Class OpenIdProvider

java.lang.Object
io.goobi.viewer.model.security.authentication.HttpAuthenticationProvider
io.goobi.viewer.model.security.authentication.OpenIdProvider
All Implemented Interfaces:
IAuthenticationProvider

public class OpenIdProvider extends HttpAuthenticationProvider
Authentication provider that authenticates users via an OpenID Connect identity provider.
  • Constructor Details

    • OpenIdProvider

      public OpenIdProvider(String name, String label, String url, String image, long timeoutMillis, String clientId, String clientSecret)
      Creates a new OpenIdProvider instance.
      Parameters:
      name - unique internal name identifying this provider
      label - display label shown in the UI
      url - authorization endpoint URL of the provider
      image - URL or path to the provider's logo image
      timeoutMillis - login response wait timeout in milliseconds
      clientId - OAuth client ID registered with the provider
      clientSecret - OAuth client secret for token exchange
  • Method Details

    • login

      public CompletableFuture<LoginResult> login(String loginName, String password) throws AuthenticationProviderException
      Returns a future containing the login result upon completion. The result optionally contains the logged-in User as well as the HttpServletRequest and HttpServletResponse to be used to complete the login and any request forwarding. If an error occurs and the request cannot be processed, an AuthenticationException must be thrown. If a login has been refused, the exact reasons can be determined using the methods User.isActive(), User.isSuspended() and LoginResult.isRefused().
      Parameters:
      loginName - login name or identifier supplied by the user
      password - a string used as a password or similar credential for login. If the provider does not require such a string, it may be left empty or null.
      Returns:
      A CompletableFuture which is resolved once login is completed and contains a LoginResult
      Throws:
      AuthenticationProviderException - if an error occurs and the login request cannot be processed.
    • completeLogin

      public Future<Boolean> completeLogin(com.auth0.jwt.interfaces.DecodedJWT jwt, HttpServletRequest request, HttpServletResponse response)
      Tries to find or create a valid User based on the given decoded JWT. Generates a LoginResult containing the given request and response and either an Optional containing the user, an empty Optional if no user was found, or an AuthenticationProviderException if an internal error occurred during login. If this method is not called within HttpAuthenticationProvider.getTimeoutMillis() ms after calling login(String, String), a LoginResult is created containing an appropriate exception. In any case, the future returned by login(String, String) is resolved.
      Parameters:
      jwt - decoded JWT token received from the OAuth callback
      request - incoming HTTP request from the OAuth redirect
      response - HTTP response for the OAuth callback
      Returns:
      a Future resolving to true if login succeeded, false otherwise
    • logout

      public void logout() throws AuthenticationProviderException
      Logs the user out.
      Throws:
      AuthenticationProviderException - if an error occurs during logout.
    • allowsPasswordChange

      public boolean allowsPasswordChange()
      Checks whether this authentication service allows users to change or reset their password.
      Returns:
      true if the authentication service provides means to change or reset the user password
    • allowsNicknameChange

      public boolean allowsNicknameChange()
      Checks whether this authentication service allows users to change their nickname.
      Returns:
      true if the nickname may be changed and is not essential for user identification
    • allowsEmailChange

      public boolean allowsEmailChange()
      Checks whether this authentication service allows users to change their e-mail address.
      Returns:
      true if the email may be changed and is not essential for user identification
    • getDiscoveryUri

      public String getDiscoveryUri()
    • setDiscoveryUri

      public OpenIdProvider setDiscoveryUri(String discoveryUri)
      Parameters:
      discoveryUri - the OpenID Connect discovery endpoint URI used to retrieve provider metadata
      Returns:
      this
    • getClientId

      public String getClientId()
      Getter for the field clientId.
      Returns:
      the OAuth 2.0 client identifier registered with the OpenID provider
    • getClientSecret

      public String getClientSecret()
      Getter for the field clientSecret.
      Returns:
      the OAuth 2.0 client secret used to authenticate with the OpenID provider
    • getTokenEndpoint

      public String getTokenEndpoint()
    • setTokenEndpoint

      public OpenIdProvider setTokenEndpoint(String tokenEndpoint)
      Parameters:
      tokenEndpoint - the URL of the token endpoint used to exchange authorization codes for tokens
      Returns:
      this
    • getJwksUri

      public String getJwksUri()
    • setJwksUri

      public OpenIdProvider setJwksUri(String jwksUri)
      Parameters:
      jwksUri - the URL of the JSON Web Key Set endpoint used to retrieve signing keys
      Returns:
      this
    • getRedirectionEndpoint

      public String getRedirectionEndpoint()
    • setRedirectionEndpoint

      public OpenIdProvider setRedirectionEndpoint(String redirectionEndpoint)
      Parameters:
      redirectionEndpoint - the redirect URI registered with the provider to receive the authorization response
      Returns:
      this
    • getScope

      public String getScope()
    • setScope

      public OpenIdProvider setScope(String scope)
      Parameters:
      scope - the space-separated OAuth 2.0 scope values requested during authorization
      Returns:
      this
    • getResponseType

      public String getResponseType()
    • setResponseType

      public OpenIdProvider setResponseType(String responseType)
      Parameters:
      responseType - the OAuth 2.0 response type requested (e.g. "code" for authorization code flow)
      Returns:
      this
    • getResponseMode

      public String getResponseMode()
    • setResponseMode

      public OpenIdProvider setResponseMode(String responseMode)
      Parameters:
      responseMode - the OAuth 2.0 response mode specifying how the authorization response is returned (e.g. "query", "fragment")
      Returns:
      this
    • getIssuer

      public String getIssuer()
    • setIssuer

      public OpenIdProvider setIssuer(String issuer)
      Parameters:
      issuer - the expected issuer claim value used to validate ID tokens from this provider
      Returns:
      this
    • getTokenCheckDelay

      public long getTokenCheckDelay()
    • setTokenCheckDelay

      public OpenIdProvider setTokenCheckDelay(long tokenCheckDelay)
      Parameters:
      tokenCheckDelay - the delay in milliseconds before performing the token validation check
      Returns:
      this
    • getThirdPartyLoginUrl

      public String getThirdPartyLoginUrl()
    • getThirdPartyLoginApiKey

      public String getThirdPartyLoginApiKey()
    • getThirdPartyLoginScope

      public String getThirdPartyLoginScope()
    • getThirdPartyLoginReqParamDef

      public String getThirdPartyLoginReqParamDef()
    • getThirdPartyLoginClaim

      public String getThirdPartyLoginClaim()
    • setThirdPartyVariables

      public IAuthenticationProvider setThirdPartyVariables(String thirdPartyLoginUrl, String thirdPartyLoginApiKey, String thirdPartyLoginScope, String thirdPartyLoginReqParamDef, String thirdPartyLoginClaim)
    • getoAuthState

      public String getoAuthState()
      Getter for the field oAuthState.
      Returns:
      the OAuth 2.0 state parameter used to prevent cross-site request forgery
    • setoAuthState

      public void setoAuthState(String oAuthState)
      Setter for the field oAuthState.
      Parameters:
      oAuthState - the OAuth 2.0 state parameter used to prevent cross-site request forgery
    • getoAuthAccessToken

      public String getoAuthAccessToken()
      Getter for the field oAuthAccessToken.
      Returns:
      the OAuth 2.0 access token received from the provider
    • setoAuthAccessToken

      public void setoAuthAccessToken(String oAuthAccessToken)
      Setter for the field oAuthAccessToken.
      Parameters:
      oAuthAccessToken - the OAuth 2.0 access token received from the provider
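Added example, not code from the Goobi viewer project, showing the two checks that the configuration above exists to support on the OAuth callback: the state parameter echoed by the identity provider must match the value stored via setoAuthState (the CSRF protection the field is documented for), and the ID token must verify against the signing key from getJwksUri(), the issuer from getIssuer() and the client ID as audience before completeLogin is handed the DecodedJWT. It assumes the auth0 java-jwt and jwks-rsa libraries (the page only references com.auth0.jwt), an RSA-signed token, and a hypothetical helper class CallbackValidator.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.interfaces.RSAPublicKey;

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

/** Hypothetical helper (not part of the project): validates the callback before completeLogin runs. */
public final class CallbackValidator {

    private CallbackValidator() {
    }

    /**
     * Returns the verified ID token or throws SecurityException if the state or the token is rejected.
     * stateFromCallback is the "state" query/form parameter received on the redirection endpoint.
     */
    public static DecodedJWT validate(OpenIdProvider provider, String stateFromCallback, String idToken)
            throws MalformedURLException, JwkException {
        // 1. CSRF check: compare the echoed state with the stored one in constant time.
        String expected = provider.getoAuthState();
        if (expected == null || stateFromCallback == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                        stateFromCallback.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("OAuth state mismatch");
        }
        // 2. Fetch the signing key named in the (still unverified) token header from the JWKS endpoint.
        DecodedJWT unverified = JWT.decode(idToken);
        JwkProvider jwks = new JwkProviderBuilder(new URL(provider.getJwksUri())).build();
        Jwk jwk = jwks.get(unverified.getKeyId());
        // 3. Verify signature, issuer and audience; java-jwt rejects expired tokens by default.
        try {
            return JWT.require(Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null))
                    .withIssuer(provider.getIssuer())
                    .withAudience(provider.getClientId())
                    .build()
                    .verify(idToken);
        } catch (JWTVerificationException e) {
            throw new SecurityException("ID token rejected: " + e.getMessage(), e);
        }
    }
}
```

The key lookup is driven by the token's kid header, so a token signed with a key that is not published at the configured JWKS URI fails at step 2 rather than reaching the signature check.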