What is a stateless token?
The stateless token is basically a JWT token, that is stored in the existing iPlanetDirectoryPro cookie (if accessing via a browser) or within the tokenId response if authenticating over REST. The JWT contains all of the content that would stored on the server side in a stateful session - so things like uid, expiryTime and any other profile or session attributes you want to define.
To quote my colleague Ashley Stevenson "Stateful is a phone call and Stateless is a text message".
The token can also be signed and/or encrypted using standard algorithms such as HS256 (which uses a shared secret) or RS256 (which uses a public / private key combo) so adding a bit of security.
Config can be done at the realm level too, which makes for a flexible approach to which realms, users and applications should use it.
An interesting bi-product of using stateless tokens, is that introspection can be done on the token, without going back to the originating source - ie OpenAM. Once OpenAM issues the token (this would need to be at least cryptographically signed and ideally encrypted if it contained sensitive PII required for authorization), verification and decoding of the token can be done by a 3rd party application. This is pretty straight forward to do as OpenAM leverages open standards such as JSON Web Tokens (JWT) with standard signing and encryption algorithms.
- Authenticates to the pre-configured stateless realm in OpenAM over REST
- Receives the JSON response with the tokenId value and strips out the JWT component
- Verifies the tail signature using HS256 and a shared secret configured by OpenAM to prove the token hasn't been tampered with
- Decodes the token from base64 and introspects the JSON contents
The code is available here.
The introspection aspect in step 4, could be easily expanded to perform additional queries of the contents, such as looking for certain claims or profile attributes that could be used by an application, in order to perform an authorization decision.
See the following draft documentation for further details on configuration of stateless tokens and the implications of the approach over stateful - http://openam.forgerock.org/doc/bootstrap/admin-guide/index.html#chap-session-state