Class AbstractOIDCCredentialProvider
java.lang.Object
org.ametys.runtime.plugin.component.AbstractLogEnabled
org.ametys.core.authentication.AbstractCredentialProvider
org.ametys.plugins.extrausermgt.authentication.oidc.AbstractOIDCCredentialProvider
- All Implemented Interfaces:
BlockingCredentialProvider
,CredentialProvider
,LogEnabled
,Component
,Contextualizable
,Serviceable
- Direct Known Subclasses:
AutoDiscoveringOIDCCredentialProvider
,FacebookCredentialProvider
,GenericOIDCCredentialProvider
,GoogleCredentialProvider
public abstract class AbstractOIDCCredentialProvider
extends AbstractCredentialProvider
implements BlockingCredentialProvider, Contextualizable, Serviceable
Sign in (through Google, facebook...) using the OpenId Connect (OIDC) protocol.
-
Field Summary
Modifier and TypeFieldDescriptionprotected URI
URI for the authentication requestprotected com.nimbusds.oauth2.sdk.id.ClientID
Client IDprotected com.nimbusds.oauth2.sdk.auth.Secret
Client secretprotected Context
Ametys contextprotected com.nimbusds.oauth2.sdk.id.Issuer
Issuer for the validation of the tokenprotected URL
jwk URL for the validation of the tokenprotected com.nimbusds.oauth2.sdk.Scope
Scope for the authentication requestprotected URI
URI for the token requestprotected URI
URI for the user info requeststatic final String
Session date attribute for OIDCstatic final String
Session attribute for OIDCstatic final String
Session attribute for OIDCstatic final String
Session attribute for OIDCstatic final String
Session attribute for OIDC -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionblockingGetUserIdentity
(Redirector redirector) Method called by AuthenticateAction each time a request need authentication.boolean
Method called by AuthenticateAction before asking for credentials.boolean
blockingIsStillConnected
(UserIdentity userIdentity, Redirector redirector) Validates that the user specify is still connectedvoid
blockingUserAllowed
(UserIdentity userIdentity, Redirector redirector) Method called by AuthenticateAction after authentication process succeededvoid
blockingUserNotAllowed
(Redirector redirector) Method called by AuthenticateAction each a user could not get authenticated.protected void
Checks the State parameter of the request to prevent CSRF attacksvoid
contextualize
(Context context) protected com.nimbusds.oauth2.sdk.auth.ClientAuthentication
get the client authentication info for the token end pointprotected UserIdentity
getUserIdentity
(com.nimbusds.openid.connect.sdk.claims.UserInfo userInfo, Request request, Redirector redirector) Compute a user identity based on the user infoprotected com.nimbusds.openid.connect.sdk.claims.UserInfo
getUserInfo
(com.nimbusds.oauth2.sdk.token.AccessToken accessToken) Request the userInfo using the user info end point and an access tokenvoid
Initialize the credential provider with given parameters' values.protected abstract void
Initialize the URIsprotected com.nimbusds.openid.connect.sdk.token.OIDCTokens
requestToken
(com.nimbusds.oauth2.sdk.auth.ClientAuthentication clientAuth, com.nimbusds.oauth2.sdk.AuthorizationGrant refreshTokenGrant) Request the tokens using a refresh tokenprotected com.nimbusds.openid.connect.sdk.token.OIDCTokens
requestToken
(com.nimbusds.oauth2.sdk.AuthorizationCode authCode, URI redirectUri) Request the tokens (ID token and Access token)boolean
Does this blocking credential provider requires a new window to process.void
service
(ServiceManager manager) protected void
signIn
(Redirector redirector, URI redirectUri, Session session) Sign the user in by sending an authentication request to the issuerprotected com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet
validateIdToken
(com.nimbusds.jwt.JWT idToken) Validate the id token from the token requestMethods inherited from class org.ametys.core.authentication.AbstractCredentialProvider
equals, getCredentialProviderModelId, getId, getLabel, getParameterValues, hashCode
Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled
getLogger, setLogger
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.ametys.core.authentication.CredentialProvider
getCredentialProviderModelId, getId, getLabel, getParameterValues, getUserIdentity, grantAnonymousRequest, isStillConnected, userAllowed, userNotAllowed
-
Field Details
-
REDIRECT_URI_SESSION_ATTRIBUTE
Session attribute for OIDC- See Also:
-
TOKEN_SESSION_ATTRIBUTE
Session attribute for OIDC- See Also:
-
EXPDATE_SESSION_ATTRIBUTE
Session date attribute for OIDC- See Also:
-
REFRESH_TOKEN_SESSION_ATTRIBUTE
Session attribute for OIDC- See Also:
-
STATE_SESSION_ATTRIBUTE
Session attribute for OIDC- See Also:
-
_scope
Scope for the authentication request -
_authUri
URI for the authentication request -
_tokenEndpointUri
URI for the token request -
_userInfoEndpoint
URI for the user info request -
_jwkSetURL
jwk URL for the validation of the token -
_iss
Issuer for the validation of the token -
_context
Ametys context -
_clientID
Client ID -
_clientSecret
Client secret
-
-
Constructor Details
-
AbstractOIDCCredentialProvider
public AbstractOIDCCredentialProvider()
-
-
Method Details
-
contextualize
- Specified by:
contextualize
in interfaceContextualizable
- Throws:
ContextException
-
service
- Specified by:
service
in interfaceServiceable
- Throws:
ServiceException
-
init
public void init(String id, String cpModelId, Map<String, Object> paramValues, String label) throws ExceptionDescription copied from interface:CredentialProvider
Initialize the credential provider with given parameters' values.- Specified by:
init
in interfaceCredentialProvider
- Overrides:
init
in classAbstractCredentialProvider
- Parameters:
id
- The unique identifiercpModelId
- The id of credential provider extension pointparamValues
- The parameters' valueslabel
- The specific label of this instance. Can be null- Throws:
Exception
- If an error occurred
-
getClientAuthentication
get the client authentication info for the token end point- Returns:
- the client authentication
-
blockingGrantAnonymousRequest
Description copied from interface:BlockingCredentialProvider
Method called by AuthenticateAction before asking for credentials. This method is used to bypass authentication. If this method returns true, no authentication will be required. Use it with care, as it may lead to obvious security issues.- Specified by:
blockingGrantAnonymousRequest
in interfaceBlockingCredentialProvider
- Returns:
- true if the Request is not authenticated
-
blockingIsStillConnected
public boolean blockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception Description copied from interface:BlockingCredentialProvider
Validates that the user specify is still connected- Specified by:
blockingIsStillConnected
in interfaceBlockingCredentialProvider
- Parameters:
userIdentity
- the user previously correctly identified with this credential providerredirector
- The cocoon redirector- Returns:
- true if this CredentialProvider was in a valid state, false to restart authentication process
- Throws:
Exception
- If an error occurred
-
blockingGetUserIdentity
Description copied from interface:BlockingCredentialProvider
Method called by AuthenticateAction each time a request need authentication.- Specified by:
blockingGetUserIdentity
in interfaceBlockingCredentialProvider
- Parameters:
redirector
- the cocoon redirector.- Returns:
- the
UserIdentity
corresponding to the user (with or without population specified), or null if user could not get authenticated. - Throws:
Exception
- if something wrong occurs
-
blockingUserNotAllowed
Description copied from interface:BlockingCredentialProvider
Method called by AuthenticateAction each a user could not get authenticated. This method implementation is responsible of redirecting response to appropriate url.- Specified by:
blockingUserNotAllowed
in interfaceBlockingCredentialProvider
- Parameters:
redirector
- the cocoon Redirector that can be used for redirecting response.- Throws:
Exception
- if something wrong occurs
-
blockingUserAllowed
Description copied from interface:BlockingCredentialProvider
Method called by AuthenticateAction after authentication process succeeded- Specified by:
blockingUserAllowed
in interfaceBlockingCredentialProvider
- Parameters:
userIdentity
- The user correctly connectedredirector
- the cocoon Redirector that can be used for redirecting response.- Throws:
Exception
- if something wrong occurs
-
requiresNewWindow
Description copied from interface:BlockingCredentialProvider
Does this blocking credential provider requires a new window to process.- Specified by:
requiresNewWindow
in interfaceBlockingCredentialProvider
- Returns:
- true to ask the client to process this credential provider throught a new window
-
initUrisScope
Initialize the URIs- Throws:
AccessDeniedException
- If an error occurs
-
signIn
protected void signIn(Redirector redirector, URI redirectUri, Session session) throws ProcessingException, IOException Sign the user in by sending an authentication request to the issuer- Parameters:
redirector
- The redirectorredirectUri
- The redirect URIsession
- The current session- Throws:
ProcessingException
- If an error occursIOException
- If an error occurs
-
checkState
Checks the State parameter of the request to prevent CSRF attacks- Throws:
AccessDeniedException
- If an error occurs
-
requestToken
protected com.nimbusds.openid.connect.sdk.token.OIDCTokens requestToken(com.nimbusds.oauth2.sdk.AuthorizationCode authCode, URI redirectUri) throws AccessDeniedException Request the tokens (ID token and Access token)- Parameters:
authCode
- The authorization code from the authentication requestredirectUri
- The redirect URI- Returns:
- The
OIDCTokens
that contains the access token and the id token - Throws:
AccessDeniedException
- If an error occurs
-
requestToken
protected com.nimbusds.openid.connect.sdk.token.OIDCTokens requestToken(com.nimbusds.oauth2.sdk.auth.ClientAuthentication clientAuth, com.nimbusds.oauth2.sdk.AuthorizationGrant refreshTokenGrant) throws AccessDeniedException, URISyntaxException Request the tokens using a refresh token- Parameters:
clientAuth
- The client authenticationrefreshTokenGrant
- The refreshtokenGrant- Returns:
- The
OIDCTokens
that contains the access token and the id token - Throws:
AccessDeniedException
- If an error occursURISyntaxException
- If an error occurs
-
validateIdToken
protected com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet validateIdToken(com.nimbusds.jwt.JWT idToken) throws AccessDeniedException Validate the id token from the token request- Parameters:
idToken
- The id token from the token request- Returns:
- The
IDTokenClaimsSet
that contains information on the connection such as the expiration time - Throws:
AccessDeniedException
- If an error occurs
-
getUserInfo
protected com.nimbusds.openid.connect.sdk.claims.UserInfo getUserInfo(com.nimbusds.oauth2.sdk.token.AccessToken accessToken) throws IOException, com.nimbusds.oauth2.sdk.ParseException Request the userInfo using the user info end point and an access token- Parameters:
accessToken
- the access token to retrieve the user info- Returns:
- a representation of the user info from the scope requested with the token
- Throws:
IOException
- if an error occurred while contacting the end pointcom.nimbusds.oauth2.sdk.ParseException
- if an error occurred while parsing the end point answer
-
getUserIdentity
protected UserIdentity getUserIdentity(com.nimbusds.openid.connect.sdk.claims.UserInfo userInfo, Request request, Redirector redirector) throws NotUniqueUserException Compute a user identity based on the user info- Parameters:
userInfo
- the user inforequest
- the original requestredirector
- the redirector to use if need be- Returns:
- the identified user info or null if no matching user were found
- Throws:
NotUniqueUserException
- if multiple user matched
-