
AccessTokenAuthenticator Authenticator Plug-in

https://img.shields.io/badge/quality-production-green https://img.shields.io/badge/availability-binary-blue

A custom Authenticator plugin for the Curity Identity Server.

Warning

This plugin can only be used to authenticate users via HAAPI, hence the OAuth client initiating authorization MUST be a confidential client with the HAAPI capability.

If a user tries to run an authentication flow with this authenticator from a browser, they will see an error.

Overview

This plugin allows users to authenticate using HAAPI assuming they have already obtained an access token via other means.

That allows a form of token exchange where the end user may be prompted to consent to upscoping, for example.

The following configuration settings are available:

  • required-issuer - required token issuer.
  • required-audience - required token audience. Optional.
  • required-scopes - required token scopes. Optional.
  • required-purpose - required token purpose. Default: access_token. If set to a blank string, this will be ignored.
  • subject-claim-name - the name of the subject claim. Default: sub.
  • allowed-oauth-client-ids - the allowed OAuth clients. If empty, any confidential HAAPI client will be allowed.
  • key-verification/id - ID of an existing token signature verification key.

Note

OAuth clients added to the allowed-oauth-client-ids list must be confidential clients. Public clients will be rejected when trying to use this authenticator, even if they are on the list. This is to ensure that only a limited set of OAuth clients, ones that the authorization server trusts, will have the power to obtain sensitive tokens on behalf of end users.

This limitation applies only to the client that runs an authentication flow with this authenticator. The access token used as the input to this authenticator can be obtained by any OAuth client, even a public one.
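The settings and notes above describe a policy: which OAuth client may run the flow, and which claims the incoming access token must carry. The following Python is an added illustration of that policy and is not the plugin's code (the real plugin is a Java plugin for the Curity Identity Server). It assumes the token's signature has already been verified with the configured key-verification/id and that the purpose is carried as a top-level `purpose` claim; the issuer, client id and claim values are constructed sample data.

```python
"""Model of the checks implied by the access-token-authenticator settings.

Added example, not the plugin's own code. Input is the decoded claim set of an
already signature-verified access token plus a description of the HAAPI client
that is running the authentication flow.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet, Set


@dataclass(frozen=True)
class AuthenticatorConfig:
    required_issuer: str                                   # required-issuer
    required_audience: Optional[str] = None                # required-audience (optional)
    required_scopes: FrozenSet[str] = frozenset()          # required-scopes (optional)
    required_purpose: str = "access_token"                 # required-purpose; "" disables the check
    subject_claim_name: str = "sub"                        # subject-claim-name
    allowed_oauth_client_ids: FrozenSet[str] = frozenset() # empty = any confidential HAAPI client


@dataclass(frozen=True)
class OAuthClient:
    client_id: str
    confidential: bool   # public clients are rejected even when listed
    haapi_capable: bool  # the flow only works for clients with the HAAPI capability


def _audiences(claims: dict) -> Set[str]:
    # RFC 7519 allows "aud" to be a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        return set()
    return {aud} if isinstance(aud, str) else set(aud)


def _scopes(claims: dict) -> Set[str]:
    # "scope" is usually a space-separated string, sometimes an array.
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def check_client(config: AuthenticatorConfig, client: OAuthClient) -> Optional[str]:
    """Return None if the client may run this authenticator, otherwise the reason."""
    if not client.haapi_capable:
        return "client lacks the HAAPI capability"
    if not client.confidential:
        return "public clients are rejected even if listed"
    if config.allowed_oauth_client_ids and client.client_id not in config.allowed_oauth_client_ids:
        return "client not in allowed-oauth-client-ids"
    return None


def authenticate(config: AuthenticatorConfig, client: OAuthClient,
                 claims: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (subject, None) on success or (None, reason) on rejection."""
    reason = check_client(config, client)
    if reason:
        return None, reason
    if claims.get("iss") != config.required_issuer:
        return None, "issuer mismatch"
    if config.required_audience and config.required_audience not in _audiences(claims):
        return None, "audience mismatch"
    missing = config.required_scopes - _scopes(claims)
    if missing:
        return None, "missing scopes: " + ", ".join(sorted(missing))
    if config.required_purpose and claims.get("purpose") != config.required_purpose:
        return None, "purpose mismatch"
    subject = claims.get(config.subject_claim_name)
    if not subject:
        return None, f"missing subject claim {config.subject_claim_name!r}"
    return subject, None


# Constructed sample data (not real issuers, clients or tokens).
SAMPLE_ISSUER = "https://idsvr.example.com/oauth/v2/oauth-anonymous"
SAMPLE_CONFIG = AuthenticatorConfig(
    required_issuer=SAMPLE_ISSUER,
    required_audience="api.example.com",
    required_scopes=frozenset({"openid", "read"}),
    allowed_oauth_client_ids=frozenset({"haapi-mobile-app"}),
)
SAMPLE_CLIENT = OAuthClient("haapi-mobile-app", confidential=True, haapi_capable=True)
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": ["api.example.com", "other.example.com"],
    "scope": "openid read",
    "purpose": "access_token",
    "sub": "alice",
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_CONFIG, SAMPLE_CLIENT, SAMPLE_CLAIMS))
    public = OAuthClient("haapi-mobile-app", confidential=False, haapi_capable=True)
    print(authenticate(SAMPLE_CONFIG, public, SAMPLE_CLAIMS))
```

The client check runs before any claim check, mirroring the note: a public client is refused even when its id is on the list, while the token itself may have been issued to any client, public or not, because only its claims are inspected here.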

Access Token Authenticator Configuration

Building the Plugin

Build the plugin by issuing the command mvn package. This will produce a JAR file in the target directory, which can be installed.

Installing the Plugin

To install the plugin, copy the compiled JAR and the JARs of the dependencies not provided by the Curity Identity Server from the target directory into :file:`${IDSVR_HOME}/usr/share/plugins/AccessTokenAuthenticator`. ${IDSVR_HOME} is the installation folder of the Curity Identity Server. Inside a Docker container that uses an official image of the Curity Identity Server, the installation directory is /opt/idsvr. Make sure to copy the JARs on each node that runs the Curity Identity Server, including the admin node. Restart the Curity Identity Server so that it can load the plugin. For more information about installing plugins, refer to curity.io/plugins.

Required Dependencies

For a list of the dependencies and their versions, run mvn dependency:list. Ensure that all of these are installed in the plugin directory, except for the JARs provided by the Curity Identity Server (you can find the provided dependencies in the documentation). Otherwise, they will not be accessible to this plug-in and run-time errors will result.
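The build and install steps above, as an added shell example that is not part of the project. It assumes `mvn package` leaves the JARs to ship in `./target` and that you maintain a hand-written file (here `provided.txt`) listing the file names of JARs the Curity Identity Server already provides, taken from its documentation; those are skipped so they do not shadow the server's own copies.

```shell
#!/bin/sh
# Added example, not part of curityio/access-token-authenticator.

# Build the plugin and print its dependency list so it can be compared with the
# dependencies the Curity Identity Server provides.
build_plugin() {
    mvn package && mvn dependency:list
}

# install_plugin_jars TARGET_DIR IDSVR_HOME PROVIDED_LIST
# Copies every JAR from TARGET_DIR into the plugin directory under IDSVR_HOME,
# skipping file names listed (one per line) in PROVIDED_LIST.
# Run on every node, including the admin node, then restart the server.
install_plugin_jars() {
    target_dir=$1
    idsvr_home=$2
    provided_list=$3
    plugin_dir="$idsvr_home/usr/share/plugins/AccessTokenAuthenticator"
    mkdir -p "$plugin_dir" || return 1
    copied=0
    for jar in "$target_dir"/*.jar; do
        [ -f "$jar" ] || continue          # no match leaves the literal pattern
        name=$(basename "$jar")
        if grep -qxF "$name" "$provided_list"; then
            echo "skip (provided by idsvr): $name"
            continue
        fi
        cp "$jar" "$plugin_dir/" || return 1
        copied=$((copied + 1))
    done
    echo "copied $copied JAR(s) into $plugin_dir"
}

# Usage (assumed paths): build_plugin && install_plugin_jars ./target /opt/idsvr provided.txt
```

Inside an official Docker image IDSVR_HOME is /opt/idsvr, so the second argument would be that path there.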

More Information

Please visit curity.io for more information about the Curity Identity Server.

About

Authenticator that can authenticate based on pre-fetched access token.
