public class TokenTransformationFilter extends Object implements Filter

TokenTransformationFilter is responsible for transforming a token issued by Access Management (AM) into a token of another type.

Currently the only supported transformation is OpenID Connect id_token to SAML 2.0 token (assertion), issued with BEARER subject confirmation.
{
  "type": "TokenTransformationFilter",
  "config": {
    "amService"      : AmService      [REQUIRED*]
    "openamUri"      : uriExpression  [REQUIRED*]
    "ssoTokenHeader" : String         [OPTIONAL - default is AmService.DEFAULT_COOKIE_NAME]
    "realm"          : String         [OPTIONAL - default is Realm.ROOT_REALM]
    "username"       : String         [REQUIRED]
    "password"       : String         [REQUIRED]
    "idToken"        : String         [REQUIRED]
    "instance"       : String         [REQUIRED]
    "amHandler"      : handler        [OPTIONAL - default is the 'ForgeRockClientHandler' provided in the heap]
  }
}
(*) At least one of openamUri or amService must be supplied for the configuration to be valid. If amService is set, it takes precedence over any openamUri and realm settings.
The openamUri attribute is the Access Management base URI against which authentication and STS requests will be issued.
The realm attribute is the AM realm that contains both the subject (described through username and password attributes) and the STS instance (described with instance).
The idToken attribute is an Expression specifying where to read the JWT id_token from. The referenced value must be a String (the encoded JWT).
The instance attribute is the name of an STS instance: a pre-configured transformation available under a specific REST endpoint.
The amHandler attribute is a reference to a Handler heap object. That handler is used for all REST calls to AM (as opposed to the next Handler passed to the filter method, which continues the execution flow through the chain).
After transformation, the returned issued_token (currently a String containing the XML of the generated SAML assertion) is made available in the StsContext for downstream handlers.
If an error occurs during the token transformation, the error response received from AM is returned as-is to the caller (so the AM error body reaches the client unchanged), and informative messages are logged for the administrator.
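As an added example (not taken from this page or from the OpenIG project's own documentation), the following route fragment shows the filter in a Chain, using the openamUri form of the configuration, followed by a HeaderFilter that forwards the issued assertion to the protected application. The host names, the realm, the username and password, the STS instance name oidc-to-saml, the `${attributes.openid.id_token}` expression (where an upstream filter is assumed to have stored the id_token), the `${contexts.sts.issuedToken}` expression and the `encodeBase64` function are assumptions made for this example, not values the page specifies. The `//` comments mark those assumptions and must be removed if the JSON parser in use rejects comments.

```json
{
  "name": "oidc-to-saml-route",
  "condition": "${matches(request.uri.path, '^/saml-app')}",
  "baseURI": "https://app.example.com",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "TokenTransformationFilter",
          "config": {
            // assumed AM base URI; authentication and STS requests go here
            "openamUri": "https://openam.example.com/openam",
            // assumed realm containing both the subject and the STS instance
            "realm": "/",
            // assumed subject the filter authenticates as; the password is
            // stored in clear in this file, so restrict read access to it
            "username": "oidc-sts-user",
            "password": "change-me",
            // assumed location where an upstream filter stored the JWT id_token
            "idToken": "${attributes.openid.id_token}",
            // assumed name of the pre-configured REST STS instance
            "instance": "oidc-to-saml"
          }
        },
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "add": {
              // assumed: the issued assertion is read from StsContext and
              // base64-encoded so the XML is safe to carry in a header
              "X-SAML-Assertion": [ "${encodeBase64(contexts.sts.issuedToken)}" ]
            }
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

Because the filter returns AM's error response unchanged when the transformation fails, a request that reaches the application with the X-SAML-Assertion header present can be taken to mean the STS call succeeded; a failed transformation never reaches the HeaderFilter or the application.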
Modifier and Type | Class and Description
---|---
static class | TokenTransformationFilter.Heaplet: creates and initializes a token transformation filter in a heap environment.
Constructor and Description
---
TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken): constructs a new TokenTransformationFilter transforming the OpenID Connect id_token read from idToken into a SAML 2.0 assertion structure (stored in the StsContext).
Modifier and Type | Method and Description
---|---
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): filters the request and/or response of an exchange.
public TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken)

Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token read from idToken into a SAML 2.0 assertion structure (stored in the StsContext).

Parameters:
handler - pipeline used to send the STS transformation request
endpoint - fully qualified URI of the STS instance (including the _action=translate query string)
idToken - Expression for reading the OpenID Connect id_token (expects a String)

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

Specified by: filter in interface Filter
Copyright 2011-2017 ForgeRock AS.