Gluu Blog

Follow us:
Back to Blog

Interception Scripts

Via October 6, 2020

Customize many aspects of your Gluu Server identity and access management service.

Interception scripts can be used to implement custom business logic for authentication, authorization and more in a way that is upgrade-proof and doesn’t require forking the Gluu Server code. Each type of script is described by a Java interface — i.e. which methods are required.

In 4.2, we’ve introduced new interception scripts for Post-Authentication Authorization (more details), UMA2 RPT claims (more details), and application session management (more details).

Post-Authentication Authorization

For example: a sensitive web application may wish to force users to re-authenticate even if they present a valid session cookie to reduce the risk of a valid user session at an unattended computer being used by another person to access data inappropriately.

After the browser has a session, if a person visits a website, the RP can obtain a code without the user having to authenticate or authorize. In some cases, it is desirable to insert custom business logic before granting the code or tokens from the authorization endpoint. Post Authn script allows to force re-authentication or re-authorization (even if client is “Pre-authorized” or client authorization persistence is on).

UMA2 RPT claims

UMA2 standard is designed to separate the requesting party and the resource owner (where OAuth2 considers them to be only one person). And this differentiation allows us to address more use-cases than OAuth2.

RPT claims is a special script for UMA 2. It allows an admin to code logic for gathering additional claims (required by UMA RPT Authorization Policy).
This script can be used in an oxAuth application only.

Application Session Management
Session management is used to facilitate secure interactions between a user and some service or application and applies to a sequence of requests and responses associated with that particular user. When a user has an ongoing session with a web application, they are submitting requests within their session and are providing potentially sensitive information. The application may retain this information and/or track the status of the user during the session across multiple requests. More importantly, it is critical that the application has a means of protecting private data belonging to each unique user, especially within authenticated sessions.
This script allows an admin to get notification about various session lifetime events. It’s possible to add multiple scripts with this type. The application should call all of them according to the level.

Be sure to subscibe to
our RSS Feed