Class IdentityAssertionHandlerTechPreview
java.lang.Object
org.forgerock.openig.handler.assertion.IdentityAssertionHandlerTechPreview
- All Implemented Interfaces:
Handler
Provides support to locally process a user and generate a JWT assertion that represents the user back to the
calling party. Intended to be used in conjunction with an Identity Cloud authentication journey where it can redirect
a user to IG to carry out local processing on its behalf and return the user to the journey, along with the
assertion, once the local processing has been completed successfully. Local processing may include authentication
and/or authorization.
{
  "type": "IdentityAssertionHandlerTechPreview",
  "config": {
    "identityAssertionPlugin" : IdentityAssertionPluginTechPreview [REQUIRED]
    "selfIdentifier" : expression [REQUIRED - a configuration-time expression used to
                                   validate the aud claim value of the incoming JWT;
                                   it is also used as the iss claim of the assertion JWT.]
    "peerIdentifier" : expression [REQUIRED - a configuration-time expression used to
                                   validate the iss claim value of the incoming JWT;
                                   it is also used as the aud claim of the assertion JWT.]
    "expire" : expression [OPTIONAL - a configuration-time expression used to set the
                           duration, counted from now, that is added to produce the
                           expiry (exp) claim of the assertion JWT. Defaults to 30 seconds.]
    "secretsProvider" : Secrets Provider [REQUIRED - resolves the signing/encryption keys.]
    "verificationSecretId" : expression [REQUIRED - secret ID of the key used to validate the
                                         signature of the incoming JWT.]
    "decryptionSecretId" : expression [OPTIONAL - secret ID of the key used to decrypt the
                                       incoming JWT. When not specified, the incoming JWT is
                                       expected to be signed only, not encrypted.]
    "skewAllowance" : expression [OPTIONAL - the clock-skew allowance applied when checking
                                  the time claims of the incoming JWT. Defaults to zero.]
    "signature" : { object [REQUIRED]
      "secretId" : expression [REQUIRED - secret ID of the key used to sign the assertion JWT.]
      "algorithm" : expression [OPTIONAL - defaults to RS256 (1)]
      "encryption" : { object [REQUIRED]
        "secretId" : expression [REQUIRED - secret ID of the key used to encrypt the assertion JWT.]
        "algorithm" : expression [REQUIRED - the encryption algorithm (1)]
        "method" : expression [REQUIRED - the encryption method (2)]
      }
    }
  }
}
(1) List of JWS Algorithms (2) List of JWE Algorithms
Example of use: Interoperability with the Marketplace Gateway Communications Node
{
  "type": "IdentityAssertionHandlerTechPreview",
  "config": {
    "identityAssertionPlugin": "ScriptablePluginExample",
    "selfIdentifier": "identity-gateway",
    "peerIdentifier": "gateway-communication-node",
    "secretsProvider": [
      "IG-Decrypt",
      "Node-Verify",
      "IG-Sign",
      "Node-Encrypt"
    ],
    "verificationSecretId": "id.key.for.verifying.incoming.jwt",
    "decryptionSecretId": "id.key.for.decrypting.incoming.jwt",
    "signature": {
      "secretId": "id.key.for.signing.assertion.jwt",
      "algorithm": "RS256",
      "encryption": {
        "secretId": "id.key.for.encrypting.assertion.jwt",
        "algorithm": "RSA-OAEP-256",
        "method": "A256GCM"
      }
    }
  }
}
Nested Class Summary
static final class: A builder of a IdentityAssertionHandlerTechPreview.
static class: Creates and initializes a LocalAuthenticationHandler in a heap environment.
Method Summary
Method Details
handle
Description copied from interface: Handler
Returns a Promise representing the asynchronous Response of the given request. If any (asynchronous) processing goes wrong, the promise still contains a Response (probably from the 4xx or 5xx status code family). A handler that doesn't hand off processing to another downstream handler is responsible for creating the response.
The returned Promise contains the response returned from the server as-is. It is the responsibility of the handler to produce the appropriate error response (404, 500, ...) in case of a processing error.
Note: As of the Promise 2.0 implementation, it is not permitted to throw any runtime exception here. Doing so produces unexpected behaviour (most likely a server-side hang of the processing thread).