org.apache.nifi.web.security.oidc

Class OidcService

java.lang.Object

org.apache.nifi.web.security.oidc.OidcService

public class OidcService
extends Object

OidcService is a service for managing the OpenId Connect Authorization flow.

Field Summary

Fields

Modifier and Type	Field and Description
private OidcIdentityProvider	identityProvider
private com.github.benmanes.caffeine.cache.Cache<CacheKey,String>	jwtLookupForCompletedRequests
private com.github.benmanes.caffeine.cache.Cache<CacheKey,com.nimbusds.oauth2.sdk.id.State>	stateLookupForPendingRequests

Constructor Summary

Constructors

Constructor and Description
OidcService(OidcIdentityProvider identityProvider) Creates a new OIDC with an expiration of 1 minute.
OidcService(OidcIdentityProvider identityProvider, int duration, TimeUnit units) Creates a new OIDC Service.

Method Summary

Modifier and Type	Method and Description
com.nimbusds.oauth2.sdk.id.State	createState(String oidcRequestIdentifier) Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state.
String	exchangeAuthorizationCodeForAccessToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the specified authorization grant for an access token.
String	exchangeAuthorizationCodeForIdToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the specified authorization grant for an ID Token.
LoginAuthenticationToken	exchangeAuthorizationCodeForLoginAuthenticationToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the specified authorization grant for an ID token.
URI	getAuthorizationEndpoint() Returns the OpenId Connect authorization endpoint.
String	getClientId() Returns the OpenId Connect client id.
URI	getEndSessionEndpoint() Returns the OpenId Connect end session endpoint.
String	getJwt(String oidcRequestIdentifier) Returns the resulting JWT for the given request identifier.
URI	getRevocationEndpoint() Returns the OpenId Connect revocation endpoint.
com.nimbusds.oauth2.sdk.Scope	getScope() Returns the OpenId Connect scope.
boolean	isOidcEnabled() Returns whether OpenId Connect is enabled.
boolean	isStateValid(String oidcRequestIdentifier, com.nimbusds.oauth2.sdk.id.State proposedState) Validates the proposed state with the given request identifier.
void	storeJwt(String oidcRequestIdentifier, String jwt) Stores the NiFi Jwt.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

identityProvider

private final OidcIdentityProvider identityProvider

stateLookupForPendingRequests

private final com.github.benmanes.caffeine.cache.Cache<CacheKey,com.nimbusds.oauth2.sdk.id.State> stateLookupForPendingRequests

jwtLookupForCompletedRequests

private final com.github.benmanes.caffeine.cache.Cache<CacheKey,String> jwtLookupForCompletedRequests

Constructor Detail

OidcService

public OidcService(OidcIdentityProvider identityProvider)

Creates a new OIDC with an expiration of 1 minute.

Parameters:

identityProvider - The identity provider

OidcService

public OidcService(OidcIdentityProvider identityProvider,
                   int duration,
                   TimeUnit units)

Creates a new OIDC Service.

Parameters:

identityProvider - The identity provider

duration - The expiration duration

units - The expiration units

Throws:

NullPointerException - If units is null

IllegalArgumentException - If duration is negative

Method Detail

isOidcEnabled

public boolean isOidcEnabled()

Returns whether OpenId Connect is enabled.

Returns:

whether OpenId Connect is enabled

getAuthorizationEndpoint

public URI getAuthorizationEndpoint()

Returns the OpenId Connect authorization endpoint.

Returns:

the authorization endpoint

getEndSessionEndpoint

public URI getEndSessionEndpoint()

Returns the OpenId Connect end session endpoint.

Returns:

the end session endpoint

getRevocationEndpoint

public URI getRevocationEndpoint()

Returns the OpenId Connect revocation endpoint.

Returns:

the revocation endpoint

getScope

public com.nimbusds.oauth2.sdk.Scope getScope()

Returns the OpenId Connect scope.

Returns:

scope

getClientId

public String getClientId()

Returns the OpenId Connect client id.

Returns:

client id

createState

public com.nimbusds.oauth2.sdk.id.State createState(String oidcRequestIdentifier)

Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state.

Parameters:

oidcRequestIdentifier - request identifier

Returns:

state

isStateValid

public boolean isStateValid(String oidcRequestIdentifier,
                            com.nimbusds.oauth2.sdk.id.State proposedState)

Validates the proposed state with the given request identifier. Will return false if the state does not match or if entry for this request identifier has expired.

Parameters:

oidcRequestIdentifier - request identifier

proposedState - proposed state

Returns:

whether the state is valid or not

exchangeAuthorizationCodeForLoginAuthenticationToken

public LoginAuthenticationToken exchangeAuthorizationCodeForLoginAuthenticationToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                                                              throws IOException

Exchanges the specified authorization grant for an ID token.

Parameters:

authorizationGrant - authorization grant

Returns:

a Login Authentication Token

Throws:

IOException - exceptional case for communication error with the OpenId Connect provider

exchangeAuthorizationCodeForAccessToken

public String exchangeAuthorizationCodeForAccessToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                               throws Exception

Exchanges the specified authorization grant for an access token.

Parameters:

authorizationGrant - authorization grant

Returns:

an Access Token string

Throws:

IOException - exceptional case for communication error with the OpenId Connect provider

Exception

exchangeAuthorizationCodeForIdToken

public String exchangeAuthorizationCodeForIdToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                           throws IOException

Exchanges the specified authorization grant for an ID Token.

Parameters:

authorizationGrant - authorization grant

Returns:

an ID Token string

Throws:

IOException - exceptional case for communication error with the OpenId Connect provider

storeJwt

public void storeJwt(String oidcRequestIdentifier,
                     String jwt)

Stores the NiFi Jwt.

Parameters:

oidcRequestIdentifier - request identifier

jwt - NiFi JWT

getJwt

public String getJwt(String oidcRequestIdentifier)

Returns the resulting JWT for the given request identifier. Will return null if the request identifier is not associated with a JWT or if the login sequence was not completed before this request identifier expired.

Parameters:

oidcRequestIdentifier - request identifier

Returns:

jwt token