A StatelessAccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM.
It will examine the supplied JWT to determine that it:
- is well-formed
- has a valid issuer
- has the expected access token name
- has a valid signature
It models an AccessTokenInfo as returned by AM. AM may supply a stateless access token that is either signed
or encrypted. An example of an Access Management stateless access token is as follows:

    {
      "sub": "demo",
      "cts": "OAUTH2_STATELESS_GRANT",
      "auth_level": 0,
      "auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
      "iss": "http://openam.example.com:8088/openam/oauth2",
      "tokenName": "access_token",
      "token_type": "Bearer",
      "authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc",
      "aud": "ig_client",
      "nbf": 1531339691,
      "grant_type": "password",
      "scope": [
        "openid"
      ],
      "auth_time": 1531339691,
      "realm": "/",
      "exp": 1531343291,
      "iat": 1531339691,
      "expires_in": 3600,
      "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s"
    }
The StatelessAccessTokenResolver has the following configuration:

    {
      "type": "StatelessAccessTokenResolver",
      "config": {
        "skewAllowance" : expression<duration>                  [OPTIONAL - the skew allowance - defaults to zero.]
        "issuer" : expression<Issuer URI>                       [REQUIRED]
        "secretsProvider" : Secrets Provider                    [OPTIONAL]
        "verificationSecretId" : expression<Verification Secret ID> [OPTIONAL]
        "decryptionSecretId" : expression<Decryption Secret ID>     [OPTIONAL]
      }
    }
Either the "verificationSecretId" (for a signed token) or the "decryptionSecretId" (for an encrypted token) must be supplied
so that the token can be verified. Which one is needed depends on how the AM token provider is configured for stateless
access tokens, so the two configurations must agree.
Be aware also that the ResourceServerFilter conducts additional checks on the token content (for example scope)
following resolution; this resolver only establishes that the token is genuine and current.
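The following is an added illustration, not code from IG or AM, of the checks the resolver applies: well-formedness, signature, issuer, token name, and the nbf/exp window widened by the skew allowance. It assumes an HS256-signed token and a constructed shared key; the signing helper only exists so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed sample claims, modelled on the AM token shown above (not a real token).
SAMPLE_CLAIMS = {
    "sub": "demo", "cts": "OAUTH2_STATELESS_GRANT",
    "iss": "http://openam.example.com:8088/openam/oauth2",
    "tokenName": "access_token", "token_type": "Bearer", "aud": "ig_client",
    "nbf": 1531339691, "exp": 1531343291, "iat": 1531339691, "scope": ["openid"],
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer standing in for AM so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def resolve_stateless_token(token, issuer, key, skew_allowance=0, now=None):
    """Apply the resolver's checks (well-formed, signature, issuer, tokenName) and the
    nbf/exp window widened by skew_allowance seconds. Returns the claims or raises."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise ValueError("malformed JWT") from exc
    # Pin the algorithm and check the MAC before trusting any claim in the payload.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("tokenName") != "access_token":
        raise ValueError("unexpected token name")
    if now + skew_allowance < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if now - skew_allowance >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

A token that is a few seconds past its "exp" is rejected with a zero skew allowance but accepted once the allowance covers the gap, which is the trade-off the "skewAllowance" setting controls.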