Passing a map as the template parameter for JwtBuilderFilter

This topic contains 5 replies, has 2 voices, and was last updated by  violette 2 weeks, 4 days ago.

  • #23248
     acwest 
    Participant

    IG 6.1 has added JwtBuilderFilter, but I am having problems configuring it properly. In an earlier filter in my filter chain, I have added a map of claims I wish to use as the claims for the JWT token. For example: (in a Groovy ScriptableFilter)

    
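    // Store the claims map in the request attributes so later filters can read it
    attributes.jwtClaims = new java.util.LinkedHashMap()
    attributes.jwtClaims.put("claim1", "value1")
    attributes.jwtClaims.put("claim2", "value2")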
    
    return next.handle(context, request)
    

    In my route config json, I have a filter:

    
    {
      "type": "JwtBuilderFilter",
      "config": {
        "template": "${attributes.jwtClaims}"
      }
    }
    

    Unfortunately, this produces an error:

    
    2018-09-21T19:19:30,960Z | ERROR | localhost-startStop-1 | o.f.o.h.r.RouterHandler | @system | The file '/usr/share/tomcat7/.openig/config/routes/04-pep.json' is not a valid route configuration.
    org.forgerock.json.JsonValueException: /handler/config/bindings/1/handler/config/filters/1/config/delegate/config/template: Expecting a java.util.Map
    	at org.forgerock.json.JsonValue.expect(JsonValue.java:762)
    	at org.forgerock.json.JsonValue.asMap(JsonValue.java:554)
    	at org.forgerock.openig.filter.JwtBuilderFilter$Heaplet.create(JwtBuilderFilter.java:175)....
    

    If, on the other hand, I use this template:

    
    {
      "type": "JwtBuilderFilter",
      "config": {
        "template": {
          "jwtClaims": "${attributes.jwtClaims}",
          "className": "${attributes.jwtClaims.getClass().getName()}"
        }
      }
    }
    

    Then the filter works, and produces a JWT Token containing:

    
    {
      "jwtClaims": {
        "claim1": "value1",
        "claim2": "value2"
      },
      "className": "java.util.LinkedHashMap"
    }
    

    What I WANT, but can’t find any way to produce, is a JWT Token containing:

    
    {
      "claim1": "value1",
      "claim2": "value2"
    }
    
    #23263
     acwest 
    Participant

    I have slightly more information now. It appears that when passing a bare map as an argument:

    
    "template": "${attributes.jwtClaims}"
    

    then template is of type: org.codehaus.groovy.runtime.NullObject. This doesn’t really explain why this is happening, though.

    #23267
     acwest 
    Participant

    Another question that has come up: if you are configuring this to sign the JWT tokens, the documentation states that you need to add a section to the config:

    
    "signature" : {
      "keystore": "myKeyStore",
      "alias": "myAlias",
      "password": "myPassword",
      "algorithm": "HS384"
    }
    

    It doesn’t specify what, exactly, myKeyStore is, however. It does not appear to be a file system path: if I specify “/var/lib/tomcat7/conf/keystore.jks”, for example, the response is:

    
    org.forgerock.json.JsonValueException: /handler/config/bindings/1/handler/config/filters/2/config/delegate/config/signature/keystore: Object /var/lib/tomcat7/conf/keystore.jks (evaluated from /var/lib/tomcat7/conf/keystore.jks) not found in heap
    

    Edited: I managed to find an example of a Keystore elsewhere in the documentation. In this case, the correct form would be:

    
    "signature" : {
      "keystore": {
        "type": "KeyStore",
        "config": {
          "url": "file:///var/lib/tomcat7/conf/keystore.jks",
          "type": "JKS",
          "password": "myPassword"
        }
      },
      "alias": "myAlias",
      "password": "myPassword",
      "algorithm": "HS384"
    }
    

    • This reply was modified 2 months, 2 weeks ago by  acwest.
    #23269
     violette 
    Participant

    Hi acwest,

    Indeed, for now the JwtBuilderFilter is unable to retrieve data as a Map from an expression, like you did in your example: "template": "${attributes.jwtClaims}"

    This could be a nice improvement. I suggest you post an RFE on
    https://bugster.forgerock.org/jira/projects/OPENIG/ about this, if you have time.

    For the KeyStore object, here is the link to the doc:
    https://backstage.forgerock.com/docs/ig/6.1/reference/#KeyStore

    But you already found how to configure it ;)

    #23288
     violette 
    Participant

    Hi,

    I created https://bugster.forgerock.org/jira/browse/OPENIG-3094 for this issue.

    Thanks,

    #23961
     violette 
    Participant

    For info, the issue above has been solved and the ability to define the "template" attribute as an expression will be possible in IG 6.5.
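
Added example, not part of the thread and not ForgeRock code: a relying-party check in Python that shows why the flat payload matters. With the nested workaround template from the first post, a consumer that expects claim1 and claim2 at the top level of the payload does not find them, even though the HS384 signature verifies. The signer is a constructed stand-in for the gateway; the secret, the function names and the REQUIRED list are assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs384(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the gateway: compact JWS signed with HMAC-SHA384."""
    header = b64url(json.dumps({"alg": "HS384", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha384).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_hs384(token: str, secret: bytes) -> dict:
    """Return the payload only if the header says HS384 and the MAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS384":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha384).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def missing_claims(claims: dict, required: tuple) -> list:
    """Names from `required` that are absent at the top level of the payload."""
    return [name for name in required if name not in claims]

SECRET = b"constructed-demo-secret"   # sample value, not from the thread
REQUIRED = ("claim1", "claim2")       # assumption: what the consumer expects
# Payload the poster wanted, and the payload the workaround template produced.
flat = sign_hs384({"claim1": "value1", "claim2": "value2"}, SECRET)
nested = sign_hs384({"jwtClaims": {"claim1": "value1", "claim2": "value2"},
                     "className": "java.util.LinkedHashMap"}, SECRET)

if __name__ == "__main__":
    for label, token in (("flat", flat), ("nested", nested)):
        claims = verify_hs384(token, SECRET)
        print(label, "missing:", missing_claims(claims, REQUIRED))
```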
