Class OidcProvider
- java.lang.Object
-
- io.helidon.security.providers.oidc.OidcProvider
-
- All Implemented Interfaces:
AuthenticationProvider
,OutboundSecurityProvider
,SecurityProvider
public final class OidcProvider extends Object implements AuthenticationProvider, OutboundSecurityProvider
Open ID Connect authentication provider. IDCS specific notes:- If you want to use JWK to validate tokens, you must give access to the endpoint (by default only admin can access it)
- If you want to use introspect endpoint to validate tokens, you must give rights to the application to do so (Client Configuration/Allowed Operations)
- If you want to retrieve groups when using IDCS, you must add "Client Credentials" in "Allowed Grant Types" in application configuration, as well as "Grant the client access to Identity Cloud Service Admin APIs." configured to "User Administrator"
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
OidcProvider.Builder
Builder forOidcProvider
.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description CompletionStage<AuthenticationResponse>
authenticate(ProviderRequest providerRequest)
Authenticate a request.static OidcProvider.Builder
builder()
A fluent API builder to created instances of this provider.static OidcProvider
create(Config config)
Load this provider from configuration.static OidcProvider
create(OidcConfig config)
Create a new provider based on OIDC configuration.boolean
isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundConfig)
Check if the path to be executed is supported by this security provider.CompletionStage<OutboundSecurityResponse>
outboundSecurity(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEndpointConfig)
Creates necessary updates to headers and entity needed for outbound security (e.g.Collection<Class<? extends Annotation>>
supportedAnnotations()
Provide extension annotations supported by this provider (e.g.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface io.helidon.security.spi.SecurityProvider
supportedAttributes, supportedConfigKeys, supportedCustomObjects
-
-
-
-
Method Detail
-
create
public static OidcProvider create(Config config)
Load this provider from configuration.- Parameters:
config
- configuration of this provider- Returns:
- a new provider configured for OIDC
-
create
public static OidcProvider create(OidcConfig config)
Create a new provider based on OIDC configuration.- Parameters:
config
- config of OIDC server and client- Returns:
- a new provider configured for OIDC
-
builder
public static OidcProvider.Builder builder()
A fluent API builder to created instances of this provider.- Returns:
- a new builder instance
-
supportedAnnotations
public Collection<Class<? extends Annotation>> supportedAnnotations()
Description copied from interface:SecurityProvider
Provide extension annotations supported by this provider (e.g.javax.annotation.security.RolesAllowed
). Annotations will be collected according to framework in use. For JAX-RS, annotations from application class, resource class and resource methods will be collected.- Specified by:
supportedAnnotations
in interfaceSecurityProvider
- Returns:
- Collection of annotations this provider expects.
-
authenticate
public CompletionStage<AuthenticationResponse> authenticate(ProviderRequest providerRequest)
Description copied from interface:AuthenticationProvider
Authenticate a request. This may be just resolving headers (tokens) or full authentication (basic auth). Do not throw exception for normal processing (e.g. invalid credentials; you may throw an exception in case of misconfiguration). This method will be invoked for inbound requests ONLY.This method must provide either a
Principal
or a wholeSubject
either for a user or for service (or both).- Specified by:
authenticate
in interfaceAuthenticationProvider
- Parameters:
providerRequest
- context of this security enforcement/validation- Returns:
- response that either authenticates the request, fails authentication or abstains from authentication
- See Also:
AuthenticationResponse.success(Subject)
-
isOutboundSupported
public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundConfig)
Description copied from interface:OutboundSecurityProvider
Check if the path to be executed is supported by this security provider. Defaults to true.- Specified by:
isOutboundSupported
in interfaceOutboundSecurityProvider
- Parameters:
providerRequest
- context with environment, subject(s) etc. that was receivedoutboundEnv
- environment for outbound calloutboundConfig
- outbound endpoint configuration- Returns:
- true if this identity propagator can generate required headers for the path defined
-
outboundSecurity
public CompletionStage<OutboundSecurityResponse> outboundSecurity(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEndpointConfig)
Description copied from interface:OutboundSecurityProvider
Creates necessary updates to headers and entity needed for outbound security (e.g. identity propagation, s2s security etc.). This method will be invoked for outbound requests ONLY.- Specified by:
outboundSecurity
in interfaceOutboundSecurityProvider
- Parameters:
providerRequest
- context with environment, subject(s) etc. that was receivedoutboundEnv
- environment for outbound calloutboundEndpointConfig
- outbound endpoint configuration- Returns:
- response with generated headers and other possible configuration
- See Also:
OutboundSecurityResponse.builder()
-
-