Class IssuerHeaplet
java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.filter.oauth2.client.IssuerHeaplet
- All Implemented Interfaces:
Heaplet
A configuration for an OAuth2 or an OpenID Connect Issuer. There are two ways to create the Issuer:
With an OpenID well-known endpoint:
{
"wellKnownEndpoint" : uriExpression, [REQUIRED]
"issuerHandler" : handler [OPTIONAL - by default it uses the 'ForgeRockClientHandler'
provided in heap.]
"supportedDomains" : [ patterns ] [OPTIONAL - if this issuer supports other domain names]
}
The 'supportedDomains' entries are the other domain names supported by this issuer; each entry may be a regular-expression pattern.
Note: declare these domains as simply as possible, without any scheme or trailing slash, e.g.:
GOOD: [ "openam.com", "openam.com:8092", "register.server.com", "allopenamdomains.*" ]
BAD : [ "http://openam.com", "openam.com:8092/", "http://openam.com/" ]
For example, use this kind of configuration if the endpoints are not known:
{
"name": "openam",
"type": "Issuer",
"config": {
"wellKnownEndpoint": "http://openam.example.com:8081/openam/oauth2/.well-known/openid-configuration",
"supportedDomains" : [ "openam.com", "openam.com:8092", "register.server.com" ]
}
}
Use this configuration if the endpoints are known.
{
"authorizeEndpoint" : uriExpression, [REQUIRED]
"tokenEndpoint" : uriExpression, [REQUIRED]
"issuer" : stringExpression, [REQUIRED for OIDC]
"secretsProvider" : SecretsProvider [OPTIONAL - Contains the public keys used to verify the ID token
when using an asymmetric signature algorithm.
Defaults to none, meaning that a symmetric signature
algorithm is expected; see ClientRegistration to
set it up.]
"idTokenVerificationSecretId" : stringExpression [OPTIONAL - The secret ID leading to the ID Token verification
key.]
"registrationEndpoint" : uriExpression, [OPTIONAL - allows dynamic client registration]
"userInfoEndpoint" : uriExpression [OPTIONAL - default is no user info]
"revocationEndpoint" : uriExpression [OPTIONAL]
"endSessionEndpoint" : uriExpression [OPTIONAL]
"supportedDomains" : [ patterns ] [OPTIONAL - if this issuer supports other domain names]
}
For example:
{
"name": "openam",
"type": "Issuer",
"config": {
"authorizeEndpoint": "http://openam.example.com:8081/openam/oauth2/authorize",
"tokenEndpoint": "http://openam.example.com:8081/openam/oauth2/access_token",
"userInfoEndpoint": "http://openam.example.com:8081/openam/oauth2/userinfo"
}
}
Note: ID Token encryption is NOT supported.
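As an added check that is not part of OpenIG, the following Python script validates an Issuer heap object against the rules above: one of the two documented forms is used, and every supportedDomains entry has no scheme, no trailing slash, and compiles as a pattern. The sample config and the whole-host regex match in domain_supported are assumptions for illustration, not OpenIG's own matching code.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the documented well-known form, with one entry that breaks
# the "no scheme, no trailing slash" rule so the check has something to report.
SAMPLE_ISSUER = json.loads("""
{
  "name": "openam",
  "type": "Issuer",
  "config": {
    "wellKnownEndpoint": "http://openam.example.com:8081/openam/oauth2/.well-known/openid-configuration",
    "supportedDomains": [ "openam.com", "openam.com:8092", "http://register.server.com/" ]
  }
}
""")


def check_supported_domains(domains: List[str]) -> List[str]:
    """Return one message per entry that violates the documented format."""
    problems = []
    for entry in domains:
        if "://" in entry:
            problems.append(f"{entry!r}: remove the scheme")
        elif entry.endswith("/"):
            problems.append(f"{entry!r}: remove the trailing slash")
        else:
            try:
                re.compile(entry)  # entries are regular-expression patterns
            except re.error as exc:
                problems.append(f"{entry!r}: not a valid pattern ({exc})")
    return problems


def check_issuer(heap_object: Dict) -> List[str]:
    """Check that an Issuer object uses one of the two documented forms."""
    cfg = heap_object.get("config", {})
    problems = []
    if "wellKnownEndpoint" not in cfg:
        # Without a well-known endpoint, both endpoints below are REQUIRED.
        for key in ("authorizeEndpoint", "tokenEndpoint"):
            if key not in cfg:
                problems.append(f"missing {key!r} (required without wellKnownEndpoint)")
    problems += check_supported_domains(cfg.get("supportedDomains", []))
    return problems


def domain_supported(domains: List[str], host: str) -> bool:
    """Assumed rule: an entry is a regex that must match the whole host[:port]."""
    return any(re.fullmatch(entry, host) for entry in domains)


if __name__ == "__main__":
    for problem in check_issuer(SAMPLE_ISSUER):
        print(problem)
```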
Field Summary
static final String ISSUER_KEY
The key used to store this issuer in the context.
Constructor Summary
IssuerHeaplet()
Method Summary
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
Field Details
ISSUER_KEY
static final String ISSUER_KEY
The key used to store this issuer in the context.
Constructor Details
IssuerHeaplet
public IssuerHeaplet()
Method Details
create
Description copied from class: GenericHeaplet
Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
- Specified by: create in class GenericHeaplet
- Returns: The created object.
- Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.