Validating the incoming tokens

Validate the incoming "subject_token" and, if one is present, the optional "actor_token".

Procedure

  1. Validate the OAuth/OIDC opaque token.

    A "subject_token" or "actor_token" whose type is urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:refresh_token might be an OAuth/OIDC opaque token that was generated by the authorization server.

    You can use utilities such as OAuthMappingExtUtils.getToken(tokenId) to verify whether such a token exists in the token cache, and OAuthMappingExtUtils.retrieveAllAssociations(stateId) to retrieve any other attributes that are associated with the opaque token.

  2. Use the STS Chain to validate "subject_token" and/or "actor_token".

    STS Chains can validate many kinds of tokens. Verify Identity Access supports validation of token types such as IvCred, SAML, STSUU, and JWT. For more information about creating an STS Chain, see Configuring STS modules.

    To use the STS Chain to validate a token, refer to the following example:
    // Send a WS-Trust Validate request to the local STS. The appliesTo value
    // (here the actor_token_type) and the issuer select the STS Chain that
    // processes the request; baseElement is the token to validate.
    var claims =
        LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate",
            actor_token_type,   // appliesTo
            issuer,             // token issuer
            baseElement,        // token to validate
            null);              // no additional claims element

    Choose the issuer and appliesTo of the STS Chain as required. For example, set the issuer to the token issuer and set the appliesTo to the subject_token_type or actor_token_type.

    In Verify Identity Access, for example, you can extract the issuer with OAuthMappingExtUtils.extractIssuer(token, token_type). This utility currently supports only JWT (issuer taken from the iss claim) and SAML (issuer taken from the Issuer node).

  3. Throw an exception.
    When you validate the incoming token, validation errors might occur. When the call to the STS returns an error (for example, an invalid signature or a nonexistent STS Chain), throw an exception. You can throw an exception for such scenarios by using the following example:
    OAuthMappingExtUtils.throwSTSCustomUserPageException("The subject_token verification failed.", 400, "invalid_request");
    The same method can also be used if you choose not to support the specified resource or audience. For example:
    OAuthMappingExtUtils.throwSTSCustomUserPageException("The audience or resource is not valid.", 400, "invalid_target");
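The three steps above combined into one validation function, as an added example that is not part of the Verify Identity Access documentation. It assumes the runtime calls are passed in through an env object (getToken, retrieveAllAssociations, extractIssuer, doRequest and fail, mirroring the OAuthMappingExtUtils and LocalSTSClient methods named above), that a cached opaque token record exposes a stateId, and that doRequest returns an object with errorMessage and resultElement; the fakeEnv at the bottom is a constructed stand-in for offline testing, not the product API.

```javascript
// Added example (not from the Verify Identity Access documentation): the three
// steps above as one function. `env` carries the hooks that a real mapping rule
// gets from OAuthMappingExtUtils and LocalSTSClient; `fakeEnv` at the bottom is
// a constructed stand-in so the control flow can be exercised offline.
const OPAQUE_TYPES = new Set([
  "urn:ietf:params:oauth:token-type:access_token",
  "urn:ietf:params:oauth:token-type:refresh_token",
]);
const JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt";
const STS_VALIDATE = "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate";

function validateIncomingToken(token, tokenType, env, tokenName) {
  const name = tokenName || "subject_token";
  if (!token || !tokenType) {
    env.fail("The " + name + " is missing.", 400, "invalid_request");
  }
  if (OPAQUE_TYPES.has(tokenType)) {
    // Step 1: an opaque OAuth/OIDC token is valid only if it is in the token cache.
    const cached = env.getToken(token);
    if (cached == null) {
      env.fail("The " + name + " verification failed.", 400, "invalid_request");
    }
    return { source: "cache", attributes: env.retrieveAllAssociations(cached.stateId) };
  }
  // Step 2: other token types go to the STS Chain selected by issuer and appliesTo.
  const issuer = env.extractIssuer(token, tokenType);
  const result = env.doRequest(STS_VALIDATE, tokenType, issuer, token, null);
  if (result.errorMessage != null) {
    // Step 3: any STS error (bad signature, unknown issuer, no chain) is reported
    // to the client as invalid_request without exposing the STS detail.
    env.fail("The " + name + " verification failed.", 400, "invalid_request");
  }
  return { source: "sts", claims: result.resultElement };
}

// Constructed fake runtime: one cached opaque token and one JWT STS Chain.
const fakeEnv = {
  cache: { "opaque-abc": { stateId: "state-1" } },
  getToken(id) { return this.cache[id] || null; },
  retrieveAllAssociations(stateId) { return { stateId, scope: "openid" }; },
  extractIssuer(token, type) { return type === JWT_TYPE ? "https://issuer.example" : null; },
  doRequest(reqType, appliesTo, issuer, base) {
    const ok = issuer === "https://issuer.example" && appliesTo === JWT_TYPE && base === "good.jwt";
    return ok ? { errorMessage: null, resultElement: { sub: "alice" } }
              : { errorMessage: "constructed: no chain or token invalid", resultElement: null };
  },
  fail(message, status, error) { throw Object.assign(new Error(message), { status, error }); },
};
```

Inside a real mapping rule, replace fakeEnv with thin wrappers around the OAuthMappingExtUtils and LocalSTSClient calls, with fail delegating to throwSTSCustomUserPageException.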