Package org.ametys.plugins.extrausermgt.authentication.msal

Class AbstractMSALCredentialProvider

java.lang.Object

org.ametys.runtime.plugin.component.AbstractLogEnabled

org.ametys.core.authentication.AbstractCredentialProvider

org.ametys.plugins.extrausermgt.authentication.msal.AbstractMSALCredentialProvider

All Implemented Interfaces:

BlockingCredentialProvider, CredentialProvider, NonBlockingCredentialProvider, LogEnabled, Component, Contextualizable

Direct Known Subclasses:

ADFSCredentialProvider, EntraIDCredentialProvider

public abstract class AbstractMSALCredentialProvider
extends AbstractCredentialProvider
implements BlockingCredentialProvider, NonBlockingCredentialProvider, Contextualizable

Sign in through Azure AD, using the OpenId Connect protocol.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ACCESS_TOKEN_SESSION_ATTRIBUTE	Session attribute to store the access token

Constructor Summary

Constructors

Constructor	Description
AbstractMSALCredentialProvider()

Method Summary

Modifier and Type	Method	Description
UserIdentity	blockingGetUserIdentity(Redirector redirector)	Method called by AuthenticateAction each time a request need authentication.
boolean	blockingGrantAnonymousRequest()	Method called by AuthenticateAction before asking for credentials.
boolean	blockingIsStillConnected(UserIdentity userIdentity, Redirector redirector)	Validates that the user specify is still connected
void	blockingUserAllowed(UserIdentity userIdentity, Redirector redirector)	Method called by AuthenticateAction after authentication process succeeded
void	blockingUserNotAllowed(Redirector redirector)	Method called by AuthenticateAction each a user could not get authenticated.
void	contextualize(Context context)
protected abstract String	getAuthority()	Returns the URL to send authorization and token requests to.
protected Set<String>	getScopes()	Returns all needed OIDC scopes.
protected void	init(String cliendId, String clientSecret, boolean prompt, boolean silent)	Set the mandatory properties.
UserIdentity	nonBlockingGetUserIdentity(Redirector redirector)	Method called by AuthenticateAction each time a request need authentication.
boolean	nonBlockingGrantAnonymousRequest()	Method called by AuthenticateAction before asking for credentials.
boolean	nonBlockingIsStillConnected(UserIdentity userIdentity, Redirector redirector)	Validates that the user specify is still connected
void	nonBlockingUserAllowed(UserIdentity userIdentity, Redirector redirector)	Method called by AuthenticateAction after authentication process succeeded
void	nonBlockingUserNotAllowed(Redirector redirector)	Method called by AuthenticateAction each a user could not get authenticated.
void	refreshTokenIfNeeded(Session session)	Refresh the access token of the user if needed
boolean	requiresNewWindow()	Does this blocking credential provider requires a new window to process.

Methods inherited from class org.ametys.core.authentication.AbstractCredentialProvider

equals, getCredentialProviderModelId, getId, getLabel, getParameterValues, hashCode, init

Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled

getLogger, setLogger

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.ametys.core.authentication.CredentialProvider

getCredentialProviderModelId, getId, getLabel, getParameterValues, getUserIdentity, grantAnonymousRequest, init, isStillConnected, userAllowed, userNotAllowed

Field Details

ACCESS_TOKEN_SESSION_ATTRIBUTE

public static final String ACCESS_TOKEN_SESSION_ATTRIBUTE

Session attribute to store the access token

See Also:

• Constant Field Values

Constructor Details

AbstractMSALCredentialProvider

public AbstractMSALCredentialProvider()

Method Details

contextualize

public void contextualize(Context context)
                   throws ContextException

Specified by:

contextualize in interface Contextualizable

Throws:

ContextException

init

protected void init(String cliendId,
 String clientSecret,
 boolean prompt,
 boolean silent)

Set the mandatory properties. Should be called by implementors as early as possible.

Parameters:

cliendId - the OIDC app id

clientSecret - the client secret

prompt - whether the user should be explicitely forced to enter its username

silent - whether we should try to silently log the user in

getAuthority

protected abstract String getAuthority()

Returns the URL to send authorization and token requests to.

Returns:

the OIDC authority URL

blockingIsStillConnected

public boolean blockingIsStillConnected(UserIdentity userIdentity,
 Redirector redirector)
                                 throws Exception

Description copied from interface: BlockingCredentialProvider

Validates that the user specify is still connected

Specified by:

blockingIsStillConnected in interface BlockingCredentialProvider

Parameters:

userIdentity - the user previously correctly identified with this credential provider

redirector - The cocoon redirector

Returns:

true if this CredentialProvider was in a valid state, false to restart authentication process

Throws:

Exception - If an error occurred

nonBlockingIsStillConnected

public boolean nonBlockingIsStillConnected(UserIdentity userIdentity,
 Redirector redirector)
                                    throws Exception

Description copied from interface: NonBlockingCredentialProvider

Validates that the user specify is still connected

Specified by:

nonBlockingIsStillConnected in interface NonBlockingCredentialProvider

Parameters:

userIdentity - the user previously correctly identified with this credential provider

redirector - The cocoon redirector

Returns:

true if this CredentialProvider was in a valid state, false to restart authentication process

Throws:

Exception - If an error occurred

blockingGrantAnonymousRequest

public boolean blockingGrantAnonymousRequest()

Description copied from interface: BlockingCredentialProvider

Method called by AuthenticateAction before asking for credentials. This method is used to bypass authentication. If this method returns true, no authentication will be required. Use it with care, as it may lead to obvious security issues.

Specified by:

blockingGrantAnonymousRequest in interface BlockingCredentialProvider

Returns:

true if the Request is not authenticated

nonBlockingGrantAnonymousRequest

public boolean nonBlockingGrantAnonymousRequest()

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction before asking for credentials. This method is used to bypass authentication. If this method returns true, no authentication will be require. Use it with care, as it may lead to obvious security issues.

Specified by:

nonBlockingGrantAnonymousRequest in interface NonBlockingCredentialProvider

Returns:

true if the Request is not authenticated

getScopes

protected Set<String> getScopes()

Returns all needed OIDC scopes. Defaults to ["openid"]

Returns:

all needed OIDC scopes

blockingGetUserIdentity

public UserIdentity blockingGetUserIdentity(Redirector redirector)
                                     throws Exception

Description copied from interface: BlockingCredentialProvider

Method called by AuthenticateAction each time a request need authentication.

Specified by:

blockingGetUserIdentity in interface BlockingCredentialProvider

Parameters:

redirector - the cocoon redirector.

Returns:

the UserIdentity corresponding to the user (with or without population specified), or null if user could not get authenticated.

Throws:

Exception - if something wrong occurs

nonBlockingGetUserIdentity

public UserIdentity nonBlockingGetUserIdentity(Redirector redirector)
                                        throws Exception

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction each time a request need authentication.

Specified by:

nonBlockingGetUserIdentity in interface NonBlockingCredentialProvider

Parameters:

redirector - the cocoon redirector.

Returns:

the UserIdentity corresponding to the user (with or without population specified), or null if user could not get authenticated.

Throws:

Exception - if something wrong occurs

blockingUserNotAllowed

public void blockingUserNotAllowed(Redirector redirector)

Description copied from interface: BlockingCredentialProvider

Method called by AuthenticateAction each a user could not get authenticated. This method implementation is responsible of redirecting response to appropriate url.

Specified by:

blockingUserNotAllowed in interface BlockingCredentialProvider

Parameters:

redirector - the cocoon Redirector that can be used for redirecting response.

nonBlockingUserNotAllowed

public void nonBlockingUserNotAllowed(Redirector redirector)
                               throws Exception

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction each a user could not get authenticated. This method implementation is responsible of redirecting response to appropriate url.

Specified by:

nonBlockingUserNotAllowed in interface NonBlockingCredentialProvider

Parameters:

redirector - the cocoon Redirector that can be used for redirecting response.

Throws:

Exception - if something wrong occurs

blockingUserAllowed

public void blockingUserAllowed(UserIdentity userIdentity,
 Redirector redirector)
                         throws ProcessingException,
IOException

Description copied from interface: BlockingCredentialProvider

Method called by AuthenticateAction after authentication process succeeded

Specified by:

blockingUserAllowed in interface BlockingCredentialProvider

Parameters:

userIdentity - The user correctly connected

redirector - the cocoon Redirector that can be used for redirecting response.

Throws:

ProcessingException

IOException

nonBlockingUserAllowed

public void nonBlockingUserAllowed(UserIdentity userIdentity,
 Redirector redirector)

Description copied from interface: NonBlockingCredentialProvider

Method called by AuthenticateAction after authentication process succeeded

Specified by:

nonBlockingUserAllowed in interface NonBlockingCredentialProvider

Parameters:

userIdentity - The user correctly connected

redirector - the cocoon Redirector that can be used for redirecting response.

requiresNewWindow

public boolean requiresNewWindow()

Description copied from interface: BlockingCredentialProvider

Does this blocking credential provider requires a new window to process.

Specified by:

requiresNewWindow in interface BlockingCredentialProvider

Returns:

true to ask the client to process this credential provider throught a new window

refreshTokenIfNeeded

public void refreshTokenIfNeeded(Session session)
                          throws Exception

Refresh the access token of the user if needed

Parameters:

session - the session

Throws:

Exception - when an error occurs