PingGateway 2024.9

ScriptableIdentityAssertionPluginTechPreview

An out-of-the box implementation of IdentityAssertionPluginTechPreview.

Use with an IdentityAssertionHandlerTechPreview for local processing, such as authentication. The plugin returns IdentityAssertionClaims to include in the outgoing JWT sent to PingOne Advanced Identity Cloud.

The IdentityAssertionHandlerTechPreview, ScriptableIdentityAssertionPluginTechPreview, and IdentityAssertionPluginTechPreview are available in Technology preview. They aren’t yet supported, may be functionally incomplete, and are subject to change without notice.

The script must:

  • Access the context, request, and claims of an incoming JWT, where the claims are available under the name incomingClaims.

  • Return an IdentityAssertionClaims containing the assertions to add to the outgoing JWT sent to PingOne Advanced Identity Cloud.

Usage

{
    "name": string,
    "type": "ScriptableIdentityAssertionPluginTechPreview",
    "config": {
        "preProcessingFilter": Filter reference,
        "type": configuration expression<string>,
        "file": configuration expression<string>, // Use either "file"
        "source": [ string, ... ],                // or "source", but not both
        "args": map,
        "clientHandler": Handler reference
    }
}

Properties

For information about other properties for ScriptableIdentityAssertionPluginTechPreview, refer to Scripts.

"preProcessingFilter": _Filter reference, required

A Filter to perform user defined actions, such as local authentication and/or authorization. The Filter can be used to process the request before it reaches the script.

Example

The following example applies a preProcessingFilter that uses a ScriptableFilter to test whether the user is authenticated. If the user isn’t authenticated, the request passes to another script to manage authentication.

{
  "name": "BasicAuthScriptablePlugin",
  "type": "ScriptableIdentityAssertionPluginTechPreview",
  "config": {
    "type": "application/x-groovy",
    "source": [
      "import org.forgerock.openig.handler.assertion.IdentityAssertionClaims",
      "import org.forgerock.openig.handler.assertion.IdentityAssertionException",
      "if (request.headers.authorization != null && request.headers.authorization.values[0] == 'Basic user:password') {",
          return new IdentityAssertionClaims({Map.of("iguser", "user"))",
      "}",
      "return newExceptionPromise(new IdentityAssertionException('Invalid authentication'))",
    ],
    "preProcessingFilter": {
      "type": "ScriptableFilter",
      "config": {
        "type": "application/x-groovy",
        "source": [
          "if (request.headers.authorization == null) {",
          "    Response response = new Response(Status.UNAUTHORIZED)",
          "    response.headers['WWW-Authenticate'] = \"Basic\"",
          "    return response",
          "}",
          "return next.handle(context, request)",
        ],
      },
    }
  }
}

More information

org.forgerock.openig.handler.assertion.IdentityAssertionPlugin

IdentityAssertionClaims