Package org.forgerock.openig.filter

Class JwtBuilderFilter

java.lang.Object

org.forgerock.openig.filter.JwtBuilderFilter

All Implemented Interfaces:

Filter

public class JwtBuilderFilter
extends Object
implements Filter

The JwtBuilderFilter collects data from template and puts the name-value pairs into a JWT structure. Then the JWT structure is placed in a context JwtBuilderContext for downstream use.

This filter can produce:

• unsecured (unsigned JWT are deprecated as not secure)
• signed JWT
• signed then encrypted JWT
• encrypted JWT

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template"              :     map/expression       [REQUIRED]
          "secretsProvider":      :     Secrets Provider     [OPTIONAL - resolve signing/encryption keys.]
          "signature"             : {   object               [OPTIONAL but if set, inner attributes MAY BE REQUIRED]
              "secretId"            :     expression           [REQUIRED - secret ID of the key used for signing]
              "algorithm"           :     expression           [OPTIONAL - default to RS256 (1)]
              "encryption"          : {   object               [OPTIONAL but if set, inner attributes are REQUIRED]
                  "secretId"            :   expression           [REQUIRED - secret ID of the key used for encryption]
                  "algorithm"           :   expression           [REQUIRED - The encryption algorithm (2)]
                  "method"              :   expression           [REQUIRED - The encryption method (3)]
              }
          }
          "encryption"          : {   object                 [OPTIONAL but if set, inner attributes are REQUIRED]
              "secretId"            :   expression             [REQUIRED - secret ID of the key used for encryption]
              "algorithm"             :   expression           [REQUIRED - The encryption algorithm (2)]
              "method"                :   expression           [REQUIRED - The encryption method (3)]
          }
      }
 }
 
 

(1) List of JWS Algorithms (2) List of JWE Algorithms (3) List of Encryption Methods

Example of use - unsecured(unsigned) JWT (deprecated):

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          }
      }
   }
 
 

Example for signing a JWT:

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS384"
          }
      }
 }
 
 

Example for signing then encrypting a JWT:

 {
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          },
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS256",
              "encryption": {
                  "secretId": "my.encryption.key",
                  "algorithm": "dir",
                  "method": "A128CBC-HS256"
              }
          }
      }
 }
 
 

Example for encrypting a JWT:

 {
      "name": "JwtBuilderFilter-1",
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "secretsProvider": "SystemAndEnvSecretStore-1"
          "encryption": {
              "secretId": "my.encryption.key",
              "algorithm": "dir",
              "method": "A128GCM"
          }
      }
 }
 
 

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	JwtBuilderFilter.Heaplet	Creates and initializes a JwtBuilderFilter in a heap environment.

Constructor Summary

Constructors

Constructor	Description
JwtBuilderFilter(Object template, JwtFactory jwtFactory)	Creates a new JwtBuilderFilter which will create a JWT based on the given JSON template and place it into the context JwtBuilderContext.

Method Summary

Modifier and Type	Method	Description
Promise<Response,NeverThrowsException>	filter(Context context, Request request, Handler next)	Filters the request and/or response of an exchange.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

JwtBuilderFilter

public JwtBuilderFilter(Object template,
 JwtFactory jwtFactory)
                 throws ExpressionException

Creates a new JwtBuilderFilter which will create a JWT based on the given JSON template and place it into the context JwtBuilderContext.

Parameters:

template - The template representing compiled expressions from the template configuration item.

jwtFactory - The JwtFactory used to create the JWT, not null.

Throws:

ExpressionException - When the template contains invalid expressions

Method Details

filter

public Promise<Response,NeverThrowsException> filter(Context context,
 Request request,
 Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

Specified by:

filter in interface Filter

Parameters:

context - The request context.

request - The request.

next - The next filter or handler in the chain to handle the request.

Returns:

A Promise representing the response to be returned to the client.