Class IdentityAssertionHandlerTechPreview
- java.lang.Object
-
- org.forgerock.openig.handler.assertion.IdentityAssertionHandlerTechPreview
-
- All Implemented Interfaces:
Handler
public final class IdentityAssertionHandlerTechPreview extends Object implements Handler
Provides support to locally process a user and generate a JWT assertion that represents the user back to the calling party. Intended to be used in conjunction with an Identity Cloud authentication journey where it can redirect a user to IG to carry out local processing on its behalf and return the user to the journey, along with the assertion, once the local processing has been completed successfully. Local processing may include authentication and/or authorization.{ "type": "IdentityAssertionHandlerTechPreview", "config": { "identityAssertionPlugin" : IdentityAssertionPluginTechPreview [REQUIRED] "selfIdentifier: : expression [REQUIRED - a configuration time expression used to validate the AUD claim value in the incoming JWT and will be used as the ISS claim in the assertion JWT. "peerIdentifier: : expression [REQUIRED - a configuration time expression used to validate the ISS claim value in the incoming JWT and will be used as the AUD claim in the assertion JWT. "expire" : expression [OPTIONAL - a configuration time expression used to set the additional duration from now on the assertion JWT expiry claim date. Defaults to 30 seconds.] "secretsProvider": : Secrets Provider [OPTIONAL - resolve signing/encryption keys.] "verificationSecretId" : expression [REQUIRED - verification secret ID of the key used to validate the signature of incoming JWT] "decryptionSecretId" : expression [OPTIONAL - decryption secret ID of the key used to decrypt of incoming JWT. When not specified, the incoming JWT will only be signed.] "skewAllowance" : expression [OPTIONAL - the skew allowance duration of the incoming JWT. Defaults to zero.] "signature" : { object [REQUIRED] "secretId" : expression [REQUIRED - secret ID of the key used for signing assertion JWT] "algorithm" : expression [OPTIONAL - default to RS256 (1)] "encryption" : { object [REQUIRED] "secretId" : expression [REQUIRED - secret ID of the key used for encryption] "algorithm" : expression [REQUIRED - The encryption algorithm (1)] "method" : expression [REQUIRED - The encryption method (2)] } } } }(1) List of JWS Algorithms (2) List of JWE Algorithms
Example of use : Interoperability with the Marketplace Gateway Communications Node{ "type": "IdentityAssertionHandlerTechPreview", "config": { "identityAssertionPlugin": "ScriptablePluginExample", "selfIdentifier": "identity-gateway", "peerIdentifier": "gateway-communication-node", "secretsProvider": [ "IG-Decrypt", "Node-Verify", "IG-Sign", "Node-Encrypt" ], "verificationSecretId": "id.key.for.verifying.incoming.jwt", "decryptionSecretId": "id.key.for.decrypting.incoming.jwt", "signature": { "secretId": "id.key.for.signing.assertion.jwt", "algorithm": "RS256", "encryption": { "secretId": "id.key.for.encrypting.assertion.jwt", "algorithm": "RSA-OAEP-256", "method": "A256GCM" } } } }
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classIdentityAssertionHandlerTechPreview.BuilderA builder of aIdentityAssertionHandlerTechPreview.static classIdentityAssertionHandlerTechPreview.HeapletCreates and initializes a LocalAuthenticationHandler in a heap environment.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description Promise<Response,NeverThrowsException>handle(Context context, Request request)
-
-
-
Method Detail
-
handle
public Promise<Response,NeverThrowsException> handle(Context context, Request request)
Description copied from interface:HandlerReturns aPromiserepresenting the asynchronousResponseof the givenrequest. If any (asynchronous) processing goes wrong, the promise still contains aResponse(probably from the 4xx or 5xx status code family).A handler that doesn't hand-off the processing to another downstream handler is responsible for creating the response.
The returned
Promisecontains the response returned from the server as-is. This is responsibility of the handler to produce the appropriate error response (404, 500, ...) in case of processing error.Note: As of Promise 2.0 implementation, it is not permitted to throw any runtime exception here. Doing so produce unexpected behaviour (most likely a server-side hang of the processing thread).
-
-