Class MacaroonToken<T extends IntrospectableToken>
- java.lang.Object
- org.forgerock.openam.oauth2.token.macaroon.MacaroonToken<T>

Type Parameters:
- T - the type of token this is.

All Implemented Interfaces:
- IntrospectableToken, Token

@Evolving public class MacaroonToken<T extends IntrospectableToken> extends Object implements IntrospectableToken
An OAuth2 access or refresh token that is represented as a Macaroon. Macaroons allow caveats to be added to a token after it has been issued. Caveats restrict the scope, expiry time or other properties of the token. In addition to the supported AccessToken or RefreshToken methods, macaroon tokens expose additional supported methods for adding caveats from scripts and plugins.

Method Summary

- T addFirstPartyCaveat(byte[] caveat) - Adds a first-party caveat to the access token macaroon.
- T addFirstPartyCaveat(String caveat) - Adds a first-party caveat to the access token macaroon.
- T addFirstPartyCaveat(JsonValue caveat) - Adds a first-party caveat to the access token macaroon.
- T addThirdPartyCaveat(String location, SecretKey caveatKey, byte[] caveat) - Adds a third-party caveat to a macaroon.
- T addThirdPartyCaveat(String location, SecretKey caveatKey, String caveat) - Adds a third-party caveat to a macaroon.

Method Detail

addFirstPartyCaveat

@Evolving public T addFirstPartyCaveat(String caveat)

Adds a first-party caveat to the access token macaroon. AM supports caveats in JSON format in the following forms:
- {"exp":12345} - reduces the expiry time of the token (in seconds since the UNIX epoch).
- {"scope":"a b c"} - reduces the scope of the token.
- {"aud": ["x", "y", "z"]} - reduces the audience of the token. A token without an audience restriction is assumed to be valid to access all resource servers.
- {"cnf": ...} - adds a proof-of-possession confirmation key restriction, such as a mutual TLS certificate binding. Such a restriction can only be added once, and only if the underlying access token does not already have a confirmation key associated with it.
"caveats" field.

Parameters:
- caveat - the caveat to add as a string.
Returns:
- this macaroon token
See Also:
- addFirstPartyCaveat(JsonValue)

addFirstPartyCaveat

@Evolving public T addFirstPartyCaveat(byte[] caveat)

Adds a first-party caveat to the access token macaroon. AM supports caveats in JSON format in the following forms:
- {"exp":12345} - reduces the expiry time of the token (in seconds since the UNIX epoch).
- {"scope":"a b c"} - reduces the scope of the token.
- {"aud": ["x", "y", "z"]} - reduces the audience of the token. A token without an audience restriction is assumed to be valid to access all resource servers.
- {"cnf": ...} - adds a proof-of-possession confirmation key restriction, such as a mutual TLS certificate binding. Such a restriction can only be added once, and only if the underlying access token does not already have a confirmation key associated with it.
"caveats" field.

Parameters:
- caveat - the caveat to add, as a byte array.
Returns:
- this macaroon token
See Also:
- addFirstPartyCaveat(JsonValue)

addFirstPartyCaveat

@Evolving public T addFirstPartyCaveat(JsonValue caveat)

Adds a first-party caveat to the access token macaroon. AM supports caveats in JSON format in the following forms:
- {"exp":12345} - reduces the expiry time of the token (in seconds since the UNIX epoch).
- {"scope":"a b c"} - reduces the scope of the token.
- {"aud": ["x", "y", "z"]} - reduces the audience of the token. A token without an audience restriction is assumed to be valid to access all resource servers.
- {"cnf": ...} - adds a proof-of-possession confirmation key restriction, such as a mutual TLS certificate binding. Such a restriction can only be added once, and only if the underlying access token does not already have a confirmation key associated with it.
"caveats" field.

Parameters:
- caveat - the caveat to add, as a JSON value.
Returns:
- this macaroon token
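As an added illustration (not AM's code and not part of this Javadoc), the following Python models how the first-party caveat forms listed above narrow a token when it is later introspected: every rule is monotone, so a caveat can only shrink the expiry, scope or audience, and a confirmation-key caveat is rejected when the token is already bound. The claims layout, the `introspect` helper and the handling of unrecognised caveats are assumptions made for the example.

```python
import json

class CaveatError(ValueError):
    """A caveat that cannot be applied to this token."""

def apply_first_party_caveats(claims, caveats):
    """Fold first-party caveats (JSON strings in the forms listed above) into
    a token's base claims: exp (UNIX seconds), scope (set), aud (set, or None =
    valid for all resource servers) and cnf (dict or None). Each rule is
    monotone, so a caveat can only narrow the token. Assumption: caveats of any
    other form are passed back untouched for the caller to surface."""
    exp, scope = claims["exp"], set(claims["scope"])
    aud = None if claims.get("aud") is None else set(claims["aud"])
    cnf, other = claims.get("cnf"), []
    for raw in caveats:
        caveat = json.loads(raw)
        if not isinstance(caveat, dict) or len(caveat) != 1:
            raise CaveatError(f"expected a single-key JSON object: {raw!r}")
        [(key, value)] = caveat.items()
        if key == "exp":
            exp = min(exp, int(value))            # can only move earlier
        elif key == "scope":
            scope &= set(str(value).split())      # intersection, never union
        elif key == "aud":
            aud = set(value) if aud is None else aud & set(value)
        elif key == "cnf":
            if cnf is not None:                   # once only, and only if unbound
                raise CaveatError("token already has a confirmation key")
            cnf = value
        else:
            other.append(caveat)
    return {"exp": exp, "scope": scope, "aud": aud, "cnf": cnf}, other

def introspect(claims, caveats, now):
    """Model the introspection outcome at time `now` (UNIX seconds): inactive
    if a caveat cannot be applied or the reduced expiry has passed."""
    try:
        eff, other = apply_first_party_caveats(claims, caveats)
    except ValueError:                            # CaveatError or malformed JSON
        return {"active": False}
    if eff["exp"] <= now:
        return {"active": False}
    resp = {"active": True, "exp": eff["exp"], "scope": " ".join(sorted(eff["scope"]))}
    if eff["aud"] is not None:
        resp["aud"] = sorted(eff["aud"])
    if eff["cnf"] is not None:
        resp["cnf"] = eff["cnf"]
    if other:
        resp["caveats"] = other
    return resp
```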

addThirdPartyCaveat

@Evolving public T addThirdPartyCaveat(String location, SecretKey caveatKey, byte[] caveat)

Adds a third-party caveat to a macaroon. Third-party caveats are satisfied by the client obtaining a discharge macaroon from the named 3rd-party service. Discharge macaroons can be provided to AM's token introspection endpoint by using the non-standard X-Discharge-Macaroon header.
Note: any unsatisfied 3rd-party caveats will cause the token to be rejected from the token introspection endpoint with an invalid_grant error code.

Parameters:
- location - The location of the 3rd-party service, such as a URI. May be null.
- caveatKey - The key that will be used to sign the discharge macaroon. This should be generated fresh for each caveat by calling Macaroon.generateKey().
- caveat - the caveat that the 3rd-party service should verify. This should securely communicate the caveatKey to the 3rd-party service, for example by encrypting it with a public key of the 3rd-party service or by establishing a ticket via out-of-band communications. The details of how this is done are unspecified and need to be agreed between the AS and the 3rd-party service.
Returns:
- this macaroon token.

addThirdPartyCaveat

@Evolving public T addThirdPartyCaveat(String location, SecretKey caveatKey, String caveat)

Adds a third-party caveat to a macaroon. Third-party caveats are satisfied by the client obtaining a discharge macaroon from the named 3rd-party service. Discharge macaroons can be provided to AM's token introspection endpoint by using the non-standard X-Discharge-Macaroon header.
Note: any unsatisfied 3rd-party caveats will cause the token to be rejected from the token introspection endpoint with an invalid_grant error code.

Parameters:
- location - The location of the 3rd-party service, such as a URI. May be null.
- caveatKey - The key that will be used to sign the discharge macaroon. This should be generated fresh for each caveat by calling Macaroon.generateKey().
- caveat - the caveat that the 3rd-party service should verify. This should securely communicate the caveatKey to the 3rd-party service, for example by encrypting it with a public key of the 3rd-party service or by establishing a ticket via out-of-band communications. The details of how this is done are unspecified and need to be agreed between the AS and the 3rd-party service.
Returns:
- this macaroon token.