Class IdentityAssertionHandler
- All Implemented Interfaces:
 Handler
 Makes use of the IdentityRequestJwtContext provided by the IdentityRequestJwtValidationFilter once
 validation of the Identity Request JWT is completed.
 
{
     "type": "IdentityAssertionHandler",
     "config": {
         "identityAssertionPlugin"   : IdentityAssertionPlugin [REQUIRED]
         "selfIdentifier"            : expression              [REQUIRED - a configuration time expression used to
                                                                           validate the AUD claim value in the
                                                                           Identity Request JWT; also used as the
                                                                           ISS claim in the Identity Assertion
                                                                           JWT.]
         "peerIdentifier"            : expression              [REQUIRED - a configuration time expression used to
                                                                           validate the ISS claim value in the
                                                                           Identity Request JWT; also used as the
                                                                           AUD claim in the Identity Assertion
                                                                           JWT.]
         "encryptionSecretId"        : expression<secret-id>   [REQUIRED - a configuration time expression giving
                                                                           the secret ID of the Authenticated
                                                                           Encryption (symmetric) key used to
                                                                           decrypt the Identity Request JWT and to
                                                                           encrypt the returned Identity Assertion
                                                                           JWT. The encryption method used when
                                                                           encrypting the Identity Assertion JWT is
                                                                           the same as was used for the Identity
                                                                           Request JWT.]
         "secretsProvider"           : Secrets Provider        [REQUIRED - resolves the authenticated encryption key.]
         "expiry"                    : expression<duration>    [OPTIONAL - a configuration time expression giving
                                                                           the duration, added to the current time,
                                                                           that sets the Identity Assertion JWT
                                                                           expiry claim. Defaults to 30 seconds.]
         "skewAllowance"             : expression<duration>    [OPTIONAL - a configuration time expression giving
                                                                           the skew allowance applied to the
                                                                           Identity Request JWT issued at and expiry
                                                                           claims. Defaults to zero.]
     }
 }
 
 Example usage:
 
{
     "type": "IdentityAssertionHandler",
     "config": {
         "identityAssertionPlugin": "ScriptablePluginExample",
         "selfIdentifier": "identity-gateway",
         "peerIdentifier": "identity-cloud",
         "secretsProvider": "assertionSecrets",
         "encryptionSecretId": "encryption.key.id"
     }
 }
 
 
All JWTs contain the core claims:

     iss (Issuer)
     aud (Audience)
     iat (Issued At)
     exp (Expiration Time)
     nonce (a unique ID, generated by the Node and returned unchanged in the Identity Assertion JWT)

 Additional claims in the Identity Request JWT:

     redirect (URL on which the Identity Assertion JWT is passed back)
     version (the version of the JWT; v1 is the only version currently supported)
     data (optional claim containing a map of claim items that a plugin might require)

 Additional claims in the Identity Assertion JWT, when plugin processing succeeds:

     principal (represents the principal of the local user)
     identity (a map of any additional identity claim items returned by the plugin)

 or, if plugin processing fails, a single claim instead:

     error (the error message of the plugin processing failure)
 
 Example Identity Request JWT:
 
 {
     "iss": "issuer identifier",
     "aud": "audience identifier",
     "nonce": "unique random String",
     "redirect": "URL used to get the Identity Assertion JWT back to the Node",
     "iat": 1705618125,
     "exp": 1705618180,
     "version": "v1",
     "data": {
         "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0"
     }
 }
 
 Example Identity Assertion JWT with identity claims
 
 {
    "iss": "IG identifier",
    "aud": "Node identifier",
     "nonce": "nonce from the Identity Request JWT",
     "iat": 1705618125,
     "exp": 1705618180,
     "principal": "iguser",
     "identity": {
         "auth": "Basic"
     }
 }
 
 Example Identity Assertion JWT with error claim
 
 {
     "iss": "IG identifier",
     "aud": "Node identifier",
     "nonce": "nonce from the Identity Request JWT",
     "iat": 1705618125,
     "exp": 1705618180,
     "error": "Invalid token"
 }
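The claim rules above, as an added worked example that is not code from the page or from the IG project: a Go model of the handler's side of the exchange (Go rather than the project's Java so it can be run as-is). It checks a decrypted Identity Request JWT against selfIdentifier/peerIdentifier, applies skewAllowance to iat and exp, and builds the Identity Assertion JWT with the nonce echoed, selfIdentifier as iss, peerIdentifier as aud, and exp set to now plus expiry. The type and function names, the PluginResult shape, and the choice to return an error (no assertion) when validation fails are this example's assumptions; the JWE layer is left out here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// HandlerConfig mirrors the configuration block on the page. Field names are
// this example's own; the real handler resolves them from expressions.
type HandlerConfig struct {
	SelfIdentifier string        // expected aud of the request; iss of the assertion
	PeerIdentifier string        // expected iss of the request; aud of the assertion
	Expiry         time.Duration // assertion lifetime (the page's default is 30s)
	SkewAllowance  time.Duration // tolerance on the request's iat and exp
}

// IdentityRequest holds the already-decrypted claims of an Identity Request JWT.
type IdentityRequest struct {
	Iss, Aud, Nonce, Redirect, Version string
	Iat, Exp                           int64
	Data                               map[string]string
}

// IdentityAssertion holds the claims sent back: Principal/Identity on success,
// Error on plugin failure, never both.
type IdentityAssertion struct {
	Iss, Aud, Nonce string
	Iat, Exp        int64
	Principal       string
	Identity        map[string]string
	Error           string
}

// PluginResult is an assumed stand-in for an IdentityAssertionPlugin's result.
type PluginResult struct {
	Principal string
	Identity  map[string]string
	Err       error
}

// validateRequest applies the checks the page describes: version, aud names
// us, iss names the peer, required claims present, iat/exp within the skew.
func validateRequest(cfg HandlerConfig, req IdentityRequest, now time.Time) error {
	if req.Version != "v1" {
		return fmt.Errorf("unsupported version %q; only v1 is supported", req.Version)
	}
	if req.Aud != cfg.SelfIdentifier {
		return fmt.Errorf("aud %q does not match selfIdentifier %q", req.Aud, cfg.SelfIdentifier)
	}
	if req.Iss != cfg.PeerIdentifier {
		return fmt.Errorf("iss %q does not match peerIdentifier %q", req.Iss, cfg.PeerIdentifier)
	}
	if req.Nonce == "" || req.Redirect == "" {
		return errors.New("nonce and redirect claims are required")
	}
	iat, exp := time.Unix(req.Iat, 0), time.Unix(req.Exp, 0)
	if iat.After(now.Add(cfg.SkewAllowance)) {
		return errors.New("iat is in the future beyond the skew allowance")
	}
	if !exp.After(now.Add(-cfg.SkewAllowance)) {
		return errors.New("request JWT has expired beyond the skew allowance")
	}
	return nil
}

// buildAssertion answers a validated request: selfIdentifier becomes iss,
// peerIdentifier becomes aud, the nonce is echoed, exp is now + expiry.
func buildAssertion(cfg HandlerConfig, req IdentityRequest, res PluginResult, now time.Time) IdentityAssertion {
	a := IdentityAssertion{Iss: cfg.SelfIdentifier, Aud: cfg.PeerIdentifier, Nonce: req.Nonce,
		Iat: now.Unix(), Exp: now.Add(cfg.Expiry).Unix()}
	if res.Err != nil {
		a.Error = res.Err.Error() // plugin failure: only the error claim is added
		return a
	}
	a.Principal, a.Identity = res.Principal, res.Identity
	return a
}

// Handle validates, runs the plugin, and builds the assertion. Returning an
// error (no assertion) on a failed validation is this example's assumption.
func Handle(cfg HandlerConfig, req IdentityRequest, plugin func(IdentityRequest) PluginResult,
	now time.Time) (IdentityAssertion, error) {
	if err := validateRequest(cfg, req, now); err != nil {
		return IdentityAssertion{}, err
	}
	return buildAssertion(cfg, req, plugin(req), now), nil
}

func main() {
	cfg := HandlerConfig{SelfIdentifier: "identity-gateway", PeerIdentifier: "identity-cloud", Expiry: 30 * time.Second}
	// Constructed request reusing the iat/exp values from the page's example.
	req := IdentityRequest{Iss: "identity-cloud", Aud: "identity-gateway", Nonce: "n-123",
		Redirect: "https://node.example/callback", Version: "v1", Iat: 1705618125, Exp: 1705618180}
	plugin := func(IdentityRequest) PluginResult {
		return PluginResult{Principal: "iguser", Identity: map[string]string{"auth": "Basic"}}
	}
	a, err := Handle(cfg, req, plugin, time.Unix(1705618130, 0))
	fmt.Printf("%+v err=%v\n", a, err)
}
```

Two points worth noticing when reading it: the identifiers are deliberately mirrored (the request's aud must be our selfIdentifier and its iss the peer, and the assertion inverts them), so a token replayed back at its own issuer fails the aud check; and the skew allowance widens the accepted window for both iat and exp, so it should stay at the page's default of zero unless clock drift between IG and the node is a measured problem.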
 
Cryptographic note: the "A256GCM" encryption method was chosen to encrypt the tokens exchanged with the Identity Cloud node module because:
 - an A256GCM key can easily be generated in a PKCS12 or other keystore using Oracle's keytool (unlike a key for "A256CBC_HS512")
 - it can be used as a symmetric key held as an Octet JWK with the "dir" (direct encryption) algorithm
 - it is recommended by the Ping Cryptographic guidelines (v1_7 of 10/06/23)
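What the "dir" + "A256GCM" combination above actually does on the wire, as an added example that is not code from the page or the IG project: a minimal JWE compact serialization (RFC 7516) encryptor and decryptor in the Go standard library, with the shared 256-bit key used directly as the content-encryption key. The decryptor pins alg and enc before touching the key, checks that the encrypted-key segment is empty as "dir" requires, and relies on AES-GCM's tag, computed over the base64url-encoded protected header as AAD, to reject any tampering with the header. The function names and the demo key are this example's assumptions; in IG the key would come from the secretsProvider by encryptionSecretId.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Protected header for direct encryption with AES-256-GCM: the shared
// symmetric key is the content-encryption key, so no key is wrapped.
const protectedHeader = `{"alg":"dir","enc":"A256GCM"}`

var b64 = base64.RawURLEncoding // JOSE uses base64url without padding

// newGCM returns an AES-GCM AEAD for a 256-bit key, as A256GCM requires.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("A256GCM needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE returns the compact serialization of payload:
// header.<empty encrypted key>.iv.ciphertext.tag
func EncryptJWE(key, payload []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, fresh per token
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	hdr := b64.EncodeToString([]byte(protectedHeader))
	// The AAD is the ASCII form of the encoded protected header, so a later
	// change to alg/enc invalidates the authentication tag.
	sealed := gcm.Seal(nil, iv, payload, []byte(hdr))
	split := len(sealed) - gcm.Overhead()
	ct, tag := sealed[:split], sealed[split:]
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// decodeSegments base64url-decodes the given segments, in order.
func decodeSegments(segs ...string) ([][]byte, error) {
	out := make([][]byte, len(segs))
	for i, s := range segs {
		b, err := b64.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		out[i] = b
	}
	return out, nil
}

// DecryptJWE verifies and decrypts a compact JWE produced with dir/A256GCM.
// A token naming any other alg/enc is refused before the key is used.
func DecryptJWE(key []byte, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("JWE compact serialization must have five segments")
	}
	if parts[1] != "" {
		return nil, errors.New("dir JWE must carry an empty encrypted-key segment")
	}
	segs, err := decodeSegments(parts[0], parts[2], parts[3], parts[4])
	if err != nil {
		return nil, err
	}
	rawHdr, iv, ct, tag := segs[0], segs[1], segs[2], segs[3]
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() || len(tag) != gcm.Overhead() {
		return nil, errors.New("bad IV or tag length")
	}
	// Open checks the tag over header+IV+ciphertext before releasing plaintext.
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

func main() {
	key := make([]byte, 32) // constructed demo key; never hard-code a real one
	for i := range key {
		key[i] = byte(i)
	}
	tok, _ := EncryptJWE(key, []byte(`{"iss":"identity-cloud","aud":"identity-gateway","nonce":"n-123"}`))
	pt, err := DecryptJWE(key, tok)
	fmt.Println(tok, string(pt), err)
}
```

The page states that the assertion is encrypted with whatever method the request used; this example pins A256GCM on both sides rather than copying the incoming enc, which is the safer default when only one method is ever expected. Note also that with "dir" the same key encrypts both directions, so the protection against replaying a node's own token back at it is the claim-level aud/iss check, not the cryptography.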
Nested Class Summary

    static class: Creates and initializes an IdentityAssertionHandler in a heap environment.

Method Summary

    handle

Method Details

handle

Description copied from interface: Handler

Returns a Promise representing the asynchronous Response of the given request. If any (asynchronous) processing goes wrong, the promise still contains a Response (probably from the 4xx or 5xx status code family). A handler that doesn't hand off the processing to another downstream handler is responsible for creating the response.

The returned Promise contains the response returned from the server as-is. It is the responsibility of the handler to produce the appropriate error response (404, 500, ...) in case of a processing error.

Note: As of the Promise 2.0 implementation, it is not permitted to throw any runtime exception here. Doing so produces unexpected behaviour (most likely a server-side hang of the processing thread).