Mock Access Token Validator

Mock Access Token Validators accept access tokens without validating the token's authenticity using a trusted authorization server or signing certificate. Mock Access Token Validators are intended for test use only and should never be enabled in production deployments or used to access sensitive data.

Bearer tokens accepted by the Mock Access Token Validator are plain text JSON objects. For example:
{"active":true,"sub":"user1","scope":"profile","client_id":"client1"}

In general, arbitrary access token claims may be used, but access token validity is solely determined by the boolean 'active' claim. The token owner is determined by the claim named by the subject-claim-name property, which defaults to 'sub'.

Parent Component Properties dsconfig Usage

Parent Component

The Mock Access Token Validator component inherits from the Access Token Validator

Properties

The properties supported by this managed object are as follows:


General Configuration Basic Properties: Advanced Properties:
 identity-mapper  subject-claim-name
 description  client-id-claim-name
 enabled  scope-claim-name
 evaluation-order-index

Basic Properties

identity-mapper

Property Group
General Configuration
Description
Specifies the name of the Identity Mapper that should be used for associating user entries with Bearer token subject names. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property.
Default Value
Requests must specify a fully qualified DN. No attempt will be made to map a user name to a DN.
Allowed Values
The DN of any Identity Mapper.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

description

Property Group
General Configuration
Description
A description for this Access Token Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Property Group
General Configuration
Description
Indicates whether this Access Token Validator is enabled for use in Directory Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

evaluation-order-index

Property Group
General Configuration
Description
When multiple Mock Access Token Validators are defined for a single Directory Server, this property determines the evaluation order for determining the correct validator class for an access token received by the Directory Server. Values of this property must be unique among all Mock Access Token Validators defined within Directory Server but not necessarily contiguous. Mock Access Token Validators with a smaller value will be evaluated first to determine if they are able to validate the access token.
Default Value
9999
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


Advanced Properties

subject-claim-name (Advanced Property)

Property Group
General Configuration
Description
The name of the token claim that contains the subject, i.e. the logged-in user in an access token. This property goes hand-in-hand with the identity-mapper property and tells the Identity Mapper which field to use to look up the user entry on the server.
Default Value
sub
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

client-id-claim-name (Advanced Property)

Property Group
General Configuration
Description
The name of the token claim that contains the OAuth2 client ID.
Default Value
client_id
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

scope-claim-name (Advanced Property)

Property Group
General Configuration
Description
The name of the token claim that contains the scopes granted by the token.
Default Value
scope
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Access Token Validators:

dsconfig list-access-token-validators
     [--property {propertyName}] ...

To view the configuration for an existing Access Token Validator:

dsconfig get-access-token-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Access Token Validator:

dsconfig set-access-token-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Mock Access Token Validator:

dsconfig create-access-token-validator
     --validator-name {name}
     --type mock
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Access Token Validator:

dsconfig delete-access-token-validator
     --validator-name {name}