java.lang.Object
io.helidon.security.providers.idcs.mapper.IdcsRoleMapperProviderBase
All Implemented Interfaces:
SecurityProvider, SubjectMappingProvider
Direct Known Subclasses:
IdcsMtRoleMapperProvider, IdcsRoleMapperProvider

public abstract class IdcsRoleMapperProviderBase extends Object implements SubjectMappingProvider
Common functionality for IDCS role mapping using Http1Client.
  • Field Details

    • IDCS_SUBJECT_TYPE_USER

      public static final String IDCS_SUBJECT_TYPE_USER
      User subject type used when requesting roles from IDCS. The provider first attempts to read the subject type from the JWT claim sub_type; if that claim is not present, the default configured in IdcsRoleMapperProviderBase.Builder is used.
    • IDCS_SUBJECT_TYPE_CLIENT

      public static final String IDCS_SUBJECT_TYPE_CLIENT
      Client subject type used when requesting roles from IDCS. The provider first attempts to read the subject type from the JWT claim sub_type; if that claim is not present, the default configured in IdcsRoleMapperProviderBase.Builder is used.
    • ROLE_GROUP

      protected static final String ROLE_GROUP
      JSON key for group roles to be retrieved from the IDCS response.
    • ROLE_APPROLE

      protected static final String ROLE_APPROLE
      JSON key for app roles to be retrieved from the IDCS response.
    • ACCESS_TOKEN_KEY

      protected static final String ACCESS_TOKEN_KEY
      JSON key for the token to be retrieved from the IDCS response when requesting an application token.
    • PARENT_CONTEXT_CLIENT_PROPERTY

      protected static final String PARENT_CONTEXT_CLIENT_PROPERTY
      Property sent with JAX-RS requests to override parent span context in outbound calls. We cannot use the constant declared in ClientTracingFilter, as it is not a required dependency.
  • Constructor Details

    • IdcsRoleMapperProviderBase

      protected IdcsRoleMapperProviderBase(IdcsRoleMapperProviderBase.Builder<?> builder)
      Configures the needed fields from the provided builder.
      Parameters:
      builder - builder with oidcConfig and other needed fields.
  • Method Details

    • map

      public AuthenticationResponse map(ProviderRequest authenticatedRequest, AuthenticationResponse previousResponse)
      Description copied from interface: SubjectMappingProvider
      Map grants from authenticated request (e.g. one or both of ProviderRequest.subject() or ProviderRequest.service() returns a non-empty value) to a new authentication response. The provider can change/add/remove grants (such as groups, scopes, permissions) or change the subject to a different one. This method is only invoked after a successful authentication.
      Specified by:
      map in interface SubjectMappingProvider
      Parameters:
      authenticatedRequest - request to get user and service subjects from
      previousResponse - response from previous authentication or subject mapping provider
      Returns:
      a new authentication response with updated user and/or service subjects
    • enhance

      protected abstract Subject enhance(ProviderRequest request, AuthenticationResponse previousResponse, Subject subject)
      Enhance the subject with IDCS roles.
      Parameters:
      request - provider request
      previousResponse - authenticated response
      subject - subject to enhance
      Returns:
      enhanced subject (the declared return type is Subject, not a future)
    • buildSubject

      protected Subject buildSubject(Subject originalSubject, List<? extends Grant> grants)
      Updates original subject with the list of grants.
      Parameters:
      originalSubject - as was created by authentication provider
      grants - grants added by this role mapper
      Returns:
      new subject
    • processRoleRequest

      protected List<? extends Grant> processRoleRequest(HttpClientRequest request, Object entity, String subjectName)
    • oidcConfig

      protected OidcConfig oidcConfig()
      Access to OidcConfig so the field is not duplicated by classes that extend this provider.
      Returns:
      OpenID Connect configuration (also used to configure access to IDCS)
    • defaultIdcsSubjectType

      protected String defaultIdcsSubjectType()
      Default subject type to use when requesting data from IDCS.
      Returns:
      configured default subject type or IDCS_SUBJECT_TYPE_USER
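As an added illustration that is not part of the Helidon Javadoc or the project's own source, the following subclass shows how enhance, processRoleRequest, buildSubject, defaultIdcsSubjectType and the two subject-type constants fit together. Everything not on this page is an assumption: the Http1Client/HttpClientRequest construction, Jakarta JSON-P for the request entity, reading the sub_type claim through the principal's ABAC attributes, and the IDCS endpoint path and entity field names.

```java
import java.util.List;

import io.helidon.security.AuthenticationResponse;
import io.helidon.security.Grant;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Subject;
import io.helidon.security.providers.idcs.mapper.IdcsRoleMapperProviderBase;
import io.helidon.webclient.api.HttpClientRequest;
import io.helidon.webclient.http1.Http1Client;
import jakarta.json.Json;
import jakarta.json.JsonObject;

// Example subclass; not part of Helidon. The IDCS endpoint path, entity field names and
// the WebClient/ABAC-attribute calls below are assumptions, not taken from the Javadoc page.
public class ExampleIdcsRoleMapper extends IdcsRoleMapperProviderBase {
    private static final String ROLE_ENDPOINT = "/admin/v1/Asserter"; // assumed IDCS path
    private final Http1Client client;

    protected ExampleIdcsRoleMapper(IdcsRoleMapperProviderBase.Builder<?> builder, String idcsBaseUri) {
        super(builder);                      // configures oidcConfig() and defaultIdcsSubjectType()
        this.client = Http1Client.builder()  // assumed Helidon 4 WebClient API
                .baseUri(idcsBaseUri)
                .build();
    }

    @Override
    protected Subject enhance(ProviderRequest request, AuthenticationResponse previousResponse, Subject subject) {
        String subjectName = subject.principal().getName();
        // Subject type: the JWT sub_type claim when present, otherwise the builder default.
        // Assumes the JWT provider exposed claims as ABAC attributes on the principal.
        // Only the two known types are accepted; anything else falls back to the default.
        String subjectType = subject.principal().abacAttribute("sub_type")
                .map(Object::toString)
                .filter(t -> IDCS_SUBJECT_TYPE_USER.equals(t) || IDCS_SUBJECT_TYPE_CLIENT.equals(t))
                .orElseGet(this::defaultIdcsSubjectType);
        // Build the entity with a JSON API rather than string concatenation, so a crafted
        // subject name cannot alter the structure of the request sent to IDCS.
        JsonObject entity = Json.createObjectBuilder()
                .add("mappingAttributeValue", subjectName)
                .add("subjectType", subjectType)
                .add("includeMemberships", true)
                .build();
        HttpClientRequest roleRequest = client.post(ROLE_ENDPOINT);
        List<? extends Grant> grants = processRoleRequest(roleRequest, entity, subjectName);
        // No grants from IDCS: keep the authenticated subject unchanged rather than replacing it.
        if (grants.isEmpty()) {
            return subject;
        }
        return buildSubject(subject, grants);
    }
}
```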