com.unboundid.directory.sdk.broker.api

Class AccessTokenValidator

java.lang.Object

com.unboundid.directory.sdk.common.api.AbstractAccessTokenValidator

com.unboundid.directory.sdk.broker.api.AccessTokenValidator

All Implemented Interfaces:

Configurable, ExampleUsageProvider, UnboundIDExtension

@Extensible
 @BrokerExtension
 @ThreadSafety(level=INTERFACE_THREADSAFE)
public abstract class AccessTokenValidator
extends AbstractAccessTokenValidator

This class defines an API that may be implemented by Data Governance Server extensions that validate externally generated access tokens. Implementing extensions that support this API enables the Data Governance Server to accept access tokens generated from external Identity Providers.

Configuring Access Token Validators

In order to configure an Access Token Validator created using this API, use a command like:

      dsconfig create-token-validator \
           ---validator-name "{name}" \
           --type third-party \
           --set "extension-class:{class-name}" \
           --set "extension-argument:{name=value}"
 

where "{name}" is the name to use for the Access Token Validator instance, "{class-name}" is the fully-qualified name of the Java class that extends com.unboundid.directory.sdk.broker.api.AccessTokenValidator, and "{name=value}" represents name-value pairs for any arguments to provide to the Access Token Validator. If multiple arguments should be provided to the extension, then the "--set extension-argument:{name=value}" option should be provided multiple times.

Constructor Summary

Constructors

Constructor and Description
AccessTokenValidator()

Method Summary

Modifier and Type	Method and Description
abstract TokenValidationResult	validate(java.lang.String encodedAccessToken) Validate the provided access token.

Methods inherited from class com.unboundid.directory.sdk.common.api.AbstractAccessTokenValidator

defineConfigArguments, finalizeTokenValidator, getExamplesArgumentSets, getExtensionDescription, getExtensionName, initializeTokenValidator

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AccessTokenValidator

public AccessTokenValidator()

Method Detail

validate

public abstract TokenValidationResult validate(java.lang.String encodedAccessToken)
                                        throws java.lang.Exception

Validate the provided access token.

Specified by:

validate in class AbstractAccessTokenValidator

Parameters:

encodedAccessToken - access token string as it is received from the requesting client.

Returns:

The Data Governance Server may be configured to accept access tokens from multiple sources so it is important that each validator differentiate between a token format that it does not recognize and a token that it can process but is not valid. If the token can be processed, the validator must return a TokenValidationResult object containing token properties. Most importantly the active field of the TokenValidationResult must be set by the validator. The decision as to whether an access token is accepted or not is made by the Data Governance Server's policy engine. All properties of the TokenValidationResult are available to XACML policies, however it is possible that policies may only examine a subset of those properties. When writing a new validator it is important to match up the properties exposed by the validator with the properties consulted by the default and/or custom policies. If the token cannot be introspected by the Access Token Validator it must return null to allow other validators to have a chance to process the token.

Throws:

java.lang.Exception - if an error occurs during the processing of a token that can be introspected by the validator. Exceptions should only be thrown for unexpected internal errors. Sensitive information should not be included in the exception message as the message may be returned to the client application that has passed the token.