Class StatelessAccessTokenResolver

  • All Implemented Interfaces:
    AccessTokenResolver

    public class StatelessAccessTokenResolver
    extends Object
    implements AccessTokenResolver
    A StatelessAccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM. It examines the supplied JWT to determine that it:
    • is well-formed
    • has a valid issuer
    • has the expected access token name
    • has a valid signature
    It models an AccessTokenInfo as returned by AM. AM may supply a stateless access token that is either signed or encrypted. An example of an Access Management stateless access token is as follows:
         {
             "sub": "demo",
             "cts": "OAUTH2_STATELESS_GRANT",
             "auth_level": 0,
             "auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
             "iss": "http://openam.example.com:8088/openam/oauth2",
             "tokenName": "access_token",
             "token_type": "Bearer",
             "authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc",
             "aud": "ig_client",
             "nbf": 1531339691,
             "grant_type": "password",
             "scope": [
                 "openid"
             ],
             "auth_time": 1531339691,
             "realm": "/",
             "exp": 1531343291,
             "iat": 1531339691,
             "expires_in": 3600,
             "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s"
         }

    The StatelessAccessTokenResolver has the following configuration:
         {
           "type": "StatelessAccessTokenResolver",
           "config": {
             "skewAllowance"         :     expression<duration>                    [OPTIONAL - the skew allowance, defaults to zero.]
             "issuer"                :     expression<Issuer URI>                  [REQUIRED]
             "secretsProvider"       :     Secrets Provider                        [OPTIONAL]
             "verificationSecretId"  :     expression<Verification Secret ID>      [OPTIONAL]
             "decryptionSecretId"    :     expression<Decryption Secret ID>        [OPTIONAL]
           }
         }

    Either "verificationSecretId" or "decryptionSecretId" must be supplied to allow token verification; configure it according to the AM token provider configuration for stateless access tokens. Note also that the ResourceServerFilter conducts additional checks on the token content after resolution.
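    The four checks listed above, carried through as an added Python example (this is not IG's own Java implementation): the sample claims are signed with a constructed HMAC secret standing in for the key that "verificationSecretId" would resolve through the secrets provider, and the resolver then verifies the signature before trusting any claim. Assumptions: HS256 signing, and that "skewAllowance" widens the exp/nbf window; the page itself only says the ResourceServerFilter performs further checks.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret standing in for the key "verificationSecretId" would
# resolve via the secrets provider (assumption: HS256 signing, not AM's real key).
SECRET = b"constructed-demo-secret"
ISSUER = "http://openam.example.com:8088/openam/oauth2"
# Claims taken from the sample token above (a subset sufficient for the checks).
SAMPLE_CLAIMS = {"sub": "demo", "iss": ISSUER, "tokenName": "access_token",
                 "token_type": "Bearer", "aud": "ig_client", "nbf": 1531339691,
                 "exp": 1531343291, "iat": 1531339691, "scope": ["openid"]}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed compact JWS for the demo (AM does the real minting)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def resolve_stateless_token(token, secret=SECRET, issuer=ISSUER, skew=0, now=None):
    """Apply the resolver's checks; the signature is verified before any claim is
    trusted. Raises ValueError on the first failure, otherwise returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:                                        # well-formed
        raise ValueError("malformed JWT")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # valid signature
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:                            # valid issuer
        raise ValueError("unexpected issuer")
    if claims.get("tokenName") != "access_token":              # expected token name
        raise ValueError("not an access_token")
    # Validity window widened by skewAllowance (assumption about where skew applies).
    now = time.time() if now is None else now
    if now > claims["exp"] + skew or now < claims["nbf"] - skew:
        raise ValueError("token outside its validity window")
    return claims

def validation_error(token, **kw):
    """Return the rejection reason, or None if the token resolves."""
    try:
        resolve_stateless_token(token, **kw)
    except ValueError as e:
        return str(e)
    return None
```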
    Since:
    6.5