Class IdTokenValidationFilter
- java.lang.Object
  - org.forgerock.openig.filter.oauth2.client.IdTokenValidationFilter
- All Implemented Interfaces: Filter
public class IdTokenValidationFilter extends Object implements Filter
An IdTokenValidationFilter validates the given idToken according to the provided configuration. If the Jwt is verified, the chain of execution continues, with an IdTokenContext provided. If the Jwt is not valid, this filter directly exits the chain by returning either a 403 Forbidden response (by default) or the response built by the given failure handler. In case of errors, an IdTokenValidationErrorContext is provided.

Configuration options:

    {
      "idToken"              : expression       [REQUIRED]
      "audience"             : expression       [REQUIRED - to validate the 'aud' attribute.]
      "failureHandler"       : handler          [OPTIONAL - the failure handler - default is FORBIDDEN.]
      "issuer"               : expression       [OPTIONAL - to validate the 'iss' attribute.]
      "skewAllowance"        : duration         [OPTIONAL - the skew allowance - defaults to zero.]
      "verificationSecretId" : Secret ID        [OPTIONAL - to verify the signature of the IdToken.]
      "secretsProvider"      : SecretsProvider  [OPTIONAL - secrets provider used to obtain secrets.
                                                 REQUIRED if 'verificationSecretId' is used.]
    }
Example configuration validating a SignedJwt:

    {
      "type": "IdTokenValidationFilter",
      "config": {
        "idToken": "${attributes.openid.id_token}",
        "audience": "ForgeShop",
        "issuer": "http://openam.example.com:8090/openam/oauth2",
        "verificationSecretId": "signature.verification.secret.id",
        "secretsProvider": "SecretsProvider"
      }
    }
- See Also: OpenID Connect
Nested Class Summary
- static class IdTokenValidationFilter.Heaplet
  Creates and initializes an IdTokenValidationFilter in a heap environment.
Constructor Summary
- IdTokenValidationFilter(Expression<String> idToken, Clock clock, String audience, String issuer, TemporalAmount skewAllowance, org.forgerock.openig.tools.jwt.JwsSignatureVerifier verifier, Handler failureHandler)
  Constructs an IdTokenValidationFilter.
Method Summary
- Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
  Filters the request and/or response of an exchange.
Constructor Detail

IdTokenValidationFilter

public IdTokenValidationFilter(Expression<String> idToken, Clock clock, String audience, String issuer, TemporalAmount skewAllowance, org.forgerock.openig.tools.jwt.JwsSignatureVerifier verifier, Handler failureHandler)

Constructs an IdTokenValidationFilter. This filter verifies, if a SigningHandler is provided, the signature of the IdToken, then it verifies the claims.

- Parameters:
  - idToken - The idToken as an Expression of a Jwt or a SignedJwt, not null.
  - clock - Clock to use when verifying JWT claims expiration.
  - audience - The 'aud' claim to check on the Jwt, not null.
  - issuer - The 'iss' claim to check on the Jwt. Can be null.
  - skewAllowance - The skew allowance used to verify the Jwt, as a TemporalAmount.
  - verifier - JwsSignatureVerifier responsible for verifying the Jwt signature.
  - failureHandler - The Handler to dispatch to if the Jwt validation fails.
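The claim checks described above (the 'aud' claim, the optional 'iss' claim, and expiration judged by a clock with a skew allowance), as an added Python model for illustration; it is not OpenIG's own code, and applying the skew allowance to 'nbf'/'iat' as well as 'exp' is an assumption of this model. The sample claims are constructed, not taken from a real token.

```python
# Added model (not OpenIG's own code) of the claim checks an IdTokenValidationFilter
# performs after the optional signature verification. Claim names follow OpenID Connect;
# applying the skew to 'nbf'/'iat' as well as 'exp' is an assumption of this model.
from datetime import datetime, timedelta, timezone


def validate_id_token_claims(claims, audience, issuer=None,
                             skew_allowance=timedelta(0), now=None):
    """Return (ok, reason). ok is True only when every configured check passes."""
    now = now or datetime.now(timezone.utc)

    # 'aud' may be a single string or a list of strings; the configured audience
    # must be among them.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        return False, "audience mismatch"

    # 'iss' is only checked when the filter is configured with an issuer.
    if issuer is not None and claims.get("iss") != issuer:
        return False, "issuer mismatch"

    # 'exp' is required: the token must still be valid, allowing for clock skew.
    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp"
    if datetime.fromtimestamp(exp, timezone.utc) + skew_allowance <= now:
        return False, "token expired"

    # 'nbf' and 'iat', if present, must not lie in the future beyond the skew.
    for name in ("nbf", "iat"):
        ts = claims.get(name)
        if ts is not None and datetime.fromtimestamp(ts, timezone.utc) - skew_allowance > now:
            return False, f"{name} in the future"

    return True, "ok"


# Constructed sample input: a token that expired 30 s before the fixed clock time.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SKEW = timedelta(seconds=60)
SAMPLE_CLAIMS = {
    "iss": "http://openam.example.com:8090/openam/oauth2",
    "aud": ["ForgeShop", "other-client"],
    "exp": int(SAMPLE_NOW.timestamp()) - 30,
    "iat": int(SAMPLE_NOW.timestamp()) - 600,
}
```

With the default zero skew allowance the sample token is rejected as expired; with a 60 s allowance it passes, which is the difference the "skewAllowance" option makes.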
Method Detail

filter

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.