This example Token Procedure plugin implements an integration with OpenID AuthZEN conformant PDPs. As part of the token issuance process, the token procedure only issues access tokens based on the authorization response from an external PDP.
Installing the Plugin
Build the plugin by running the command `mvn package`. The command builds the JAR files for the plugin and places them in the `target/authzen-token-procedure` directory.
To install the plugin, copy the compiled JAR (and all of its dependencies) into a new directory in the plugins directory, e.g. `${IDSVR_HOME}/usr/share/plugins/authzen-token-procedure`, on each node, including the admin node. A restart of both the runtime node(s) and the admin node is required. For more information about installing plugins, refer to the Curity Plugin SDK.
Configuration
AuthZEN Token Procedure Configuration
The token procedure requires a few configuration parameters.
Authorization Configuration
Parameter | Type | Description | Default |
---|---|---|---|
Authorize Client | Boolean | When enabled, the client_id of the request is passed as a resource attribute in the request to the PDP. | False |
Authorize Scope | Boolean | When enabled, the scope(s) requested are passed as resource attributes to the PDP. | False |
PDP Configuration
Name | Type | Description | Example | Default |
---|---|---|---|---|
HttpClient | String | The ID of the HttpClient that the token procedure uses to call the OpenID AuthZEN PDP. | authzen-http-client | |
PDP Host | String | The hostname of the OpenID AuthZEN PDP. | authzen-pdp.example.com | localhost |
PDP Port | String | The port on which the OpenID AuthZEN PDP exposes its service. | 8443 | 443 |
PDP Path | String | The path of the OpenID AuthZEN PDP that accepts authorization requests. | /pdp | /access/v1/evaluation |
Enable the Token Procedure
To enable the plugin using the admin UI, go to your Token Service profile, then Endpoints. Locate the endpoint with type `oauth-token` and click in the Flows column.

Click on the dropdown under the Authorization Code or Client Credentials flow and select + New Plugin.

Limited Flows Supported
Currently, the plugin only supports the authorization code flow and client credentials flow.
Give the plugin a name, e.g. `authzen-token-procedure`, and select the AuthZEN Token Procedure.

Configure the needed parameters for authorization and PDP connection.

Commit the changes.
Using the Plugin
The plugin is invoked when a client requests an access token using either the authorization code flow or the client credentials flow, depending on where you assigned the token procedure. The plugin sends a request to the configured AuthZEN PDP to check whether to issue a token. The request is JSON encoded and follows the AuthZEN schema. The attributes in the request depend on the plugin configuration.
Example Request
The following is an example of a request sent to the AuthZEN PDP when using the Authorization Code Flow with both the Authorize Client and Authorize Scope options enabled (lines 6 and 7):

```json
{
  "resource": {
    "id": "AUTHORIZATION_CODE",
    "type": "api",
    "properties": {
      "clientId": "client-one",
      "scope": "openid foo"
    }
  },
  "subject": {
    "id": "alice",
    "type": "user"
  },
  "action": {
    "name": "can_issue",
    "properties": {
      "method": "POST"
    }
  }
}
```
Example Response
The response from the PDP is very simple since AuthZEN does not yet support obligations or additional context attributes in the response.
```json
{"decision": true}
```
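To make the exchange above concrete, the following Python script is an added example (it is not the plugin's own code, which is Java). It builds the evaluation request the same way the two configuration flags shape it, posts it to a PDP, and treats the reply in a fail-closed manner: only a JSON object whose `decision` is the boolean `true` permits issuance, while a malformed body, a non-200 status, a timeout or an unreachable PDP all count as a deny. The stub PDP served in-process on localhost and its allow-list are constructed for the demo; the `user` subject type, the `can_issue` action and the `AUTHORIZATION_CODE` resource id are taken from the page's example request, and the PDP path is the plugin's default.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import URLError

# Default value of the plugin's "PDP Path" parameter (from the configuration table).
EVALUATION_PATH = "/access/v1/evaluation"


def build_evaluation_request(resource_id, subject_id, client_id, scopes,
                             authorize_client, authorize_scope):
    """Model of the AuthZEN evaluation request the plugin sends.

    The two flags mirror the "Authorize Client" and "Authorize Scope"
    configuration parameters: each adds one property under
    resource.properties, as in the page's example request. The subject
    type "user" and the action name/method are taken from that example.
    """
    properties = {}
    if authorize_client:
        properties["clientId"] = client_id
    if authorize_scope:
        properties["scope"] = " ".join(scopes)
    return {
        "resource": {"id": resource_id, "type": "api", "properties": properties},
        "subject": {"id": subject_id, "type": "user"},
        "action": {"name": "can_issue", "properties": {"method": "POST"}},
    }


def parse_decision(body):
    """Fail closed: only a JSON object with a boolean true "decision" permits.

    The string "true", the number 1, a missing key, a JSON array or an
    unparsable body all deny.
    """
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and obj.get("decision") is True


def ask_pdp(url, evaluation_request, timeout=2.0):
    """POST the request to the PDP; True only on an explicit permit.

    Any transport error, timeout or non-200 status is treated as a deny.
    """
    data = json.dumps(evaluation_request).encode("utf-8")
    req = urlrequest.Request(url, data=data, method="POST",
                             headers={"Content-Type": "application/json"})
    try:
        with urlrequest.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            return parse_decision(resp.read())
    except (URLError, OSError, ValueError):
        return False


class StubPdp(BaseHTTPRequestHandler):
    """Constructed stand-in for a PDP: a client may only get scopes on its allow-list."""

    ALLOWED_SCOPES = {"client-one": {"openid", "foo"}}  # constructed policy data

    def do_POST(self):
        if self.path != EVALUATION_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        evaluation = json.loads(self.rfile.read(length))
        props = evaluation["resource"]["properties"]
        allowed = self.ALLOWED_SCOPES.get(props.get("clientId"), set())
        requested = set(props.get("scope", "").split())
        body = json.dumps({"decision": requested <= allowed}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub_pdp():
    server = HTTPServer(("127.0.0.1", 0), StubPdp)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run two token requests through the stub PDP; returns (permitted, denied)."""
    server = start_stub_pdp()
    url = f"http://127.0.0.1:{server.server_port}{EVALUATION_PATH}"
    permitted = ask_pdp(url, build_evaluation_request(
        "AUTHORIZATION_CODE", "alice", "client-one", ["openid", "foo"], True, True))
    denied = ask_pdp(url, build_evaluation_request(
        "AUTHORIZATION_CODE", "alice", "client-one", ["openid", "admin"], True, True))
    server.shutdown()
    return permitted, denied


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, False)`: the first request carries only allow-listed scopes and is permitted, the second asks for `admin` and is denied. Note what the stub can and cannot see: with Authorize Client or Authorize Scope disabled, the corresponding property never reaches the PDP, so a policy keyed on the client or on scopes has nothing to evaluate. The plugin's configuration flags therefore decide what the PDP is able to enforce.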