Class IdTokenValidationFilter

  • All Implemented Interfaces:
    Filter

    public class IdTokenValidationFilter
    extends Object
    implements Filter
    An IdTokenValidationFilter validates the given idToken according to the provided configuration. If the Jwt is verified, the chain of execution continues, with an IdTokenContext provided. If the Jwt is not valid, this filter directly exits the chain by returning either a 403 Forbidden response (by default) or the response built by the given failure handler. In case of errors, an IdTokenValidationErrorContext is provided.

    Configuration options:

      {
          "idToken"                : expression              [REQUIRED]
          "audience"               : expression              [REQUIRED - to validate the 'aud' attribute.]
          "failureHandler"         : handler                 [OPTIONAL - the failure handler - default is FORBIDDEN.]
          "issuer"                 : expression              [OPTIONAL - to validate the 'iss' attribute.]
          "skewAllowance"          : duration                [OPTIONAL - the skew allowance - defaults to zero.]
          "verificationSecretId"   : Secret ID               [OPTIONAL - to verify the signature of the IdToken.]
          "secretsProvider"        : SecretsProvider         [OPTIONAL - secrets provider used to obtain secrets. REQUIRED
                                                                         if 'verificationSecretId' is used.]
      }

    Example of use for a SignedJwt (note that every entry in "config" must be comma-separated for the JSON to parse):

      {
         "type": "IdTokenValidationFilter",
         "config": {
              "idToken": "${attributes.openid.id_token}",
              "audience": "ForgeShop",
              "issuer": "http://openam.example.com:8090/openam/oauth2",
              "verificationSecretId": "signature.verification.secret.id",
              "secretsProvider": "SecretsProvider"
          }
      }

    Note that the issued-at claim ('iat') must also be present and must be earlier than the current date.
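    The claim checks described above, as an added Python illustration that is not OpenIG code: it assumes the signature has already been verified and works on the decoded payload; ISSUER, NOW, SAMPLE_CLAIMS and the accept/forbid outcome are constructed for the example.

```python
# Added example, not OpenIG code: the claim checks that IdTokenValidationFilter
# applies (aud, iss, expiry, iat) modelled on a decoded JWT payload. Signature
# verification (verificationSecretId) is assumed to have already succeeded.
from datetime import datetime, timedelta, timezone

FORBIDDEN = 403
ISSUER = "http://openam.example.com:8090/openam/oauth2"   # from the page's example
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed fixed clock
SKEW_30S = timedelta(seconds=30)

# Constructed sample payload: issued 5 minutes ago, expires in 10 minutes.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "ForgeShop",
    "iat": int((NOW - timedelta(minutes=5)).timestamp()),
    "exp": int((NOW + timedelta(minutes=10)).timestamp()),
}


def validate_id_token_claims(claims, audience, issuer=None,
                             skew_allowance=timedelta(0), now=None):
    """Return (ok, reason); reason names the first failing check."""
    now = now or datetime.now(timezone.utc)
    ts = lambda secs: datetime.fromtimestamp(secs, timezone.utc)

    # 'aud' may be a single string or a list of strings (RFC 7519 section 4.1.3)
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"
    if issuer is not None and claims.get("iss") != issuer:
        return False, "iss mismatch"
    # 'exp' assumed required (OIDC Core requires it in ID Tokens); skew extends it
    exp = claims.get("exp")
    if exp is None or ts(exp) + skew_allowance <= now:
        return False, "token expired or exp missing"
    # 'iat' must be present and not later than the clock; skew tolerates drift
    iat = claims.get("iat")
    if iat is None or ts(iat) - skew_allowance > now:
        return False, "iat missing or in the future"
    return True, None


def filter_outcome(claims, audience, **kwargs):
    """Mirror the filter: continue the chain on success, else 403 Forbidden."""
    ok, reason = validate_id_token_claims(claims, audience, **kwargs)
    return ("next", None) if ok else (FORBIDDEN, reason)
```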
    See Also:
    OpenID Connect
    • Constructor Detail

      • IdTokenValidationFilter

        public IdTokenValidationFilter(Expression<String> idToken,
                                       Clock clock,
                                       String audience,
                                       String issuer,
                                       TemporalAmount skewAllowance,
                                       org.forgerock.openig.tools.jwt.JwsSignatureVerifier verifier,
                                       Handler failureHandler)
        Constructs an IdTokenValidationFilter. If a SigningHandler is provided, this filter first verifies the signature of the IdToken, then it verifies the claims.
        Parameters:
        idToken - The idToken as an Expression of a Jwt or a SignedJwt, not null.
        clock - Clock to use when verifying JWT claims expiration.
        audience - The 'aud' claim to check on the Jwt, not null.
        issuer - The 'iss' claim to check on the Jwt. Can be null.
        skewAllowance - The skew allowance used to verify the Jwt, as a TemporalAmount.
        verifier - JwsSignatureVerifier responsible for verifying the Jwt signature.
        failureHandler - The Handler to dispatch to if the Jwt validation fails.
    • Method Detail

      • filter

        public Promise<Response,NeverThrowsException> filter(Context context,
                                                             Request request,
                                                             Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.