Class OAuth2ResourceServerFilterHeaplet
java.lang.Object
  org.forgerock.openig.heap.GenericHeaplet
    org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilterHeaplet
All Implemented Interfaces: Heaplet
public class OAuth2ResourceServerFilterHeaplet extends GenericHeaplet
Validates a Request that contains an OAuth 2.0 access token.
This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:
    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9
It extracts the token and validates it against the tokenInfoEndpoint URL provided in the configuration.
scopes, tokenInfoEndpoint and providerHandler are the only three mandatory configuration attributes.
    {
        "name": "ProtectedResourceFilter",
        "type": "OAuth2ResourceServerFilter",
        "config": {
            "scopes": [ "email", "profile" ],
            "tokenInfoEndpoint": "https://openam.example.com:8443/openam/oauth2/tokeninfo",
            "cacheExpiration": "2 minutes",
            "requireHttps": false,
            "providerHandler": "ClientHandler",
            "realm": "Informative realm name"
        }
    }
If cacheExpiration is not set, the default is to keep the AccessTokenInfo objects for 1 minute. cacheExpiration is expressed using natural language (use zero or none to deactivate caching; any zero-valued duration also deactivates it):
    "cacheExpiration": "2 minutes"
    "cacheExpiration": "3 days and 6 hours"
    "cacheExpiration": "5m" // 5 minutes
    "cacheExpiration": "10 min, 30 sec"
    "cacheExpiration": "zero" // no cache
    "cacheExpiration": "0 s" // no cache
providerHandler is a name reference to another handler available in the heap. It is used to perform access token validation against the tokenInfoEndpoint URL. It is usually a reference to some ClientHandler.
The optional requireHttps attribute controls whether this filter only accepts requests targeting the HTTPS scheme. By default, it is enabled (only URIs starting with https://... are accepted; an Exception is thrown otherwise). Note that the example configuration above sets it to false, which disables this check.
The optional realm attribute specifies the name of the realm used in the authentication challenges returned to the client in case of errors.
See Also: Duration
Field Summary
  static String DEFAULT_REALM_NAME
    Name of the realm when none is specified in the heaplet.
Constructor Summary
  OAuth2ResourceServerFilterHeaplet()
Method Summary
  Object create()
    Called to request the heaplet create an object.
  void destroy()
    Called to indicate that the object created by the heaplet is going to be dereferenced.
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
  create, endpointRegistry, evaluatedWithHeapProperties, expression, start
Field Detail
DEFAULT_REALM_NAME
public static final String DEFAULT_REALM_NAME
Name of the realm when none is specified in the heaplet.
See Also: Constant Field Values
Method Detail
create
public Object create() throws HeapException
Description copied from class: GenericHeaplet
Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
Specified by: create in class GenericHeaplet
Returns: The created object.
Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.
destroy
public void destroy()
Description copied from interface: Heaplet
Called to indicate that the object created by the heaplet is going to be dereferenced. This gives the heaplet an opportunity to free any resources that are being held prior to its dereference.
Specified by: destroy in interface Heaplet
Overrides: destroy in class GenericHeaplet