Class IdTokenValidationFilterHeaplet
java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.filter.jwt.JwtValidationFilter.Heaplet
org.forgerock.openig.filter.oauth2.client.IdTokenValidationFilterHeaplet
- All Implemented Interfaces:
Heaplet
An IdTokenValidationFilterHeaplet creates a filter that validates the given
idToken according to the provided configuration by leveraging the JwtValidationFilter.
If the JWT is verified, the chain of execution continues with a JwtValidationContext provided.
If the JWT is not valid, the filter exits the chain directly by returning either a 403 Forbidden
response (the default) or the response built by the given failure handler.
In case of errors, a JwtValidationErrorContext is provided.
Configuration options:
{
"idToken" : expression [REQUIRED]
"audience" : expression [REQUIRED - to validate the 'aud' attribute.]
"failureHandler" : handler [OPTIONAL - the failure handler - default is FORBIDDEN.]
"issuer" : expression [OPTIONAL - to validate the 'iss' attribute.]
"skewAllowance" : expression<duration> [OPTIONAL - the skew allowance - defaults to zero.]
"verificationSecretId" : Secret ID [OPTIONAL - to verify the signature of the IdToken.]
"secretsProvider" : SecretsProvider [OPTIONAL - secrets provider used to obtain secrets. REQUIRED
if 'verificationSecretId' is used.]
"customizer" : JwtValidatorCustomizer [OPTIONAL - to add special claim checks. This will not
override pre-defined constraints on "aud", "iss",
"exp" and "iat"]
}
Example of use for a SignedJwt:
{
"type": "IdTokenValidationFilter",
"config": {
"idToken": "${attributes.openid.id_token}",
"audience": "ForgeShop",
"issuer": "http://openam.example.com:8090/openam/oauth2",
"verificationSecretId": "signature.verification.secret.id",
"secretsProvider": "SecretsProvider",
"customizer": {
"type": "ScriptableJwtValidatorCustomizer",
"config": {
"type": "application/x-groovy",
"source": [
"builder.claim('myClaim', JsonValue::asString, isEqualTo('foobar'))"
]
}
}
}
}
Note also that the issued-at claim ('iat') must be present and must not be later than the current time.
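The validation rules described above, modelled as a stand-alone script. This is an added illustration and not OpenIG code or its API: the token builder, the HS256 shared secret, the claim values and the function names (sign_hs256, validate_id_token, demo) are assumptions made for the example, and the real filter resolves its verification key through the configured secretsProvider and verificationSecretId rather than taking a raw secret. It shows the order a practitioner should expect (signature first, then 'aud', 'iss', 'exp' and 'iat' widened by the skew allowance, then custom claim checks that cannot override the built-in ones) and which failure each step reports.

```python
"""Added example: a minimal model of ID-token validation. Not OpenIG code."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256.
    Used only to construct sample tokens for this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, secret, audience, issuer=None, skew_allowance=0,
                      now=None, custom_checks=()):
    """Return (ok, reason). On a False result the documented filter would
    answer 403 Forbidden (or run its failureHandler)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    # Verify the signature before trusting any claim, and pin the algorithm
    # instead of letting the token's own 'alg' header pick the routine.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    aud = claims.get("aud")  # 'aud' may be a single string or a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if issuer is not None and claims.get("iss") != issuer:  # optional check
        return False, "issuer mismatch"
    for name in ("exp", "iat"):  # both claims are mandatory
        if not isinstance(claims.get(name), (int, float)):
            return False, f"missing {name}"
    if now - skew_allowance >= claims["exp"]:
        return False, "token expired"
    if claims["iat"] > now + skew_allowance:
        return False, "issued in the future"
    for claim, predicate in custom_checks:  # the customizer's extra rules
        if not predicate(claims.get(claim)):
            return False, f"claim {claim} rejected"
    return True, "ok"


def demo():
    """Constructed sample tokens (assumed secret and claims, no real data)."""
    secret = b"example-shared-secret"
    issuer = "http://openam.example.com:8090/openam/oauth2"
    now = 1_700_000_000
    base = {"iss": issuer, "aud": "ForgeShop", "sub": "alice",
            "iat": now - 60, "exp": now + 300, "myClaim": "foobar"}
    checks = [("myClaim", lambda v: v == "foobar")]

    def run(claims, key=secret, skew=0):
        return validate_id_token(sign_hs256(claims, key), secret, "ForgeShop",
                                 issuer, skew, now, checks)

    return {
        "valid": run(base),
        "tampered": run(base, key=b"attacker-key"),
        "wrong_aud": run({**base, "aud": ["OtherApp"]}),
        "wrong_iss": run({**base, "iss": "http://evil.example"}),
        "expired": run({**base, "exp": now - 10}),
        "expired_in_skew": run({**base, "exp": now - 10}, skew=30),
        "future_iat": run({**base, "iat": now + 20}),
        "no_iat": run({k: v for k, v in base.items() if k != "iat"}),
        "bad_claim": run({**base, "myClaim": "nope"}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The "expired_in_skew" case is the one to note when tuning skewAllowance: a token ten seconds past its 'exp' is rejected with the default of zero but accepted with a thirty-second allowance, so the allowance should stay as small as the clocks involved permit.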
Field Summary
Fields: NAME (public name used by the resolver)
Constructor Summary
Constructors: IdTokenValidationFilterHeaplet()
Method Summary
protected Expression<String> jwtExpression()
Returns the expression to be used to obtain the JWT token value.
protected Optional<JwtValidatorCustomizer> jwtValidatorCustomizer()
Returns an instance of a JwtValidatorCustomizer if one has been defined.
Methods inherited from class org.forgerock.openig.filter.jwt.JwtValidationFilter.Heaplet
create
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
Field Details
NAME
Public name used by the resolver.
Constructor Details
IdTokenValidationFilterHeaplet
public IdTokenValidationFilterHeaplet()
Method Details
jwtExpression
Description copied from class: JwtValidationFilter.Heaplet
Returns the expression to be used to obtain the JWT token value.
Overrides: jwtExpression in class JwtValidationFilter.Heaplet
Returns: the expression to be used to obtain the JWT token value.
jwtValidatorCustomizer
Description copied from class: JwtValidationFilter.Heaplet
Returns an instance of a JwtValidatorCustomizer if one has been defined.
Overrides: jwtValidatorCustomizer in class JwtValidationFilter.Heaplet
Returns: an instance of a JwtValidatorCustomizer if one has been defined.
Throws: HeapException - if there were any issues defining the instance.