public class OAuth2ResourceServerFilter extends GenericFilter

Validates an Exchange that contains an OAuth 2.0 access token. This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:

    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9

It extracts the token and validates it against the token-info-endpoint URL provided in the configuration.
    {
      "name": "ProtectedResourceFilter",
      "type": "org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilter",
      "config": {
        "scopes": [ "email", "profile" ],
        "tokenInfoEndpoint": "https://openam.example.com:8443/openam/oauth2/tokeninfo",
        "cacheExpiration": "2 minutes",
        "requireHttps": false,
        "providerHandler": "ClientHandler",
        "realm": "Informative realm name",
        "target": "${exchange.oauth2AccessToken}"
      }
    }

scopes, tokenInfoEndpoint and providerHandler are the only three mandatory configuration attributes.
If cacheExpiration is not set, the default is to keep AccessTokens for 1 minute.
cacheExpiration is expressed using natural language (use zero or none to deactivate caching; any 0-valued duration will also deactivate it):

    "cacheExpiration": "2 minutes"
    "cacheExpiration": "3 days and 6 hours"
    "cacheExpiration": "5m"              // 5 minutes
    "cacheExpiration": "10 min, 30 sec"
    "cacheExpiration": "zero"            // no cache
    "cacheExpiration": "0 s"             // no cache
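As an added example (not OpenIG's own Duration parser), the following Python accepts the spellings shown above and turns them into a cache lifetime in seconds, treating zero, none and any 0-valued duration as "caching disabled". The unit spellings beyond those in the examples are an assumption about the grammar; anything the parser does not recognise is rejected rather than silently falling back to the 1-minute default, which is the behaviour you want for a setting that decides how long a revoked token keeps working.

```python
import re

# Unit spellings -> seconds. The forms in the examples above ("m", "min",
# "minutes", "sec", "days", "hours") are covered; the remaining variants are
# an assumption about the grammar, not OpenIG's exact table.
UNITS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
PART = re.compile(r"(\d+)\s*([a-z]+)")        # one <number><unit> pair
CONNECTORS = re.compile(r"[\s,]+|\band\b")     # what may sit between pairs


def parse_cache_expiration(text):
    """Return the cache lifetime in seconds; 0 means caching is disabled.

    'zero' and 'none' disable caching, as does any duration totalling 0
    (for example '0 s'). Unparseable input raises ValueError instead of
    silently becoming the default.
    """
    s = text.strip().lower()
    if s in ("zero", "none"):
        return 0
    total, count = 0, 0
    for number, unit in PART.findall(s):
        if unit not in UNITS:
            raise ValueError("unknown unit %r in %r" % (unit, text))
        total += int(number) * UNITS[unit]
        count += 1
    # Everything that is not a <number><unit> pair must be a connector.
    leftover = CONNECTORS.sub("", PART.sub("", s))
    if count == 0 or leftover:
        raise ValueError("cannot parse duration %r" % text)
    return total


def cache_enabled(text):
    """True when the setting keeps resolved tokens for a positive duration."""
    return parse_cache_expiration(text) > 0


def is_valid_duration(text):
    """True when the setting would be accepted at configuration time."""
    try:
        parse_cache_expiration(text)
        return True
    except ValueError:
        return False
```

The cache lifetime is a security trade-off: a cached token-info result keeps a token usable for up to cacheExpiration after the authorization server revokes it, so pick a value no longer than the revocation delay you can tolerate.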
providerHandler is a name reference to another handler available in the heap. It will be used to perform access token validation against the tokenInfoEndpoint URL. It is usually a reference to some ClientHandler.
The requireHttps optional attribute controls whether this filter only accepts requests targeting the HTTPS scheme. By default it is enabled (only URIs starting with https:// are accepted; an exception is thrown otherwise). Set it to false only when TLS is terminated in front of OpenIG: a bearer token carried over plain HTTP can be read and replayed by anyone who observes the request.
The realm optional attribute specifies the name of the realm used in the authentication challenges (the WWW-Authenticate: Bearer header) returned to the client in case of error.
The target optional attribute specifies the expression which will be used for storing the OAuth 2.0 access token information in the exchange. Defaults to ${exchange.oauth2AccessToken}.
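As an added example (not OpenIG code), the following Python stands in for the behaviour the configuration above describes: extract the Bearer token from the Authorization header, resolve it through a token-info stand-in with a cache bounded by cacheExpiration, check expiry on every use, check the required scopes, refuse non-HTTPS requests when requireHttps is set, and on failure return a challenge carrying the realm. Status codes and error names follow RFC 6750; the token-info records, their field names, the clock and the backend handler are constructed for the example and do not reproduce OpenIG's exact responses.

```python
import time

# Constructed stand-in for the tokenInfoEndpoint: token -> what the endpoint reports.
# Field names are an assumption for this example, not OpenAM's JSON. The first
# token is the one shown in the Authorization header above.
TOKEN_DB = {
    "1fc0e143-f248-4e50-9c13-1d710360cec9": {"scope": ["openid", "email", "profile"], "expires_in": 3600},
    "short-lived": {"scope": ["email", "profile"], "expires_in": 30},
    "email-only": {"scope": ["email"], "expires_in": 3600},
}

class Resolver:
    """AccessTokenResolver stand-in; counts endpoint calls so caching is visible."""
    def __init__(self, clock):
        self.clock, self.calls = clock, 0
    def __call__(self, token):
        self.calls += 1
        row = TOKEN_DB.get(token)
        if row is None:
            return None
        # Relative lifetime becomes an absolute deadline at fetch time.
        return {"scope": set(row["scope"]), "expires_at": self.clock() + row["expires_in"]}

class ResourceServer:
    def __init__(self, resolver, scopes, realm, cache_expiration=60, require_https=True, clock=time.time):
        self.resolver = resolver
        self.scopes = set(scopes)                 # every listed scope must be present
        self.realm = realm
        self.cache_expiration = cache_expiration  # seconds; 0 disables caching
        self.require_https = require_https
        self.clock = clock                        # TimeService stand-in
        self.cache = {}                           # token -> (info, cached_at)

    def challenge(self, status, error=None, description=None):
        """RFC 6750 WWW-Authenticate challenge; the realm is always present."""
        value = 'Bearer realm="%s"' % self.realm
        if error:
            value += ', error="%s"' % error
        if description:
            value += ', error_description="%s"' % description
        return {"status": status, "headers": {"WWW-Authenticate": value}}

    def lookup(self, token):
        now = self.clock()
        hit = self.cache.get(token)
        if hit is not None and now - hit[1] < self.cache_expiration:
            return hit[0]
        info = self.resolver(token)
        if info is not None and self.cache_expiration > 0:
            self.cache[token] = (info, now)       # unknown tokens are never cached
        return info

    def filter(self, request, next_handler):
        if self.require_https and not request["uri"].lower().startswith("https://"):
            raise ValueError("requireHttps: refusing " + request["uri"])
        auth = request["headers"].get("Authorization")
        if auth is None:
            return self.challenge(401)            # no token at all: bare challenge
        scheme, _, token = auth.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return self.challenge(400, "invalid_request", "expected Bearer token")
        info = self.lookup(token)
        if info is None:
            return self.challenge(401, "invalid_token", "unknown token")
        if self.clock() >= info["expires_at"]:    # re-checked on every use, even from cache
            return self.challenge(401, "invalid_token", "token expired")
        missing = self.scopes - info["scope"]
        if missing:
            return self.challenge(403, "insufficient_scope", "missing " + ",".join(sorted(missing)))
        request["oauth2AccessToken"] = info       # the default target slot
        return next_handler(request)

def run_scenario():
    """Drive the filter through each outcome with a controllable clock."""
    clock = [1000.0]
    resolver = Resolver(lambda: clock[0])
    rs = ResourceServer(resolver, ["email", "profile"], "Informative realm name",
                        cache_expiration=120, clock=lambda: clock[0])
    def call(token=None, uri="https://rs.example.com/api", raw=None):
        headers = {}
        if raw is not None:
            headers["Authorization"] = raw
        elif token is not None:
            headers["Authorization"] = "Bearer " + token
        return rs.filter({"uri": uri, "headers": headers}, lambda req: {"status": 200})
    r = {}
    r["no_header"] = call()["status"]
    r["basic_scheme"] = call(raw="Basic dXNlcjpwdw==")["status"]
    r["good"] = call("1fc0e143-f248-4e50-9c13-1d710360cec9")["status"]
    r["unknown"] = call("not-a-token")["status"]
    r["scope"] = call("email-only")["status"]
    call("1fc0e143-f248-4e50-9c13-1d710360cec9")  # within cacheExpiration: served from cache
    r["short_first"] = call("short-lived")["status"]
    clock[0] += 31                                # token expired, cache entry still fresh
    r["short_after"] = call("short-lived")["status"]
    r["endpoint_calls"] = resolver.calls          # 4: two lookups were cache hits
    try:
        call("1fc0e143-f248-4e50-9c13-1d710360cec9", uri="http://rs.example.com/api")
        r["http_refused"] = False
    except ValueError:
        r["http_refused"] = True
    return r
```

The scenario shows why expiry must be checked on every request and not only when the token is fetched: the 30-second token is still in the cache after 31 seconds, yet it is rejected without another round trip to the endpoint.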
See Also: Duration
Nested Class Summary

Modifier and Type | Class and Description
---|---
static class | OAuth2ResourceServerFilter.Heaplet: Creates and initializes an OAuth2 filter in a heap environment.
Field Summary

Modifier and Type | Field and Description
---|---
static String | DEFAULT_ACCESS_TOKEN_KEY: The key under which downstream handlers will find the access token in the Exchange.
static String | DEFAULT_REALM_NAME: Name of the realm when none is specified in the heaplet.

Fields inherited from class GenericFilter: logger, storage
Constructor Summary

Constructor and Description
---
OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, org.forgerock.util.time.TimeService time, Expression target): Creates a new OAuth2Filter.
OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, org.forgerock.util.time.TimeService time, Set<Expression> scopes, String realm, Expression target): Creates a new OAuth2Filter.
Field Detail

public static final String DEFAULT_ACCESS_TOKEN_KEY
The key under which downstream handlers will find the access token in the Exchange.

public static final String DEFAULT_REALM_NAME
Name of the realm when none is specified in the heaplet.
Constructor Detail

public OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, org.forgerock.util.time.TimeService time, Expression target)
Creates a new OAuth2Filter.
Parameters:
resolver - An AccessTokenResolver instance.
extractor - A BearerTokenExtractor instance.
time - A TimeService instance used to check whether the token has expired.
target - The expression used to store the OAuth 2.0 access token information in the exchange. Must not be null.

public OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, org.forgerock.util.time.TimeService time, Set<Expression> scopes, String realm, Expression target)
Creates a new OAuth2Filter.
Parameters:
resolver - An AccessTokenResolver instance.
extractor - A BearerTokenExtractor instance.
time - A TimeService instance used to check whether the token has expired.
scopes - A set of scope expressions to be checked against the resolved access tokens.
realm - Name of the realm (used in the authentication challenge returned in case of error).
target - The expression used to store the OAuth 2.0 access token information in the exchange. Must not be null.

Method Detail

public void filter(Exchange exchange, Handler next) throws HandlerException, IOException
Filters the request and/or response of an exchange. exchange.request contains the request to be filtered. To pass the request to the next filter or handler in the chain, the filter calls next.handle(exchange). After this call, exchange.response contains the response that can be filtered.

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by simply not calling next.handle(exchange) and creating its own response object in the exchange. The filter is also at liberty to replace a response with another of its own after the call to next.handle(exchange).

Important note: If a response already exists in the exchange object and the filter intends to replace it with its own, it must first check whether the existing response has an entity, and if it does, must call its close method in order to signal that the processing of the response from a remote server is complete. Skipping this leaks the connection or buffer held by the remote response.

Specified by: filter in interface Filter
Parameters:
exchange - the exchange containing the request and response to filter.
next - the next filter or handler in the chain to handle the exchange.
Throws:
HandlerException - if an exception occurred handling the exchange.
IOException - if an I/O exception occurred.

Copyright © 2014 ForgeRock AS. All rights reserved.