Package org.forgerock.openig.filter

Class JwtBuilderFilter

  • All Implemented Interfaces:
    Filter
    public class JwtBuilderFilter
extends Object
implements Filter
    The JwtBuilderFilter collects data from template and puts the name-value pairs into a JWT structure. Then the JWT structure is placed in a context JwtBuilderContext for downstream use.

    This filter can produce:

    • unsecured (unsigned JWT are deprecated as not secure)
    • signed JWT
    • signed then encrypted JWT
    • encrypted JWT 
     {
      "type": "JwtBuilderFilter",
      "config": {
          "template"              :     map/expression           [REQUIRED]
          "secretsProvider":      :     Secrets Provider         [OPTIONAL - resolve signing/encryption keys.]
          "signature"             : {   object                   [OPTIONAL but if set, inner attributes MAY BE
                                                                  REQUIRED]
              "secretId"            :     expression                 [REQUIRED - secret ID of the key used for
                                                                                 signing]
              "algorithm"           :     expression                 [OPTIONAL - default to RS256 (1)]
              "encryption"          : {   object                   [OPTIONAL but if set, inner attributes are
                                                                    REQUIRED]
                  "secretId"            :     expression             [REQUIRED - secret ID of the key used for
                                                                                 encryption]
                  "algorithm"           :     expression             [REQUIRED - The encryption algorithm (1)]
                  "method"              :     expression             [REQUIRED - The encryption method (2)]
              }
          }
          "encryption"          : {   object                   [OPTIONAL but if set, inner attributes are
                                                                REQUIRED]
              "secretId"            :     expression             [REQUIRED - secret ID of the key used for
                                                                             encryption]
              "algorithm"             :     expression             [REQUIRED - The encryption algorithm (1)]
              "method"                :     expression             [REQUIRED - The encryption method (2)]
          }
      }
 }

    (1) List of JWS Algorithms (2) List of JWE Algorithms (3) List of Encryption Methods

    Example of use - unsecured(unsigned) JWT (deprecated): 
     {
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          }
      }
   }
    Example for signing a JWT: 
     {
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS384"
          }
      }
 }
    Example for signing then encrypting a JWT: 
     {
      "type": "JwtBuilderFilter",
      "config": {
          "template": {
              "mail": "${contexts.userProfile.rawInfo.mail[0]}",
              "employeeNumber": "${contexts.userProfile.rawInfo.employeeNumber[0]}"
          },
          "signature": {
              "secretId": "my.signature.key",
              "algorithm": "HS256",
              "encryption": {
                  "secretId": "my.encryption.key",
                  "algorithm": "dir",
                  "method": "A128CBC-HS256"
              }
          }
      }
 }
    Example for encrypting a JWT: 
     {
      "name": "JwtBuilderFilter-1",
      "type": "JwtBuilderFilter",
      "config": {
          "template": "${attributes.userProfile}",
          "secretsProvider": "SystemAndEnvSecretStore-1"
          "encryption": {
              "secretId": "my.encryption.key",
              "algorithm": "dir",
              "method": "A128GCM"
          }
      }
 }

    • Constructor Detail

      • JwtBuilderFilter

        public JwtBuilderFilter​(JsonValue template,
                        JwtFactory jwtFactory)
                 throws ExpressionException
        Creates a new JwtBuilderFilter which will create a JWT based on the given JSON template and place it into the context JwtBuilderContext.
        Parameters:
        template - The template representing the name-value pairs, not null, as JsonValue. It must be a Map or a String, ie: "template" : { "value": "pair"} or "template" : "${attributes.template}.
        jwtFactory - The JwtFactory used to create the JWT, not null.
        Throws:
        ExpressionException - When the template contains invalid expressions

    • Method Detail

      • filter

        public Promise<Response,​NeverThrowsException> filter​(Context context,
                                                           Request request,
                                                           Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.