public class StatelessAccessTokenResolver extends Object implements AccessTokenResolver

A StatelessAccessTokenResolver is an AccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM, without calling back to the authorization server. It examines the supplied JWT and, once the token has been validated, returns an AccessTokenInfo carrying the same content AM would return. AM may issue a stateless access token that is either signed or encrypted; the resolver must be configured to match. An example of an Access Management stateless access token is as follows:
{
"sub": "demo",
"cts": "OAUTH2_STATELESS_GRANT",
"auth_level": 0,
"auditTrackingId": "30068481-09c3-4d84-9039-344d6744d840-3327",
"iss": "http://openam.example.com:8088/openam/oauth2",
"tokenName": "access_token",
"token_type": "Bearer",
"authGrantId": "3-k4Rld9LPqFZVX3unl-b-VDqvc",
"aud": "ig_client",
"nbf": 1531339691,
"grant_type": "password",
"scope": [
"openid"
],
"auth_time": 1531339691,
"realm": "/",
"exp": 1531343291,
"iat": 1531339691,
"expires_in": 3600,
"jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s"
}
The StatelessAccessTokenResolver has the following configuration:
{
"type": "StatelessAccessTokenResolver",
"config": {
"issuer" : Issuer URI [REQUIRED]
"secretsProvider" : Secrets Provider [OPTIONAL]
"signatureSecretId" : Signature Secret ID [OPTIONAL]
"encryptionSecretId" : Encryption Secret ID [OPTIONAL]
}
}
At least one of "signatureSecretId" or "encryptionSecretId" must be supplied so that the token can be verified (signature checked) or decrypted; a resolver with neither cannot validate anything. These settings, and the "issuer" value (which must match the token's "iss" claim exactly), should be configured according to the AM OAuth2 provider's stateless access token settings.
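As an added example (not IG or ForgeRock code), the following Python sketch performs the kind of local resolution described above: it parses a compact JWS, verifies the signature against a configured secret, checks the issuer and validity window, and maps the claims to an AccessTokenInfo-like value. The HS256 shared secret, the sample claims (copied from the token above) and the exact set of claim checks are assumptions made so the example runs offline; the real resolver is driven by AM's signing or encryption configuration and the secrets provider.

```python
"""Local validation of an AM-style stateless (JWT) access token.

Added example, not IG/ForgeRock code. HS256 with a constructed shared
secret stands in for the configured signatureSecretId; AM may sign with
other algorithms or encrypt the token instead.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed configuration values (the "issuer" config key and a signing secret).
ISSUER = "http://openam.example.com:8088/openam/oauth2"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed sample claims, taken from the example token on this page.
SAMPLE_CLAIMS = {
    "sub": "demo", "cts": "OAUTH2_STATELESS_GRANT", "iss": ISSUER,
    "tokenName": "access_token", "token_type": "Bearer", "aud": "ig_client",
    "nbf": 1531339691, "scope": ["openid"], "exp": 1531343291,
    "iat": 1531339691, "expires_in": 3600, "jti": "ktUoEBz6m6SZZZTE60jNkDpGO8s",
}


class AccessTokenException(Exception):
    """Raised when the token cannot be resolved locally."""


@dataclass
class AccessTokenInfo:
    token: str
    scopes: set
    expires_at: int                      # seconds since epoch, from "exp"
    info: dict = field(default_factory=dict)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS. Only used here to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def resolve(token: str, issuer: str = ISSUER, secret: bytes = SHARED_SECRET,
            now: Optional[int] = None) -> AccessTokenInfo:
    """Validate a stateless access token locally and return AccessTokenInfo."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise AccessTokenException("token is not a compact JWS") from exc

    # Never let the token choose its own algorithm: only the configured one is accepted,
    # which also rejects the classic alg=none downgrade.
    if header.get("alg") != "HS256":
        raise AccessTokenException(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AccessTokenException("signature verification failed")

    # Claim checks modelled on the example token (an illustration, not IG's exact list).
    if claims.get("iss") != issuer:
        raise AccessTokenException("issuer mismatch")
    if claims.get("tokenName") != "access_token" or claims.get("token_type") != "Bearer":
        raise AccessTokenException("not a bearer access_token")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AccessTokenException("token expired")
    if now < claims.get("nbf", 0):
        raise AccessTokenException("token not yet valid")

    scope = claims.get("scope", [])
    scopes = set(scope.split() if isinstance(scope, str) else scope)
    return AccessTokenInfo(token=token, scopes=scopes, expires_at=claims["exp"], info=claims)


if __name__ == "__main__":
    info = resolve(mint_token(SAMPLE_CLAIMS), now=1531340000)
    print(sorted(info.scopes), info.expires_at)
```

The signature is checked before any claim is read, and the algorithm is fixed by configuration rather than taken from the token header; a token signed by a different key, re-issued by another issuer, or presented after its "exp" is rejected with an AccessTokenException, mirroring the failure path of the resolve method's promise.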
Be aware also that the ResourceServerFilter conducts additional checks on the token content following resolution.

Modifier and Type | Class and Description
---|---
static class | StatelessAccessTokenResolver.Heaplet: creates and initializes a stateless access token resolver in the heap environment.
Modifier and Type | Method and Description
---|---
Promise<AccessTokenInfo,AccessTokenException> | resolve(Context context, String token): resolves a given access token against an authorization server.
public Promise<AccessTokenInfo,AccessTokenException> resolve(Context context, String token)

Specified by: resolve in interface AccessTokenResolver

Parameters:
context - Context chain used to keep a relationship between requests (tracking)
token - token identifier to be resolved

Returns: a Promise completed with an AccessTokenInfo (well-formed, known by the server), or with an AccessTokenException

Copyright 2011-2017 ForgeRock AS.