected static final String FAILURE_OUTCOME
- See Also: Constant Field Values

REGISTER_OUTCOME
protected static final String REGISTER_OUTCOME
- See Also: Constant Field Values

realm
protected final Realm realm

coreWrapper
protected final org.forgerock.openam.core.CoreWrapper coreWrapper

Constructor Detail

IotRegistrationNode
@Inject
public IotRegistrationNode(Realm realm, IotRegistrationNode.Config config, org.forgerock.openam.core.CoreWrapper coreWrapper, LegacyIdentityService identityService, org.forgerock.am.iot.JwtProofOfPossessionVerifier.Factory jwtPopVerifierFactory, org.forgerock.openam.integration.idm.IdmIntegrationConfig idmConfig, org.forgerock.openam.integration.idm.IdmIntegrationService idmIntegrationService, IdentityStoreFactory identityStoreFactory, JwtBuilderFactory jwtBuilderFactory, org.forgerock.oauth2.registration.SoftwareStatementVerifier.Factory softwareStatementVerifierFactory, org.forgerock.am.iot.OAuthAudienceProvider audienceProvider)
Create an instance of the IotRegistrationNode.
- Parameters:
  - realm - the realm in which to create the node.
  - config - the node configuration.
  - coreWrapper - wrapper for abstracting core AM functionality.
  - identityService - an instance of IdentityService.
  - jwtPopVerifierFactory - factory for creating JWT PoP verifiers.
  - idmConfig - IDM integration config.
  - idmIntegrationService - IDM integration service.
  - identityStoreFactory - factory for creating identity repositories.
  - jwtBuilderFactory - factory for creating JwtBuilder.
  - softwareStatementVerifierFactory - factory for creating Software Statement verifiers.
  - audienceProvider - a provider for the OAuth audience values configured in the OAuth Provider.

Method Detail

callbackRequired
protected Optional<Action> callbackRequired(TreeContext context)

getInputs
public org.forgerock.openam.auth.node.api.InputState[] getInputs()
Description copied from interface: Node
Provide a list of shared state data a node consumes. An InputState consists of a property name and an "isRequired" flag. The isRequired flag indicates whether the input is required in order for the node to function. If the flag is false, the node will consume this data if it is present, but the data is not required for the node to function.

Example:

    public InputState[] getInputs() {
        return new InputState[] {
            new InputState(IDENTITY),
            new InputState("foo", false)
        };
    }

In this example the node declares that it requires state to contain a property named IDENTITY and that it will consume a property named "foo" if it is present. If "foo" is not present the node will still function but may skip some functionality.

This list is used to ensure that state data, both shared and transient, from upstream nodes is left intact for this node to access. If inputs are not declared there is no guarantee that the data needed by the node will still be present in state when the node executes. This list is also used for tree validation to report errors in tree construction.
- Returns: The list of shared state data.

getOutputs
public org.forgerock.openam.auth.node.api.OutputState[] getOutputs()
Description copied from interface: Node
Provide a list of shared state data a node provides. An OutputState consists of a property name and a map of node outcomes to a flag indicating whether that outcome is guaranteed to produce that property in state. Any given output may be provided for all outcomes or any subset of outcomes, and perhaps only optionally for some of them.

Example:

    public OutputState[] getOutputs() {
        return new OutputState[] {
            new OutputState(PASSWORD),
            new OutputState(config.mode(), singletonMap("*", false))
        };
    }

In this example we declare that the node will produce an output named PASSWORD. The lack of an outcome map indicates that this output is provided for all outcomes. The node also outputs a property named via config.mode() that is optional for all of the node's outcomes, i.e. it may or may not be present for downstream nodes to consume. This type of output is best consumed by other nodes by declaring an InputState such as new InputState(config.mode(), false).

This list is used by tree validation to report errors in tree construction.
- Returns: The list of shared state data.

process
public Action process(TreeContext context) throws NodeProcessException
Description copied from interface: Node
Performs processing on the given shared state, which holds all the data gathered by nodes that have already executed as part of this authentication session in the tree. This method is invoked when the node is reached in the tree.
- Specified by: process in interface Node
- Parameters: context - The context of the tree authentication.
- Returns: The next action to perform. Must not be null.
- Throws: NodeProcessException - If there was a problem processing that could not be resolved to a single outcome.

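The three methods above (getInputs, getOutputs and process) only make sense together: the inputs a node declares are what tree validation guarantees will survive in state when process() runs, and the outputs it declares are what downstream nodes may rely on per outcome. The following is an added example, not code from this page or from the ForgeRock IoT node, of a small decision node that ties them together. The class name, the "deviceHint" and "deviceDomain" state keys, the Config attribute and its default value are constructed for illustration; the AM types used (AbstractDecisionNode, NodeState, InputState, OutputState, SharedStateConstants.USERNAME, the @Node.Metadata and @Attribute annotations) are assumed to be the public AM 7.x auth-node API.

```java
// Added example, not part of the IotRegistrationNode page. Hypothetical package and class.
package com.example.nodes;

import static org.forgerock.openam.auth.node.api.SharedStateConstants.USERNAME;

import java.util.Collections;
import javax.inject.Inject;

import com.google.inject.assistedinject.Assisted;
import org.forgerock.json.JsonValue;
import org.forgerock.openam.auth.node.api.AbstractDecisionNode;
import org.forgerock.openam.auth.node.api.Action;
import org.forgerock.openam.auth.node.api.InputState;
import org.forgerock.openam.auth.node.api.Node;
import org.forgerock.openam.auth.node.api.NodeProcessException;
import org.forgerock.openam.auth.node.api.NodeState;
import org.forgerock.openam.auth.node.api.OutputState;
import org.forgerock.openam.auth.node.api.TreeContext;
import org.forgerock.openam.sm.annotations.adapters.Attribute;

/**
 * Decision node that accepts a thing only if its username carries a configured
 * suffix, and publishes the domain part of the name for downstream nodes.
 * Outcomes "true" / "false" come from AbstractDecisionNode.OutcomeProvider.
 */
@Node.Metadata(outcomeProvider = AbstractDecisionNode.OutcomeProvider.class,
               configClass = DeviceDomainCheckNode.Config.class)
public class DeviceDomainCheckNode extends AbstractDecisionNode {

    /** Constructed state keys: an optional input and the output this node writes. */
    static final String DEVICE_HINT = "deviceHint";
    static final String DEVICE_DOMAIN = "deviceDomain";

    /** Node configuration shown in the tree designer (assumed @Attribute usage). */
    public interface Config {
        /** Suffix a registering thing's username must end with (constructed default). */
        @Attribute(order = 100)
        default String requiredSuffix() {
            return "@things.example.com";
        }
    }

    private final Config config;

    @Inject
    public DeviceDomainCheckNode(@Assisted Config config) {
        this.config = config;
    }

    /** USERNAME is required; DEVICE_HINT is consumed only if an upstream node set it. */
    @Override
    public InputState[] getInputs() {
        return new InputState[] {
            new InputState(USERNAME),
            new InputState(DEVICE_HINT, false)
        };
    }

    /** DEVICE_DOMAIN is guaranteed on the "true" outcome only; it is never set on "false". */
    @Override
    public OutputState[] getOutputs() {
        return new OutputState[] {
            new OutputState(DEVICE_DOMAIN, Collections.singletonMap(TRUE_OUTCOME_ID, true))
        };
    }

    @Override
    public Action process(TreeContext context) throws NodeProcessException {
        NodeState state = context.getStateFor(this);

        // Declared as required, so validation should already guarantee it; fail closed anyway.
        if (!state.isDefined(USERNAME)) {
            throw new NodeProcessException("username missing from shared state");
        }
        String name = state.get(USERNAME).asString();
        if (!name.endsWith(config.requiredSuffix())) {
            return goTo(false).build();
        }
        String domain = name.substring(name.indexOf('@') + 1);

        // Optional input: only acted on when present. A hint that disagrees with the
        // name is treated as a mismatch rather than silently ignored.
        if (state.isDefined(DEVICE_HINT)) {
            JsonValue hint = state.get(DEVICE_HINT);
            if (!hint.isNull() && !domain.equals(hint.asString())) {
                return goTo(false).build();
            }
        }

        // Write the declared output before taking the outcome that promises it.
        state.putShared(DEVICE_DOMAIN, domain);
        return goTo(true).build();
    }
}
```

A node downstream of this one on the "true" branch can declare `new InputState(DEVICE_DOMAIN)` as a required input, because the outcome map promises it there; a node reachable from the "false" branch should declare it optional (`new InputState(DEVICE_DOMAIN, false)`) or not at all, since tree validation would otherwise report the missing guarantee.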
createChallenge
protected String createChallenge(TreeContext context)

failureAction
protected Action failureAction()

successAction
protected Action successAction(org.forgerock.am.iot.VerifiedClaimSet verifiedClaims, TreeContext context, boolean requiresTokenRestriction) throws Exception
- Throws: Exception

getChallenge
protected String getChallenge(TreeContext context) throws NodeProcessException
- Throws: NodeProcessException

getJWT
protected SignedJwt getJWT(TreeContext context) throws NodeProcessException
- Throws: NodeProcessException

getJWT
protected SignedJwt getJWT(TreeContext context, String callbackId) throws NodeProcessException
- Throws: NodeProcessException