Class OAuth2TokenExchangeFilter
java.lang.Object
org.forgerock.openig.filter.oauth2.OAuth2TokenExchangeFilter
- All Implemented Interfaces:
Filter
Filter supporting OAuth2 token exchange scenarios. The OAuth2TokenExchangeFilter accepts a request containing a subject token, which it sends to the configured Authorization server to be exchanged. The resulting exchanged token is placed in an OAuth2TokenExchangeContext. Should a failure occur during the token exchange, an OAuth2FailureContext is produced containing the error details and the failureHandler is called.
{
  "type": "OAuth2TokenExchangeFilter",
  "config": {
    "subjectToken"       : Runtime Expression<String> [REQUIRED - Where to find the subject token.]
    "amService"          : AmService [OPTIONAL - AM service to use as the Authorization server (1).]
    "endpoint"           : Expression<String> [OPTIONAL - Endpoint of the Authorization server (1). REQUIRED - if 'amService' is not configured.]
    "subjectTokenType"   : String [OPTIONAL - The type of subject token - defaults to the URN for access_token (2).]
    "requestedTokenType" : String [OPTIONAL - The type of token being requested - defaults to the URN for access_token (2).]
    "scopes"             : [ Expression<String>... ] [OPTIONAL - List of requested OAuth2 scopes.]
    "resource"           : Expression<String> [OPTIONAL - The target service URI where the token is intended to be used.]
    "audience"           : Expression<String> [OPTIONAL - The target service name where the token is intended to be used.]
    "endpointHandler"    : Handler [OPTIONAL - The Handler to use to make requests on the Authorization endpoint - defaults to the heap-defined ForgeRockClientHandler.]
    "failureHandler"     : Handler [OPTIONAL - Handler called upon error - defaults to 500.]
  }
}
- (1) Either 'amService' or 'endpoint' must be configured to identify the Authorization server. If both are configured, 'amService' takes precedence.
- (2) The default URN for both 'subjectTokenType' and 'requestedTokenType' is "urn:ietf:params:oauth:token-type:access_token".
- The request to the token endpoint is made through 'endpointHandler'. Where the Authorization server requires the gateway to authenticate as an OAuth2 client, configure a handler that provides that authentication (the example below uses one that adds HTTP Basic client-secret authentication).
{
  "name": "tokenExchangeFilter",
  "type": "OAuth2TokenExchangeFilter",
  "config": {
    "endpointHandler": "ForgeRockHandlerWithClientSecretBasicAuthentication",
    "endpoint": "https://as.example.com/oauth2/access_token",
    "subjectToken": "#{request.entity.form['subject_token'][0]}",
    "scopes": ["transfer", "read", "write"],
    "failureHandler": "ConditionFailedHandler"
  }
}
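The exchange the filter performs is the OAuth 2.0 token exchange grant (RFC 8693): a form-encoded POST to the token endpoint carrying the subject token, its type, the requested token type and the optional scope, resource and audience parameters. The following Python code is an added example, not OpenIG's own code. It builds that request body from the configuration keys shown above, reads the subject token from the inbound form exactly where the example's subjectToken expression looks for it, and splits the Authorization server's reply into the success outcome (the filter's OAuth2TokenExchangeContext) and the failure outcome (the OAuth2FailureContext that triggers failureHandler). The Authorization server is a constructed in-process stub, and the function names, the sample subject token and its scopes are assumptions made for the example.

```python
"""Added example (not OpenIG code): the RFC 8693 token-exchange request that an
OAuth2TokenExchangeFilter configuration maps to, with both outcomes of the call."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_URN = "urn:ietf:params:oauth:token-type:access_token"  # documented default


@dataclass
class ExchangeConfig:
    """Mirrors the filter's config keys; defaults follow the documented defaults."""
    endpoint: str                      # token endpoint (ignored by the stub AS below)
    scopes: List[str] = field(default_factory=list)
    subject_token_type: str = ACCESS_TOKEN_URN
    requested_token_type: str = ACCESS_TOKEN_URN
    resource: Optional[str] = None
    audience: Optional[str] = None


def build_exchange_form(cfg: ExchangeConfig, subject_token: str) -> dict:
    """Form parameters of the token-exchange request (RFC 8693 section 2.1).
    Optional parameters are omitted when unconfigured rather than sent empty."""
    if not subject_token:
        raise ValueError("subject token must be present")  # 'subjectToken' is REQUIRED
    params = {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": cfg.subject_token_type,
        "requested_token_type": cfg.requested_token_type,
    }
    if cfg.scopes:
        params["scope"] = " ".join(cfg.scopes)   # space-separated per RFC 6749
    if cfg.resource:
        params["resource"] = cfg.resource
    if cfg.audience:
        params["audience"] = cfg.audience
    return params


@dataclass
class ExchangeResult:
    ok: bool
    token: Optional[str] = None
    issued_token_type: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None


def parse_exchange_response(status: int, body: dict) -> ExchangeResult:
    """Success path (exchanged token available) versus failure path (error details)."""
    if status == 200 and "access_token" in body:
        return ExchangeResult(True, body["access_token"], body.get("issued_token_type"))
    return ExchangeResult(False, error=body.get("error", "unknown"),
                          error_description=body.get("error_description"))


# Constructed stand-in for the Authorization server's token endpoint.
KNOWN_SUBJECT_TOKENS = {"subj-token-123": ["transfer", "read", "write", "admin"]}  # assumed


def fake_authorization_server(form_body: str, client_authenticated: bool = True):
    """Returns (HTTP status, JSON-like response body), following RFC 8693 / RFC 6749."""
    if not client_authenticated:          # what endpointHandler's client auth avoids
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != GRANT_TYPE:
        return 400, {"error": "unsupported_grant_type"}
    granted = KNOWN_SUBJECT_TOKENS.get(form.get("subject_token", ""))
    if granted is None:
        return 400, {"error": "invalid_grant", "error_description": "subject token not recognised"}
    requested = form.get("scope", "").split()
    if any(s not in granted for s in requested):   # never widen the subject's scopes
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": "exch-" + form["subject_token"],
                 "issued_token_type": form.get("requested_token_type", ACCESS_TOKEN_URN),
                 "token_type": "Bearer", "expires_in": 300, "scope": " ".join(requested)}


def exchange(cfg: ExchangeConfig, inbound_form_body: str,
             client_authenticated: bool = True) -> ExchangeResult:
    """Same steps as the filter: take the subject token from the inbound form
    (the example's "#{request.entity.form['subject_token'][0]}"), call the token
    endpoint through the (stubbed) handler, classify the outcome."""
    inbound = parse_qs(inbound_form_body)
    subject_token = inbound.get("subject_token", [""])[0]
    form = build_exchange_form(cfg, subject_token)
    status, body = fake_authorization_server(urlencode(form), client_authenticated)
    return parse_exchange_response(status, body)


if __name__ == "__main__":
    cfg = ExchangeConfig(endpoint="https://as.example.com/oauth2/access_token",
                         scopes=["transfer", "read", "write"])
    print(exchange(cfg, "subject_token=subj-token-123"))
    print(exchange(cfg, "subject_token=bogus"))
```

The stub rejects an unauthenticated client and refuses to issue scopes the subject token does not already carry; a real Authorization server's policy decides both, so the filter's failureHandler must be prepared for invalid_client, invalid_grant and invalid_scope alike rather than only for transport errors.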
Nested Class Summary
Modifier and Type: static class
Description: Creates and initialises an OAuth2TokenExchangeFilter in a heap environment.
Constructor Summary
Constructor: OAuth2TokenExchangeFilter(URI endpoint, Handler handler, Expression<String> subjectTokenExpression, String subjectTokenType, String requestedTokenType, ResourceAccess scopesAccess, URI resource, String audience, Handler failureHandler)
Description: Construct a new OAuth2TokenExchangeFilter.
Method Summary
Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Description: Filters the request and/or response of an exchange.
Constructor Details
OAuth2TokenExchangeFilter
public OAuth2TokenExchangeFilter(URI endpoint, Handler handler, Expression<String> subjectTokenExpression, String subjectTokenType, String requestedTokenType, ResourceAccess scopesAccess, URI resource, String audience, Handler failureHandler)
Construct a new OAuth2TokenExchangeFilter.
Parameters:
endpoint - The token endpoint that will perform the token exchange, not null.
handler - Handler to use to connect to the token endpoint, not null.
subjectTokenExpression - Expression identifying where to find the subject token, not null.
subjectTokenType - The subject token type URN, not null.
requestedTokenType - The token type URN of the token being requested, not null.
scopesAccess - ResourceAccess used to supply the requested scopes, not null but may be empty.
resource - The target service URI where the token is intended to be used, may be null.
audience - The target service name where the token is intended to be used, may be null.
failureHandler - Handler called in the event of a failure to perform the token exchange, not null.
Method Details
filter
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Description copied from interface: Filter
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request). This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.