Class OpenIdConnectModule

  • All Implemented Interfaces:
    AsyncServerAuthModule

    public class OpenIdConnectModule
    extends Object
    implements AsyncServerAuthModule
    OpenID Connect module that allows access when a valid OpenID Connect JWT that this server trusts is presented in the configured header field.
    • Field Detail

      • READ_TIMEOUT_KEY

        public static final String READ_TIMEOUT_KEY
        Lookup key for the configured HTTP connection's read timeout for this module.
        See Also:
        Constant Field Values
      • CONNECTION_TIMEOUT_KEY

        public static final String CONNECTION_TIMEOUT_KEY
        Lookup key for the configured HTTP connection's connection timeout for this module.
        See Also:
        Constant Field Values
      • HEADER_KEY

        public static final String HEADER_KEY
        Lookup key for the configured HTTP header used by this module to locate JWSs.
        See Also:
        Constant Field Values
      • RESOLVERS_KEY

        public static final String RESOLVERS_KEY
        Lookup key for the configured resolvers which will be used by this module.
        See Also:
        Constant Field Values
    • Constructor Detail

      • OpenIdConnectModule

        public OpenIdConnectModule()
        Default constructor.
    • Method Detail

      • getModuleId

        public String getModuleId()
        Description copied from interface: AsyncServerAuthModule
        Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.
        Specified by:
        getModuleId in interface AsyncServerAuthModule
        Returns:
        The ID of the module.
      • initialize

        public void initialize(javax.security.auth.message.MessagePolicy requestPolicy,
                               javax.security.auth.message.MessagePolicy responsePolicy,
                               CallbackHandler callbackHandler,
                               Map<String,Object> config)
                        throws AuthenticationException

        Initialize this module with request and response message policies to enforce, a CallbackHandler, and any module specific configuration properties.

        The request policy and the response policy must not both be null.

        Specified by:
        initialize in interface AsyncServerAuthModule
        Parameters:
        requestPolicy - The request policy this module must enforce, or null.
        responsePolicy - The response policy this module must enforce, or null.
        callbackHandler - CallbackHandler used to request information.
        config - A Map of module-specific configuration properties.
        Throws:
        AuthenticationException - when module initialization fails, including when the config argument contains elements that are not supported by the module.
      • validateRequest

        public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> validateRequest(MessageInfoContext messageInfo,
                                                                                                     Subject clientSubject,
                                                                                                     Subject serviceSubject)
        Attempts to retrieve the value of the configured OpenID Connect header from the messageInfo, then converts it to a Jwt and attempts to decrypt it. If both steps succeed, the Jwt is verified through the OpenIdResolver interface to ensure that we are the intended audience, the token has not expired and the issuer was an expected source. If all of these checks pass, we return SUCCESS; otherwise SEND_FAILURE.
        Specified by:
        validateRequest in interface AsyncServerAuthModule
        Parameters:
        messageInfo - The message context info for this request.
        clientSubject - A Subject that represents the subject of this request.
        serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.
        Returns:
        A Promise completed with AuthStatus.SUCCESS if everything validates or with AuthStatus.SEND_FAILURE in the case of a failure, or completed with an exception if there are issues handling the request caused by improper config.
        See Also:
        AuthStatus, ServerAuth.validateRequest(javax.security.auth.message.MessageInfo, Subject, Subject)
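As an added illustration of the sequence validateRequest describes (this is not the module's own code), the following Python model performs the same checks in the same order on a constructed HS256 JWS and fails closed with SEND_FAILURE at the first check that does not pass. The header name, shared secret, issuer and audience values are assumptions, and an HMAC integrity check stands in for the module's decrypt step and OpenIdResolver lookup.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; the real module reads its header name from config under HEADER_KEY.
HEADER_NAME = "X-OpenID-Token"
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact HS256 JWS as constructed test input (not the module's own code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_request(headers: dict, expected_issuer: str, expected_audience: str,
                     now: float, secret: bytes = SHARED_SECRET) -> str:
    """Model of validateRequest: header -> JWS -> integrity -> aud/exp/iss -> SUCCESS or SEND_FAILURE."""
    token = headers.get(HEADER_NAME)
    if not token or token.count(".") != 2:
        return "SEND_FAILURE"  # header missing, or not a compact three-part JWS
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return "SEND_FAILURE"  # malformed token: bad base64url or JSON
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return "SEND_FAILURE"  # accept only the algorithm we configured (rejects "none" etc.)
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "SEND_FAILURE"  # integrity check failed (stands in for the module's decrypt step)
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return "SEND_FAILURE"  # we are not the intended audience
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "SEND_FAILURE"  # token has expired or carries no exp
    if claims.get("iss") != expected_issuer:
        return "SEND_FAILURE"  # issuer is not an expected source
    return "SUCCESS"
```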
      • secureResponse

        public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> secureResponse(MessageInfoContext messageInfo,
                                                                                                    Subject subject)
        Returns SEND_SUCCESS unconditionally. As the request is on its way out of the system at this point, there is no need to hold it up or append anything new to the response.
        Specified by:
        secureResponse in interface AsyncServerAuthModule
        Parameters:
        messageInfo - The message context info for this request.
        subject - A Subject that represents the subject for the server or null. It may be used to secure the message response.
        Returns:

        A Promise that will be completed, at some point in the future, with either a successful value or a failure value.

        A successfully completed Promise will contain an AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse(javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note that AuthStatus.SEND_CONTINUE is not supported by this interface.

        A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

        See Also:
        AuthStatus, ServerAuth.secureResponse(javax.security.auth.message.MessageInfo, Subject)
      • cleanSubject

        public Promise<Void,AuthenticationException> cleanSubject(MessageInfoContext messageInfo,
                                                                Subject subject)
        Nothing to clean.
        Specified by:
        cleanSubject in interface AsyncServerAuthModule
        Parameters:
        messageInfo - The message context info for this request.
        subject - A Subject that represents the subject of this request.
        Returns:
        A Promise that will be completed, at some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value, and a failed completed Promise will contain an AuthenticationException if an error occurs during the Subject processing.
        See Also:
        ServerAuth.cleanSubject(javax.security.auth.message.MessageInfo, Subject)
      • getSupportedMessageTypes

        public Collection<Class<?>> getSupportedMessageTypes()
        Gets the Collection of Class objects of the message types supported by the module.
        Specified by:
        getSupportedMessageTypes in interface AsyncServerAuthModule
        Returns:
        A Collection of Class objects, with at least one element, defining the message type(s) supported by the module.