AccessTokenConsumer
Introduction and overview
The AccessTokenConsumer AuthState validates access tokens (bearer tokens) issued by the AuthorizationServer AuthState. It is used to protect access to the resource server.
If the access token provided by the client is validated successfully, an authenticated session is established using the user ID with which the end-user was authenticated at the authorization server. A session lifetime equal to the access token lifetime is signaled to nevisProxy. The roles are set to the scope values requested in the authorization request that led to the issuance of the access token.
Only bearer tokens issued by the AuthorizationServer AuthState and sent in the Authorization request header field are accepted. An example HTTP request for a protected resource is:

```http
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer [token]
```

where [token] needs to be replaced by the token issued by the authorization server.
If an access token cannot be validated, an error code according to RFC 6750 is returned.
To be compatible with the tokens issued by the authorization server, the key material configured in the AccessTokenConsumer AuthState must match the key material configured in the AuthorizationServer AuthState.
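The behaviour described above, as an added example that is not part of the nevisAuth product or its documentation: a resource-server check that extracts the bearer token from the Authorization header, derives the session (user ID, scope values as roles, remaining lifetime) from the token, and answers with the RFC 6750 error responses otherwise. The cryptographic validation the AuthState performs with the configured key material is replaced here by a lookup in a constructed token table (`ISSUED_TOKENS`), and the realm value and helper names (`consume_access_token`, `require_scope`) are assumptions of this example.

```python
import re

REALM = "resource"  # assumption: the realm is deployment-specific

# Constructed token table standing in for tokens issued by the authorization server.
# Assumption: nevisAuth validates the token cryptographically with the configured
# key material; here validation is a dictionary lookup so the example runs offline.
ISSUED_TOKENS = {
    "tok-alice": {"sub": "alice", "scope": "openid profile", "exp": 1_700_003_600},
    "tok-bob":   {"sub": "bob",   "scope": "openid",         "exp": 1_700_000_000},
}

# RFC 6750 section 2.1 token syntax: b64token = 1*(ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/") *"="
BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$")


def _challenge(status, error=None, description=None):
    """Build an RFC 6750 error response: status code plus a WWW-Authenticate challenge."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)}, None


def consume_access_token(headers, now, tokens=ISSUED_TOKENS):
    """Validate the Authorization header of an incoming request.

    Returns (status, response_headers, session). On success the status is 200 and
    the session carries the user ID, the scope values as roles and the remaining
    token lifetime, which is what the AuthState signals to nevisProxy.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        # No credentials at all: 401 with a bare challenge and no error code (RFC 6750 3.1)
        return _challenge(401)
    match = BEARER_RE.match(auth.strip())
    if not match:
        # Not a bearer token or a malformed header: invalid_request -> 400
        return _challenge(400, "invalid_request", "malformed Authorization header")
    claims = tokens.get(match.group(1))
    if claims is None:
        # Unknown token: invalid_token -> 401
        return _challenge(401, "invalid_token", "token not issued by this server")
    remaining = claims["exp"] - now
    if remaining <= 0:
        # Expired token is also invalid_token -> 401
        return _challenge(401, "invalid_token", "token expired")
    session = {
        "user_id": claims["sub"],                # user ID authenticated at the authorization server
        "roles": claims["scope"].split(),        # roles = scope values of the authorization request
        "session_lifetime": remaining,           # session lifetime = remaining token lifetime
    }
    return 200, {}, session


def require_scope(session, needed):
    """Authorization step after a valid token: a missing scope yields 403 insufficient_scope."""
    if needed in session["roles"]:
        return 200, {}, session
    status, hdrs, _ = _challenge(403, "insufficient_scope", f"scope {needed} required")
    hdrs["WWW-Authenticate"] += f', scope="{needed}"'
    return status, hdrs, None


if __name__ == "__main__":
    now = 1_700_000_000
    print(consume_access_token({"Authorization": "Bearer tok-alice"}, now))
    print(consume_access_token({}, now))
    print(consume_access_token({"Authorization": "Bearer tok-bob"}, now))
```

The status-code split follows RFC 6750 section 3.1: a request without credentials gets a plain challenge, a malformed header is `invalid_request` (400), a token that fails validation or has expired is `invalid_token` (401), and a valid token lacking a required scope is `insufficient_scope` (403). Keeping the expiry check on the consumer side is what makes the signaled session lifetime equal to the token lifetime rather than longer.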
Description
The following table describes the characteristics of the AuthState.
| Topic | Description |
|---|---|
| Class | `ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer` |
| Logging | OAuth2Consumer |
| Auditing | none |
| Marker | OAUTH2:token |
| Properties | `keystoreref` (string, "DefaultKeyStore")<br>`keyobjectref` (string, "DefaultSigner")<br>These properties configure the key material used to validate the access token. The access token is decrypted with the configured private key. Currently, only RSA keys are supported.<br><br>`propagationScope` (string, "session")<br>Defines the propagation scope in which information is stored for subsequent AuthStates. |
| Methods | process: Tries to validate the access token provided by the client. |
| Input | none |
| Transitions | token-valid: The provided access token is valid.<br>token-invalid: The provided access token is invalid. |
| Output | `[propagationScope]:oauth2.token.claim..` |
| Errors | none |
| Notes | none |
Example
```xml
<AuthState
    class="ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer"
    final="false"
    name="OAuthTokenConsumer"
    resumeState="true">
    <ResultCond name="token-invalid"
                next="AuthError" />
    <ResultCond name="token-valid"
                next="AuthDone" />
    <property name="keystoreref"
              value="OAuthKeyStore" />
    <property name="keyobjectref"
              value="OAuthTokenVerifier" />
</AuthState>
```