Token Procedure Plugins
The Curity Identity Server uses token procedures to issue tokens (see Token Issuers).
These procedures can be defined as JavaScript scripts, described on Script Token Procedures, or as SDK plugins, as documented on this page.
To see all types of SDK plugins available in the Curity Identity Server, see Plugin Types.
A token procedure plugin is an SDK plugin providing one or more procedures. Token procedures provided via plugins are specific to an endpoint (e.g. token endpoint) and to a flow on that endpoint (e.g. authorization code grant), as illustrated in the following table:
| Endpoint | Flow | Procedure Type |
|---|---|---|
| Authorization Endpoint | Authorization Code | AuthorizeCodeTokenProcedure |
| Authorization Endpoint | Hybrid | OpenIdAuthorizeEndpointHybridTokenProcedure |
| Authorization Endpoint | Implicit | AuthorizeImplicitTokenProcedure |
| Device Authorization Endpoint | Device Authorization | DeviceAuthorizationTokenProcedure |
| Introspection Endpoint | Introspection | IntrospectionTokenProcedure |
| Introspection Endpoint | Introspection using JWT | IntrospectionApplicationJwtTokenProcedure |
| Token Endpoint | Assertion Token | AssertionTokenProcedure |
| Token Endpoint | Authorization Code | AuthorizationCodeTokenProcedure |
| Token Endpoint | CIBA | BackchannelAuthenticationTokenProcedure |
| Token Endpoint | Client Credentials | ClientCredentialsTokenProcedure |
| Token Endpoint | Device Code | DeviceCodeTokenProcedure |
| Token Endpoint | Refresh Token | RefreshTokenProcedure |
| Token Endpoint | Resource Owner Password Credential | RopcTokenProcedure |
| Token Endpoint | Token Exchange | TokenExchangeTokenProcedure |
| Token Endpoint | Pre-Authorized Code [1] | PreAuthorizedCodeTokenProcedure |
| Assisted Token Endpoint | Assisted Token | AssistedTokenProcedure |
| UserInfo Endpoint | UserInfo | OpenIdUserInfoTokenProcedure |
A token plugin can provide zero or one procedure for each one of the above types.
Configuring and using Token Procedure Plugins
Token plugins are configured on a token service profile, more specifically on the token-procedure-plugins list.
The following two figures illustrate listing and adding a token procedure plugin.


Once a token procedure plugin is configured on a token service profile, it can be used by an endpoint of that same token service profile by setting the plugin identifier (e.g. example-procedure-plugin-1) on the endpoint configuration (e.g. authorization endpoint configuration).
The following figure illustrates using the procedure provided by the example-procedure-plugin-1 on the authorization endpoint and for the authorization code flow.

Note that this association is only possible if the token procedure plugin contains a token procedure of the type required by the endpoint and flow being configured. Note also that it is not necessary to select which internal procedure to use from the plugin, since a token procedure plugin can contain at most one procedure of each type.
Footnotes
1. The support for the pre-authorized code flow is experimental. See related documentation for more information.