Version: 8.2411.x.x RR

AccessTokenConsumer

nevisAuth 4.38.x HTTP client changes

The new HTTP client shipped with nevisAuth 4.38.0.12 will likely require changes in this auth state configuration, specifically in the area of certificate configuration and handling.

Visit the migration guide for additional information.

Introduction and overview

The AccessTokenConsumer AuthState implements the validation of access tokens issued by the AuthorizationServer AuthState (Bearer Tokens). It is used to protect access to the resource server.

If the access token provided by the client can be successfully validated, an authenticated session is established using the user ID the end user was authenticated with at the authorization server. A session lifetime equal to the access token lifetime is signaled to nevisProxy. The roles are set to the scope values requested in the authorization request that led to the issuance of the access token.

Only bearer tokens issued by the AuthorizationServer AuthState and sent in the Authorization request header field are accepted. An example HTTP request for a protected resource is

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer [token]

where [token] needs to be replaced by the token issued by the authorization server.

If an access token cannot be validated, an error code according to RFC 6750 is returned.

To be compatible with the tokens issued by the authorization server, the key material configured in the AccessTokenConsumer AuthState must match the key material configured in the AuthorizationServer AuthState.

Description

The following table and chapters describe the characteristics of the AuthState.

Topic      Description
Class      ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer
Logging    OAuth2Consumer
Auditing   none
Marker     OAUTH2:token
Methods    process

Properties

  • keystoreref (string, "DefaultKeyStore")

    Together with keyobjectref, identifies the key material used to validate the access token.

  • keyobjectref (string, "DefaultSigner")

    This property configures the key material to use when validating the access token. The access token is decrypted using the configured private key. Currently, RSA and Elliptic Curve (EC) keys are supported.

  • propagationScope (string, "session")

    Defines the propagation scope under which information is stored for subsequent AuthStates.

  • introspectionEndpoint (string (URI), -)

    Defines an external token introspection endpoint used to check whether the access token is still active. If this property is not configured, or the AuthState cannot connect to the external token introspection endpoint, the normal validation process takes place.

    info

    The use of this property requires that the introspection endpoint does not use authentication.

  • httpclient.* (String)

    Configure the outgoing HTTP communication to the introspectionEndpoint. For a list of valid HTTP properties, see HTTP Client.

Input

none

Transitions

  • token-valid

    The provided access token is valid.

  • token-invalid

    The provided access token is invalid.

Output

  • [propagationScope]:oauth2.token.claim.[field]

    Claims present in the access token. For details, see Token format.
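The validation flow described on this page (bearer token taken from the Authorization header, local validation, optional introspection that falls back to normal validation when the endpoint is unreachable, roles taken from the scope, session lifetime taken from the token expiry, and claims propagated as [propagationScope]:oauth2.token.claim.[field]), modelled as an added Python example that is not nevisAuth code. The HMAC demo secret, make_demo_token and the introspect callback are assumptions standing in for the AuthState's RSA/EC key material and the introspectionEndpoint.

```python
import base64, hashlib, hmac, json

# Constructed demo secret (assumption): the real AuthState verifies with the RSA/EC key
# selected by keystoreref/keyobjectref, not with an HMAC secret.
DEMO_KEY = b"demo-shared-secret"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims: dict) -> str:
    # Compact JWS-style token (header.claims.signature) for the demo only
    header = _b64u(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def consume(headers: dict, now: float, introspect=None, scope: str = "session") -> dict:
    """Model of the AuthState: bearer header check, signature/expiry validation,
    optional introspection with fallback, and the propagated claim names."""
    auth = headers.get("Authorization")
    parts = (auth or "").split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer" or not parts[1].strip():
        # RFC 6750 3.1: no error code at all when no credentials were sent
        return {"transition": "token-invalid", "error": None if auth is None else "invalid_request"}
    token = parts[1].strip()
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            raise ValueError("signature mismatch")
        claims = json.loads(_b64u_decode(body))
        if not isinstance(claims, dict) or "sub" not in claims:
            raise ValueError("claims without subject")
    except ValueError:  # malformed base64/JSON, bad signature or unusable claims
        return {"transition": "token-invalid", "error": "invalid_token"}
    active = True
    if introspect is not None:  # optional introspectionEndpoint
        try:
            active = bool(introspect(token))
        except ConnectionError:
            pass  # endpoint unreachable: fall back to the normal (local) validation
    if not active or claims.get("exp", 0) <= now:
        return {"transition": "token-invalid", "error": "invalid_token"}
    return {"transition": "token-valid", "user": claims["sub"],
            "roles": claims.get("scope", "").split(),  # roles = granted scope values
            "session_lifetime": int(claims["exp"] - now),  # lifetime signaled to nevisProxy
            "claims": {f"{scope}:oauth2.token.claim.{k}": v for k, v in claims.items()}}
```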

Errors

none

Notes

none

Example

<AuthState class="ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer"
           final="false"
           name="OAuthTokenConsumer"
           resumeState="true">
    <ResultCond name="token-invalid" next="AuthError" />
    <ResultCond name="token-valid" next="AuthDone" />
    <property name="keystoreref" value="OAuthKeyStore" />
    <property name="keyobjectref" value="OAuthTokenVerifier" />
</AuthState>