OAuthTokenHandler (UnboundID SCIM SDK 1.8.14 API)

```
public interface OAuthTokenHandler
```
This class defines an API that must be implemented by extensions which will handle incoming SCIM requests with OAuth 2.0 bearer token authentication. The OAuthTokenHandler is responsible for decoding the bearer token and checking it for authenticity and validity.

OAuth provides a method for clients to access a protected resource on behalf of a resource owner. In the general case, before a client can access a protected resource, it must first obtain an authorization grant from the resource owner and then exchange the authorization grant for an access token. The access token represents the grant's scope, duration, and other attributes specified by the authorization grant. The client accesses the protected resource by presenting the access token to the resource server (i.e. the Identity Data Store or Identity Proxy with the SCIM HTTP Servlet enabled).

The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes. See "OAuth 2.0 Authorization Framework: Bearer Token Usage" (RFC 6750) for the full specification and details.

TLS security is required to use OAuth 2.0 bearer tokens, as specified in RFC 6750. A bearer token may be used by any party in possession of that token (the "bearer"), and thus needs to be protected when transmitted across the network. Implementations of this API should take special care to verify that the token came from a trusted source (using a secret key or some other signing mechanism to prove that the token is authentic). Please read "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819) for a comprehensive list of security threats to consider when working with OAuth bearer tokens.

The OAuthTokenHandler is also responsible for extracting an authorization DN from the bearer token (or otherwise providing one), which will be used to apply access controls before returning the protected resource. There are also methods to extract the expiration date of the token as well as verify that the intended audience is this server (to deal with token redirect).

The order these methods are called by the SCIM HTTP Servlet Extension is as follows:
1. decodeOAuthToken()
2. isTokenAuthentic()
3. isTokenForThisServer()
4. isTokenExpired()
5. validateToken()
6. getAuthzDN()
If any of the methods fail or return an error result, the server will return an appropriate "unauthorized" response to the client.

Method Summary

Methods
Modifier and Type	Method and Description
`OAuthToken`	`decodeOAuthToken(String rawTokenValue)` Creates an `OAuthToken` instance from the incoming token value.
`String`	`getAuthzDN(OAuthToken token)` Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.
`boolean`	`isTokenAuthentic(OAuthToken token)` Determines whether the incoming token is authentic (i.e.
`boolean`	`isTokenExpired(OAuthToken token)` Determines whether the given token is expired.
`boolean`	`isTokenForThisServer(OAuthToken token)` Determines whether the incoming token is targeted for this server.
`OAuthTokenStatus`	`validateToken(OAuthToken token, SCIMRequest scimRequest)` Determines whether the incoming token is valid for the given request.

- Method Detail
  - decodeOAuthToken
```
OAuthToken decodeOAuthToken(String rawTokenValue)
                            throws GeneralSecurityException
```
    Creates an OAuthToken instance from the incoming token value.
    Implementers may choose to return a subclass of OAuthToken in order to provide convenience methods for interacting with the token. This can be helpful because the returned OAuthToken is passed to all of the other methods in this class.
    
    Parameters:
    rawTokenValue - the b64token token value. Note that b64token is just an ABNF syntax definition and does not imply any base64-encoding of the token value.
    
    Returns:
    a OAuthToken instance. This must not be null.
    
    Throws:
    
    GeneralSecurityException - if there is an error decoding the token
  - isTokenExpired
```
boolean isTokenExpired(OAuthToken token)
                       throws GeneralSecurityException
```
    Determines whether the given token is expired.
    
    Parameters:
    token - the OAuth 2.0 bearer token.
    
    Returns:
    true if the token is already expired, false if not.
    
    Throws:
    
    GeneralSecurityException - if there is an error determining the token's expiration date
  - isTokenAuthentic
```
boolean isTokenAuthentic(OAuthToken token)
                         throws GeneralSecurityException
```
    Determines whether the incoming token is authentic (i.e. that it came from a trusted authorization server and not an attacker). Implementers are encouraged to use signed tokens and use this method to verify the signature, but other methods such as symmetric key encryption (using a shared secret) can be used as well.
    
    Parameters:
    token - the OAuth 2.0 bearer token.
    
    Returns:
    true if the bearer token can be verified as authentic and originating from a trusted source, false if not.
    
    Throws:
    
    GeneralSecurityException - if there is an error determining whether the token is authentic
  - isTokenForThisServer
```
boolean isTokenForThisServer(OAuthToken token)
                             throws GeneralSecurityException
```
    Determines whether the incoming token is targeted for this server. This allows the implementation to reject the token early in the validation process if it can see that the intended recipient was not this server.
    
    Parameters:
    token - the OAuth 2.0 bearer token.
    
    Returns:
    true if the bearer token identifies this server as the intended recipient, false if not.
    
    Throws:
    
    GeneralSecurityException - if there is an error determining whether the token is for this server
  - validateToken
```
OAuthTokenStatus validateToken(OAuthToken token,
                             SCIMRequest scimRequest)
                               throws GeneralSecurityException
```
    Determines whether the incoming token is valid for the given request. This method should verify that the token is legitimate and grants access to the requested resource specified in the SCIMRequest. This typically involves checking the token scope and any other attributes granted by the authorization grant. Implementations may need to call back to the authorization server to verify that the token is still valid and has not been revoked.
    
    Parameters:
    token - the OAuth 2.0 bearer token.
    scimRequest - the SCIMRequest that we are validating.
    
    Returns:
    an OAuthTokenStatus object which indicates whether the bearer token is valid and grants access to the target resource. This must not be null.
    
    Throws:
    
    GeneralSecurityException - if there is an error determining whether the token is valid
  - getAuthzDN
```
String getAuthzDN(OAuthToken token)
                  throws GeneralSecurityException
```
    Extracts the DN of the authorization entry (for which to apply access controls) from the incoming token.
    This may require performing an LDAP search in order to find the DN that matches a certain attribute value contained in the token.
    
    Parameters:
    token - the OAuth 2.0 bearer token.
    
    Returns:
    the authorization DN to use. This must not return null.
    
    Throws:
    
    GeneralSecurityException - if there is an error determining the authorization user DN

Interface OAuthTokenHandler

Method Summary

Method Detail

decodeOAuthToken

isTokenExpired

isTokenAuthentic

isTokenForThisServer

validateToken

getAuthzDN