com.unboundid.directory.sdk.http.scripting

Class ScriptedOAuthTokenHandler

java.lang.Object

com.unboundid.directory.sdk.http.scripting.ScriptedOAuthTokenHandler

All Implemented Interfaces:

Configurable, Reconfigurable<OAuthTokenHandlerConfig>

@Extensible
@DirectoryServerExtension
@DirectoryProxyServerExtension(appliesToLocalContent=false,
                               appliesToRemoteContent=true)
@ThreadSafety(level=INTERFACE_THREADSAFE)
public abstract class ScriptedOAuthTokenHandler
extends java.lang.Object
implements Reconfigurable<OAuthTokenHandlerConfig>

This class defines an API that must be implemented by extensions which will handle incoming SCIM requests with OAuth 2.0 bearer token authentication. The OAuthTokenHandler is responsible for decoding the bearer token and checking it for authenticity and validity.

OAuth provides a method for clients to access a protected resource on behalf of a resource owner. In the general case, before a client can access a protected resource, it must first obtain an authorization grant from the resource owner and then exchange the authorization grant for an access token. The access token represents the grant's scope, duration, and other attributes specified by the authorization grant. The client accesses the protected resource by presenting the access token to the resource server (i.e. the Directory or Proxy Server with the SCIM HTTP Servlet enabled).

The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes. See "OAuth 2.0 Authorization Framework: Bearer Token Usage" (RFC 6750) for the full specification and details.

TLS security is required to use OAuth 2.0 bearer tokens, as specified in RFC 6750. A bearer token may be used by any party in possession of that token (the "bearer"), and thus needs to be protected when transmitted across the network. Implementations of this API should take special care to verify that the token came from a trusted source (using a secret key or some other signing mechanism to prove that the token is authentic). Please read "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819) for a comprehensive list of security threats to consider when working with OAuth bearer tokens.

The OAuthTokenHandler is also responsible for extracting an authorization DN from the bearer token (or otherwise providing one), which will be used to apply access controls before returning the protected resource. There are also methods to extract the expiration date of the token as well as verify that the intended audience is this server (to deal with token redirect).

The order these methods are called by the SCIM HTTP Servlet Extension is as follows:

1. decodeOAuthToken()
2. isTokenAuthentic()
3. isTokenForThisServer()
4. isTokenExpired()
5. validateToken()
6. getAuthzDN()

If any of the methods fail or return an error result, the server will return an appropriate "unauthorized" response to the client.

Configuring Scripted OAuth Token Handlers

In order to configure a token handler created using this API, use a command like:

      dsconfig create-oauth-token-handler \
           --handler-name "{handler-name}" \
           --type groovy-scripted \
           --set "script-class:{class-name}" \
           --set "script-argument:{name=value}"
 

where "{handler-name}" is the name to use for the token handler instance, "{class-name}" is the fully-qualified name of the Groovy class that extends com.unboundid.directory.sdk.http.scripting.ScriptedOAuthTokenHandler, and "{name=value}" represents name-value pairs for any arguments to provide to the token handler. If multiple arguments should be provided to the token handler, then the "--set extension-argument:{name=value}" option should be provided multiple times.

See Also:

OAuthTokenHandler

Constructor Summary

Constructors

Constructor and Description
ScriptedOAuthTokenHandler() Creates a new instance of this alert handler.

Method Summary

Methods

Modifier and Type	Method and Description
com.unboundid.ldap.sdk.ResultCode	applyConfiguration(OAuthTokenHandlerConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages) Attempts to apply the configuration from the provided argument parser to this extension.
abstract com.unboundid.scim.sdk.OAuthToken	decodeOAuthToken(java.lang.String base64TokenValue) Creates an OAuthToken instance from the incoming token value.
void	defineConfigArguments(com.unboundid.util.args.ArgumentParser parser) Updates the provided argument parser to define any configuration arguments which may be used by this extension.
void	finalizeTokenHandler() Performs any cleanup which may be necessary when this token handler is to be taken out of service.
abstract com.unboundid.ldap.sdk.DN	getAuthzDN(com.unboundid.scim.sdk.OAuthToken token) Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.
void	initializeTokenHandler(HTTPServerContext serverContext, OAuthTokenHandlerConfig config, com.unboundid.util.args.ArgumentParser parser) Initializes this token handler.
boolean	isConfigurationAcceptable(OAuthTokenHandlerConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons) Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension.
abstract boolean	isTokenAuthentic(com.unboundid.scim.sdk.OAuthToken token) Determines whether the incoming token is authentic (i.e.
abstract boolean	isTokenExpired(com.unboundid.scim.sdk.OAuthToken token) Determines whether the given token is expired.
abstract boolean	isTokenForThisServer(com.unboundid.scim.sdk.OAuthToken token) Determines whether the incoming token is targeted for this server.
abstract com.unboundid.scim.sdk.OAuthTokenStatus	validateToken(com.unboundid.scim.sdk.OAuthToken token, com.unboundid.scim.sdk.SCIMRequest scimRequest) Determines whether the incoming token is valid for the given request.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ScriptedOAuthTokenHandler

public ScriptedOAuthTokenHandler()

Creates a new instance of this alert handler. All token handler implementations must include a default constructor, but any initialization should generally be done in the initializeTokenHandler method.

Method Detail

defineConfigArguments

public void defineConfigArguments(com.unboundid.util.args.ArgumentParser parser)
                           throws com.unboundid.util.args.ArgumentException

Updates the provided argument parser to define any configuration arguments which may be used by this extension. The argument parser may also be updated to define relationships between arguments (e.g., to specify required, exclusive, or dependent argument sets).

Specified by:

defineConfigArguments in interface Configurable

Parameters:

parser - The argument parser to be updated with the configuration arguments which may be used by this extension.

Throws:

com.unboundid.util.args.ArgumentException - If a problem is encountered while updating the provided argument parser.

initializeTokenHandler

public void initializeTokenHandler(HTTPServerContext serverContext,
                          OAuthTokenHandlerConfig config,
                          com.unboundid.util.args.ArgumentParser parser)
                            throws com.unboundid.ldap.sdk.LDAPException

Initializes this token handler.

Parameters:

serverContext - A handle to the server context for the server in which this extension is running.

config - The general configuration for this token handler.

parser - The argument parser which has been initialized from the configuration for this token handler.

Throws:

com.unboundid.ldap.sdk.LDAPException - If a problem occurs while initializing this token handler.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(OAuthTokenHandlerConfig config,
                                com.unboundid.util.args.ArgumentParser parser,
                                java.util.List<java.lang.String> unacceptableReasons)

Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension. The parser will have been used to parse any configuration available for this extension, and any automatic validation will have been performed. This method may be used to perform any more complex validation which cannot be performed automatically by the argument parser.

Specified by:

isConfigurationAcceptable in interface Reconfigurable<OAuthTokenHandlerConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the proposed configuration for this extension.

unacceptableReasons - A list to which messages may be added to provide additional information about why the provided configuration is not acceptable.

Returns:

true if the configuration in the provided argument parser appears to be acceptable, or false if not.

applyConfiguration

public com.unboundid.ldap.sdk.ResultCode applyConfiguration(OAuthTokenHandlerConfig config,
                                                   com.unboundid.util.args.ArgumentParser parser,
                                                   java.util.List<java.lang.String> adminActionsRequired,
                                                   java.util.List<java.lang.String> messages)

Attempts to apply the configuration from the provided argument parser to this extension.

Specified by:

applyConfiguration in interface Reconfigurable<OAuthTokenHandlerConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the new configuration for this extension.

adminActionsRequired - A list to which messages may be added to provide additional information about any additional administrative actions that may be required to apply some of the configuration changes.

messages - A list to which messages may be added to provide additional information about the processing performed by this method.

Returns:

A result code providing information about the result of applying the configuration change. A result of SUCCESS should be used to indicate that all processing completed successfully. Any other result will indicate that a problem occurred during processing.

finalizeTokenHandler

public void finalizeTokenHandler()

Performs any cleanup which may be necessary when this token handler is to be taken out of service.

decodeOAuthToken

public abstract com.unboundid.scim.sdk.OAuthToken decodeOAuthToken(java.lang.String base64TokenValue)
                                                            throws java.security.GeneralSecurityException

Creates an OAuthToken instance from the incoming token value.

Implementers may choose to return a subclass of OAuthToken in order to provide convenience methods for interacting with the token. This can be helpful because the returned OAuthToken is passed to all of the other methods in this class.

Parameters:

base64TokenValue - the base64-encoded bearer token value

Returns:

a OAuthToken instance. This must not be null.

Throws:

java.security.GeneralSecurityException - if there is an error decoding the token

isTokenExpired

public abstract boolean isTokenExpired(com.unboundid.scim.sdk.OAuthToken token)
                                throws java.security.GeneralSecurityException

Determines whether the given token is expired.

Parameters:

token - the OAuth 2.0 bearer token.

Returns:

true if the token is already expired, false if not.

Throws:

java.security.GeneralSecurityException - if there is an error determining the token's expiration date

isTokenAuthentic

public abstract boolean isTokenAuthentic(com.unboundid.scim.sdk.OAuthToken token)
                                  throws java.security.GeneralSecurityException

Determines whether the incoming token is authentic (i.e. that it came from a trusted authorization server and not an attacker). Implementers are encouraged to use signed tokens and use this method to verify the signature, but other methods such as symmetric key encryption (using a shared secret) can be used as well.

Parameters:

token - the OAuth 2.0 bearer token.

Returns:

true if the bearer token can be verified as authentic and originating from a trusted source, false if not.

Throws:

java.security.GeneralSecurityException - if there is an error determining whether the token is authentic

isTokenForThisServer

public abstract boolean isTokenForThisServer(com.unboundid.scim.sdk.OAuthToken token)
                                      throws java.security.GeneralSecurityException

Determines whether the incoming token is targeted for this server. This allows the implementation to reject the token early in the validation process if it can see that the intended recipient was not this server.

Parameters:

token - the OAuth 2.0 bearer token.

Returns:

true if the bearer token identifies this server as the intended recipient, false if not.

Throws:

java.security.GeneralSecurityException - if there is an error determining whether the token is for this server

validateToken

public abstract com.unboundid.scim.sdk.OAuthTokenStatus validateToken(com.unboundid.scim.sdk.OAuthToken token,
                                                    com.unboundid.scim.sdk.SCIMRequest scimRequest)
                                                               throws java.security.GeneralSecurityException

Determines whether the incoming token is valid for the given request. This method should verify that the token is legitimate and grants access to the requested resource specified in the SCIMRequest. This typically involves checking the token scope and any other attributes granted by the authorization grant. Implementations may need to call back to the authorization server to verify that the token is still valid and has not been revoked.

Parameters:

token - the OAuth 2.0 bearer token.

scimRequest - the SCIMRequest that we are validating.

Returns:

an OAuthTokenStatus object which indicates whether the bearer token is valid and grants access to the target resource. This must not be null.

Throws:

java.security.GeneralSecurityException - if there is an error determining whether the token is valid

getAuthzDN

public abstract com.unboundid.ldap.sdk.DN getAuthzDN(com.unboundid.scim.sdk.OAuthToken token)
                                              throws java.security.GeneralSecurityException

Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.

This may require performing an LDAP search in order to find the DN that matches a certain attribute value contained in the token.

Parameters:

token - the OAuth 2.0 bearer token.

Returns:

the authorization DN to use.

Throws:

java.security.GeneralSecurityException - if there is an error determining the authorization user DN