public class TokenTransformationFilter extends GenericHeapObject implements Filter

TokenTransformationFilter is responsible for transforming a token issued by OpenAM into a token of another type.
Currently only the OpenID Connect id_token to SAML 2.0 Token (Assertions) transformation is supported, in BEARER mode.
{
    "type": "TokenTransformationFilter",
    "config": {
        "openamUri": "https://openam.example.com/openam/",
        "realm": "/my-realm",
        "username": "${attributes.username}",
        "password": "${attributes.password}",
        "idToken": "${attributes.id_token}",
        "target": "${attributes.saml_assertions}",
        "instance": "oidc-to-saml",
        "amHandler": "#Handler"
    }
}
The openamUri attribute is the OpenAM base URI against which authentication and STS requests are issued.
The realm attribute is the OpenAM realm that contains both the subject (described through the username and password attributes) and the STS instance (described with instance).
The idToken attribute is an Expression specifying where to get the JWT id_token. Note that the referenced value has to be a String (the JWT encoded value).
The target attribute is an Expression specifying where to place the result of the transformation. Note that the target location will contain a String.
The instance attribute is the name of an STS instance: a pre-configured transformation available under a specific REST endpoint.
The amHandler attribute is a reference to a Handler heap object. That handler is used for all REST calls to OpenAM (as opposed to the next Handler of the filter method, which is dedicated to continuing the execution flow through the chain).
If errors occur during the token transformation, the error response is returned as-is to the caller, and informative messages are logged for the administrator.
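The flow described above (read the id_token String, call the STS instance through the amHandler, write the issued token into target, pass any error response through unchanged), as an added Python model that is not part of OpenIG. The `send` callable stands in for the amHandler, and the translate request body shape is an assumption about the OpenAM REST STS API, not something this page states.

```python
import base64
import logging
from typing import Callable, Tuple

log = logging.getLogger("TokenTransformationFilter")

def looks_like_compact_jwt(value) -> bool:
    """The idToken expression must resolve to a String holding a compact JWT
    (header.claims.signature, base64url segments); anything else is rejected."""
    if not isinstance(value, str):
        return False
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        for part in parts[:2]:  # header and claims must at least be decodable
            base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    except ValueError:
        return False
    return True

def transform(attributes: dict, endpoint: str, send: Callable[[str, dict], Tuple[int, dict]],
              id_token_key: str = "id_token", target_key: str = "saml_assertions") -> Tuple[int, dict]:
    """Mirror the filter's flow: read id_token, send a translate request to the STS endpoint
    through the injected `send` (the amHandler role), store the issued token in target.
    `send` returns (HTTP status, decoded JSON body); the request body shape is assumed from
    the OpenAM REST STS API and is not taken from this page."""
    token = attributes.get(id_token_key)
    if not looks_like_compact_jwt(token):
        log.error("idToken expression did not resolve to a JWT String")
        return 400, {"code": 400, "message": "id_token must be a JWT-encoded String"}
    body = {
        "input_token_state": {"token_type": "OPENIDCONNECT", "oidc_id_token": token},
        "output_token_state": {"token_type": "SAML2", "subject_confirmation": "BEARER"},
    }
    status, result = send(endpoint, body)
    if status != 200:
        # Error response goes back to the caller as-is; details are logged for the admin.
        log.error("STS translation at %s failed with HTTP %d: %s", endpoint, status, result)
        return status, result
    attributes[target_key] = result["issued_token"]
    return status, result

if __name__ == "__main__":
    # Constructed sample: header {"alg":"RS256"}, claims {"sub":"alice"}, dummy signature,
    # against a fake STS that always issues the same assertion (assumed endpoint path).
    attrs = {"id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"}
    fake_sts = lambda url, req: (200, {"issued_token": "<saml:Assertion/>"})
    print(transform(attrs, "https://openam.example.com/openam/rest-sts/oidc-to-saml?_action=translate", fake_sts))
```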
Nested Classes

Modifier and Type | Class and Description
---|---
static class | TokenTransformationFilter.Heaplet: creates and initializes a token transformation filter in a heap environment.

Fields inherited from class GenericHeapObject: logger, storage

Constructors

Constructor and Description
---
TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken, Expression<String> target): constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into target).

Methods

Modifier and Type | Method and Description
---|---
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): filters the request and/or response of an exchange.

Methods inherited from class GenericHeapObject: getLogger, getStorage, setLogger, setStorage
Constructor Detail

public TokenTransformationFilter(Handler handler, URI endpoint, Expression<String> idToken, Expression<String> target)
Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into target).
Parameters:
handler - pipeline used to send the STS transformation request
endpoint - fully qualified URI of the STS instance (including the _action=translate query string)
idToken - Expression for reading the OpenID Connect id_token (expects a String)
target - Expression for writing the SAML 2.0 token (expects a String)

Method Detail

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).
This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
Specified by: filter in interface Filter
Copyright 2011-2015 ForgeRock AS.