Class IdTokenValidationFilterHeaplet

java.lang.Object
  org.forgerock.openig.heap.GenericHeaplet
    org.forgerock.openig.filter.jwt.JwtValidationFilter.Heaplet
      org.forgerock.openig.filter.oauth2.client.IdTokenValidationFilterHeaplet

All Implemented Interfaces:
  Heaplet

public class IdTokenValidationFilterHeaplet extends JwtValidationFilter.Heaplet
An IdTokenValidationFilterHeaplet creates a filter that can be used to validate the given idToken according to the provided configuration by leveraging the JwtValidationFilter. If the JWT is verified, the chain of execution continues, with a JwtValidationContext provided. If the JWT is not valid, this filter directly exits the chain by returning either a 403 Forbidden response (by default) or the response built by the given failure handler. In case of errors, a JwtValidationErrorContext is provided.

Configuration options:

{
  "idToken"              : expression             [REQUIRED]
  "audience"             : expression             [REQUIRED - to validate the 'aud' attribute.]
  "failureHandler"       : handler                [OPTIONAL - the failure handler - default is FORBIDDEN.]
  "issuer"               : expression             [OPTIONAL - to validate the 'iss' attribute.]
  "skewAllowance"        : expression<duration>   [OPTIONAL - the skew allowance - defaults to zero.]
  "verificationSecretId" : Secret ID              [OPTIONAL - to verify the signature of the IdToken.]
  "secretsProvider"      : SecretsProvider        [OPTIONAL - secrets provider used to obtain secrets. REQUIRED if 'verificationSecretId' is used.]
  "customizer"           : JwtValidatorCustomizer [OPTIONAL - to add special claim checks. This will not override the pre-defined constraints on "aud", "iss", "exp" and "iat".]
}

Note that the issued-at claim ('iat') must also be present, and its value must be before the current time.

Example of use for a SignedJwt:

{
  "type": "IdTokenValidationFilter",
  "config": {
    "idToken": "${attributes.openid.id_token}",
    "audience": "ForgeShop",
    "issuer": "http://openam.example.com:8090/openam/oauth2",
    "verificationSecretId": "signature.verification.secret.id",
    "secretsProvider": "SecretsProvider",
    "customizer": {
      "type": "ScriptableJwtValidatorCustomizer",
      "config": {
        "type": "application/x-groovy",
        "source": [
          "builder.claim('myClaim', JsonValue::asString, isEqualTo('foobar'))"
        ]
      }
    }
  }
}

See Also:
  OpenID Connect
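The following is an added, stand-alone illustration of the checks the description above lists for an ID token (signature, 'aud', 'iss', 'exp' with a skew allowance, 'iat', plus customizer-style extra claim checks that cannot relax the built-in ones). It is not OpenIG code and does not use the OpenIG API; the function names, the (claims, reason) return shape, and the use of HS256 with a shared secret are assumptions made so it runs offline, whereas the real filter takes its verification key from the configured secrets provider. All token values are constructed here.

```python
# Added illustration of ID-token claim validation; not OpenIG code.
# HS256 with a shared secret is an assumption so the example runs offline.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct sample tokens here."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, audience, issuer, secret, skew_allowance=0, now=None, custom_checks=()):
    """Return (claims, None) if every check passes, else (None, reason).

    custom_checks is an iterable of (claim_name, predicate) pairs standing in for
    the customizer's extra checks; they run after the built-in constraints on
    'aud', 'iss', 'exp' and 'iat' and cannot override them.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    # Pin the expected algorithm before verifying; the token must not choose it.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    # 'aud' may be a single string or a list; the configured audience must be present.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if issuer is not None and claims.get("iss") != issuer:
        return None, "issuer mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew_allowance:
        return None, "token expired"
    # 'iat' must be present and must not lie in the future (beyond the skew allowance).
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + skew_allowance:
        return None, "missing or future iat"
    for name, predicate in custom_checks:
        if name not in claims or not predicate(claims[name]):
            return None, f"claim '{name}' failed custom check"
    return claims, None


# Constructed sample values (not from any real deployment).
SECRET = b"example-shared-secret"
ISSUER = "http://openam.example.com:8090/openam/oauth2"
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": ISSUER, "aud": "ForgeShop", "exp": NOW + 300, "iat": NOW - 10, "myClaim": "foobar"}


def demo():
    """Run sample tokens through the checks; returns the rejection reason (or None) per case."""
    checks = [("myClaim", lambda v: v == "foobar")]
    no_iat = {k: v for k, v in GOOD_CLAIMS.items() if k != "iat"}
    return {
        "valid": validate_id_token(sign_hs256(GOOD_CLAIMS, SECRET), "ForgeShop", ISSUER, SECRET, now=NOW, custom_checks=checks)[1],
        "wrong_audience": validate_id_token(sign_hs256(GOOD_CLAIMS, SECRET), "OtherApp", ISSUER, SECRET, now=NOW)[1],
        "expired": validate_id_token(sign_hs256({**GOOD_CLAIMS, "exp": NOW - 5}, SECRET), "ForgeShop", ISSUER, SECRET, now=NOW)[1],
        "expired_within_skew": validate_id_token(sign_hs256({**GOOD_CLAIMS, "exp": NOW - 5}, SECRET), "ForgeShop", ISSUER, SECRET, skew_allowance=10, now=NOW)[1],
        "missing_iat": validate_id_token(sign_hs256(no_iat, SECRET), "ForgeShop", ISSUER, SECRET, now=NOW)[1],
        "bad_signature": validate_id_token(sign_hs256(GOOD_CLAIMS, b"another-secret"), "ForgeShop", ISSUER, SECRET, now=NOW)[1],
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:20s} -> {'accepted' if reason is None else 'rejected: ' + reason}")
```

The order of checks mirrors the description: a token whose signature does not verify is rejected before any claim is inspected, the skew allowance widens only the time-based checks ('exp' and 'iat'), and the custom predicate runs last so it can only add constraints.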
Constructor Summary

Constructor                       Description
IdTokenValidationFilterHeaplet()
Method Summary

Modifier and Type                           Method                    Description
protected Expression<String>                jwtExpression()           Returns the expression to be used to obtain the JWT token value.
protected Optional<JwtValidatorCustomizer>  jwtValidatorCustomizer()  Returns an instance of a JwtValidatorCustomizer if one has been defined.

Methods inherited from class org.forgerock.openig.filter.jwt.JwtValidationFilter.Heaplet
  create

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
  create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getType, meterRegistryHolder, start
Method Detail

jwtExpression

protected Expression<String> jwtExpression()

Description copied from class: JwtValidationFilter.Heaplet
Returns the expression to be used to obtain the JWT token value.

Overrides:
  jwtExpression in class JwtValidationFilter.Heaplet
Returns:
  the expression to be used to obtain the JWT token value.

jwtValidatorCustomizer

protected Optional<JwtValidatorCustomizer> jwtValidatorCustomizer() throws HeapException

Description copied from class: JwtValidationFilter.Heaplet
Returns an instance of a JwtValidatorCustomizer if one has been defined.

Overrides:
  jwtValidatorCustomizer in class JwtValidationFilter.Heaplet
Returns:
  an instance of a JwtValidatorCustomizer if one has been defined.
Throws:
  HeapException - if there were any issues defining the instance.