com.unboundid.directory.sdk.broker.api

Class TokenResourceLookupMethod

java.lang.Object

com.unboundid.directory.sdk.broker.api.TokenResourceLookupMethod

All Implemented Interfaces:

Configurable, ExampleUsageProvider, Reconfigurable<TokenResourceLookupMethodConfig>, UnboundIDExtension

@Extensible
 @BrokerExtension
public abstract class TokenResourceLookupMethod
extends java.lang.Object
implements UnboundIDExtension, Reconfigurable<TokenResourceLookupMethodConfig>, ExampleUsageProvider

This class defines an API that must be implemented by extensions that provide a custom Token Resource Lookup Method for access token validation. A Token Resource Lookup Method is invoked after an Access Token Validator has parsed an access token and produced a TokenValidationResult. The Token Resource Lookup Method uses data from the token validation result to look up the token owner in an identity store such as a Directory Server or RDBMS, returning a TokenOwnerPrincipal object that includes the token owner's attributes. This data is then provided to policies and used to make access control decisions.

Configuring Token Resource Lookup Methods

To configure a Token Resource Lookup Method, an Access Token Validator must first be configured using a command like the following:

      dsconfig create-access-token-validator \
            --validator-name "{validator-name}" \
            --type jwt \
            --set enabled:true \
            --set evaluation-order-index:100 \
            --set "authorization-server:{auth-server-name}" \
            --set jwks-endpoint-path:/ext/oauth/jwks
 

(See the server documentation for other examples of configuring an Access Token Validator.) After creating an Access Token Validator, a Token Resource Lookup Method may be created as a child of the Access Token Validator using a command like:

      dsconfig create-token-resource-lookup-method \
            --validator-name "{validator-name}" \
            --method-name "{method-name}" \
            --type third-party \
            --set enabled:true \
            --set evaluation-order-index:100 \
            --set "extension-class:{class-name}" \
            --set "extension-argument:{name=value}"
 

where "{method-name}" is the name to use for the Token Resource Lookup Method instance, "{class-name}" is the fully-qualified name of the Java class that extends com.unboundid.directory.sdk.broker.api.TokenResourceLookupMethod, and "{name=value}" represents name-value pairs for any arguments to provide to the token resource lookup method. If multiple arguments should be provided to the token resource lookup method, then the "--set extension-argument:{name=value}" option should be provided multiple times.

Constructor Summary

Constructors

Constructor and Description
TokenResourceLookupMethod() No-args constructor.

Method Summary

Modifier and Type	Method and Description
com.unboundid.ldap.sdk.ResultCode	applyConfiguration(TokenResourceLookupMethodConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages) Attempts to apply the configuration from the provided argument parser to this extension.
void	defineConfigArguments(com.unboundid.util.args.ArgumentParser parser) Updates the provided argument parser to define any configuration arguments which may be used by this extension.
void	finalizeTokenResourceLookupMethod() Performs any cleanup which may be necessary when this token resource lookup method is to be taken out of service.
java.util.Map<java.util.List<java.lang.String>,java.lang.String>	getExamplesArgumentSets() Retrieves a map containing examples of configurations that may be used for this extension.
abstract java.lang.String[]	getExtensionDescription() Retrieves a human-readable description for this extension.
abstract java.lang.String	getExtensionName() Retrieves a human-readable name for this extension.
void	initializeTokenResourceLookupMethod(BrokerContext serverContext, TokenResourceLookupMethodConfig config, com.unboundid.util.args.ArgumentParser parser) Initializes this token resource lookup method implementation.
boolean	isConfigurationAcceptable(TokenResourceLookupMethodConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons) Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension.
abstract TokenOwnerPrincipal	lookupTokenOwner(TokenValidationResult tokenValidationResult) Uses the access token validation result to locate the token owner.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TokenResourceLookupMethod

public TokenResourceLookupMethod()

No-args constructor.

Method Detail

getExtensionName

public abstract java.lang.String getExtensionName()

Retrieves a human-readable name for this extension.

Specified by:

getExtensionName in interface UnboundIDExtension

Returns:

A human-readable name for this extension.

getExtensionDescription

public abstract java.lang.String[] getExtensionDescription()

Retrieves a human-readable description for this extension. Each element of the array that is returned will be considered a separate paragraph in generated documentation.

Specified by:

getExtensionDescription in interface UnboundIDExtension

Returns:

A human-readable description for this extension, or null or an empty array if no description should be available.

initializeTokenResourceLookupMethod

public void initializeTokenResourceLookupMethod(BrokerContext serverContext,
                                                TokenResourceLookupMethodConfig config,
                                                com.unboundid.util.args.ArgumentParser parser)
                                         throws java.lang.Exception

Initializes this token resource lookup method implementation.

Parameters:

serverContext - A handle to the server context for the server in which this extension is running.

config - The general configuration for this token resource lookup method.

parser - The argument parser which has been initialized from the configuration for this token resource lookup method.

Throws:

java.lang.Exception - If a problem occurs while initializing this token resource lookup method.

finalizeTokenResourceLookupMethod

public void finalizeTokenResourceLookupMethod()

Performs any cleanup which may be necessary when this token resource lookup method is to be taken out of service.

defineConfigArguments

public void defineConfigArguments(com.unboundid.util.args.ArgumentParser parser)
                           throws com.unboundid.util.args.ArgumentException

Updates the provided argument parser to define any configuration arguments which may be used by this extension. The argument parser may also be updated to define relationships between arguments (e.g., to specify required, exclusive, or dependent argument sets).

Specified by:

defineConfigArguments in interface Configurable

Parameters:

parser - The argument parser to be updated with the configuration arguments which may be used by this extension.

Throws:

com.unboundid.util.args.ArgumentException - If a problem is encountered while updating the provided argument parser.

getExamplesArgumentSets

public java.util.Map<java.util.List<java.lang.String>,java.lang.String> getExamplesArgumentSets()

Retrieves a map containing examples of configurations that may be used for this extension. The map key should be a list of sample arguments, and the corresponding value should be a description of the behavior that will be exhibited by the extension when used with that configuration.

Specified by:

getExamplesArgumentSets in interface ExampleUsageProvider

Returns:

A map containing examples of configurations that may be used for this extension. It may be null or empty if there should not be any example argument sets.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(TokenResourceLookupMethodConfig config,
                                         com.unboundid.util.args.ArgumentParser parser,
                                         java.util.List<java.lang.String> unacceptableReasons)

Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension. The parser will have been used to parse any configuration available for this extension, and any automatic validation will have been performed. This method may be used to perform any more complex validation which cannot be performed automatically by the argument parser.

Specified by:

isConfigurationAcceptable in interface Reconfigurable<TokenResourceLookupMethodConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the proposed configuration for this extension.

unacceptableReasons - A list to which messages may be added to provide additional information about why the provided configuration is not acceptable.

Returns:

true if the configuration in the provided argument parser appears to be acceptable, or false if not.

applyConfiguration

public com.unboundid.ldap.sdk.ResultCode applyConfiguration(TokenResourceLookupMethodConfig config,
                                                            com.unboundid.util.args.ArgumentParser parser,
                                                            java.util.List<java.lang.String> adminActionsRequired,
                                                            java.util.List<java.lang.String> messages)

Attempts to apply the configuration from the provided argument parser to this extension.

Specified by:

applyConfiguration in interface Reconfigurable<TokenResourceLookupMethodConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the new configuration for this extension.

adminActionsRequired - A list to which messages may be added to provide additional information about any additional administrative actions that may be required to apply some of the configuration changes.

messages - A list to which messages may be added to provide additional information about the processing performed by this method.

Returns:

A result code providing information about the result of applying the configuration change. A result of SUCCESS should be used to indicate that all processing completed successfully. Any other result will indicate that a problem occurred during processing.

lookupTokenOwner

public abstract TokenOwnerPrincipal lookupTokenOwner(TokenValidationResult tokenValidationResult)

Uses the access token validation result to locate the token owner.

Parameters:

tokenValidationResult - A TokenValidationResult containing an access token's properties.

Returns:

The token owner. May be null if the token owner could not be found.