Class JwtValidationFilter

  • All Implemented Interfaces:
    Filter

    public class JwtValidationFilter
    extends Object
    implements Filter
    A JwtValidationFilter validates the given JWT according to the provided configuration. If the JWT is verified, the chain of execution continues, with a JwtValidationContext provided. If the JWT is not valid, this filter directly exits the chain by returning either a 403 Forbidden response (by default) or the response built by the given failure handler. In case of errors, a JwtValidationErrorContext is provided.

    Configuration options:

      
      {
          "jwt"                    : runtime expression      [REQUIRED - the location of the JWT.]
          "failureHandler"         : handler                 [OPTIONAL - the failure handler - default is FORBIDDEN.]
          "skewAllowance"          : expression<duration>    [OPTIONAL - the skew allowance - defaults to zero.]
          "verificationSecretId"   : expression<Secret ID>   [OPTIONAL - to verify the signature of the JWT.]
          "decryptionSecretId"     : expression<Secret ID>   [OPTIONAL - to verify the encryption of the JWT.]
          "secretsProvider"        : SecretsProvider         [OPTIONAL - secrets provider used to obtain secrets. REQUIRED
                                                                         if 'verificationSecretId' or
                                                                         'decryptionSecretId' is used.]
          "customizer"             : JwtValidatorCustomizer  [OPTIONAL - to add special claim checks.]
      }
      
      
    Example of use for a plain JWT:
      
      {
         "type": "JwtValidationFilter",
         "config": {
              "jwt": "${request.headers['myToken'][0]}"
          }
      }
      
      
    Example of use for a signed JWT:
      
      {
         "type": "JwtValidationFilter",
         "config": {
              "jwt": "${request.headers['myToken'][0]}",
              "verificationSecretId": "signature.verification.secret.id",
              "secretsProvider": "mySecretsProvider"
          }
      }
      
      
    Example of use for an encrypted JWT:
      
      {
         "type": "JwtValidationFilter",
         "config": {
              "jwt": "${request.headers['myToken'][0]}",
              "decryptionSecretId": "decryption.secret.id",
              "secretsProvider": "mySecretsProvider"
          }
      }
      
      
    Example of use for a signed and encrypted JWT. This does not depend on the order in which the signing and encryption operations were applied:
      
      {
         "type": "JwtValidationFilter",
         "config": {
              "jwt": "${request.headers['myToken'][0]}",
              "decryptionSecretId": "decryption.secret.id",
              "verificationSecretId": "signature.verification.secret.id",
              "secretsProvider": "mySecretsProvider"
          }
      }
      
      
    Example of use for a plain JWT with custom claims validation:
      
      {
          "type": "JwtValidationFilter",
          "config": {
              "jwt": "${request.headers['myToken'][0]}",
              "customizer": {
                  "type": "ScriptableJwtValidatorCustomizer",
                  "config": {
                      "type": "application/x-groovy",
                      "source": [
                          "builder.claim('myClaim', JsonValue::asString, isEqualTo('foobar'))"
                      ]
                  }
              }
          }
      }
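
    An added example, not from the original documentation, combining options listed above that none of the page's examples show: signature verification with a bounded skewAllowance and a failureHandler that replaces the default 403 response. It assumes IG's StaticResponseHandler (with its status, headers and entity settings) and the "2 minutes" duration syntax, neither of which appears on this page; the secret ID and provider name are the page's own placeholders.

```json
{
    "type": "JwtValidationFilter",
    "config": {
        "jwt": "${request.headers['myToken'][0]}",
        "verificationSecretId": "signature.verification.secret.id",
        "secretsProvider": "mySecretsProvider",
        "skewAllowance": "2 minutes",
        "failureHandler": {
            "type": "StaticResponseHandler",
            "config": {
                "status": 401,
                "headers": {
                    "Content-Type": [ "text/plain; charset=UTF-8" ]
                },
                "entity": "JWT validation failed"
            }
        }
    }
}
```

    A skew allowance tolerates clock drift between the token issuer and the gateway, so a larger value also lengthens the time a token past its expiry is still accepted.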
      
      
    • Constructor Detail

      • JwtValidationFilter

        public JwtValidationFilter(Expression<String> jwtResolver,
                                   JwtValidator validator,
                                   Handler failureHandler)
        Constructs a JwtValidationFilter. If a SigningHandler is provided, this filter verifies the signature of the JWT; it then provides the unpacked JWT in a JwtValidationContext, accessible through the context chain to downstream components.
        Parameters:
        jwtResolver - The JWT as an Expression, not null.
        validator - The validator that will execute all the required checks on the JWT, not null.
        failureHandler - The Handler to dispatch to if the JWT validation fails, not null.
    • Method Detail

      • filter

        public Promise<Response,NeverThrowsException> filter(Context context,
                                                                   Request request,
                                                                   Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.