public final class OAuth2ClientFilter extends GenericFilter
This filter exposes the following client end-points:

- `{clientEndpoint}/login/{provider}?goto=<url>` - redirects the user for authorization against the specified provider
- `{clientEndpoint}/logout?goto=<url>` - removes authorization state for the end-user
- `{clientEndpoint}/callback` - OAuth 2.0 authorization call-back end-point (state encodes nonce, goto, and provider)
Configuration options:

```
"target"                     : expression,         [OPTIONAL - default is ${exchange.openid}]
"scopes"                     : [ expressions ],    [OPTIONAL]
"clientEndpoint"             : expression,         [REQUIRED]
"loginHandler"               : handler,            [REQUIRED - if more than one provider]
"failureHandler"             : handler,            [REQUIRED]
"providerHandler"            : handler,            [REQUIRED]
"defaultLoginGoto"           : expression,         [OPTIONAL - default return empty page]
"defaultLogoutGoto"          : expression,         [OPTIONAL - default return empty page]
"requireLogin"               : boolean             [OPTIONAL - default require login]
"requireHttps"               : boolean             [OPTIONAL - default require SSL]
"cacheExpiration"            : duration            [OPTIONAL - default to 20 seconds]
"providers"                  : array [
    "name"                   : String,             [REQUIRED]
    "wellKnownConfiguration" : String,             [OPTIONAL - if authorize and token end-points are specified]
    "authorizeEndpoint"      : uriExpression,      [REQUIRED - if no well-known configuration]
    "tokenEndpoint"          : uriExpression,      [REQUIRED - if no well-known configuration]
    "userInfoEndpoint"       : uriExpression,      [OPTIONAL - default no user info]
    "clientId"               : expression,         [REQUIRED]
    "clientSecret"           : expression,         [REQUIRED]
    "scopes"                 : [ expressions ],    [OPTIONAL - overrides global scopes]
]
```

For example:
```json
{
  "name": "OpenIDConnect",
  "type": "org.forgerock.openig.filter.oauth2.client.OAuth2ClientFilter",
  "config": {
    "target"            : "${exchange.openid}",
    "scopes"            : ["openid", "profile", "email"],
    "clientEndpoint"    : "/openid",
    "loginHandler"      : "NascarPage",
    "failureHandler"    : "LoginFailed",
    "providerHandler"   : "ClientHandler",
    "defaultLoginGoto"  : "/homepage",
    "defaultLogoutGoto" : "/loggedOut",
    "requireHttps"      : false,
    "requireLogin"      : true,
    "providers"         : [
      {
        "name"                   : "openam",
        "wellKnownConfiguration" : "https://openam.example.com:8080/openam/.well-known/openid-configuration",
        "clientId"               : "*****",
        "clientSecret"           : "*****"
      },
      {
        "name"                   : "google",
        "wellKnownConfiguration" : "https://accounts.google.com/.well-known/openid-configuration",
        "clientId"               : "*****",
        "clientSecret"           : "*****"
      }
    ]
  }
}
```

Once authorized, this filter will inject the following information into the target location:
```json
{
  "openid" : {
    "provider"        : "google",
    "access_token"    : "xxx",
    "id_token"        : "xxx",
    "token_type"      : "Bearer",
    "expires_in"      : 3599,
    "scope"           : [ "openid", "profile", "email" ],
    "client_endpoint" : "http://www.example.com:8081/openid",
    "id_token_claims" : {
      "at_hash"        : "xxx",
      "sub"            : "xxx",
      "aud"            : [ "xxx.apps.googleusercontent.com" ],
      "email_verified" : true,
      "azp"            : "xxx.apps.googleusercontent.com",
      "iss"            : "accounts.google.com",
      "exp"            : "2014-07-25T00:12:53+0000",
      "iat"            : "2014-07-24T23:07:53+0000",
      "email"          : "micky.mouse@gmail.com"
    },
    "user_info" : {
      "sub"            : "xxx",
      "email_verified" : "true",
      "gender"         : "male",
      "kind"           : "plus#personOpenIdConnect",
      "profile"        : "https://plus.google.com/xxx",
      "name"           : "Micky Mouse",
      "given_name"     : "Micky",
      "locale"         : "en-GB",
      "family_name"    : "Mouse",
      "picture"        : "https://lh4.googleusercontent.com/xxx/photo.jpg?sz=50",
      "email"          : "micky.mouse@gmail.com"
    }
  }
}
```
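A downstream handler should not trust the injected `openid` structure blindly: the `id_token_claims` it carries still need to be checked against the issuer and `clientId` configured for the provider. The following is an added example, not OpenIG code; it validates a target shaped like the output above (and rejects the error shape written when the failure handler runs). The expected issuer set, the client id and the "now" timestamp are assumed inputs, and the sample data is constructed with placeholder values.

```python
from datetime import datetime

def parse_ts(value):
    # The filter renders exp/iat as ISO 8601 strings, e.g. "2014-07-25T00:12:53+0000".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def check_openid_target(openid, expected_issuers, client_id, now):
    """Validate the structure the filter stores in its target.
    expected_issuers / client_id are assumed provider configuration; now uses the
    same string format as the exp/iat claims. Returns (ok, reasons)."""
    if "error" in openid:
        # Shape written when the failure handler ran: never treat it as a login.
        err = openid["error"]
        return False, ["provider error: %s (%s)" % (err.get("error"), err.get("error_description"))]
    claims = openid.get("id_token_claims", {})
    reasons = []
    if claims.get("iss") not in expected_issuers:
        reasons.append("unexpected issuer %r" % claims.get("iss"))
    if client_id not in claims.get("aud", []):
        reasons.append("aud does not contain our client id")
    if claims.get("azp") not in (None, client_id):
        reasons.append("azp is not our client id")
    if "exp" not in claims or parse_ts(claims["exp"]) <= parse_ts(now):
        reasons.append("id_token has expired")
    # user_info comes from a separate end-point; its subject must match the id_token.
    info_sub = openid.get("user_info", {}).get("sub")
    if info_sub is not None and info_sub != claims.get("sub"):
        reasons.append("user_info.sub does not match id_token sub")
    if claims.get("email_verified") is not True:
        reasons.append("email is not verified by the provider")
    return not reasons, reasons

# Constructed sample shaped like the filter's output (values are placeholders).
SAMPLE_OK = {
    "provider": "google", "token_type": "Bearer", "expires_in": 3599,
    "scope": ["openid", "profile", "email"],
    "id_token_claims": {
        "sub": "xxx", "aud": ["xxx.apps.googleusercontent.com"],
        "azp": "xxx.apps.googleusercontent.com", "iss": "accounts.google.com",
        "email_verified": True, "email": "micky.mouse@gmail.com",
        "exp": "2014-07-25T00:12:53+0000", "iat": "2014-07-24T23:07:53+0000"},
    "user_info": {"sub": "xxx", "email": "micky.mouse@gmail.com"},
}
# Constructed sample of the error shape written when the failure handler runs.
SAMPLE_ERR = {"provider": "google",
              "error": {"error": "access_denied", "error_description": "user declined"}}
```

`check_openid_target(SAMPLE_OK, {"accounts.google.com"}, "xxx.apps.googleusercontent.com", "2014-07-24T23:30:00+0000")` returns `(True, [])`; the same call with a later `now` or a different client id returns `False` with the reasons listed.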
Nested classes:

Modifier and Type | Class and Description
---|---
`static class` | `OAuth2ClientFilter.Heaplet`: Creates and initializes the filter in a heap environment.
Fields:

Modifier and Type | Field and Description
---|---
`static String` | `DEFAULT_TOKEN_KEY`: The expression which will be used for storing authorization information in the exchange.

Fields inherited from class `GenericFilter`: `logger`, `storage`
Constructors:

Constructor and Description
---
`OAuth2ClientFilter()`
Methods:

Modifier and Type | Method and Description
---|---
`OAuth2ClientFilter` | `addProvider(OAuth2Provider provider)`: Adds an authorization provider.
`void` | `filter(Exchange exchange, Handler next)`: Filters the request and/or response of an exchange.
`OAuth2ClientFilter` | `setClientEndpoint(Expression endpoint)`: Sets the expression which will be used for obtaining the base URI for the following client end-points: `{endpoint}/callback` (called by the authorization server once authorization has completed) and `{endpoint}/login?provider={name}[&goto={url}]` (user end-point for performing user initiated authentication, such as from a "login" link or "NASCAR" login page).
`OAuth2ClientFilter` | `setDefaultLoginGoto(Expression endpoint)`: Sets the expression which will be used for obtaining the default login "goto" URI.
`OAuth2ClientFilter` | `setDefaultLogoutGoto(Expression endpoint)`: Sets the expression which will be used for obtaining the default logout "goto" URI.
`OAuth2ClientFilter` | `setFailureHandler(Handler handler)`: Sets the handler which will be invoked when authentication fails.
`OAuth2ClientFilter` | `setLoginHandler(Handler handler)`: Sets the handler which will be invoked when the user needs to authenticate.
`OAuth2ClientFilter` | `setProviderHandler(Handler handler)`: Sets the handler which will be used for communicating with the authorization server.
`OAuth2ClientFilter` | `setRequireHttps(boolean requireHttps)`: Specifies whether all incoming requests must use TLS.
`OAuth2ClientFilter` | `setRequireLogin(boolean requireLogin)`: Specifies whether authentication is required for all incoming requests.
`OAuth2ClientFilter` | `setScopes(List<Expression> scopes)`: Sets the expressions which will be used for obtaining the OAuth 2 scopes.
`OAuth2ClientFilter` | `setTarget(Expression target)`: Sets the expression which will be used for storing authorization information in the exchange.
`void` | `setUserInfoCache(ThreadSafeCache<String,Map<String,Object>> userInfoCache)`: Set the cache of user info resources.
`public static final String DEFAULT_TOKEN_KEY`

The expression which will be used for storing authorization information in the exchange.

`public OAuth2ClientFilter()`

`public OAuth2ClientFilter addProvider(OAuth2Provider provider)`

Adds an authorization provider.

Parameters: `provider` - The authorization provider.

`public void filter(Exchange exchange, Handler next) throws HandlerException, IOException`

Description copied from interface: `Filter`

Filters the request and/or response of an exchange. `exchange.request` contains the request to be filtered. To pass the request to the next filter or handler in the chain, the filter calls `next.handle(exchange)`. After this call, `exchange.response` contains the response that can be filtered.

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to `next.handle(exchange)` and creating its own response object in the exchange. The filter is also at liberty to replace a response with another of its own after the call to `next.handle(exchange)`.

Important note: If an existing response exists in the exchange object and the filter intends to replace it with its own, it must first check to see if the existing response has an entity, and if it does, must call its `close` method in order to signal that the processing of the response from a remote server is complete.

Parameters: `exchange` - the exchange containing the request and response to filter. `next` - the next filter or handler in the chain to handle the exchange.

Throws: `HandlerException` - if an exception occurred handling the exchange. `IOException` - if an I/O exception occurred.

`public OAuth2ClientFilter setClientEndpoint(Expression endpoint)`

Parameters: `endpoint` - The expression which will be used for obtaining the base URI for the client end-points.

`public OAuth2ClientFilter setDefaultLoginGoto(Expression endpoint)`

Parameters: `endpoint` - The expression which will be used for obtaining the default login "goto" URI.

`public OAuth2ClientFilter setDefaultLogoutGoto(Expression endpoint)`

Parameters: `endpoint` - The expression which will be used for obtaining the default logout "goto" URI.

`public OAuth2ClientFilter setFailureHandler(Handler handler)`

Sets the handler which will be invoked when authentication fails. The `exchange` target will be populated with the following OAuth 2.0 error information:

```
<target> : {
    "provider"          : "google",
    "error"             : {
        "realm"             : string,          [OPTIONAL]
        "scope"             : array of string, [OPTIONAL list of required scopes]
        "error"             : string,          [OPTIONAL]
        "error_description" : string,          [OPTIONAL]
        "error_uri"         : string           [OPTIONAL]
    },
    // The following fields may or may not be present depending on
    // how far authorization proceeded.
    "access_token"      : "xxx",
    "id_token"          : "xxx",
    "token_type"        : "Bearer",
    "expires_in"        : 3599,
    "scope"             : [ "openid", "profile", "email" ],
    "client_endpoint"   : "http://www.example.com:8081/openid"
}
```

See `OAuth2Error` for a detailed description of the various error fields and their possible values.

Parameters: `handler` - The handler which will be invoked when authentication fails.

`public OAuth2ClientFilter setLoginHandler(Handler handler)`

Parameters: `handler` - The handler which will be invoked when the user needs to authenticate.

`public OAuth2ClientFilter setProviderHandler(Handler handler)`

Parameters: `handler` - The handler which will be used for communicating with the authorization server.

`public OAuth2ClientFilter setRequireHttps(boolean requireHttps)`

Specifies whether all incoming requests must use TLS. `true` by default.

Parameters: `requireHttps` - `true` if all incoming requests must use TLS, `false` by default.

`public OAuth2ClientFilter setRequireLogin(boolean requireLogin)`

Specifies whether authentication is required for all incoming requests. `true` by default.

Parameters: `requireLogin` - `true` if authentication is required for all incoming requests, or `false` if authentication should be performed only when required (default `true`).

`public OAuth2ClientFilter setScopes(List<Expression> scopes)`

Parameters: `scopes` - The expressions which will be used for obtaining the OAuth 2 scopes.

`public OAuth2ClientFilter setTarget(Expression target)`

Parameters: `target` - The expression which will be used for storing authorization information in the exchange.

`public void setUserInfoCache(ThreadSafeCache<String,Map<String,Object>> userInfoCache)`

Parameters: `userInfoCache` - the cache of user info resources.

Copyright © 2014 ForgeRock AS. All rights reserved.