Class OidcProvider

  • All Implemented Interfaces:
    AuthenticationProvider, OutboundSecurityProvider, SecurityProvider

    public final class OidcProvider
    extends Object
    implements AuthenticationProvider, OutboundSecurityProvider
    Open ID Connect authentication provider. IDCS specific notes:
    • If you want to use JWK to validate tokens, you must give access to the endpoint (by default only admin can access it)
    • If you want to use introspect endpoint to validate tokens, you must give rights to the application to do so (Client Configuration/Allowed Operations)
    • If you want to retrieve groups when using IDCS, you must add "Client Credentials" in "Allowed Grant Types" in application configuration, as well as "Grant the client access to Identity Cloud Service Admin APIs." configured to "User Administrator"
    • Method Detail

      • create

        public static OidcProvider create​(Config config)
        Load this provider from configuration.
        Parameters:
        config - configuration of this provider
        Returns:
        a new provider configured for OIDC
      • create

        public static OidcProvider create​(OidcConfig config)
        Create a new provider based on OIDC configuration.
        Parameters:
        config - config of OIDC server and client
        Returns:
        a new provider configured for OIDC
      • builder

        public static OidcProvider.Builder builder()
        A fluent API builder to created instances of this provider.
        Returns:
        a new builder instance
      • supportedAnnotations

        public Collection<Class<? extends Annotation>> supportedAnnotations()
        Description copied from interface: SecurityProvider
        Provide extension annotations supported by this provider (e.g. javax.annotation.security.RolesAllowed). Annotations will be collected according to framework in use. For JAX-RS, annotations from application class, resource class and resource methods will be collected.
        Specified by:
        supportedAnnotations in interface SecurityProvider
        Returns:
        Collection of annotations this provider expects.
      • authenticate

        public CompletionStage<AuthenticationResponse> authenticate​(ProviderRequest providerRequest)
        Description copied from interface: AuthenticationProvider
        Authenticate a request. This may be just resolving headers (tokens) or full authentication (basic auth). Do not throw exception for normal processing (e.g. invalid credentials; you may throw an exception in case of misconfiguration). This method will be invoked for inbound requests ONLY.

        This method must provide either a Principal or a whole Subject either for a user or for service (or both).

        Specified by:
        authenticate in interface AuthenticationProvider
        Parameters:
        providerRequest - context of this security enforcement/validation
        Returns:
        response that either authenticates the request, fails authentication or abstains from authentication
        See Also:
        AuthenticationResponse.success(Subject)
      • isOutboundSupported

        public boolean isOutboundSupported​(ProviderRequest providerRequest,
                                           SecurityEnvironment outboundEnv,
                                           EndpointConfig outboundConfig)
        Description copied from interface: OutboundSecurityProvider
        Check if the path to be executed is supported by this security provider. Defaults to true.
        Specified by:
        isOutboundSupported in interface OutboundSecurityProvider
        Parameters:
        providerRequest - context with environment, subject(s) etc. that was received
        outboundEnv - environment for outbound call
        outboundConfig - outbound endpoint configuration
        Returns:
        true if this identity propagator can generate required headers for the path defined