Skip to content

Update Token Interception Script#

This script can be used to add custom claims to the id_token. As per the open banking standard, the token should contain claim openbanking_intent_id and the same value should also reflect in the sub claim. A similar expectation is required to be fulfilled by the FAPI-RW standard where the sub claim should have the user id.

Configuration Prerequisites#

  • A Janssen Authorization Server installation
  • Update Token script - included in the default Janssen OpenBanking distribution
  • Setting configuration Parameters

Adding the custom script#

  1. To add or update custom scripts, you can use either jans-cli or curl. jans-cli in interactive mode, option 13 enables you manage custom scripts. For more info, see the docs.
  2. jans-cli in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use config-cli.py --info CustomScripts. See the docs for more info.
  3. To use curl see these docs

Note

You can normally find jans-cli.py in the /opt/jans/jans-cli/ folder.

Steps to add / edit / delete configuration parameters:#

  1. Place a [JSON file] containing configuration parameters and the custom script in a folder.

  2. From this folder, run the following command:

python3 jans-cli-linux-amd64.pyz --operation-id post-config-scripts --data /updatetoken.json \
--cert-file jans_cli_client.crt --key-file jans_cli_client.key

Methods#

  1. UpdateTokenType class and default methods

    class UpdateToken(UpdateTokenType):
    
        def __init__(self, currentTimeMillis):
            self.currentTimeMillis = currentTimeMillis
    
        def init(self, customScript, configurationAttributes):
            return True
    
        def destroy(self, configurationAttributes):
            return True
    
        def getApiVersion(self):
            return 11
    
  2. modifyIdToken () : the crucial business logic. This script overrides the header and claims.

        # Returns boolean, true - indicates that script applied changes
        # Note :
        # jsonWebResponse - is JwtHeader, you can use any method to manipulate JWT
        # context is reference of io.jans.oxauth.service.external.context.ExternalUpdateTokenContext (in https://github.com/GluuFederation/oxauth project, )
        def modifyIdToken(self, jsonWebResponse, context):
    
             #read from session 
        sessionIdService = CdiUtil.bean(SessionIdService)
        sessionId = sessionIdService.getSessionByDn(context.getGrant().getSessionDn()) # fetch from persistence
            openbanking_intent_id = sessionId.getSessionAttributes().get("openbanking_intent_id")
        acr = sessionId.getSessionAttributes().get("acr_ob")
    
                # header claims
        jsonWebResponse.getHeader().setClaim("custom_header_name", "custom_header_value")
    
        #custom claims
        jsonWebResponse.getClaims().setClaim("openbanking_intent_id", openbanking_intent_id)
    
        #regular claims        
        jsonWebResponse.getClaims().setClaim("sub", openbanking_intent_id)
    
        return True
    
    3. The getRefreshTokenLifetimeInSeconds method: This method adds the ability to specify refersh_token lifetime via update_token script. If this method return 0 then built-in configuration property of AS is used to define RT lifetime refreshTokenLifetime.

     def getRefreshTokenLifetimeInSeconds(self, context):
         return 0
4. Other usefull methods.

```python3
    # Returns boolean, true - indicates that script applied changes. If false is returned token will not be created.
    # refreshToken is reference of io.jans.as.server.model.common.RefreshToken (note authorization grant can be taken as context.getGrant())
    # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
    def modifyRefreshToken(self, refreshToken, context):
        return True

    # Returns boolean, true - indicates that script applied changes. If false is returned token will not be created.
    # accessToken is reference of io.jans.as.server.model.common.AccessToken (note authorization grant can be taken as context.getGrant())
    # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
    def modifyAccessToken(self, accessToken, context):
        return True

    # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
    def getRefreshTokenLifetimeInSeconds(self, context):
        return 0

    # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
    def getIdTokenLifetimeInSeconds(self, context):
        return 0

    # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
    def getAccessTokenLifetimeInSeconds(self, context):
        return 0
```