Class OAuth2ResourceServerFilterHeaplet

  • All Implemented Interfaces:
    Heaplet

    public class OAuth2ResourceServerFilterHeaplet
    extends GenericHeaplet
    Validates a Request that contains an OAuth 2.0 access token.

    This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:

    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9
    It extracts the token and validates it against the specified access token resolver.

     {
          "type": "OAuth2ResourceServerFilter",
          "config": {
              "scopes"                :    [ expression, ... ],   [REQUIRED - the list of OAuth2 scopes.]
              "accessTokenResolver"   :    resolver,              [REQUIRED]
              "requireHttps"          :    boolean,               [OPTIONAL - controls whether this filter only accepts requests
                                                                              targeting the HTTPS scheme. By default,
                                                                              it is enabled (only URIs starting with
                                                                              https://... will be accepted; an
                                                                              Exception is thrown otherwise).]
              "realm"                 :    string,                [OPTIONAL - specifies the name of the realm used in the
                                                                              authentication challenges returned back to
                                                                              the client in case of errors. Defaults to
                                                                              'OpenIG'.]
              "executor"              :    executor,              [OPTIONAL - by default uses the 'ScheduledThreadPool'
                                                                              heap object.]
              "cache"                 :    {                      [OPTIONAL - cache configuration. Default is no caching.]
                  "enabled"           :    boolean,               [OPTIONAL - defaults to false. Enable for the caching
                                                                              of access tokens.]
                  "defaultTimeout"    :    duration,              [OPTIONAL - defaults to 1 minute. If no valid expiry
                                                                              value is provided by the access token,
                                                                              the token is cached for that duration.]
                  "maxTimeout"        :    duration,              [OPTIONAL - if an expiry value is provided by the access
                                                                              token but is greater than this value, then
                                                                              this value is used instead. ("zero" and
                                                                              "unlimited" are not acceptable values).]
                  "amService"         :    AmService,             [OPTIONAL - enables the additional features of the AM
                                                                              token notification service to keep the cache
                                                                              in a consistent state. Only makes sense when
                                                                              working with AM and using a token resolver
                                                                              endpoint that provides the necessary
                                                                              metadata required by the cache.]
                  "onNotificationDisconnection":  enum            [OPTIONAL - what to do if AM goes offline:
                                                                              NEVER_CLEAR, CLEAR_ON_DISCONNECT,
                                                                              CLEAR_ON_RECONNECT.
                                                                              Default is: CLEAR_ON_DISCONNECT.]
              }
          }
      }

     {
             "name": "ProtectedResourceFilter",
             "type": "OAuth2ResourceServerFilter",
             "config": {
               "scopes": [ "email", "profile" ],
               "requireHttps": false,
               "realm": "Informative realm name",
               "accessTokenResolver" : "ForgeRock Authorisation Server"
             }
     }
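    The following is an added illustration, not part of the OpenIG reference or the project's own code: a small lint that reads a route's OAuth2ResourceServerFilter configuration and checks it against the constraints and defaults the reference above states (required keys, the requireHttps default of true, the disallowed maxTimeout values, and the onNotificationDisconnection enum). The sample route fragment at the bottom is constructed for the demonstration.

```python
"""Lint an OpenIG route's OAuth2ResourceServerFilter config against the
constraints the reference page states. Added illustration, not OpenIG code."""
import json

DISCONNECT_POLICIES = {"NEVER_CLEAR", "CLEAR_ON_DISCONNECT", "CLEAR_ON_RECONNECT"}


def lint_filter(filter_cfg):
    """Return a list of findings; an empty list means the config is acceptable."""
    if filter_cfg.get("type") != "OAuth2ResourceServerFilter":
        return ["not an OAuth2ResourceServerFilter"]
    cfg = filter_cfg.get("config", {})
    findings = []
    scopes = cfg.get("scopes")
    if not isinstance(scopes, list) or not scopes:
        findings.append("scopes is required and must be a non-empty list")
    if "accessTokenResolver" not in cfg:
        findings.append("accessTokenResolver is required")
    # requireHttps defaults to true; an explicit false means the bearer token
    # is accepted over plaintext HTTP, which a reviewer should see.
    if cfg.get("requireHttps", True) is False:
        findings.append("requireHttps is false: tokens accepted over plain HTTP")
    cache = cfg.get("cache", {})
    if cache.get("enabled", False):
        max_timeout = str(cache.get("maxTimeout", "")).strip().lower()
        if max_timeout in ("zero", "unlimited"):
            findings.append("cache.maxTimeout may not be 'zero' or 'unlimited'")
        policy = cache.get("onNotificationDisconnection", "CLEAR_ON_DISCONNECT")
        if policy not in DISCONNECT_POLICIES:
            findings.append(f"unknown onNotificationDisconnection: {policy!r}")
    return findings


# Constructed sample route fragment (not taken from a real deployment).
SAMPLE = json.loads("""
{ "name": "ProtectedResourceFilter",
  "type": "OAuth2ResourceServerFilter",
  "config": {
    "scopes": [ "email", "profile" ],
    "requireHttps": false,
    "accessTokenResolver": "ForgeRock Authorisation Server",
    "cache": { "enabled": true, "maxTimeout": "unlimited",
               "onNotificationDisconnection": "CLEAR_ON_RESTART" } } }
""")

if __name__ == "__main__":
    for finding in lint_filter(SAMPLE):
        print("-", finding)
```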
     
     
    • Constructor Detail

      • OAuth2ResourceServerFilterHeaplet

        public OAuth2ResourceServerFilterHeaplet()
    • Method Detail