0 Replies Latest reply on Nov 6, 2014 2:47 PM by Pavel Shabalin

    Token credentials

    Pavel Shabalin Newbie

      Hi Everybody, I just started building POC project for identity management component based on Picketlink IDM.

      First of all, I really impressed with the way it was designed - every component seem to be extensible or customizable which is great in this domain.


      Although I don't understand the right way to implement simple (and I believe commonly used) token based authentication. I checked out token interface and it seem to be a little complex for understanding.


      Basically I want to generate some random string (token) and use this string later for authentication i.e. lookup token, check it is not expired and associate an identity with it.

      The source is very simple:


      1. set credentials


      ApiToken token = new ApiToken(UUID.randomUUID().toString());

      identityManager.updateCredential(account, token);

      2. lookup credentials

      TokenCredential credential = new TokenCredential(new ApiToken(token));



      validateCredentials does not work for me because in AbstractCredentialHandler an account is retrieved by credential object....


          public void validate(final IdentityContext context, final V credentials, final S store) {





              Account account = getAccount(context, credentials);



      and then (in TokenCredentialHandler) it is expected that username is in the subject field of Token object but it is NOT a username (We cannot know username at this moment) it is a token string.



          protected Account getAccount(IdentityContext context, V credentials) {

              Token token = credentials.getToken();

              if (token != null) {

                  String subject = token.getSubject();

                  if (subject == null) {

                      throw new IdentityManagementException("No subject returned from token [" + token + "].");


                  Account account = getAccount(context, subject);

                  if (account == null) {

                      account = getAccountById(context, subject);


                  return account;


              return null;




      so account is never found and credentials are always invalid...


      Please correct me If I am doing something wrong. Again I suppose this usage scenario is quite common so I should not be alone with this problem


      Thank you!