Class OAuth2ResourceServerFilterHeaplet
java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilterHeaplet
All Implemented Interfaces: Heaplet
Validates a Request that contains an OAuth 2.0 access token.
This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:
    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9
It extracts the token and validates it against the specified access token resolver.
{
    "type": "OAuth2ResourceServerFilter",
    "config": {
        "scopes"              : [ expression, ... ], [REQUIRED - the list of OAuth2 scopes.]
        "accessTokenResolver" : resolver,            [REQUIRED]
        "requireHttps"        : boolean,             [OPTIONAL - controls whether this filter only accepts
                                                      requests targeting the HTTPS scheme. By default,
                                                      it is enabled (only URIs starting with
                                                      https://... will be accepted, an
                                                      Exception is thrown otherwise).]
        "realm"               : string,              [OPTIONAL - specifies the name of the realm used in the
                                                      authentication challenges returned to
                                                      the client in case of errors. Defaults to
                                                      'OpenIG'.]
        "executor"            : executor,            [OPTIONAL - by default uses the 'ScheduledThreadPool'
                                                      heap object.]
        "cache"               : object,              [OPTIONAL - cache configuration. Default is no caching.]
            "enabled"         : boolean,             [OPTIONAL - defaults to false. Enables the caching
                                                      of access tokens.]
            "defaultTimeout"  : duration,            [OPTIONAL - defaults to 1 minute. If no valid expiry
                                                      value is provided by the access token,
                                                      it is cached for that duration.]
            "maxTimeout"      : duration,            [OPTIONAL - if an expiry value is provided by the access
                                                      token but is greater than this value, then
                                                      this value is used instead. ("zero" and
                                                      "unlimited" are not acceptable values).]
            "amService"       : AmService            [OPTIONAL - enables the additional features of the AM
                                                      token notification service to keep the cache
                                                      in a consistent state. Only makes sense when
                                                      working with AM and using a token resolver
                                                      endpoint that provides the necessary
                                                      metadata required by the cache.]
            "onNotificationDisconnection": enum      [OPTIONAL - what to do if AM goes offline:
                                                      NEVER_CLEAR, CLEAR_ON_DISCONNECT,
                                                      CLEAR_ON_RECONNECT.
                                                      Default is: CLEAR_ON_DISCONNECT.]
    }
}
{
    "name": "ProtectedResourceFilter",
    "type": "OAuth2ResourceServerFilter",
    "config": {
        "scopes": [ "email", "profile" ],
        "requireHttps": false,
        "realm": "Informative realm name",
        "accessTokenResolver" : "ForgeRock Authorisation Server"
    }
}
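The checks described above (HTTPS requirement, bearer token extraction, resolver lookup, scope comparison, realm in the challenge), sketched as an added stand-alone Java example. It is not OpenIG source code: BearerCheckSketch, check, Result and the resolver function are hypothetical names, and the status codes and error values follow RFC 6750 rather than anything stated on this page.

```java
import java.net.URI;
import java.util.*;
import java.util.function.Function;

// Added illustration, not OpenIG source; all names here are hypothetical.
public class BearerCheckSketch {
    record Result(int status, String challenge) {}

    // resolver stands in for accessTokenResolver: token -> granted scopes, empty if invalid.
    static Result check(URI uri, String authorization, Set<String> requiredScopes,
                        boolean requireHttps, String realm,
                        Function<String, Optional<Set<String>>> resolver) {
        // requireHttps: the page says a non-HTTPS request raises an exception.
        if (requireHttps && !"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalStateException("HTTPS required, got scheme: " + uri.getScheme());
        }
        // Escape the realm so a quote in the configured value cannot break the header.
        String base = "Bearer realm=\"" + realm.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
        // No credentials, or a scheme other than Bearer: plain challenge without an error code.
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return new Result(401, base);
        }
        String token = authorization.substring(7).trim();
        // An empty token is treated like an unknown one and never reaches the resolver.
        Optional<Set<String>> granted = token.isEmpty() ? Optional.empty() : resolver.apply(token);
        if (granted.isEmpty()) {
            return new Result(401, base + ", error=\"invalid_token\"");
        }
        // Every configured scope must be present on the token.
        if (!granted.get().containsAll(requiredScopes)) {
            return new Result(403, base + ", error=\"insufficient_scope\", scope=\""
                    + String.join(" ", new TreeSet<>(requiredScopes)) + "\"");
        }
        return new Result(200, null);
    }

    public static void main(String[] args) {
        // Constructed sample data; the token is the one from the header example above.
        Map<String, Set<String>> tokens =
                Map.of("1fc0e143-f248-4e50-9c13-1d710360cec9", Set.of("email"));
        Function<String, Optional<Set<String>>> resolver = t -> Optional.ofNullable(tokens.get(t));
        URI uri = URI.create("https://gateway.example/resource");
        String header = "Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9";
        System.out.println(check(uri, header, Set.of("email"), true, "OpenIG", resolver));
        System.out.println(check(uri, header, Set.of("email", "profile"), true, "OpenIG", resolver));
        System.out.println(check(uri, "Bearer unknown-token", Set.of("email"), true, "OpenIG", resolver));
        System.out.println(check(uri, null, Set.of("email"), true, "OpenIG", resolver));
    }
}
```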
Method Summary
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
Field Details
NAME
Public name used by resolver.
NAME_DEPRECATED
Deprecated. NAME is more accurate and should be used for all new references.
Deprecated public name used by resolver.
Constructor Details
OAuth2ResourceServerFilterHeaplet
public OAuth2ResourceServerFilterHeaplet()
Method Details
create
Description copied from class: GenericHeaplet
Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
Specified by: create in class GenericHeaplet
Returns: The created object.
Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.