...

  • Implicit Flow
  • Authorization Code Flow
  • Authorization Code with PKCE Extension
  • Hybrid Flow
  • Refresh Token 
  • Client Credentials Flow
  • Resource Owner Password Credentials
  • Token Introspection / Revocation
  • Token Exchange

For each scope, you can configure which attributes are added to the various types of tokens, ID Token, Access Token and Userinfo JSON.

...

For each individual token, you can specify the following settings:


Configuration for each token is stored as a JSON object in the tokens JSON array within the federation's JSON.

...

Tip: Input to Scripts

For the 3 script types above, see the code completion in the editor for detailed information about which variables are available to the script.

At a high level, this is:

  • context
    Context containing other variables available to the script
  • context.configuredToken
    Contains the token configuration.
    See each field in the code completion help.
  • context.jo
    Parsed JSON object
  • context.json
    JSON (as a string) object containing the input token
  • context.session
    Contains Ceptor's internal session for the user the token is created for - this contains all the information available about the authenticated user.
    Details about each field available in the code completion.

The script can return a modified token / JSON userinfo as a string.

Example:

Code Block (JavaScript): Script to modify Access Token / ID Token or Userinfo

function modifyToken() {
    // context.json holds the token (or userinfo) as a JSON string
    var token = JSON.parse(context.json);

    // Add a custom claim and the Ceptor session id to the output
    token.custom = 'Hello There: ' + token.sub;
    token.sid = context.session.sessionID;

    // The script must return the modified token as a string
    return JSON.stringify(token);
}

modifyToken();
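The page's example copies a session value into the token unconditionally. A practitioner usually wants the opposite default: only an explicit allow-list of session attributes reaches a token, and registered claims are never overwritten from a script. The following is an added example written for this page, not code from the Ceptor documentation. It takes `context` as a parameter so it can be exercised outside Ceptor (inside Ceptor the call would be `modifyToken(context)`), and the session attribute names other than `sessionID` and `userid`, which the page mentions, are assumptions.

```javascript
// Added example, not from the Ceptor documentation. A token-modification script that
// copies only an allow-listed subset of session attributes into the token and never
// overwrites registered JWT claims. `context` is taken as a parameter so the script
// can be exercised outside Ceptor; inside Ceptor the call is modifyToken(context).
// Session attribute names other than sessionID and userid are assumptions.

// Registered claims (RFC 7519) that Ceptor fills from the token configuration.
// Overwriting them from a script can break audience or expiry checks downstream.
var RESERVED_CLAIMS = ['iss', 'sub', 'aud', 'exp', 'iat', 'nbf', 'jti'];

// Session attribute -> claim name. Anything not listed stays inside Ceptor's session
// (internal tickets, credential material and similar must never reach a token).
var DEFAULT_MAPPING = {
  sessionID: 'sid',
  userid: 'preferred_username',
  department: 'department'            // assumed custom session attribute
};

// Claims the last run refused to set, so they can be logged with whatever
// logging facility the script engine provides.
var lastSkippedClaims = [];

function modifyToken(context, mapping) {
  mapping = mapping || DEFAULT_MAPPING;
  var token = JSON.parse(context.json);   // context.jo is the same object, pre-parsed
  lastSkippedClaims = [];
  for (var attr in mapping) {
    if (!Object.prototype.hasOwnProperty.call(mapping, attr)) continue;
    var claim = mapping[attr];
    var value = context.session[attr];
    if (value === undefined || value === null) continue;   // session lacks this attribute
    if (RESERVED_CLAIMS.indexOf(claim) !== -1 ||
        Object.prototype.hasOwnProperty.call(token, claim)) {
      lastSkippedClaims.push(claim);      // misconfigured mapping: leave the claim alone
      continue;
    }
    token[claim] = String(value);
  }
  return JSON.stringify(token);           // the script must return a string
}

// Constructed sample input standing in for what Ceptor would pass to the script.
function sampleContext() {
  var claims = { iss: 'https://idp.example', sub: 'alice', aud: 'orders-api', exp: 1700000000 };
  return {
    json: JSON.stringify(claims),
    jo: claims,
    session: {
      sessionID: 'S-4711',
      userid: 'alice',
      department: 'finance',
      ticket: 'opaque-internal-ticket'   // present in the session, never copied
    }
  };
}

// Run the script on the constructed sample and return the resulting claims.
function runSample(mapping) {
  return JSON.parse(modifyToken(sampleContext(), mapping));
}
```

With the default mapping the output gains `sid`, `preferred_username` and `department` while `sub` and `exp` are untouched and the session ticket never appears; a mapping that tries to write `jti` or `sub` is refused and the refused claim names end up in `lastSkippedClaims`.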


Token Exchange Script

This script is called whenever a token exchange is requested.

Default: None
JSON key is script.tokenexchange

Tip: JavaScript, Groovy or Python code is executed to process the token exchange input, add validation or provide extra information for use when the access token is generated.


If the incoming subject_token is not recognizable as one earlier issued by Ceptor, you can parse it here and populate the session with the relevant values before processing continues.

Variables
Your script is called with a variable called context that has the following attributes:

  • configuredToken
    JWTHelper.JWTToken object, the configured token
  • session
    Ceptor's internal session object
  • sessionCtrl
    Reference to Ceptor's Session Controller
  • helper
    Reference to Ceptor's JWTHelper instance
  • actorSession
    Ceptor's session object for the actor token
  • resource
    Resource name this token is meant for
  • audience
    Audience from input
  • input
    Properties object containing all parameters from request to token URL
  • validAudiences
    List of valid audiences, or empty

If the subject_token was found and recognized as an earlier issued token, the context.session is populated with the contents of the session.

If not, the token is available in context.session.ticket and you can parse it and populate the session with the results. If context.session.userid is empty when the script returns, it is assumed that the parsing failed and an error is sent back to the client informing it that the token was not valid.

If an actor token was provided and recognized, the session of the actor is populated with its information. If it was not recognized, you can find the token (along with any other input parameters from the request) in the input java.util.Properties object.

In this script, you can modify the session contents before the final access token is generated. By default the access token is generated as a copy of the incoming subject_token, with an "act" attribute added that carries the subject of the actor token in its "sub" field and the client_id in its "client_id" field.

The two scripts hook in at different points: the access token generation script lets you modify the token's properties after it is generated but before it is signed, whereas the token exchange script lets you modify the session context before the resulting access token is generated.


Example:

Code Block (JavaScript): Token exchange script

function exchange() {
    // actorSession is only present when an actor token was supplied and recognized
    if (context.actorSession) {
        context.actorSession.userid = 'Killroy was here';
    }
    // Request parameters are read from the input java.util.Properties object
    if (!context.input.get('actor_token')) {
        context.session.userid = 'On behalf of ' + context.session.userid;
    }
}

exchange();
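The case that needs the most care is the one described above where the subject_token was not issued by Ceptor: the raw token sits in context.session.ticket, context.session.userid is empty, and whatever the script puts into userid becomes the identity of the issued access token. The following is an added example for this page, not code from the Ceptor documentation. It decodes the JWT payload, checks issuer, audience and expiry, and sets context.session.userid only when everything passes, so that a failed check leaves userid empty and Ceptor rejects the request. Assumptions: signature verification is delegated to a caller-supplied predicate (in Ceptor that would go through context.helper, whose methods are not on this page); Node's Buffer is used for base64url decoding, so inside Ceptor's script engine the platform's decoder would be substituted; the issuer allow-list, the STS identifier and the sample request are constructed values.

```javascript
// Added example, not from the Ceptor documentation. Token exchange script for the
// case where the subject_token was NOT issued by Ceptor: the raw token is in
// context.session.ticket and context.session.userid is empty. Assumptions: the
// signature check is a caller-supplied predicate (Ceptor's context.helper would do
// it; its methods are not on the page), Buffer stands in for the platform's
// base64url decoder, and TRUSTED_ISSUERS / THIS_STS_ID are constructed values.

var TRUSTED_ISSUERS = ['https://partner-idp.example'];   // constructed allow-list
var THIS_STS_ID = 'ceptor-sts';   // constructed: the audience a foreign token must name
var CLOCK_SKEW_SECONDS = 60;

// Decode the payload segment of a compact JWS. Nothing here is trusted yet.
function decodeJwtPayload(compact) {
  var parts = typeof compact === 'string' ? compact.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Returns the subject to trust, or null after pushing the reason onto `reasons`.
function validateForeignSubject(ctx, payload, nowSeconds, reasons) {
  if (!payload || typeof payload.sub !== 'string' || payload.sub === '') {
    reasons.push('no subject'); return null;
  }
  if (TRUSTED_ISSUERS.indexOf(payload.iss) === -1) {
    reasons.push('untrusted issuer'); return null;
  }
  if (typeof payload.exp !== 'number' || payload.exp + CLOCK_SKEW_SECONDS < nowSeconds) {
    reasons.push('expired'); return null;
  }
  // The foreign token must have been addressed to this STS (a subject token is
  // presented to the exchange endpoint, not to the final resource).
  var aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (aud.indexOf(THIS_STS_ID) === -1) {
    reasons.push('token not addressed to this server'); return null;
  }
  // The audience the client asked for must be one Ceptor may issue tokens for.
  var valid = ctx.validAudiences || [];
  if (valid.length > 0 && valid.indexOf(ctx.audience) === -1) {
    reasons.push('requested audience not allowed'); return null;
  }
  return payload.sub;
}

// Script entry point. Returns the rejection reasons (empty means the exchange may
// proceed); Ceptor itself only looks at whether context.session.userid is empty.
function exchange(ctx, signatureVerified, nowSeconds) {
  var reasons = [];
  if (!ctx.session.userid) {
    // Not recognized as a Ceptor-issued token: parse context.session.ticket ourselves.
    if (!signatureVerified(ctx.session.ticket)) {
      reasons.push('bad signature');
    } else {
      var sub = validateForeignSubject(ctx, decodeJwtPayload(ctx.session.ticket),
                                       nowSeconds, reasons);
      if (sub) ctx.session.userid = sub;
    }
  }
  // Delegation: an actor_token that Ceptor did not recognize must not be silently
  // dropped, because the issued token would then carry no "act" claim.
  if (ctx.input.get('actor_token') !== null && !ctx.actorSession) {
    reasons.push('unrecognized actor token');
    ctx.session.userid = '';   // empty userid => Ceptor returns an invalid-token error
  }
  return reasons;
}

// Constructed sample input standing in for what Ceptor would pass to the script.
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleContext(payload, params) {
  var ticket = base64url({ alg: 'RS256' }) + '.' + base64url(payload) + '.sig';
  return {
    session: { userid: '', ticket: ticket },
    actorSession: null,
    audience: params.audience,
    validAudiences: ['orders-api', 'billing-api'],
    input: { get: function (k) {      // mimics java.util.Properties.get: null if absent
      return Object.prototype.hasOwnProperty.call(params, k) ? params[k] : null; } }
  };
}
```

Note the design choice at the end of `exchange`: if the request carried an actor_token that Ceptor did not recognize, the script clears userid rather than letting the exchange continue as a plain, non-delegated token. The returned reasons array is only there so the decision can be logged or asserted on; Ceptor's own signal is the empty userid.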



Token validation related configuration

...