Class JwtSessionManagerHeaplet

  • All Implemented Interfaces:
    Heaplet

    public class JwtSessionManagerHeaplet
    extends GenericHeaplet
    A JwtSessionManagerHeaplet is responsible for configuring and creating a JwtSession.
     {
           "type": "JwtSession",
           "config": {
             "cookie": {         object                   [OPTIONAL - structure describing the properties of the JWT
                                                                      session cookie]
               "name":             expression<String>       [OPTIONAL - Name of cookie containing the IG JWT session.
                                                                        Defaults to
                                                                        {@link JwtSession#IG_JWT_SESSION }.]
               "domain":           expression<String>       [OPTIONAL - Domain that cookie is applicable to. If not set,
                                                                        the cookie will be treated as a host-based cookie.]
               "path":             expression<String>       [OPTIONAL - Path to apply to the cookie.
                                                                        Defaults to {@literal "/" }.]
               "secure":           expression<boolean>      [OPTIONAL - Determines if the cookie is marked Secure, so
                                                                        that the browser only sends it over TLS.
                                                                        Defaults to {@code false}.]
               "httpOnly":         expression<boolean>      [OPTIONAL - httpOnly flag. Defaults to {@code true}.]
               "sameSite":         expression<enum>         [OPTIONAL - STRICT or LAX. Defaults to {@code null}
                                                                        (attribute not set).]
             },
             "sessionTimeout":     duration               [OPTIONAL - amount of time before the JWT session expires.
                                                                      Defaults to 30min. A duration of 0 is not valid,
                                                                      and it will be limited to a max of ~ 10 years.]
             "persistentCookie":   expression<boolean>    [OPTIONAL - specifies whether the supporting cookie will have
                                                                      an {@literal Expires} attribute (persistent cookie)
                                                                      or not (session cookie). The expiration value is
                                                                      based on the {@literal sessionTimeout} value.
                                                                      Defaults to {@code false}.]
             "authenticatedEncryptionSecretId":           [OPTIONAL - The secret ID of the encryption key
                                  expression<secret-id>               used to perform authenticated encryption on the JWT.
                                                                      If not set, a key is generated automatically.]
             "encryptionMethod":  String                  [OPTIONAL - The standard name of the JWE content encryption
                                                                      algorithm ("enc") used for authenticated encryption.
                                                                      See RFC 7518 section 5.1 and (1) below.
                                                                      Defaults to A256GCM.]
             "skewAllowance":     expression<duration>    [OPTIONAL - The skew allowance to use for temporal validation
                                                                      on the {@link JwtSession}.]
           }
        }
     
    Example:
    {
        "name": "JwtSession",
        "type": "JwtSession",
        "config": {
            "cookie": {
                "name": "IG",
                "domain": ".example.com",
                "path": "/",
                "secure": false,
                "httpOnly": true
            },
            "sessionTimeout": "30 minutes",
            "persistentCookie": true,
            "authenticatedEncryptionSecretId": "encryption.key.id"
        }
    }
     
    All the session configuration is optional: if you omit everything, the appropriate keys will be generated and the cookie name used will be JwtSession.IG_JWT_SESSION. Two defaults deserve an explicit value in any deployment reachable over HTTP: secure defaults to false, so the browser also sends the session cookie on plaintext requests, and sameSite defaults to null, so the cookie carries no SameSite attribute.

    The authenticatedEncryptionSecretId is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to perform authenticated encryption on the JWT. Because authenticated encryption provides integrity as well as confidentiality, this single key replaces the separate encryption and signature keys described below, and the attribute takes precedence over encryptionSecretId, alias and signatureSecretId.

    The following attributes are still accepted but deprecated:

    The passwordSecretId [Deprecated since 7.0] is the label of a Purpose using the Commons Secrets API that specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified.

    The password [Deprecated since 6.5 in favor of passwordSecretId] is a static expression attribute that specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified. NOTE: if both password and passwordSecretId are provided, passwordSecretId takes precedence.

    The encryptionSecretId [Deprecated in 7.0 - use authenticatedEncryptionSecretId] is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to encrypt the JWT.

    Alternatively, when a KeyStore is specified, the alias [Deprecated in 7.0 - use authenticatedEncryptionSecretId] string attribute specifies the name of the private key to obtain from the KeyStore. It is only required when a keystore is specified.

    The signatureSecretId [Deprecated in 7.0 - use authenticatedEncryptionSecretId] is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to sign and verify the JWTs and is expected to be Base64 encoded. If unspecified, random key material is generated. JWTs are always signed.

    The cookieName [Deprecated since 7.0 in favor of cookie] optional string attribute specifies the name of the cookie used to store the encrypted JWT.

    The cookieDomain [Deprecated since 7.0 in favor of cookie] optional string attribute specifies the domain of the cookie used to store the encrypted JWT. If not set, the cookie will be treated as a host-based cookie.

    (1) The encryptionMethod must be one of the six standard JWE content encryption algorithms registered in RFC 7518 section 5.1 (JWE Encryption Methods): A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM or A256GCM.
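    The settings above determine what the browser receives and how the session's lifetime is checked. The following Python script is an added example, not IG code: it renders the Set-Cookie header a JwtSession config implies (including the Expires value that persistentCookie derives from sessionTimeout), flags the defaults a reviewer would question, and applies a skewAllowance to the exp/nbf checks. It parses only a subset of the IG duration grammar and assumes a string value for JwtSession.IG_JWT_SESSION, which this page does not show; the configuration is constructed from the example above with sameSite and skewAllowance added.

```python
"""Added example (not IG code): render the Set-Cookie header and the temporal
checks that follow from a JwtSession config, and flag weak cookie defaults."""
import copy
import json
import re
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample, mirroring the page's example (skewAllowance added here).
SAMPLE_CONFIG = json.loads("""
{
  "name": "JwtSession",
  "type": "JwtSession",
  "config": {
    "cookie": {"name": "IG", "domain": ".example.com", "path": "/",
               "secure": false, "httpOnly": true},
    "sessionTimeout": "30 minutes",
    "persistentCookie": true,
    "skewAllowance": "1 minute"
  }
}
""")

# Same config with the two weak defaults corrected.
HARDENED_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
HARDENED_CONFIG["config"]["cookie"].update({"secure": True, "sameSite": "STRICT"})

# Assumption: the string value of JwtSession.IG_JWT_SESSION is not shown on the page.
DEFAULT_COOKIE_NAME = "IG_JWT_SESSION"
DEFAULT_SESSION_TIMEOUT = "30 minutes"

_UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60, "min": 60,
          "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def parse_duration(text):
    """Parse '30 minutes'-style durations to seconds. Only this subset of the
    IG duration grammar is handled (assumption); 0 is rejected as on the page."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError("unsupported duration: %r" % text)
    seconds = int(m.group(1)) * _UNITS[m.group(2).lower()]
    if seconds == 0:
        raise ValueError("a duration of 0 is not valid")
    return seconds


def session_claims(cfg, now):
    """exp is sessionTimeout after issue; skewAllowance is checked against it."""
    timeout = parse_duration(cfg["config"].get("sessionTimeout", DEFAULT_SESSION_TIMEOUT))
    return {"iat": now, "exp": now + timeout}


def set_cookie_header(cfg, token, now):
    """Build the Set-Cookie value the config implies (token = the encrypted JWT)."""
    conf = cfg["config"]
    cookie = conf.get("cookie", {})
    parts = ["%s=%s" % (cookie.get("name", DEFAULT_COOKIE_NAME), token)]
    if cookie.get("domain"):
        parts.append("Domain=" + cookie["domain"])
    parts.append("Path=" + cookie.get("path", "/"))
    if conf.get("persistentCookie", False):
        # persistentCookie: Expires is derived from sessionTimeout, like exp.
        when = datetime.fromtimestamp(session_claims(cfg, now)["exp"], timezone.utc)
        parts.append("Expires=" + format_datetime(when, usegmt=True))
    if cookie.get("secure", False):
        parts.append("Secure")
    if cookie.get("httpOnly", True):
        parts.append("HttpOnly")
    if cookie.get("sameSite") is not None:        # STRICT / LAX -> Strict / Lax
        parts.append("SameSite=" + cookie["sameSite"].capitalize())
    return "; ".join(parts)


def audit_cookie(cfg):
    """Return the weak settings a reviewer would raise on this config."""
    cookie = cfg["config"].get("cookie", {})
    findings = []
    if not cookie.get("secure", False):
        findings.append("secure=false: session cookie is also sent over plaintext HTTP")
    if not cookie.get("httpOnly", True):
        findings.append("httpOnly=false: session cookie is readable by page scripts")
    if cookie.get("sameSite") is None:
        findings.append("sameSite unset: no SameSite attribute on the session cookie")
    return findings


def temporally_valid(claims, now, skew_seconds):
    """exp/nbf checks with the skewAllowance applied in the lenient direction."""
    if "exp" in claims and now > claims["exp"] + skew_seconds:
        return False
    if "nbf" in claims and now < claims["nbf"] - skew_seconds:
        return False
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    for label, cfg in (("page example", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", set_cookie_header(cfg, "<encrypted-jwt>", now))
        for finding in audit_cookie(cfg):
            print("  WARN", finding)
    skew = parse_duration(SAMPLE_CONFIG["config"]["skewAllowance"])
    claims = session_claims(SAMPLE_CONFIG, now)
    print("valid 30s past exp:", temporally_valid(claims, claims["exp"] + 30, skew))
    print("valid 90s past exp:", temporally_valid(claims, claims["exp"] + 90, skew))
```

    Running it side by side on the page's example and the hardened copy shows the practical difference: the first header has no Secure or SameSite attribute, the second ends in "Secure; HttpOnly; SameSite=Strict", and the same 30-minute sessionTimeout drives both the exp claim and the cookie's Expires date. The skew check accepts a token up to skewAllowance past exp (and up to skewAllowance before nbf), so a large allowance directly extends how long a captured cookie stays usable.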

    Since:
    3.1
    • Field Detail

      • DEFAULT_SESSION_TIMEOUT

        public static final String DEFAULT_SESSION_TIMEOUT
        Default sessionTimeout duration.
        See Also:
        Constant Field Values
    • Constructor Detail

      • JwtSessionManagerHeaplet

        public JwtSessionManagerHeaplet()
    • Method Detail