Class IdentityAssertionHandlerTechPreview

  • All Implemented Interfaces:
    Handler

    public final class IdentityAssertionHandlerTechPreview
    extends Object
    implements Handler
    Provides support to locally process a user and generate a JWT assertion that represents the user back to the calling party. Intended to be used in conjunction with an Identity Cloud authentication journey where it can redirect a user to IG to carry out local processing on its behalf and return the user to the journey, along with the assertion, once the local processing has been completed successfully. Local processing may include authentication and/or authorization.
     {
          "type": "IdentityAssertionHandlerTechPreview",
          "config": {
              "identityAssertionPlugin"   :     IdentityAssertionPluginTechPreview [REQUIRED]
              "selfIdentifier:              :     expression       [REQUIRED - a configuration time expression used to
                                                                               validate the AUD claim value in the
                                                                               incoming JWT and will be used as the ISS
                                                                               claim in the assertion JWT.
              "peerIdentifier:              :     expression       [REQUIRED - a configuration time expression used to
                                                                               validate the ISS claim value in the
                                                                               incoming JWT and will be used as the AUD
                                                                               claim in the assertion JWT.
              "expire"                    :     expression         [OPTIONAL - a configuration time expression used to set
                                                                               the additional duration from now on the
                                                                               assertion JWT expiry claim date. Defaults
                                                                               to 30 seconds.]
              "secretsProvider":          :     Secrets Provider   [OPTIONAL - resolve signing/encryption keys.]
              "verificationSecretId"      :     expression         [REQUIRED - verification secret ID of the key used to
                                                                               validate the signature of incoming JWT]
              "decryptionSecretId"        :     expression         [OPTIONAL - decryption secret ID of the key used to
                                                                               decrypt of incoming JWT. When not
                                                                               specified, the incoming JWT will only be
                                                                               signed.]
              "skewAllowance"             :     expression         [OPTIONAL - the skew allowance duration of the incoming
                                                                               JWT. Defaults to zero.]
              "signature"                 : {   object             [REQUIRED]
                  "secretId"                :     expression       [REQUIRED - secret ID of the key used for signing
                                                                               assertion JWT]
                  "algorithm"               :     expression       [OPTIONAL - default to RS256 (1)]
                  "encryption"              : {   object           [REQUIRED]
                      "secretId"              :     expression     [REQUIRED - secret ID of the key used for encryption]
                      "algorithm"             :     expression     [REQUIRED - The encryption algorithm (1)]
                      "method"                :     expression     [REQUIRED - The encryption method (2)]
                  }
              }
          }
     }
     
     

    (1) List of JWS Algorithms (2) List of JWE Algorithms

    Example of use : Interoperability with the Marketplace Gateway Communications Node
     {
             "type": "IdentityAssertionHandlerTechPreview",
             "config": {
                 "identityAssertionPlugin": "ScriptablePluginExample",
                 "selfIdentifier": "identity-gateway",
                 "peerIdentifier": "gateway-communication-node",
                 "secretsProvider": [
                     "IG-Decrypt",
                     "Node-Verify",
                     "IG-Sign",
                     "Node-Encrypt"
                 ],
                 "verificationSecretId": "id.key.for.verifying.incoming.jwt",
                 "decryptionSecretId": "id.key.for.decrypting.incoming.jwt",
                 "signature": {
                     "secretId": "id.key.for.signing.assertion.jwt",
                     "algorithm": "RS256",
                     "encryption": {
                         "secretId": "id.key.for.encrypting.assertion.jwt",
                         "algorithm": "RSA-OAEP-256",
                         "method": "A256GCM"
                     }
                 }
             }
         }
     
     
    • Method Detail

      • handle

        public Promise<Response,​NeverThrowsException> handle​(Context context,
                                                                   Request request)
        Description copied from interface: Handler
        Returns a Promise representing the asynchronous Response of the given request. If any (asynchronous) processing goes wrong, the promise still contains a Response (probably from the 4xx or 5xx status code family).

        A handler that doesn't hand-off the processing to another downstream handler is responsible for creating the response.

        The returned Promise contains the response returned from the server as-is. This is responsibility of the handler to produce the appropriate error response (404, 500, ...) in case of processing error.

        Note: As of Promise 2.0 implementation, it is not permitted to throw any runtime exception here. Doing so produce unexpected behaviour (most likely a server-side hang of the processing thread).

        Specified by:
        handle in interface Handler
        Parameters:
        context - The request context.
        request - The request.
        Returns:
        A Promise representing the response to be returned to the caller.