Class TokenTransformationFilter

java.lang.Object
org.forgerock.openig.openam.TokenTransformationFilter
All Implemented Interfaces:
Filter

public class TokenTransformationFilter extends Object implements Filter
A TokenTransformationFilter is responsible for transforming a token issued by Access Management into a token of another type.

Currently, only the transformation of an OpenID Connect id_token into a SAML 2.0 token (assertions) is supported, in BEARER mode.

     {
         "type": "TokenTransformationFilter",
         "config": {
             "amService"      : AmService             [REQUIRED]
             "idToken"        : String                [REQUIRED]
             "instance"       : String                [REQUIRED]
         }
     }

The idToken attribute is an Expression specifying where to get the JWT id_token. Note that the referenced value has to be a String (the JWT encoded value).

The instance attribute is the name of an STS instance: a pre-configured transformation available under a specific REST endpoint.

After transformation, the returned issued_token (currently a String containing the XML of the generated SAML assertions) is made available in the StsContext for downstream handlers.

If an error occurs during the token transformation, the error response is returned as-is to the caller, and informative messages are logged for the administrator.
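
A chain fragment with the three settings filled in and a downstream handler that checks the StsContext for the issued token. This is an added example, not configuration from the project's documentation. The heap object name AmService-1, the attributes.openid.id_token location, the STS instance name oidc-to-saml-bearer and the contexts.sts.issuedToken expression are assumptions about the deployment.

```json
{
  "comment": "Added example. AmService-1, attributes.openid and the STS instance name are assumed to exist in the deployment.",
  "type": "Chain",
  "config": {
    "filters": [
      {
        "name": "IdTokenToSamlBearer",
        "type": "TokenTransformationFilter",
        "config": {
          "amService": "AmService-1",
          "idToken": "${attributes.openid.id_token}",
          "instance": "oidc-to-saml-bearer"
        }
      }
    ],
    "handler": {
      "comment": "Downstream handler: reports whether an assertion was issued, without echoing the token itself.",
      "type": "StaticResponseHandler",
      "config": {
        "status": 200,
        "headers": { "Content-Type": [ "text/plain; charset=UTF-8" ] },
        "entity": "SAML assertion issued: ${not empty contexts.sts.issuedToken}"
      }
    }
  }
}
```

The idToken expression must resolve to the encoded JWT string itself, not to the object that holds it. If the transformation fails, the downstream handler is never reached because the error response is returned to the caller.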

  • Constructor Details

    • TokenTransformationFilter

      public TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken)
      Constructs a new TokenTransformationFilter that transforms the OpenID Connect id_token read from idToken into a SAML 2.0 Assertions structure (stored in the StsContext).
      Parameters:
      handler - pipeline used to send the STS transformation request
      endpoint - Fully qualified URI of the STS instance (including the _action=translate query string)
      idToken - Expression for reading OpenID Connect id_token (expects a String)
  • Method Details

    • filter

      public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
      Description copied from interface: Filter
      Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

      This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

      Specified by:
      filter in interface Filter
      Parameters:
      context - The request context.
      request - The request.
      next - The next filter or handler in the chain to handle the request.
      Returns:
      A Promise representing the response to be returned to the client.