com.ibm.wsspi.security.oauth20

Interface UserCredentialResolver



  • public interface UserCredentialResolver
    Create the SPI interface of com.ibm.wsspi.security.oauth.UserCredentialResolver The UserCredentialResolver maps the Access token to the user credentials in the Subject. The UserCredentialResolver has to be implemented as a single Liberty Service or User Feature in the Liberty Server and multiple UserCredentialResolver services or features will result in unpredictable behavior. 1) If the mapIdentityToRegistryUser attribute in the OpenID Connect Client configuration is set to "true", then only mapToUser method will be called. The other methods, such as: mapToGroups, mapToUserUniqueID and mapToRealm will be ignored. 2) If the mapIdentityToRegistryUser attribute in the OpenID Connect Client configuration is set to "false" , then the valid values (must be non null and non empty string) returned from mapToUser, mapToGroups, mapToUserUniqueID and mapToRealm will be used. We do not need the User Registry in this case. 3) An invalid value returned from these APIs will be ignored and the authentication process will continue with the defaults. For example, if the mapToUser returns an empty or null string, then the runtime will try to get the user name from the authentication token using the claim name which is set by the userIdentifier attribute or the default claim "sub".
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      java.util.List<java.lang.String> mapToGroups(java.lang.String tokenString)
      This method is for mapping the authentication token with the list of groups.
      java.lang.String mapToRealm(java.lang.String tokenString)
      This method is for mapping the authentication token with the Realm.
      java.lang.String mapToUser(java.lang.String tokenString)
      This method is for mapping the authentication token with the user name.
      java.lang.String mapToUserUniqueID(java.lang.String tokenString)
      This method is for mapping the authentication token with the user unique ID.
    • Method Detail

      • mapToUser

        java.lang.String mapToUser(java.lang.String tokenString)
                                   throws UserIdentityException
        This method is for mapping the authentication token with the user name. A valid user name cannot be null or empty.
        Parameters:
        tokenString - -- the oAuth authentication token string in the JSON format. Example: {"exp":1460058764,"sub":"testuser","realmName":"BasicRealm","scope":"openid scope2 scope1","grant_type":"refresh_token","iss":"http:\/\/localhost:8940\/oidc\/endpoint\/tokenissuer","uniqueSecurityName":"testuser","active":true,"token_type":"Bearer","client_id":"client01","iat":1460058759}
        Returns:
        string -- the user name. If this value is null or empty, then the runtime will resolve the user name using the default. For example, runtime will try to get the user information using the "sub" claim in the token.
        Throws:
        UserIdentityException - - authentication process will fail
      • mapToGroups

        java.util.List<java.lang.String> mapToGroups(java.lang.String tokenString)
                                                     throws UserIdentityException
        This method is for mapping the authentication token with the list of groups. A valid list of groups cannot be null or empty. This method is ignored when the mapIdentityToRegistryUser is set to "true".
        Parameters:
        tokenString - -- the oAuth authentication token string in the JSON format. Example: {"sub":"testuser","iss":"http:\/\/localhost:8940\/oidc\/endpoint\/tokenissuer","groupIds":[ "testuserdepartment","administrators" ]}
        Returns:
        ArrayList -- the list of groups. If this value is null or empty, then the runtime will resolve the user name using the default. For example, runtime will try to get the group information using the "groupIds" claim in the token.
        Throws:
        UserIdentityException - -- authentication process will fail.
      • mapToUserUniqueID

        java.lang.String mapToUserUniqueID(java.lang.String tokenString)
                                           throws UserIdentityException
        This method is for mapping the authentication token with the user unique ID. A valid user unique ID cannot be null or empty. This method is ignored when the mapIdentityToRegistryUser is set to "true".
        Parameters:
        tokenString - -- the oAuth authentication token string in the JSON format. Example: {"exp":1460058764,"sub":"testuser","realmName":"BasicRealm","scope":"openid scope2 scope1","grant_type":"refresh_token","iss":"http:\/\/localhost:8940\/oidc\/endpoint\/tokenissuer","uniqueSecurityName":"testuser","active":true,"token_type":"Bearer","client_id":"client01","iat":1460058759}
        Returns:
        string -- a valid user unique ID. If this value is null or empty, then the runtime will resolve the unique user id using the default. For example, runtime will try to get the unique user id using the "uniqueSecurityName" claim in the token.
        Throws:
        UserIdentityException - -- authentication process will fail.
      • mapToRealm

        java.lang.String mapToRealm(java.lang.String tokenString)
                                    throws UserIdentityException
        This method is for mapping the authentication token with the Realm. A valid Realm cannot be null or empty. This method is ignored when the mapIdentityToRegistryUser is set to "true".
        Parameters:
        tokenString - -- the oAuth authentication token string in the JSON format. Example: {"exp":1460058764,"sub":"testuser","realmName":"BasicRealm","scope":"openid scope2 scope1","grant_type":"refresh_token","iss":"http:\/\/localhost:8940\/oidc\/endpoint\/tokenissuer","uniqueSecurityName":"testuser","active":true,"token_type":"Bearer","client_id":"client01","iat":1460058759}
        Returns:
        string -- a valid Realm. If this value is null or empty, then the runtime will resolve the unique user id using the default. For example, runtime will try to get the realm information using the OpenID Connect Client configuration attribute "realmName" or the "realmName" claim in the token.
        Throws:
        UserIdentityException - -- authentication process will fail.