public class TokenTransformationFilter extends Object implements Filter
TokenTransformationFilter is responsible for transforming a token issued by Access Management into a token of another type.
Currently only the transformation of an OpenID Connect id_token into a SAML 2.0 token (assertion) is supported, in BEARER mode.
{
  "type": "TokenTransformationFilter",
  "config": {
    "amService" : AmService [REQUIRED],
    "idToken"   : String    [REQUIRED],
    "instance"  : String    [REQUIRED]
  }
}
The idToken attribute is an Expression specifying where to get the JWT id_token. Note that the referenced value has to be a String (the JWT encoded value).
The instance attribute is the name of an STS instance: a pre-configured transformation available under a specific REST endpoint.
After transformation, the returned issued_token (at the moment a String that contains the XML of the generated SAML assertion) is made available in the StsContext for downstream handlers.
If an error occurs during the token transformation, the error response from the STS is returned as-is to the caller, and informative messages are logged for the administrator.
Modifier and Type | Class and Description
---|---
static class | TokenTransformationFilter.Heaplet: Creates and initializes a token transformation filter in a heap environment.
Constructor and Description
---
TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken): Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into StsContext).
Modifier and Type | Method and Description
---|---
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): Filters the request and/or response of an exchange.
public TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken)
Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into StsContext).
Parameters:
handler - pipeline used to send the STS transformation request
endpoint - Fully qualified URI of the STS instance (including the _action=translate query string)
idToken - Expression for reading the OpenID Connect id_token (expects a String)

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).
This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
Specified by: filter in interface Filter
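Programmatic wiring of the filter through the constructor documented above, as an added example that is not code from this page or from the OpenIG project. It maps the three JSON attributes (amService, idToken, instance) onto the constructor's handler, idToken expression and endpoint URI. The AM host, the rest-sts path of the STS instance, the X-Id-Token header name and the StsContext.getIssuedToken() accessor are assumptions of the example; the page only states that the issued token is placed in the StsContext. Note the trust boundary: whatever String the expression yields is forwarded to the STS, so it is the STS instance's configured validation, not the filter, that decides whether a client-supplied id_token is accepted, and an STS error response is passed back to the caller unchanged.

```java
import java.net.URI;
import org.forgerock.http.Handler;
import org.forgerock.http.handler.Handlers;
import org.forgerock.http.handler.HttpClientHandler;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.http.protocol.Status;
import org.forgerock.openig.el.Expression;
import org.forgerock.openig.openam.StsContext;
import org.forgerock.openig.openam.TokenTransformationFilter;
import org.forgerock.services.context.Context;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;

public final class OidcToSamlWiring {

    // Downstream handler that consumes the SAML assertion the filter stored in StsContext.
    // It only runs when the transformation succeeded: on an STS error the filter returns
    // that error response itself and never calls the next handler.
    // The getIssuedToken() accessor name is an assumption of this example.
    static final Handler ASSERTION_ECHO = new Handler() {
        @Override
        public Promise<Response, NeverThrowsException> handle(Context context, Request request) {
            StsContext sts = context.asContext(StsContext.class);
            String assertionXml = sts.getIssuedToken();
            Response response = new Response(Status.OK);
            response.getHeaders().put("Content-Type", "application/samlassertion+xml");
            response.setEntity(assertionXml);
            return Promises.newResultPromise(response);
        }
    };

    public static Handler build() throws Exception {
        // Hypothetical AM deployment and STS instance name ("instance" in the JSON config).
        // The endpoint must carry the _action=translate query string, as the constructor requires.
        URI endpoint = URI.create(
                "https://openam.example.com:8443/openam/rest-sts/openig-oidc-to-saml?_action=translate");

        // "idToken" in the JSON config: evaluated per request, must resolve to the encoded JWT String.
        // Reading it from a request header is this example's choice; the header is client-controlled,
        // so acceptance of the token rests entirely on the STS instance's validation.
        Expression<String> idToken =
                Expression.valueOf("${request.headers['X-Id-Token'][0]}", String.class);

        // "amService" in the JSON config: here a plain HTTP client pipeline used to reach AM.
        Handler amPipeline = new HttpClientHandler();

        TokenTransformationFilter filter = new TokenTransformationFilter(amPipeline, endpoint, idToken);

        // Chain: request -> TokenTransformationFilter -> ASSERTION_ECHO
        return Handlers.chainOf(ASSERTION_ECHO, filter);
    }
}
```

Because the assertion is returned to the caller here only to make the flow visible, a real route would instead hand it to a SAML-consuming backend, and the upstream route should already have authenticated the client before the id_token reaches this chain.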
Copyright 2011-2017 ForgeRock AS.