Class JwtSessionManagerHeaplet

java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.session.jwt.JwtSessionManagerHeaplet
All Implemented Interfaces:
Heaplet

public class JwtSessionManagerHeaplet extends GenericHeaplet
This Heaplet is responsible for configuring and creating a JwtSession.
 {
       "type": "JwtSession",
       "config": {
         "cookie": {         object                   [OPTIONAL - structure describing the properties of the JWT
                                                                  session cookie:]
           "name":             expression<String>       [OPTIONAL - Name of the cookie containing the IG JWT session.
                                                                    Defaults to IG_JWT_SESSION_NAME.]
           "domain":           expression<String>       [OPTIONAL - Domain the cookie applies to. If not set, the
                                                                    cookie is a host-only cookie (sent back only to
                                                                    the host that set it).]
           "path":             expression<String>       [OPTIONAL - Path attribute of the cookie. Defaults to "/".]
           "secure":           expression<boolean>      [OPTIONAL - Whether to set the Secure attribute, so the
                                                                    browser sends the cookie over HTTPS only.
                                                                    Defaults to false.]
           "httpOnly":         expression<boolean>      [OPTIONAL - Whether to set the HttpOnly attribute, hiding the
                                                                    cookie from client-side script. Defaults to true.]
           "sameSite":         expression<enum>         [OPTIONAL - STRICT or LAX. Defaults to null, in which case
                                                                    no SameSite attribute is set.]
         },
         "sessionTimeout":     duration               [OPTIONAL - Amount of time before the JWT session expires.
                                                                  Defaults to 30 minutes. A duration of 0 is not
                                                                  valid, and the value is capped at roughly 10 years.]
         "persistentCookie":   expression<boolean>    [OPTIONAL - Whether the supporting cookie has an Expires
                                                                  attribute (persistent cookie) or not (session
                                                                  cookie). The expiration value is derived from
                                                                  sessionTimeout. Defaults to false.]
         "authenticatedEncryptionSecretId":           [OPTIONAL - The secret ID of the encryption key used to
                              expression<secret-id>               perform authenticated encryption on the JWT.
                                                                  If not set, a key is generated automatically.]
         "encryptionMethod":  String                  [OPTIONAL - Standard name of the JWE content encryption
                                                                  algorithm used for authenticated encryption;
                                                                  see RFC 7518 section 5.1 and (1) below.
                                                                  Defaults to A256GCM.]
         "skewAllowance":     expression<duration>    [OPTIONAL - Clock skew allowance applied to temporal
                                                                  validation of the JwtSession.]
         "useCompression":    boolean                 [OPTIONAL - Set to true to compress the JWT payload when
                                                                  building the JWT. Compression reduces the size of
                                                                  the final cookie value when the session stores
                                                                  large items such as tokens. Defaults to false.]
       }
    }
 
Example:
{
    "name": "JwtSession",
    "type": "JwtSession",
    "config": {
        "cookie": {
            "name": "IG",
            "domain": ".example.com",
            "path": "/",
            "secure": false,
            "httpOnly": true
        },
        "sessionTimeout": "30 minutes",
        "persistentCookie": true,
        "useCompression": true,
        "authenticatedEncryptionSecretId": "encryption.key.id"
    }
}
 
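The example above keeps the default for secure (false) and sets no sameSite, so the session cookie is also sent over plain HTTP and attached to cross-site requests. The following is an added example, not taken from the project's documentation, of the same object hardened for a TLS-only deployment. The skewAllowance value assumes the duration syntax used by sessionTimeout, and the secret ID is the placeholder from the example above:

```json
{
    "name": "JwtSession",
    "type": "JwtSession",
    "config": {
        "cookie": {
            "name": "IG",
            "path": "/",
            "secure": true,
            "httpOnly": true,
            "sameSite": "STRICT"
        },
        "sessionTimeout": "30 minutes",
        "persistentCookie": false,
        "skewAllowance": "2 minutes",
        "useCompression": true,
        "authenticatedEncryptionSecretId": "encryption.key.id"
    }
}
```

Omitting domain keeps the cookie host-only instead of exposing it to every subdomain of example.com, and persistentCookie false keeps it out of the browser's on-disk cookie store. STRICT prevents the browser from sending the cookie on any cross-site request, including a top-level redirect back from an identity provider; if the session must survive such a redirect (an OIDC callback, for example), use LAX instead.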
All of the session configuration is optional: if you omit everything, the required key is generated automatically and the cookie name is the value of IG_JWT_SESSION_NAME. A generated key exists only in the IG instance that created it, so set authenticatedEncryptionSecretId whenever several instances must read the same session cookie or sessions must survive a restart.

authenticatedEncryptionSecretId is a secret ID, the label of a Purpose in the Commons Secrets API, that resolves to the key used to perform authenticated encryption on the JWT.

encryptionMethod must be one of the six standard JWE content encryption algorithms of RFC 7518 section 5.1 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM); all of them provide authenticated encryption, so the session cookie is both confidential and tamper-evident. (1) See JWE Encryption Methods.

If the JWT is too large to fit in one cookie, its value is split across multiple cookies. Browsers cap individual cookies at about 4 KB and limit the number of cookies per domain, so sessions that store large items such as tokens should enable useCompression to keep the cookie count low.

Since:
3.1
  • Field Details

  • Constructor Details

    • JwtSessionManagerHeaplet

      public JwtSessionManagerHeaplet()
  • Method Details