Package org.forgerock.openig.filter.oauth2

Class OAuth2TokenExchangeFilter

  • All Implemented Interfaces:
    Filter
    public class OAuth2TokenExchangeFilter
extends Object
implements Filter
    Filter supporting OAuth2 token exchange scenarios. The OAuth2TokenExchangeFilter will accept a request containing a subject token, which it will provide to the configured Authorization server to be exchanged. The resulting exchange token is located in an OAuth2TokenExchangeContext. Should a failure occur during token exchange, an OAuth2FailureContext is produced containing error details and the failureHandler is called. 
     {
      "type": "OAuth2TokenExchangeFilter",
      "config": {
         "subjectToken"         : Runtime Expression<String> [REQUIRED - Where to find the subject token.]
         "amService"            : AmService                  [OPTIONAL - AM service to use as the Authorization
                                                                         server (1).]
         "endpoint"             : Expression<String>         [OPTIONAL - Endpoint of the Authorization server (1).
                                                                         REQUIRED - if 'amService' is not configured.]
         "subjectTokenType"     : String                     [OPTIONAL - The type of subject token - defaults to the
                                                                         URN for access_token (2).]
         "requestedTokenType"   : String                     [OPTIONAL - The type of token being requested - defaults
                                                                         to the URN for access_token (2).]
         "scopes"               : [ Expression<String>... ], [OPTIONAL - List of requested OAuth2 scopes.]
         "resource"             : Expression<String>         [OPTIONAL - The target service URI where the token is
                                                                         intended to be used.]
         "audience"             : Expression<String>         [OPTIONAL - The target service name where the token is
                                                                         intended to be used.]
         "endpointHandler"      : Handler                    [OPTIONAL - The Handler to use to make requests on
                                                                         the Authorization endpoint - defaults to the
                                                                         heap-defined ForgeRockClientHandler.]
         "failureHandler"       : Handler                    [OPTIONAL - Handler called upon error - defaults to 500.]
      }
  }
    1. Either 'amService' or 'endpoint' must be configured identifying the Authorization server. If both are configured then 'amService' takes precedence.
    2. The default URN for 'subjectTokenType' and 'exchangeTokenType' is "urn:ietf:params:oauth:token-type:access_token".
     
 {
         "name": "tokenExchangeFilter",
         "type": "OAuth2TokenExchangeFilter",
         "config": {
           "endpointHandler": "ForgeRockHandlerWithClientSecretBasicAuthentication",
           "endpoint": "https://as.example.com/oauth2/access_token",
           "subjectToken": "#{request.entity.form['subject_token'][0]}",
           "scopes": ["transfer", "read", "write"],
           "failureHandler": "ConditionFailedHandler"
         }
 }
    See Also:
    RFC 8693 - OAuth2 Token Exchange

    • Constructor Detail

      • OAuth2TokenExchangeFilter

        public OAuth2TokenExchangeFilter​(URI endpoint,
                                 Handler handler,
                                 Expression<String> subjectTokenExpression,
                                 String subjectTokenType,
                                 String requestedTokenType,
                                 ResourceAccess scopesAccess,
                                 URI resource,
                                 String audience,
                                 Handler failureHandler)
        Construct a new OAuth2TokenExchangeFilter.
        Parameters:
        endpoint - The token endpoint that will perform the token exchange, not null.
        handler - Handler to use to connect to the token endpoint, not null.
        subjectTokenExpression - Expression identifying where to find the subject token, not null.
        subjectTokenType - The subject token type URN, not null.
        requestedTokenType - The token type URN of the token being requested, not null.
        scopesAccess - ResourceAccess used to supply requested scopes, not null but may be empty.
        resource - The target service URI where the token is intended to be used, may be null.
        audience - The target service name where the token is intended to be used, may be null.
        failureHandler - Handler called in the event of a failure to perform the token exchange, not null.

    • Method Detail

      • filter

        public Promise<Response,​NeverThrowsException> filter​(Context context,
                                                           Request request,
                                                           Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.