Class OAuthTokenHandler
- java.lang.Object
-
- com.unboundid.directory.sdk.http.api.OAuthTokenHandler
-
- All Implemented Interfaces:
Configurable
,ExampleUsageProvider
,Reconfigurable<OAuthTokenHandlerConfig>
,UnboundIDExtension
@Extensible @DirectoryServerExtension @DirectoryProxyServerExtension(appliesToLocalContent=false, appliesToRemoteContent=true) @ThreadSafety(level=INTERFACE_THREADSAFE) public abstract class OAuthTokenHandler extends java.lang.Object implements UnboundIDExtension, Reconfigurable<OAuthTokenHandlerConfig>, ExampleUsageProvider
This class defines an API that must be implemented by extensions which will handle incoming SCIM requests with OAuth 2.0 bearer token authentication. The OAuthTokenHandler is responsible for decoding the bearer token and checking it for authenticity and validity.
OAuth provides a method for clients to access a protected resource on behalf of a resource owner. In the general case, before a client can access a protected resource, it must first obtain an authorization grant from the resource owner and then exchange the authorization grant for an access token. The access token represents the grant's scope, duration, and other attributes specified by the authorization grant. The client accesses the protected resource by presenting the access token to the resource server (i.e. the Directory or Proxy Server with the SCIM HTTP Servlet enabled).
The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes. See "OAuth 2.0 Authorization Framework: Bearer Token Usage" (RFC 6750) for the full specification and details.
TLS security is required to use OAuth 2.0 bearer tokens, as specified in RFC 6750. A bearer token may be used by any party in possession of that token (the "bearer"), and thus needs to be protected when transmitted across the network. Implementations of this API should take special care to verify that the token came from a trusted source (using a secret key or some other signing mechanism to prove that the token is authentic). Please read "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819) for a comprehensive list of security threats to consider when working with OAuth bearer tokens.
The OAuthTokenHandler is also responsible for extracting an authorization DN from the bearer token (or otherwise providing one), which will be used to apply access controls before returning the protected resource. There are also methods to extract the expiration date of the token as well as verify that the intended audience is this server (to deal with token redirect).
The order these methods are called by the SCIM HTTP Servlet Extension is as follows:- decodeOAuthToken()
- isTokenAuthentic()
- isTokenForThisServer()
- isTokenExpired()
- validateToken()
- getAuthzDN()
Configuring OAuth Token Handlers
In order to configure a token handler created using this API, use a command like:dsconfig create-oauth-token-handler \ --handler-name "{handler-name}" \ --type third-party \ --set "extension-class:{class-name}" \ --set "extension-argument:{name=value}"
where "{handler-name}" is the name to use for the token handler instance, "{class-name}" is the fully-qualified name of the Java class that extendscom.unboundid.directory.sdk.http.api.OAuthTokenHandler
, and "{name=value}" represents name-value pairs for any arguments to provide to the token handler. If multiple arguments should be provided to the token handler, then the "--set extension-argument:{name=value}
" option should be provided multiple times.- See Also:
ScriptedOAuthTokenHandler
-
-
Constructor Summary
Constructors Constructor Description OAuthTokenHandler()
Creates a new instance of this token handler.
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description ResultCode
applyConfiguration(OAuthTokenHandlerConfig config, ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages)
Attempts to apply the configuration from the provided argument parser to this extension.abstract com.unboundid.scim.sdk.OAuthToken
decodeOAuthToken(java.lang.String base64TokenValue)
Creates anOAuthToken
instance from the incoming token value.void
defineConfigArguments(ArgumentParser parser)
Updates the provided argument parser to define any configuration arguments which may be used by this extension.void
finalizeTokenHandler()
Performs any cleanup which may be necessary when this token handler is to be taken out of service.abstract DN
getAuthzDN(com.unboundid.scim.sdk.OAuthToken token)
Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.java.util.Map<java.util.List<java.lang.String>,java.lang.String>
getExamplesArgumentSets()
Retrieves a map containing examples of configurations that may be used for this extension.abstract java.lang.String[]
getExtensionDescription()
Retrieves a human-readable description for this extension.abstract java.lang.String
getExtensionName()
Retrieves a human-readable name for this extension.void
initializeTokenHandler(HTTPServerContext serverContext, OAuthTokenHandlerConfig config, ArgumentParser parser)
Initializes this token handler.boolean
isConfigurationAcceptable(OAuthTokenHandlerConfig config, ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons)
Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension.abstract boolean
isTokenAuthentic(com.unboundid.scim.sdk.OAuthToken token)
Determines whether the incoming token is authentic (i.e.abstract boolean
isTokenExpired(com.unboundid.scim.sdk.OAuthToken token)
Determines whether the given token is expired.abstract boolean
isTokenForThisServer(com.unboundid.scim.sdk.OAuthToken token)
Determines whether the incoming token is targeted for this server.abstract com.unboundid.scim.sdk.OAuthTokenStatus
validateToken(com.unboundid.scim.sdk.OAuthToken token, com.unboundid.scim.sdk.SCIMRequest scimRequest)
Determines whether the incoming token is valid for the given request.
-
-
-
Constructor Detail
-
OAuthTokenHandler
public OAuthTokenHandler()
Creates a new instance of this token handler. All token handler implementations must include a default constructor, but any initialization should generally be done in theinitializeTokenHandler
method.
-
-
Method Detail
-
getExtensionName
public abstract java.lang.String getExtensionName()
Retrieves a human-readable name for this extension.- Specified by:
getExtensionName
in interfaceUnboundIDExtension
- Returns:
- A human-readable name for this extension.
-
getExtensionDescription
public abstract java.lang.String[] getExtensionDescription()
Retrieves a human-readable description for this extension. Each element of the array that is returned will be considered a separate paragraph in generated documentation.- Specified by:
getExtensionDescription
in interfaceUnboundIDExtension
- Returns:
- A human-readable description for this extension, or
null
or an empty array if no description should be available.
-
defineConfigArguments
public void defineConfigArguments(ArgumentParser parser) throws ArgumentException
Updates the provided argument parser to define any configuration arguments which may be used by this extension. The argument parser may also be updated to define relationships between arguments (e.g., to specify required, exclusive, or dependent argument sets).- Specified by:
defineConfigArguments
in interfaceConfigurable
- Parameters:
parser
- The argument parser to be updated with the configuration arguments which may be used by this extension.- Throws:
ArgumentException
- If a problem is encountered while updating the provided argument parser.
-
initializeTokenHandler
public void initializeTokenHandler(HTTPServerContext serverContext, OAuthTokenHandlerConfig config, ArgumentParser parser) throws LDAPException
Initializes this token handler.- Parameters:
serverContext
- A handle to the server context for the server in which this extension is running.config
- The general configuration for this token handler.parser
- The argument parser which has been initialized from the configuration for this token handler.- Throws:
LDAPException
- If a problem occurs while initializing this token handler.
-
isConfigurationAcceptable
public boolean isConfigurationAcceptable(OAuthTokenHandlerConfig config, ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons)
Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension. The parser will have been used to parse any configuration available for this extension, and any automatic validation will have been performed. This method may be used to perform any more complex validation which cannot be performed automatically by the argument parser.- Specified by:
isConfigurationAcceptable
in interfaceReconfigurable<OAuthTokenHandlerConfig>
- Parameters:
config
- The general configuration for this extension.parser
- The argument parser that has been used to parse the proposed configuration for this extension.unacceptableReasons
- A list to which messages may be added to provide additional information about why the provided configuration is not acceptable.- Returns:
true
if the configuration in the provided argument parser appears to be acceptable, orfalse
if not.
-
applyConfiguration
public ResultCode applyConfiguration(OAuthTokenHandlerConfig config, ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages)
Attempts to apply the configuration from the provided argument parser to this extension.- Specified by:
applyConfiguration
in interfaceReconfigurable<OAuthTokenHandlerConfig>
- Parameters:
config
- The general configuration for this extension.parser
- The argument parser that has been used to parse the new configuration for this extension.adminActionsRequired
- A list to which messages may be added to provide additional information about any additional administrative actions that may be required to apply some of the configuration changes.messages
- A list to which messages may be added to provide additional information about the processing performed by this method.- Returns:
- A result code providing information about the result of applying
the configuration change. A result of
SUCCESS
should be used to indicate that all processing completed successfully. Any other result will indicate that a problem occurred during processing.
-
finalizeTokenHandler
public void finalizeTokenHandler()
Performs any cleanup which may be necessary when this token handler is to be taken out of service.
-
getExamplesArgumentSets
public java.util.Map<java.util.List<java.lang.String>,java.lang.String> getExamplesArgumentSets()
Retrieves a map containing examples of configurations that may be used for this extension. The map key should be a list of sample arguments, and the corresponding value should be a description of the behavior that will be exhibited by the extension when used with that configuration.- Specified by:
getExamplesArgumentSets
in interfaceExampleUsageProvider
- Returns:
- A map containing examples of configurations that may be used for
this extension. It may be
null
or empty if there should not be any example argument sets.
-
decodeOAuthToken
public abstract com.unboundid.scim.sdk.OAuthToken decodeOAuthToken(java.lang.String base64TokenValue) throws java.security.GeneralSecurityException
Creates anOAuthToken
instance from the incoming token value.Implementers may choose to return a subclass of
OAuthToken
in order to provide convenience methods for interacting with the token. This can be helpful because the returnedOAuthToken
is passed to all of the other methods in this class.- Parameters:
base64TokenValue
- the base64-encoded bearer token value- Returns:
- a
OAuthToken
instance. This must not benull
. - Throws:
java.security.GeneralSecurityException
- if there is an error decoding the token
-
isTokenExpired
public abstract boolean isTokenExpired(com.unboundid.scim.sdk.OAuthToken token) throws java.security.GeneralSecurityException
Determines whether the given token is expired.- Parameters:
token
- the OAuth 2.0 bearer token.- Returns:
true
if the token is already expired,false
if not.- Throws:
java.security.GeneralSecurityException
- if there is an error determining the token's expiration date
-
isTokenAuthentic
public abstract boolean isTokenAuthentic(com.unboundid.scim.sdk.OAuthToken token) throws java.security.GeneralSecurityException
Determines whether the incoming token is authentic (i.e. that it came from a trusted authorization server and not an attacker). Implementers are encouraged to use signed tokens and use this method to verify the signature, but other methods such as symmetric key encryption (using a shared secret) can be used as well.- Parameters:
token
- the OAuth 2.0 bearer token.- Returns:
true
if the bearer token can be verified as authentic and originating from a trusted source,false
if not.- Throws:
java.security.GeneralSecurityException
- if there is an error determining whether the token is authentic
-
isTokenForThisServer
public abstract boolean isTokenForThisServer(com.unboundid.scim.sdk.OAuthToken token) throws java.security.GeneralSecurityException
Determines whether the incoming token is targeted for this server. This allows the implementation to reject the token early in the validation process if it can see that the intended recipient was not this server.- Parameters:
token
- the OAuth 2.0 bearer token.- Returns:
true
if the bearer token identifies this server as the intended recipient,false
if not.- Throws:
java.security.GeneralSecurityException
- if there is an error determining whether the token is for this server
-
validateToken
public abstract com.unboundid.scim.sdk.OAuthTokenStatus validateToken(com.unboundid.scim.sdk.OAuthToken token, com.unboundid.scim.sdk.SCIMRequest scimRequest) throws java.security.GeneralSecurityException
Determines whether the incoming token is valid for the given request. This method should verify that the token is legitimate and grants access to the requested resource specified in theSCIMRequest
. This typically involves checking the token scope and any other attributes granted by the authorization grant. Implementations may need to call back to the authorization server to verify that the token is still valid and has not been revoked.- Parameters:
token
- the OAuth 2.0 bearer token.scimRequest
- theSCIMRequest
that we are validating.- Returns:
- an
OAuthTokenStatus
object which indicates whether the bearer token is valid and grants access to the target resource. This must not benull
. - Throws:
java.security.GeneralSecurityException
- if there is an error determining whether the token is valid
-
getAuthzDN
public abstract DN getAuthzDN(com.unboundid.scim.sdk.OAuthToken token) throws java.security.GeneralSecurityException
Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.This may require performing an LDAP search in order to find the DN that matches a certain attribute value contained in the token.
- Parameters:
token
- the OAuth 2.0 bearer token.- Returns:
- the authorization DN to use.
- Throws:
java.security.GeneralSecurityException
- if there is an error determining the authorization user DN
-
-