org.apache.nifi.web.security.oidc

Class StandardOidcIdentityProvider

java.lang.Object

org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider

All Implemented Interfaces:

OidcIdentityProvider

public class StandardOidcIdentityProvider
extends Object
implements OidcIdentityProvider

OidcProvider for managing the OpenId Connect Authorization flow.

Field Summary

Fields

Modifier and Type	Field and Description
private com.nimbusds.oauth2.sdk.id.ClientID	clientId
private com.nimbusds.oauth2.sdk.auth.Secret	clientSecret
private String	EMAIL_CLAIM
private static org.slf4j.Logger	logger
private int	oidcConnectTimeout
private com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata	oidcProviderMetadata
private int	oidcReadTimeout
private NiFiProperties	properties
private SSLContext	sslContext
private com.nimbusds.openid.connect.sdk.validators.IDTokenValidator	tokenValidator

Fields inherited from interface org.apache.nifi.web.security.oidc.OidcIdentityProvider

OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED

Constructor Summary

Constructors

Constructor and Description
StandardOidcIdentityProvider(NiFiProperties properties) Creates a new StandardOidcIdentityProvider.

Method Summary

Modifier and Type	Method and Description
private com.nimbusds.oauth2.sdk.TokenResponse	authorizeClient(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
private com.nimbusds.oauth2.sdk.TokenResponse	authorizeClientRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest tokenHttpRequest)
private LoginAuthenticationToken	convertOIDCTokenToLoginAuthenticationToken(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
private com.nimbusds.oauth2.sdk.auth.ClientAuthentication	createClientAuthentication()
private com.nimbusds.oauth2.sdk.http.HTTPRequest	createTokenHTTPRequest(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant, com.nimbusds.oauth2.sdk.auth.ClientAuthentication clientAuthentication)
private com.nimbusds.oauth2.sdk.http.HTTPRequest	createUserInfoRequest(com.nimbusds.oauth2.sdk.token.BearerAccessToken bearerAccessToken)
String	exchangeAuthorizationCodeForAccessToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the supplied authorization grant for an Access Token.
String	exchangeAuthorizationCodeForIdToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the supplied authorization grant for an ID Token.
LoginAuthenticationToken	exchangeAuthorizationCodeforLoginAuthenticationToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant) Exchanges the supplied authorization grant for a Login ID Token.
private com.nimbusds.jose.JWSAlgorithm	extractJwsAlgorithm()
private com.nimbusds.oauth2.sdk.http.HTTPRequest	formHTTPRequest(com.nimbusds.oauth2.sdk.Request request)
private String	getAccessTokenString(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
URI	getAuthorizationEndpoint() Returns the URI for the authorization endpoint.
private static List<String>	getAvailableClaims(com.nimbusds.jwt.JWTClaimsSet claimSet)
com.nimbusds.oauth2.sdk.id.ClientID	getClientId() Returns the configured client id.
URI	getEndSessionEndpoint() Returns the URI for the end session endpoint.
private String	getIdTokenString(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
private com.nimbusds.openid.connect.sdk.token.OIDCTokens	getOidcTokens(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
private com.nimbusds.jose.util.ResourceRetriever	getResourceRetriever()
URI	getRevocationEndpoint() Returns the URI for the revocation endpoint.
com.nimbusds.oauth2.sdk.Scope	getScope() Returns the scopes supported by the OIDC provider.
void	initializeProvider() Loads OIDC configuration values from NiFiProperties, connects to external OIDC provider, and retrieves and validates provider metadata.
boolean	isOidcEnabled() Returns whether OIDC support is enabled.
private String	lookupIdentityInUserInfo(com.nimbusds.oauth2.sdk.http.HTTPRequest userInfoHttpRequest)
private String	retrieveIdentityFromUserInfoEndpoint(com.nimbusds.openid.connect.sdk.token.OIDCTokens oidcTokens)
private com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata	retrieveOidcProviderMetadata(String discoveryUri) Returns the retrieved OIDC provider metadata from the external provider.
private com.nimbusds.oauth2.sdk.http.HTTPRequest	setHttpRequestProperties(com.nimbusds.oauth2.sdk.http.HTTPRequest httpRequest)
private void	setSslContext()
private void	validateAccessToken(com.nimbusds.openid.connect.sdk.token.OIDCTokens oidcTokens)
private com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet	validateIdToken(com.nimbusds.jwt.JWT oidcJwt)
private void	validateOIDCConfiguration() Loads the initial configuration values relating to the OIDC provider from the class NiFiProperties and populates the individual fields.
private void	validateOIDCProviderMetadata() Validates the retrieved OIDC provider metadata.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

EMAIL_CLAIM

private final String EMAIL_CLAIM

See Also:

Constant Field Values

properties

private final NiFiProperties properties

oidcProviderMetadata

private com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata oidcProviderMetadata

oidcConnectTimeout

private int oidcConnectTimeout

oidcReadTimeout

private int oidcReadTimeout

tokenValidator

private com.nimbusds.openid.connect.sdk.validators.IDTokenValidator tokenValidator

clientId

private com.nimbusds.oauth2.sdk.id.ClientID clientId

clientSecret

private com.nimbusds.oauth2.sdk.auth.Secret clientSecret

sslContext

private SSLContext sslContext

Constructor Detail

StandardOidcIdentityProvider

public StandardOidcIdentityProvider(NiFiProperties properties)

Creates a new StandardOidcIdentityProvider.

Parameters:

properties - properties

Method Detail

initializeProvider

public void initializeProvider()

Loads OIDC configuration values from NiFiProperties, connects to external OIDC provider, and retrieves and validates provider metadata.

Specified by:

initializeProvider in interface OidcIdentityProvider

setSslContext

private void setSslContext()

validateOIDCProviderMetadata

private void validateOIDCProviderMetadata()

Validates the retrieved OIDC provider metadata.

extractJwsAlgorithm

private com.nimbusds.jose.JWSAlgorithm extractJwsAlgorithm()

validateOIDCConfiguration

private void validateOIDCConfiguration()

Loads the initial configuration values relating to the OIDC provider from the class NiFiProperties and populates the individual fields.

retrieveOidcProviderMetadata

private com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata retrieveOidcProviderMetadata(String discoveryUri)
                                                                                      throws IOException,
                                                                                             com.nimbusds.oauth2.sdk.ParseException

Returns the retrieved OIDC provider metadata from the external provider.

Parameters:

discoveryUri - the remote OIDC provider endpoint for service discovery

Returns:

the provider metadata

Throws:

IOException - if there is a problem connecting to the remote endpoint

com.nimbusds.oauth2.sdk.ParseException - if there is a problem parsing the response

isOidcEnabled

public boolean isOidcEnabled()

Description copied from interface: OidcIdentityProvider

Returns whether OIDC support is enabled.

Specified by:

isOidcEnabled in interface OidcIdentityProvider

Returns:

whether OIDC support is enabled

getAuthorizationEndpoint

public URI getAuthorizationEndpoint()

Description copied from interface: OidcIdentityProvider

Returns the URI for the authorization endpoint.

Specified by:

getAuthorizationEndpoint in interface OidcIdentityProvider

Returns:

uri for the authorization endpoint

getEndSessionEndpoint

public URI getEndSessionEndpoint()

Description copied from interface: OidcIdentityProvider

Returns the URI for the end session endpoint.

Specified by:

getEndSessionEndpoint in interface OidcIdentityProvider

Returns:

uri for the end session endpoint

getRevocationEndpoint

public URI getRevocationEndpoint()

Description copied from interface: OidcIdentityProvider

Returns the URI for the revocation endpoint.

Specified by:

getRevocationEndpoint in interface OidcIdentityProvider

Returns:

uri for the revocation endpoint

getScope

public com.nimbusds.oauth2.sdk.Scope getScope()

Description copied from interface: OidcIdentityProvider

Returns the scopes supported by the OIDC provider.

Specified by:

getScope in interface OidcIdentityProvider

Returns:

support scopes

getClientId

public com.nimbusds.oauth2.sdk.id.ClientID getClientId()

Description copied from interface: OidcIdentityProvider

Returns the configured client id.

Specified by:

getClientId in interface OidcIdentityProvider

Returns:

the client id

exchangeAuthorizationCodeforLoginAuthenticationToken

public LoginAuthenticationToken exchangeAuthorizationCodeforLoginAuthenticationToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                                                              throws IOException

Description copied from interface: OidcIdentityProvider

Exchanges the supplied authorization grant for a Login ID Token. Extracts the identity from the ID token.

Specified by:

exchangeAuthorizationCodeforLoginAuthenticationToken in interface OidcIdentityProvider

Parameters:

authorizationGrant - authorization grant for invoking the Token Endpoint

Returns:

a Login Authentication Token

Throws:

IOException - if there was an exceptional error while communicating with the OIDC provider

exchangeAuthorizationCodeForAccessToken

public String exchangeAuthorizationCodeForAccessToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                               throws Exception

Description copied from interface: OidcIdentityProvider

Exchanges the supplied authorization grant for an Access Token.

Specified by:

exchangeAuthorizationCodeForAccessToken in interface OidcIdentityProvider

Parameters:

authorizationGrant - authorization grant for invoking the Token Endpoint

Returns:

an Access Token String

Throws:

Exception - if there was an exceptional error while communicating with the OIDC provider

exchangeAuthorizationCodeForIdToken

public String exchangeAuthorizationCodeForIdToken(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)

Description copied from interface: OidcIdentityProvider

Exchanges the supplied authorization grant for an ID Token.

Specified by:

exchangeAuthorizationCodeForIdToken in interface OidcIdentityProvider

Parameters:

authorizationGrant - authorization grant for invoking the Token Endpoint

Returns:

an ID Token String

getAccessTokenString

private String getAccessTokenString(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
                             throws Exception

Throws:

Exception

getIdTokenString

private String getIdTokenString(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
                         throws com.nimbusds.jose.proc.BadJOSEException,
                                com.nimbusds.jose.JOSEException

Throws:

com.nimbusds.jose.proc.BadJOSEException

com.nimbusds.jose.JOSEException

authorizeClient

private com.nimbusds.oauth2.sdk.TokenResponse authorizeClient(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant)
                                                       throws com.nimbusds.oauth2.sdk.ParseException,
                                                              IOException

Throws:

com.nimbusds.oauth2.sdk.ParseException

IOException

authorizeClientRequest

private com.nimbusds.oauth2.sdk.TokenResponse authorizeClientRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest tokenHttpRequest)
                                                              throws com.nimbusds.oauth2.sdk.ParseException,
                                                                     IOException

Throws:

com.nimbusds.oauth2.sdk.ParseException

IOException

convertOIDCTokenToLoginAuthenticationToken

private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)
                                                                     throws com.nimbusds.jose.proc.BadJOSEException,
                                                                            com.nimbusds.jose.JOSEException,
                                                                            ParseException,
                                                                            IOException

Throws:

com.nimbusds.jose.proc.BadJOSEException

com.nimbusds.jose.JOSEException

ParseException

IOException

getOidcTokens

private com.nimbusds.openid.connect.sdk.token.OIDCTokens getOidcTokens(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response)

retrieveIdentityFromUserInfoEndpoint

private String retrieveIdentityFromUserInfoEndpoint(com.nimbusds.openid.connect.sdk.token.OIDCTokens oidcTokens)
                                             throws IOException

Throws:

IOException

createTokenHTTPRequest

private com.nimbusds.oauth2.sdk.http.HTTPRequest createTokenHTTPRequest(com.nimbusds.oauth2.sdk.AuthorizationGrant authorizationGrant,
                                                                        com.nimbusds.oauth2.sdk.auth.ClientAuthentication clientAuthentication)

createUserInfoRequest

private com.nimbusds.oauth2.sdk.http.HTTPRequest createUserInfoRequest(com.nimbusds.oauth2.sdk.token.BearerAccessToken bearerAccessToken)

formHTTPRequest

private com.nimbusds.oauth2.sdk.http.HTTPRequest formHTTPRequest(com.nimbusds.oauth2.sdk.Request request)

setHttpRequestProperties

private com.nimbusds.oauth2.sdk.http.HTTPRequest setHttpRequestProperties(com.nimbusds.oauth2.sdk.http.HTTPRequest httpRequest)

getResourceRetriever

private com.nimbusds.jose.util.ResourceRetriever getResourceRetriever()

createClientAuthentication

private com.nimbusds.oauth2.sdk.auth.ClientAuthentication createClientAuthentication()

getAvailableClaims

private static List<String> getAvailableClaims(com.nimbusds.jwt.JWTClaimsSet claimSet)

validateAccessToken

private void validateAccessToken(com.nimbusds.openid.connect.sdk.token.OIDCTokens oidcTokens)
                          throws Exception

Throws:

Exception

validateIdToken

private com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet validateIdToken(com.nimbusds.jwt.JWT oidcJwt)
                                                                         throws com.nimbusds.jose.proc.BadJOSEException,
                                                                                com.nimbusds.jose.JOSEException

Throws:

com.nimbusds.jose.proc.BadJOSEException

com.nimbusds.jose.JOSEException

lookupIdentityInUserInfo

private String lookupIdentityInUserInfo(com.nimbusds.oauth2.sdk.http.HTTPRequest userInfoHttpRequest)
                                 throws IOException

Throws:

IOException