Class StatelessAccessTokenResolver
- java.lang.Object
  - org.forgerock.openig.filter.oauth2.StatelessAccessTokenResolver

All Implemented Interfaces: AccessTokenResolver

public class StatelessAccessTokenResolver extends Object implements AccessTokenResolver

A StatelessAccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM. It will examine the supplied JWT to determine that it:
- is well-formed
- has valid issuer
- has an expected access token name
- has a valid signature

AccessTokenInfo as returned by AM. AM may supply a stateless access token that is either signed or encrypted. An example of an Access Management stateless access token is as follows:

    {
      "sub": "demo",
      "cts": "OAUTH2_STATELESS_GRANT",
      "auth_level": 0,
      "auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
      "iss": "http://openam.example.com:8088/openam/oauth2",
      "tokenName": "access_token",
      "token_type": "Bearer",
      "authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc",
      "aud": "ig_client",
      "nbf": 1531339691,
      "grant_type": "password",
      "scope": [ "openid" ],
      "auth_time": 1531339691,
      "realm": "/",
      "exp": 1531343291,
      "iat": 1531339691,
      "expires_in": 3600,
      "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s"
    }

The StatelessAccessTokenResolver has the following configuration:

    {
      "type": "StatelessAccessTokenResolver",
      "config": {
        "skewAllowance"        : expression<duration>               [OPTIONAL - the skew allowance - defaults to zero.]
        "issuer"               : expression<Issuer URI>             [REQUIRED]
        "secretsProvider"      : Secrets Provider                   [OPTIONAL]
        "verificationSecretId" : expression<Verification Secret ID> [OPTIONAL]
        "decryptionSecretId"   : expression<Decryption Secret ID>   [OPTIONAL]
      }
    }

Either the "verificationSecretId" or "decryptionSecretId" config must be supplied to allow token verification. This should be configured according to the AM token provider configuration for stateless access tokens. Be aware also that the ResourceServerFilter conducts additional checks on the token content following resolution.

Since: 6.5

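The four checks listed in the class description, shown as an added Python example that is not ForgeRock's code. It assumes an HS256-signed token and a constructed key; `SAMPLE_CLAIMS`, `sign_hs256` and `resolve` are hypothetical names, and applying `skewAllowance` to the `exp`/`nbf` window is an assumption about how that setting is used.

```python
import base64, hashlib, hmac, json, time

# Constructed sample: a subset of the claims in the AM token shown above.
SAMPLE_CLAIMS = {"sub": "demo", "iss": "http://openam.example.com:8088/openam/oauth2",
                 "tokenName": "access_token", "nbf": 1531339691, "exp": 1531343291}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Hypothetical helper: mint a constructed token so the example runs offline."""
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"

def resolve(token: str, key: bytes, issuer: str, skew: int = 0, now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:  # 1. well-formed: three base64url segments, header and payload are JSON
        head_s, body_s, sig_s = token.split(".")
        header = json.loads(_unb64url(head_s))
        claims = json.loads(_unb64url(body_s))
        sig = _unb64url(sig_s)
    except ValueError as exc:  # also covers base64 and JSON decoding errors
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    # 2. valid signature: the algorithm is pinned, not taken from the header
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # 3. valid issuer and 4. expected access token name
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("tokenName") != "access_token":
        raise ValueError("wrong token name")
    # Validity window widened by the skew allowance (assumed use of skewAllowance)
    if now > claims.get("exp", 0) + skew or now < claims.get("nbf", 0) - skew:
        raise ValueError("token outside validity window")
    return claims
```

Claims are only read after the signature check, so a token with a forged `iss` or `tokenName` is rejected as a bad signature before those fields are ever trusted.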
Nested Class Summary

| Modifier and Type | Class | Description |
|---|---|---|
| static class | StatelessAccessTokenResolver.Heaplet | Creates and initializes a stateless access token resolver in the heap environment. |

Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| Promise<AccessTokenInfo,AccessTokenException> | resolve(Context context, Supplier<Request,IOException> request, String token) | Resolves a given access token against an authorization server. |

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.http.oauth2.AccessTokenResolver
resolve

Method Detail

resolve

public Promise<AccessTokenInfo,AccessTokenException> resolve(Context context, Supplier<Request,IOException> request, String token)

Description copied from interface: AccessTokenResolver

Resolves a given access token against an authorization server.

Specified by:
- resolve in interface AccessTokenResolver

Parameters:
- context - Context chain used to keep a relationship between requests (tracking)
- request - a supplier for the HTTP request the access token was presented on. The request should be defensively copied by the caller in case the resolver needs to consume the entity.
- token - token identifier to be resolved

Returns:
- a promise completed either with a valid AccessTokenInfo (well-formed, known by the server), or by an exception