AccessTokenConsumer
The new HTTP client shipped with nevisAuth 4.38.0.12 will likely require changes in this auth state configuration, specifically in the area of certificate configuration and handling.
Visit Appendix H for additional information.
Introduction and overview
The AccessTokenConsumer AuthState implements the validation of access tokens issued by the AuthorizationServer AuthState (Bearer Tokens). It is used to protect access to the resource server.
If the access token provided by the client can be successfully validated, an authenticated session is established using the user ID the end-user was authenticated with at the authorization server. A session lifetime equal to the access token lifetime is signaled to nevisProxy. The roles are set to the scope values requested in the authorization request which lead to the issuance of the access token.
Only bearer tokens issued by the AuthorizationServer AuthState and sent using the authorization request header field are accepted. An example HTTP request for a protected resource is
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer [token]
where [token] needs to be replaced by the token issued by the authorization server.
If an access token could not be validated, an error code according to RFC6750 is returned.
To be compatible with the tokens issued by the authorization server, the key material configured in the AccessTokenConsumer AuthState must match the key material configured in the AuthorizationServer AuthState.
Description
The following table and chapters describe the characteristics of the AuthState.
| Topic | Description |
|---|---|
| Class | ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer |
| Logging | OAuth2Consumer |
| Auditing | none |
| Marker | OAUTH2:token |
| Methods | process |
Properties
keystoreref(string, "DefaultKeyStore")Together with the
keyobjectrefidentifies the key material reference to validate the access token.keyobjectref(string, "DefaultSigner")This property configures the key material to use when validating the access token. The access token is decrypted using the configured private key. Currently, RSA and Elliptic Curve (EC) keys are supported.
propagationScope(string, "session")Define propagation scope to store information for following AuthStates.
introspectionEndpoint(string (URI), -)Defines external token introspection endpoint for checking whether access token is still active. If this property is not configured, or the authState cannot connect to external token introspection endpoint, the normal validation process takes place.
infoThe use of this property requires that the introspection endpoint does not use authentication.
httpclient.*(String)Configure the outgoing HTTP communication to the
introspectionEndpoint. For a list of valid HTTP properties, see HTTP Client.
Input
none
Transitions
token-validThe provided access token is valid.
token-invalidThe provided access token is invalid.
Output
[propagationScope]:oauth2.token.claim.[field]Claims present in the access token. For details, see Token format.
Errors
none
Notes
none
Example
<AuthState
class="ch.nevis.esauth.auth.states.oauth2.consumer.AccessTokenConsumer"
final="false"
name="OAuthTokenConsumer"
resumeState="true">
<ResultCond name="token-invalid"
next="AuthError" />
<ResultCond name="token-valid"
next="AuthDone" />
<property name="keystoreref"
value="OAuthKeyStore" />
<property name="keyobjectref"
value="OAuthTokenVerifier" />
</AuthState>