Class OAuth2ResourceServerFilterHeaplet

java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilterHeaplet
All Implemented Interfaces:
Heaplet

public class OAuth2ResourceServerFilterHeaplet extends GenericHeaplet
Validates a Request that contains an OAuth 2.0 access token.

This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:

Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9
It extracts the token and validates it against the specified access token resolver.
 {
      "type": "OAuth2ResourceServerFilter",
      "config": {
          "scopes"                :    [ expression, ... ],   [REQUIRED - the list of OAuth2 scopes.]
          "accessTokenResolver"   :    resolver,              [REQUIRED]
          "requireHttps"          :    boolean,               [OPTIONAL - controls whether this filter only accepts
                                                                          requests targeting the HTTPS scheme. By
                                                                          default it is enabled (only URIs starting
                                                                          with https://... are accepted; an Exception
                                                                          is thrown otherwise).]
          "realm"                 :    string,                [OPTIONAL - the name of the realm used in the
                                                                          authentication challenges returned to the
                                                                          client in case of errors. Defaults to
                                                                          'OpenIG'.]
          "executor"              :    executor,              [OPTIONAL - by default uses the 'ScheduledThreadPool'
                                                                          heap object.]
          "cache"                 :    object,                [OPTIONAL - cache configuration. Default is no caching.]
              "enabled"           :    boolean,               [OPTIONAL - defaults to false. Enables caching of
                                                                          access tokens.]
              "defaultTimeout"    :    duration,              [OPTIONAL - defaults to 1 minute. If the access token
                                                                          provides no valid expiry value, it is cached
                                                                          for this duration.]
              "maxTimeout"        :    duration,              [OPTIONAL - if the access token provides an expiry value
                                                                          greater than this value, this value is used
                                                                          instead. ("zero" and "unlimited" are not
                                                                          acceptable values.)]
              "amService"         :    AmService,             [OPTIONAL - enables the additional features of the AM
                                                                          token notification service to keep the cache
                                                                          in a consistent state. Only makes sense when
                                                                          working with AM and using a token resolver
                                                                          endpoint that provides the metadata required
                                                                          by the cache.]
              "onNotificationDisconnection":  enum            [OPTIONAL - what to do if AM goes offline:
                                                                          NEVER_CLEAR, CLEAR_ON_DISCONNECT,
                                                                          CLEAR_ON_RECONNECT.
                                                                          Default is CLEAR_ON_DISCONNECT.]
      }
  }

 {
         "name": "ProtectedResourceFilter",
         "type": "OAuth2ResourceServerFilter",
         "config": {
           "scopes": [ "email", "profile" ],
           "requireHttps": false,
           "realm": "Informative realm name",
           "accessTokenResolver" : "ForgeRock Authorisation Server"
         }
 }
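The template above documents a contract (two required keys, a default of requireHttps = true, a cache block whose maxTimeout may not be "zero" or "unlimited", a closed enum for onNotificationDisconnection) that OpenIG only checks when the heap object is loaded. The following is an added example, not part of OpenIG or of this Javadoc: a small Python checker that applies that contract to a heap-object definition before deployment and flags the example configuration above, which disables requireHttps, as a hardening finding. The duration syntax it accepts ("1 minute", "30 seconds") and the names of the finding strings are this example's own assumptions.

```python
"""Pre-deployment checker for an OpenIG OAuth2ResourceServerFilter heap object.

Added example, not OpenIG code. It checks the documented "config" contract
of OAuth2ResourceServerFilter and reports ERROR (contract violation) and
WARN (legal but weak) findings. Run with a route/config JSON on stdin.
"""
import json
import re
import sys

REQUIRED_KEYS = {"scopes", "accessTokenResolver"}
OPTIONAL_KEYS = {"requireHttps", "realm", "executor", "cache"}
CACHE_KEYS = {"enabled", "defaultTimeout", "maxTimeout", "amService",
              "onNotificationDisconnection"}
DISCONNECT_MODES = {"NEVER_CLEAR", "CLEAR_ON_DISCONNECT", "CLEAR_ON_RECONNECT"}

# Assumed duration syntax: "<number> <unit>", e.g. "1 minute", "30 seconds".
_DURATION = re.compile(r"^\s*\d+\s+(millisecond|second|minute|hour|day)s?\s*$", re.I)


def check_config(heap_object):
    """Return the list of findings for one heap-object dict (empty = clean)."""
    findings = []
    if heap_object.get("type") != "OAuth2ResourceServerFilter":
        findings.append("ERROR: type must be OAuth2ResourceServerFilter")
    config = heap_object.get("config", {})

    for key in sorted(REQUIRED_KEYS - config.keys()):
        findings.append(f"ERROR: missing required key '{key}'")
    for key in sorted(config.keys() - REQUIRED_KEYS - OPTIONAL_KEYS):
        findings.append(f"WARN: unknown key '{key}' will be ignored")

    scopes = config.get("scopes")
    if scopes is not None and (not isinstance(scopes, list) or not scopes):
        findings.append("ERROR: scopes must be a non-empty list")

    # requireHttps defaults to true; turning it off lets the filter accept
    # bearer tokens that arrived over plain HTTP.
    if config.get("requireHttps") is False:
        findings.append("WARN: requireHttps is false; bearer tokens may be sent over plain HTTP")

    cache = config.get("cache")
    if isinstance(cache, dict):
        for key in sorted(cache.keys() - CACHE_KEYS):
            findings.append(f"WARN: unknown cache key '{key}' will be ignored")
        for key in ("defaultTimeout", "maxTimeout"):
            value = cache.get(key)
            if value is None:
                continue
            text = str(value).strip().lower()
            # The page rules out "zero" and "unlimited" for maxTimeout only.
            if key == "maxTimeout" and text in ("zero", "unlimited"):
                findings.append("ERROR: cache.maxTimeout may not be 'zero' or 'unlimited'")
            elif text not in ("zero", "unlimited") and not _DURATION.match(text):
                findings.append(f"ERROR: cache.{key} is not a duration: {value!r}")
        mode = cache.get("onNotificationDisconnection")
        if mode is not None:
            if not isinstance(mode, str) or mode not in DISCONNECT_MODES:
                findings.append(f"ERROR: cache.onNotificationDisconnection must be one of "
                                f"{sorted(DISCONNECT_MODES)}, got {mode!r}")
            if "amService" not in cache:
                findings.append("WARN: onNotificationDisconnection has no effect without amService")
    return findings


# The example heap object shown on this page.
PAGE_EXAMPLE = {
    "name": "ProtectedResourceFilter",
    "type": "OAuth2ResourceServerFilter",
    "config": {
        "scopes": ["email", "profile"],
        "requireHttps": False,
        "realm": "Informative realm name",
        "accessTokenResolver": "ForgeRock Authorisation Server",
    },
}

# Constructed input with several contract violations, for demonstration.
CONSTRUCTED_BAD = {
    "type": "OAuth2ResourceServerFilter",
    "config": {
        "scopes": [],
        "cache": {"enabled": True, "maxTimeout": "unlimited",
                  "onNotificationDisconnection": "CLEAR_SOMETIMES"},
    },
}

if __name__ == "__main__":
    target = json.load(sys.stdin) if not sys.stdin.isatty() else PAGE_EXAMPLE
    for finding in check_config(target) or ["OK: no findings"]:
        print(finding)
```

Feed it a single heap-object definition on stdin; with no input it checks the page's own example, which produces exactly one WARN (requireHttps disabled) and no ERROR.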

  • Constructor Details

    • OAuth2ResourceServerFilterHeaplet

      public OAuth2ResourceServerFilterHeaplet()