Class DiscoveryFilter

java.lang.Object
org.forgerock.openig.filter.oauth2.client.DiscoveryFilter
All Implemented Interfaces:
Filter

public class DiscoveryFilter extends Object implements Filter
In order for an OpenID Connect Relying Party to utilize OpenID Connect services for an End-User, the RP needs to know where the OpenID Provider is. OpenID Connect uses WebFinger [RFC7033] to locate the OpenID Provider for an End-User.

This class performs OpenID Provider Issuer discovery: it determines the location of the OpenID Provider from a given End-User input, which can be an e-mail address, a URL, or a host name and port.

The user input is taken from the query parameter '?discovery=<userInput>'.
Discovery is in two parts. The first extracts the host name and a normalized user input from the given input.
Then, IG checks whether the issuer repository already contains an Issuer matching the extracted host name. If it does, that Issuer is reused. If not, IG checks whether the host name is part of an Issuer's "supportedDomain". If the host name belongs to an Issuer's supported domain, that Issuer is used. Otherwise, the discovery process continues.
In the second part, WebFinger uses the extracted host name to get the location of the corresponding OpenID Issuer, if one exists, that matches the selected service type ("http://openid.net/specs/connect/1.0/issuer").
Based on the returned OpenID Issuer location, the OpenID well-known endpoint is extracted and the filter builds an Issuer, which is placed in the context and in the issuer repository to be reused if needed.
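
The first part of discovery and the WebFinger query of the second part, as an added example that is not OpenIG's own code: it follows the identifier normalization rules of OpenID Connect Discovery 1.0 and shows that the host receiving the WebFinger request is derived entirely from the `discovery` query parameter. The class name, method names and sample inputs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical class; not part of the OpenIG API.
public class DiscoveryInputExample {
    static final String ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer";

    /** Returns {normalized resource, host[:port]} for an e-mail, URL or host:port input. */
    static String[] normalize(String userInput) {
        String s = userInput.trim();
        int hash = s.indexOf('#');
        if (hash >= 0) s = s.substring(0, hash);              // the fragment is dropped
        if (s.isEmpty()) throw new IllegalArgumentException("empty discovery input");
        boolean acct = s.regionMatches(true, 0, "acct:", 0, 5);
        String bare = acct ? s.substring(5) : s;
        if (bare.matches("[^/?@]+@[^:/?@]+")) {               // user@host only: e-mail syntax
            return new String[] {"acct:" + bare, bare.substring(bare.lastIndexOf('@') + 1)};
        }
        if (acct) throw new IllegalArgumentException("malformed acct identifier");
        if (!s.matches("(?i)https?://.*")) {
            if (s.contains("://")) throw new IllegalArgumentException("unsupported scheme");
            s = "https://" + s;                               // host[:port][/path] syntax
        }
        URI uri = URI.create(s);                              // throws on malformed input
        if (uri.getHost() == null) throw new IllegalArgumentException("no host in " + s);
        String host = uri.getHost() + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
        return new String[] {s, host};
    }

    /** Builds the WebFinger query sent to the extracted host. */
    static URI webFingerUri(String resource, String host) {
        return URI.create("https://" + host + "/.well-known/webfinger?resource="
                + URLEncoder.encode(resource, StandardCharsets.UTF_8)
                + "&rel=" + URLEncoder.encode(ISSUER_REL, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per syntax the filter accepts.
        String[] inputs = {"joe@example.com", "https://example.com/joe", "example.com:8080"};
        for (String in : inputs) {
            String[] n = normalize(in);
            System.out.println(in + " -> resource=" + n[0] + " host=" + n[1]);
            System.out.println("  " + webFingerUri(n[0], n[1]));
        }
    }
}
```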

  • Method Details

    • filter

      public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
      Description copied from interface: Filter
      Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

      This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

      Specified by:
      filter in interface Filter
      Parameters:
      context - The request context.
      request - The request.
      next - The next filter or handler in the chain to handle the request.
      Returns:
      A Promise representing the response to be returned to the client.