OpenIdentityPlatform · maximthomas · Feb 13, 2026 · Feb 13, 2026
diff --git a/openig-core/src/main/java/org/forgerock/openig/alias/CoreClassAliasResolver.java b/openig-core/src/main/java/org/forgerock/openig/alias/CoreClassAliasResolver.java
@@ -62,10 +62,12 @@
 import org.forgerock.openig.security.TrustManagerHeaplet;
 import org.forgerock.openig.thread.ScheduledExecutorServiceHeaplet;
 import org.openidentityplatform.openig.filter.ICAPFilter;
+import org.openidentityplatform.openig.filter.JwtBuilderFilter;
 import org.openidentityplatform.openig.filter.MCPServerFeaturesFilter;
 import org.openidentityplatform.openig.mq.EmbeddedKafka;
 import org.openidentityplatform.openig.mq.MQ_IBM;
 import org.openidentityplatform.openig.mq.MQ_Kafka;
+import org.openidentityplatform.openig.secrets.SystemAndEnvSecretStore;
 
 /**
  * Register all the aliases supported by the {@literal openig-core} module.
@@ -93,6 +95,7 @@ public class CoreClassAliasResolver implements ClassAliasResolver {
         ALIASES.put("FileAttributesFilter", FileAttributesFilter.class);
         ALIASES.put("HeaderFilter", HeaderFilter.class);
         ALIASES.put("HttpBasicAuthFilter", HttpBasicAuthFilter.class);
+        ALIASES.put("JwtBuilderFilter", JwtBuilderFilter.class);
         ALIASES.put("JwtSessionFactory", JwtSessionManager.class);
         ALIASES.put("JwtSession", JwtSessionManager.class);
         ALIASES.put("KeyManager", KeyManagerHeaplet.class);
@@ -121,7 +124,12 @@ public class CoreClassAliasResolver implements ClassAliasResolver {
         ALIASES.put("MQ_Kafka", MQ_Kafka.class);
         ALIASES.put("MQ_IBM", MQ_IBM.class);
         ALIASES.put("ICAP", ICAPFilter.class);
+
+        //AI features
         ALIASES.put("MCPServerFeaturesFilter", MCPServerFeaturesFilter.class);
+
+        //Secrets
+        ALIASES.put("SystemAndEnvSecretStore", SystemAndEnvSecretStore.class);
     }
 
     @Override

diff --git a/openig-core/src/main/java/org/forgerock/openig/el/ExpressionInstant.java b/openig-core/src/main/java/org/forgerock/openig/el/ExpressionInstant.java
@@ -0,0 +1,84 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.forgerock.openig.el;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+
+/**
+ * {@link java.time.Instant} wrapper to use in OpenIG expression language
+ *
+ * @see org.forgerock.openig.el.plugins.ExpressionInstantPlugin
+ *
+ */
+
+public class ExpressionInstant {
+
+    Instant instant;
+
+    public ExpressionInstant(Instant instant) {
+        this.instant = instant;
+    }
+    public long getEpochMillis() {
+        return this.instant.toEpochMilli();
+    }
+
+    public long getEpochSeconds() {
+        return this.instant.getEpochSecond();
+    }
+
+    public ExpressionInstant minusDays(long daysToSubtract) {
+        return new ExpressionInstant(this.instant.minus(daysToSubtract, ChronoUnit.DAYS));
+    }
+
+
+    public ExpressionInstant minusHours(long hoursToSubtract) {
+        return new ExpressionInstant(this.instant.minus(hoursToSubtract, ChronoUnit.HOURS));
+    }
+
+    public ExpressionInstant minusMillis(long millisecondsToSubtract) {
+        return new ExpressionInstant(this.instant.minusMillis(millisecondsToSubtract));
+    }
+
+    public ExpressionInstant minusMinutes(long minutesToSubtract) {
+        return new ExpressionInstant(this.instant.minus(minutesToSubtract, ChronoUnit.MINUTES));
+    }
+
+    public ExpressionInstant minusSeconds(long secondsToSubtract) {
+        return new ExpressionInstant(this.instant.minus(secondsToSubtract, ChronoUnit.SECONDS));
+    }
+
+    public ExpressionInstant plusDays(long daysToAdd) {
+        return new ExpressionInstant(this.instant.plus(daysToAdd, ChronoUnit.DAYS));
+    }
+
+    public ExpressionInstant plusHours(long hoursToAdd) {
+        return new ExpressionInstant(this.instant.plus(hoursToAdd, ChronoUnit.DAYS));
+    }
+
+    public ExpressionInstant plusMillis(long millisecondsToAdd) {
+        return new ExpressionInstant(this.instant.plus(millisecondsToAdd, ChronoUnit.DAYS));
+    }
+
+    public ExpressionInstant plusMinutes(long minutesToAdd) {
+        return new ExpressionInstant(this.instant.plus(minutesToAdd, ChronoUnit.DAYS));
+    }
+
+    public ExpressionInstant plusSeconds(long secondsToAdd) {
+        return new ExpressionInstant(this.instant.plus(secondsToAdd, ChronoUnit.DAYS));
+    }
+}
diff --git a/openig-core/src/main/java/org/forgerock/openig/el/plugins/ExpressionInstantPlugin.java b/openig-core/src/main/java/org/forgerock/openig/el/plugins/ExpressionInstantPlugin.java
@@ -0,0 +1,38 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.forgerock.openig.el.plugins;
+
+import org.forgerock.openig.el.ExpressionInstant;
+import org.forgerock.openig.el.ExpressionPlugin;
+
+import java.time.Instant;
+
+
+/**
+ * An ELContext node plugin that provides access to {@link ExpressionInstant} instance.
+ */
+public class ExpressionInstantPlugin implements ExpressionPlugin {
+    @Override
+    public Object getObject() {
+        return new ExpressionInstant(Instant.now());
+    }
+
+    @Override
+    public String getKey() {
+        return "now";
+    }
+}
diff --git a/openig-core/src/main/java/org/forgerock/openig/util/JsonValues.java b/openig-core/src/main/java/org/forgerock/openig/util/JsonValues.java
@@ -12,20 +12,24 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2026 3A Systems LLC.
  */
 
 package org.forgerock.openig.util;
 
 import static java.util.Collections.unmodifiableList;
 import static org.forgerock.http.util.Json.readJsonLenient;
 import static org.forgerock.http.util.Loader.loadList;
+import static org.forgerock.json.JsonValue.object;
 import static org.forgerock.openig.util.StringUtil.trailingSlash;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.util.List;
+import java.util.Map;
 
+import org.forgerock.json.JsonException;
 import org.forgerock.json.JsonValue;
 import org.forgerock.json.JsonValueException;
 import org.forgerock.openig.alias.ClassAliasResolver;
@@ -449,4 +453,41 @@ public static JsonValue readJson(URL resource) throws IOException {
             return new JsonValue(readJsonLenient(in));
         }
     }
+
+    public static <T> Function<Bindings, Map<String, T>, ExpressionException>
+        asFunction(final JsonValue node, final Class<T> expectedType, final Bindings initialBindings) {
+        if (node.isNull()) {
+            return null;
+        } else if (node.isString()) {
+            return bindings -> node.as(JsonValues.expression(Map.class, initialBindings)).eval(bindings);
+        } else if (node.isMap()) {
+            return new Function<>() {
+                // Avoid 'environment' entry's value to be null (cause an error in AM)
+                Function<JsonValue, JsonValue, JsonException> filterNullMapValues =
+                        value -> {
+                            if (!value.isMap()) {
+                                return value;
+                            }
+
+                            Map<String, Object> object = object();
+                            for (String key : value.keys()) {
+                                JsonValue entry = value.get(key);
+                                if (entry.isNotNull()) {
+                                    object.put(key, entry.getObject());
+                                }
+                            }
+                            return new JsonValue(object, value.getPointer());
+                        };
+
+                @Override
+                public Map<String, T> apply(Bindings bindings) {
+                    return node.as(evaluated(bindings))
+                            .as(filterNullMapValues) // see OPENIG-1402 and AME-12483
+                            .asMap(expectedType);
+                }
+            };
+        } else {
+            throw new JsonValueException(node, "Expecting a String or a Map");
+        }
+    }
 }
diff --git a/openig-core/src/main/java/org/openidentityplatform/openig/filter/JwtBuilderContext.java b/openig-core/src/main/java/org/openidentityplatform/openig/filter/JwtBuilderContext.java
@@ -0,0 +1,53 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.openidentityplatform.openig.filter;
+
+import org.forgerock.json.JsonValue;
+import org.forgerock.services.context.AbstractContext;
+import org.forgerock.services.context.Context;
+
+import java.util.Map;
+
+import static org.forgerock.json.JsonValue.json;
+
+public class JwtBuilderContext extends AbstractContext {
+
+    private final String value;
+
+    private final Map<String, Object> claims;
+
+    private final JsonValue claimsAsJsonValue;
+
+    JwtBuilderContext(Context parent, String value, Map<String, Object> claims) {
+        super(parent, "jwtBuilder");
+        this.value = value;
+        this.claims = claims;
+        this.claimsAsJsonValue = json(claims);
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+    public Map<String, Object> getClaims() {
+        return claims;
+    }
+
+    public JsonValue getClaimsAsJsonValue() {
+        return claimsAsJsonValue;
+    }
+}