Class StatelessAccessTokenResolver

java.lang.Object
org.forgerock.openig.filter.oauth2.StatelessAccessTokenResolver
All Implemented Interfaces:
AccessTokenResolver

public class StatelessAccessTokenResolver extends Object implements AccessTokenResolver
A StatelessAccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM. It will examine the supplied JWT to determine that it:
  • is well-formed
  • has a valid issuer
  • has an expected access token name
  • has a valid signature
It models an AccessTokenInfo as returned by AM. AM may supply a stateless access token that is either signed or encrypted. An example of an Access Management stateless access token is as follows:
     
     {
         "sub": "demo",
         "cts": "OAUTH2_STATELESS_GRANT",
         "auth_level": 0,
         "auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
         "iss": "http://openam.example.com:8088/openam/oauth2",
         "tokenName": "access_token",
         "token_type": "Bearer",
         "authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc",
         "aud": "ig_client",
         "nbf": 1531339691,
         "grant_type": "password",
         "scope": [
             "openid"
         ],
         "auth_time": 1531339691,
         "realm": "/",
         "exp": 1531343291,
         "iat": 1531339691,
         "expires_in": 3600,
         "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s"
     }
     
 
The StatelessAccessTokenResolver has the following configuration:
 {
      "type": "StatelessAccessTokenResolver",
      "config": {
        "skewAllowance"         :     expression<duration>                    [OPTIONAL - the skew allowance -
                                                                                  defaults to zero.]
        "issuer"                :     expression<Issuer URI>                  [REQUIRED]
        "secretsProvider"       :     Secrets Provider                        [REQUIRED]
        "verificationSecretId"  :     expression<Verification Secret ID>      [OPTIONAL]
        "decryptionSecretId"    :     expression<Decryption Secret ID>        [OPTIONAL]
      }
    }
 
 
Either the "verificationSecretId" (for a signed token) or the "decryptionSecretId" (for an encrypted token) config must be supplied to allow token verification. The chosen secret must match the AM OAuth2 provider configuration for stateless access tokens. Note also that the ResourceServerFilter conducts additional checks on the token content after resolution.
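The following is an added illustration of the local checks described above, written in Python rather than taken from the IG code base. It signs the sample token from this page with a constructed HMAC key (an assumption; AM would use its own configured signing or encryption secret), then resolves it the way this component does: well-formedness, signature, issuer, tokenName, and a time window widened by a skew allowance (the assumption that "skewAllowance" applies to exp/nbf is the example's own). The signature is verified before any claim is trusted, and the "alg" header is pinned so an unsigned token cannot bypass the check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; the key is not an AM secret.
ISSUER = "http://openam.example.com:8088/openam/oauth2"
EXPECTED_TOKEN_NAME = "access_token"
SIGNING_KEY = b"constructed-hmac-key-for-this-example-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def example_claims() -> dict:
    """The stateless access token payload shown on this page."""
    return {
        "sub": "demo", "cts": "OAUTH2_STATELESS_GRANT", "auth_level": 0,
        "auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
        "iss": ISSUER, "tokenName": "access_token", "token_type": "Bearer",
        "authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc", "aud": "ig_client",
        "nbf": 1531339691, "grant_type": "password", "scope": ["openid"],
        "auth_time": 1531339691, "realm": "/", "exp": 1531343291,
        "iat": 1531339691, "expires_in": 3600, "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s",
    }


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) so the resolver has something to check."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenRejected(Exception):
    pass


def resolve(token: str, key: bytes, issuer: str = ISSUER,
            token_name: str = EXPECTED_TOKEN_NAME, skew_allowance: int = 0,
            now: Optional[int] = None) -> dict:
    """Return the claims when every check passes; raise TokenRejected otherwise."""
    now = int(time.time()) if now is None else now
    # Well-formed: three base64url segments carrying JSON header and payload.
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS (expected 3 segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # covers binascii.Error and JSON/UTF-8 decode failures
        raise TokenRejected(f"malformed token: {exc}")
    # Signature: pin the algorithm to the one we configured, then compare in constant time.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature verification failed")
    # Issuer and token name must match the resolver configuration.
    if claims.get("iss") != issuer:
        raise TokenRejected(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tokenName") != token_name:
        raise TokenRejected(f"unexpected tokenName {claims.get('tokenName')!r}")
    # Time window, widened on both sides by the skew allowance (example assumption).
    if "exp" in claims and now > claims["exp"] + skew_allowance:
        raise TokenRejected("token expired")
    if "nbf" in claims and now < claims["nbf"] - skew_allowance:
        raise TokenRejected("token not yet valid")
    return claims


def check(token: str, key: bytes, **kwargs) -> str:
    """Convenience wrapper: 'ok' or 'rejected: <reason>'."""
    try:
        resolve(token, key, **kwargs)
        return "ok"
    except TokenRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    tok = sign_hs256(example_claims(), SIGNING_KEY)
    print(check(tok, SIGNING_KEY, now=1531340000))                    # ok
    print(check(tok, SIGNING_KEY, now=1531343300))                    # rejected: token expired
    print(check(tok, SIGNING_KEY, now=1531343300, skew_allowance=30)) # ok
```

The "now" parameter is fixed in the calls above because the sample token's exp and nbf are from 2018; with a real token omit it and the current clock is used.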
Since:
6.5