Identity Server SDK 9.1.0 API

Curity Identity Server SDK

This document describes the Identity Server Plugin SDK. It is used to create extensions and plug-ins of various types that run inside instances of the Curity Identity Server.

Plugin Types

The type of a plugin defines what functionality it adds to the Server at runtime. A plugin declares its type by implementing one of the subtypes of PluginDescriptor.

Authorization Manager

An Authorization Manager plugin provides an implementation of AuthorizationManager.

Authorization Manager plugins are described by an AuthorizationManagerPluginDescriptor.

Data Access Provider

A Data Access Provider plugin provides one or more DataAccessProvider implementations.

Data Access Provider plugins implement the DataAccessProviderPluginDescriptor interface. Samples can be found on GitHub.

SMS Sender

An SMS plugin provides an SmsSender service, used for sending SMS messages.

SMS sender plugins implement the SmsPluginDescriptor interface. Samples can be found on GitHub.

Email Sender

An email sender plugin provides an Emailer service, and is used to send email messages.

Email sender plugins implement the EmailProviderPluginDescriptor interface. Samples can be found on GitHub.

Authenticator

An Authenticator plugin is described by an AuthenticatorPluginDescriptor.

Such plugins provide handlers for anonymous requests (so that users can, for example, access login and registration pages), as well as handlers implementing the actual authentication and registration logic. Samples can be found on GitHub.

Back-channel Authenticator

A back-channel authenticator is used to authenticate a user when the OpenID Connect Client-initiated Back-channel Authentication (CIBA) protocol is used.

Back-channel authenticators are described by the BackchannelAuthenticatorPluginDescriptor. An example can be found on GitHub.

Authentication Action

An Authentication Action plugin is described by AuthenticationActionPluginDescriptor.

This type of plug-in provides the "steps" within a workflow that execute after login or SSO. Samples can be found on GitHub.

Event Listener

An EventListener plugin allows arbitrary custom logic to run in response to an Event being published.

The EventListenerPluginDescriptor class describes this type of plugin. Samples can be found on GitHub.

Consentors and Signing Consentors

A consentor is a plugin that runs after user consent has taken place in an OAuth flow. It implements additional logic that verifies the consent prior to it being granted. A specialized type of consentor is a Signing Consentor. Because this specialization is so common, a subtype exists to simplify the development of this kind of consentor. A general consentor plugin will implement the ConsentorPluginDescriptor interface and signing consentors will implement SigningConsentorPluginDescriptor. Samples can be found on GitHub.

Claims Provider

When tokens are issued and claims need to be added to them, the values can be obtained from Claims Providers. This kind of plugin implements the ClaimsProvider interface. It is made known to the run-time environment by implementing the ClaimsProviderPluginDescriptor interface.

Alarm Handler

When an alarm is raised for the first time, when its severity changes, or when it is cleared, the Alarm Handler is invoked. This kind of plugin implements the AlarmHandlerPluginDescriptor interface. It can choose to handle the alarm directly itself, or forward the message to some other system (e.g., an NMS or NOC). An Alarm Handler that forwards the alarm information rather than handling it directly is referred to as an Alarm Notifier.

Configuration

Plugins can be configured through the same user interfaces provided for administrating the standard components of the server.

A plugin defines its configuration by declaring an interface extending the Configuration interface in its descriptor.

Services

Services provided to a plugin are declared in the se.curity.identityserver.sdk.service package. Some services may be implemented and provided by other plugins running on the server, which may create runtime dependencies between different plugins.

Lifecycle

Plugin lifecycle management is facilitated through a ManagedObject associated with the plugin through its descriptor.
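The following listing is an added example, not code from the Curity Identity Server SDK documentation or from the Curity sample repositories, that ties together the Event Listener, Configuration, Services and Lifecycle sections above in one small plugin: a Configuration interface whose getters become admin-UI settings, a ManagedObject holding state that lives as long as the configured plugin instance, an EventListener that uses both, and the EventListenerPluginDescriptor that declares them. The SDK interfaces, packages and annotations used (Configuration, @Description, @DefaultInteger, EventListener, ManagedObject, EventListenerPluginDescriptor) are taken from the SDK as this page describes it; the FailedAuthenticationEvent type and its package, the constructor injection of the configuration and managed object into the listener, the close() hook on ManagedObject, and the use of SLF4J for logging are assumptions to be checked against the javadoc of the SDK version in use. The three top-level types are shown in a single listing but belong in separate source files of the same package.

```java
// Added example, not from the Curity SDK docs or samples. Assumptions are marked inline.
package com.example.plugins.authfailure;

import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

import org.slf4j.Logger;                      // assumed: SLF4J available to the plugin
import org.slf4j.LoggerFactory;
import se.curity.identityserver.sdk.config.Configuration;
import se.curity.identityserver.sdk.config.annotation.DefaultInteger;
import se.curity.identityserver.sdk.config.annotation.Description;
import se.curity.identityserver.sdk.event.EventListener;
import se.curity.identityserver.sdk.event.events.FailedAuthenticationEvent; // assumed type/package
import se.curity.identityserver.sdk.plugin.ManagedObject;
import se.curity.identityserver.sdk.plugin.descriptor.EventListenerPluginDescriptor;

// --- AuthFailureAlertConfig.java ---
// Each getter becomes one configuration value, editable through the server's admin UI.
public interface AuthFailureAlertConfig extends Configuration {
    @Description("Failed authentications within one window before a warning is logged")
    @DefaultInteger(20)
    int threshold();

    @Description("Length of the counting window in seconds")
    @DefaultInteger(60)
    int windowSeconds();
}

// --- FailureWindowCounter.java ---
// Managed object: created by the descriptor from the configuration and closed by the
// server when the plugin instance is removed or reconfigured (close() name assumed).
final class FailureWindowCounter extends ManagedObject<AuthFailureAlertConfig> {
    private final long windowMillis;
    private final AtomicLong windowStart = new AtomicLong(System.currentTimeMillis());
    private final AtomicInteger count = new AtomicInteger();

    FailureWindowCounter(AuthFailureAlertConfig config) {
        super(config);
        this.windowMillis = config.windowSeconds() * 1000L;
    }

    // Fixed-window counter: returns the number of failures seen in the current window.
    int record(long nowMillis) {
        long start = windowStart.get();
        if (nowMillis - start >= windowMillis
                && windowStart.compareAndSet(start, nowMillis)) {
            count.set(0);                      // new window, reset the count
        }
        return count.incrementAndGet();
    }

    @Override
    public void close() {
        count.set(0);                          // nothing external to release in this example
    }
}

// --- AuthFailureAlertListener.java ---
// The server instantiates the listener, injecting the plugin's configuration and its
// managed object into the constructor (injection of these two types is assumed here).
final class AuthFailureAlertListener implements EventListener<FailedAuthenticationEvent> {
    private static final Logger LOG = LoggerFactory.getLogger(AuthFailureAlertListener.class);
    private final AuthFailureAlertConfig config;
    private final FailureWindowCounter counter;

    public AuthFailureAlertListener(AuthFailureAlertConfig config, FailureWindowCounter counter) {
        this.config = config;
        this.counter = counter;
    }

    @Override
    public Class<FailedAuthenticationEvent> getEventType() {
        return FailedAuthenticationEvent.class;
    }

    @Override
    public void handle(FailedAuthenticationEvent event) {
        int failures = counter.record(System.currentTimeMillis());
        // Log exactly once per window when the threshold is crossed; the event itself is
        // not logged verbatim so that no credential material ends up in the log.
        if (failures == config.threshold()) {
            LOG.warn("Plugin instance {} observed {} failed authentications within {} s",
                    config.id(), failures, config.windowSeconds());
        }
    }
}

// --- AuthFailureAlertDescriptor.java ---
// The descriptor is what the server discovers; it declares the plugin's type, its
// configuration interface, its listener class, and creates the managed object.
public final class AuthFailureAlertDescriptor
        implements EventListenerPluginDescriptor<AuthFailureAlertConfig> {
    @Override
    public String getPluginImplementationType() { return "auth-failure-alert"; }

    @Override
    public Class<? extends AuthFailureAlertConfig> getConfigurationType() {
        return AuthFailureAlertConfig.class;
    }

    @Override
    public Class<? extends EventListener<?>> getEventListenerType() {
        return AuthFailureAlertListener.class;
    }

    @Override
    public Optional<? extends ManagedObject<AuthFailureAlertConfig>> createManagedObject(
            AuthFailureAlertConfig configuration) {
        return Optional.of(new FailureWindowCounter(configuration));
    }
}
```

The state that must survive across events (the window counter) lives in the ManagedObject rather than in a static field, so that two configured instances of the plugin with different thresholds do not share counts, and so that the server can dispose of the state through the managed object's lifecycle when the instance is removed.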

Packages

The SDK is organised into the following packages (the package names themselves were not preserved in this page, only their descriptions):

Attribute framework which allows the Identity Server to handle, in a uniform and generic way, any entity that can be modelled as a collection of attributes, such as a user account.

Annotations that may be used by Configuration interfaces to provide extra information about configuration values.

Interfaces for the various DataAccessProviders a Data Access Provider plugin may provide implementations for.

Errors that a plugin may be expected to handle and/or throw.

PluginDescriptor subtypes which may be implemented by plugin authors to extend the functionality of the server.

se.curity.identityserver.sdk.service: services provided by the server that can be used by plugins.