public class OAuth2ResourceServerFilter extends GenericHeapObject implements Filter
Validates a Request that contains an OAuth 2.0 access token. This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:

    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9

It extracts the token and validates it against the tokenInfoEndpoint URL provided in the configuration.
    {
      "name": "ProtectedResourceFilter",
      "type": "OAuth2ResourceServerFilter",
      "config": {
        "scopes": [ "email", "profile" ],
        "tokenInfoEndpoint": "https://openam.example.com:8443/openam/oauth2/tokeninfo",
        "cacheExpiration": "2 minutes",
        "requireHttps": false,
        "providerHandler": "ClientHandler",
        "realm": "Informative realm name",
        "target": "${attributes.oauth2AccessToken}"
      }
    }
scopes, tokenInfoEndpoint and providerHandler are the only three mandatory configuration attributes.

If cacheExpiration is not set, the default is to keep resolved AccessTokens cached for 1 minute. A cached token is trusted for the whole period without consulting the tokenInfoEndpoint again, so a token revoked at the authorization server may still be accepted here until its cache entry expires; size the duration accordingly.

cacheExpiration is expressed in natural language. Use zero or none to deactivate caching; any duration whose value is 0 also deactivates it:

    "cacheExpiration": "2 minutes"
    "cacheExpiration": "3 days and 6 hours"
    "cacheExpiration": "5m"               // 5 minutes
    "cacheExpiration": "10 min, 30 sec"
    "cacheExpiration": "zero"             // no cache
    "cacheExpiration": "0 s"              // no cache
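The following parser is an added example written for this page, not OpenIG's own Duration class: it turns the natural-language cacheExpiration values listed above into a java.time.Duration, treating "zero", "none" and any 0-valued duration as "no cache". The class name CacheExpiration and the set of accepted unit spellings are assumptions chosen to cover the page's examples.

```java
import java.time.Duration;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (not OpenIG code): parses cacheExpiration strings such as
 * "2 minutes", "3 days and 6 hours", "5m", "10 min, 30 sec", "zero" and "0 s".
 * A Duration.ZERO result means caching is disabled. The unit table is an assumption.
 */
public final class CacheExpiration {

    private static final Map<String, Long> UNIT_MILLIS = Map.ofEntries(
        Map.entry("ms", 1L), Map.entry("millis", 1L), Map.entry("milliseconds", 1L),
        Map.entry("s", 1000L), Map.entry("sec", 1000L), Map.entry("second", 1000L), Map.entry("seconds", 1000L),
        Map.entry("m", 60_000L), Map.entry("min", 60_000L), Map.entry("minute", 60_000L), Map.entry("minutes", 60_000L),
        Map.entry("h", 3_600_000L), Map.entry("hour", 3_600_000L), Map.entry("hours", 3_600_000L),
        Map.entry("d", 86_400_000L), Map.entry("day", 86_400_000L), Map.entry("days", 86_400_000L));

    // One "<number> <unit>" term such as "10 min" or "5m"; terms are separated by "," or "and".
    private static final Pattern TERM = Pattern.compile("^(\\d+)\\s*([a-z]+)$");

    public static Duration parse(String text) {
        String s = text.trim().toLowerCase(Locale.ROOT);
        if (s.equals("zero") || s.equals("none")) {
            return Duration.ZERO;                              // explicit "no cache"
        }
        long totalMillis = 0;
        for (String term : s.split("\\s*(,|\\band\\b)\\s*")) {
            Matcher m = TERM.matcher(term.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("Unparseable duration term '" + term + "' in '" + text + "'");
            }
            Long unit = UNIT_MILLIS.get(m.group(2));
            if (unit == null) {
                throw new IllegalArgumentException("Unknown time unit '" + m.group(2) + "' in '" + text + "'");
            }
            totalMillis = Math.addExact(totalMillis, Math.multiplyExact(Long.parseLong(m.group(1)), unit));
        }
        return Duration.ofMillis(totalMillis);                 // "0 s" yields ZERO, i.e. no cache
    }

    /** True when the configured value disables caching (zero, none, or any 0-valued duration). */
    public static boolean cachingDisabled(String text) {
        return parse(text).isZero();
    }

    public static void main(String[] args) {
        for (String sample : new String[] {"2 minutes", "3 days and 6 hours", "5m", "10 min, 30 sec", "zero", "0 s"}) {
            System.out.printf("%-20s -> %s (cache %s)%n", sample, parse(sample),
                    cachingDisabled(sample) ? "disabled" : "enabled");
        }
    }
}
```

Malformed values throw rather than silently falling back to the 1 minute default, so a typo in cacheExpiration fails at configuration time instead of quietly changing how long revoked tokens stay trusted.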
providerHandler is a name reference to another handler available in the heap. It is used to perform access token validation against the tokenInfoEndpoint URL. It is usually a reference to a ClientHandler.

The optional requireHttps attribute controls whether this filter only accepts requests targeting the HTTPS scheme. By default it is enabled: only URIs starting with https://... are accepted, and an exception is thrown otherwise. Keep it enabled outside of local testing (note that the sample configuration above disables it): a bearer token is a bearer credential, and accepting it over plain HTTP exposes it to anyone who can observe the request.

The optional realm attribute specifies the name of the realm used in the authentication challenges returned to the client in case of errors.

The optional target attribute specifies the expression used to store the OAuth 2.0 access token information in the context. Defaults to ${attributes.oauth2AccessToken}.
See Also: Duration
Nested Class Summary

Modifier and Type | Class and Description
---|---
static class | OAuth2ResourceServerFilter.Heaplet: Creates and initializes an OAuth2 filter in a heap environment.
Field Summary

Modifier and Type | Field and Description
---|---
static String | DEFAULT_ACCESS_TOKEN_KEY: The key under which downstream handlers will find the access token in the Context's attributes.
static String | DEFAULT_REALM_NAME: Name of the realm when none is specified in the heaplet.

Fields inherited from class GenericHeapObject: logger, storage
Constructor Summary

Constructor and Description
---
OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, TimeService time, Expression<?> target): Creates a new OAuth2Filter.
OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, TimeService time, Set<Expression<String>> scopes, String realm, Expression<?> target): Creates a new OAuth2Filter.
Method Summary

Modifier and Type | Method and Description
---|---
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): Filters the request and/or response of an exchange.

Methods inherited from class GenericHeapObject: getLogger, getStorage, setLogger, setStorage
Field Detail

public static final String DEFAULT_ACCESS_TOKEN_KEY

The key under which downstream handlers will find the access token in the Context's attributes.

public static final String DEFAULT_REALM_NAME

Name of the realm when none is specified in the heaplet.
Constructor Detail

public OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, TimeService time, Expression<?> target)

Creates a new OAuth2Filter.

Parameters:
resolver - An AccessTokenResolver instance.
extractor - A BearerTokenExtractor instance.
time - A TimeService instance used to check whether the token has expired.
target - The target optional attribute specifies the expression used to store the OAuth 2.0 access token information in the context. Should not be null.

public OAuth2ResourceServerFilter(AccessTokenResolver resolver, BearerTokenExtractor extractor, TimeService time, Set<Expression<String>> scopes, String realm, Expression<?> target)

Creates a new OAuth2Filter.

Parameters:
resolver - An AccessTokenResolver instance.
extractor - A BearerTokenExtractor instance.
time - A TimeService instance used to check whether the token has expired.
scopes - A set of scope expressions to be checked in the resolved access tokens.
realm - Name of the realm (used in the authentication challenge returned in case of error).
target - The target optional attribute specifies the expression used to store the OAuth 2.0 access token information in the context. Should not be null.

Method Detail

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

Specified by:
filter in interface Filter
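The class below is an added example written for this page to show, end to end, the decision the filter documented above makes: bearer extraction from the Authorization header, validation against a tokeninfo source, expiry and scope checks, the realm challenge on failure, and the effect of cacheExpiration on a token revoked at the authorization server. It is plain Java and not OpenIG's OAuth2ResourceServerFilter; the class names BearerTokenGate, TokenInfo, Decision and TimeSource are assumptions, the tokenInfoEndpoint and providerHandler are stood in for by a constructed in-memory map, and the token values in main are constructed test data (the first reuses the token string from the page's own header example).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.function.Function;

/** Added illustration of the documented behaviour; not OpenIG code. */
public final class BearerTokenGate {

    /** What a tokeninfo lookup yields: granted scopes plus an absolute expiry. */
    public record TokenInfo(Set<String> scopes, Instant expiresAt) {}

    /** Outcome of a check: HTTP status, WWW-Authenticate challenge (null on success), resolved token. */
    public record Decision(int status, String challenge, TokenInfo token) {}

    /** Stands in for OpenIG's TimeService so the cache can be exercised with a controlled clock. */
    public interface TimeSource { Instant now(); }

    private final Function<String, Optional<TokenInfo>> tokenInfoEndpoint; // stands in for providerHandler + tokenInfoEndpoint
    private final Set<String> requiredScopes;                              // the "scopes" attribute
    private final String realm;                                            // the "realm" attribute
    private final Duration cacheExpiration;                                // the "cacheExpiration" attribute
    private final TimeSource clock;
    private final Map<String, Map.Entry<TokenInfo, Instant>> cache = new HashMap<>(); // token -> (info, cachedUntil)

    public BearerTokenGate(Function<String, Optional<TokenInfo>> tokenInfoEndpoint, Set<String> requiredScopes,
                           String realm, Duration cacheExpiration, TimeSource clock) {
        this.tokenInfoEndpoint = tokenInfoEndpoint;
        this.requiredScopes = Set.copyOf(requiredScopes);
        this.realm = realm;
        this.cacheExpiration = cacheExpiration;
        this.clock = clock;
    }

    /** RFC 6750 style extraction: Bearer scheme only (case-insensitive), exactly one token. */
    static Optional<String> extractBearer(String authorization) {
        if (authorization == null) return Optional.empty();
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer") || parts[1].isEmpty()) return Optional.empty();
        return Optional.of(parts[1]);
    }

    public Decision check(String scheme, String authorizationHeader) {
        if (!"https".equalsIgnoreCase(scheme)) {                        // requireHttps (enabled by default)
            throw new IllegalStateException("Request must target https, got " + scheme);
        }
        Optional<String> token = extractBearer(authorizationHeader);
        if (token.isEmpty()) {                                          // no usable bearer token: bare challenge
            return new Decision(401, "Bearer realm=\"" + realm + "\"", null);
        }
        Optional<TokenInfo> info = resolve(token.get());
        if (info.isEmpty() || !info.get().expiresAt().isAfter(clock.now())) {
            return new Decision(401, "Bearer realm=\"" + realm + "\", error=\"invalid_token\"", null);
        }
        if (!info.get().scopes().containsAll(requiredScopes)) {
            return new Decision(403, "Bearer realm=\"" + realm + "\", error=\"insufficient_scope\", scope=\""
                    + String.join(" ", requiredScopes) + "\"", null);
        }
        return new Decision(200, null, info.get());                     // caller stores info under the "target" expression
    }

    /** Cache first; a zero cacheExpiration means every request consults the endpoint. */
    private Optional<TokenInfo> resolve(String token) {
        Instant now = clock.now();
        Map.Entry<TokenInfo, Instant> hit = cache.get(token);
        if (hit != null && hit.getValue().isAfter(now)) return Optional.of(hit.getKey());
        Optional<TokenInfo> fresh = tokenInfoEndpoint.apply(token);
        if (fresh.isPresent() && !cacheExpiration.isZero()) {
            cache.put(token, Map.entry(fresh.get(), now.plus(cacheExpiration)));
        }
        return fresh;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2015-06-01T12:00:00Z");
        Instant[] now = { t0 };
        // Constructed tokeninfo data: one token with both required scopes, one lacking "profile".
        Map<String, TokenInfo> tokens = new HashMap<>();
        tokens.put("1fc0e143-f248-4e50-9c13-1d710360cec9", new TokenInfo(Set.of("email", "profile"), t0.plusSeconds(3600)));
        tokens.put("narrow-token", new TokenInfo(Set.of("email"), t0.plusSeconds(3600)));
        BearerTokenGate gate = new BearerTokenGate(tok -> Optional.ofNullable(tokens.get(tok)),
                Set.of("email", "profile"), "Informative realm name", Duration.ofMinutes(2), () -> now[0]);

        System.out.println(gate.check("https", "Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9").status()); // 200
        System.out.println(gate.check("https", "Bearer narrow-token").status());                           // 403
        System.out.println(gate.check("https", "Basic dXNlcjpwYXNz").challenge());                         // realm-only 401 challenge
        tokens.remove("1fc0e143-f248-4e50-9c13-1d710360cec9");   // token revoked at the authorization server
        System.out.println(gate.check("https", "Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9").status()); // still 200: served from cache
        now[0] = t0.plus(Duration.ofMinutes(3));                    // cache entry has expired
        System.out.println(gate.check("https", "Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9").status()); // 401
    }
}
```

The last three calls in main are the point of the example: with a 2 minute cacheExpiration, a token revoked at the authorization server keeps passing for up to two minutes because the cached tokeninfo result is not re-checked, while the separate expiresAt comparison still rejects a token that has expired on its own schedule even when its cache entry is fresh.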
Copyright 2011-2015 ForgeRock AS.