Class OpenIdAuthenticator
- All Implemented Interfaces:
Authenticator
Implements authentication using OpenId Connect on top of OAuth 2.0.
The OpenIdAuthenticator redirects unauthenticated requests to the OpenID Connect Provider. The End-User is
eventually redirected back with an Authorization Code to the path set by setRedirectPath(String)
within the context.
The Authorization Code is then used to authenticate the user through the OpenIdCredentials
and OpenIdLoginService
.
Once a user is authenticated the OpenID Claims can be retrieved through an attribute on the session with the key CLAIMS
.
The full response containing the OAuth 2.0 Access Token can be obtained with the session attribute RESPONSE
.
SessionAuthentication
is then used to wrap Authentication results so that they are associated with the session.
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
This Authentication represents a just completed OpenId Connect authentication.Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator
Authenticator.AuthConfiguration, Authenticator.Factory
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
static final String
Deprecated.static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
_identityService, _loginService
-
Constructor Summary
ConstructorDescriptionOpenIdAuthenticator
(OpenIdConfiguration configuration) OpenIdAuthenticator
(OpenIdConfiguration configuration, String errorPage) OpenIdAuthenticator
(OpenIdConfiguration configuration, String redirectPath, String errorPage) OpenIdAuthenticator
(OpenIdConfiguration configuration, String redirectPath, String errorPage, String logoutRedirectPath) -
Method Summary
Modifier and TypeMethodDescriptionprotected String
getChallengeUri
(Request request) boolean
Deprecated.boolean
isErrorPage
(String pathInContext) boolean
isJSecurityCheck
(String uri) If the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.void
logout
(jakarta.servlet.ServletRequest request) void
prepareRequest
(jakarta.servlet.ServletRequest request) Called prior to validateRequest.boolean
secureResponse
(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser) is response securevoid
setAlwaysSaveUri
(boolean alwaysSave) Deprecated.void
setConfiguration
(Authenticator.AuthConfiguration authConfig) Configure the Authenticatorvoid
setErrorPage
(String path) void
setLogoutRedirectPath
(String logoutRedirectPath) void
setRedirectPath
(String redirectPath) validateRequest
(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory) Validate a requestMethods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator
getLoginService, renewSession
-
Field Details
-
CLAIMS
- See Also:
-
RESPONSE
- See Also:
-
ISSUER
- See Also:
-
REDIRECT_PATH
- See Also:
-
LOGOUT_REDIRECT_PATH
- See Also:
-
ERROR_PAGE
- See Also:
-
J_URI
- See Also:
-
J_POST
- See Also:
-
J_METHOD
- See Also:
-
J_SECURITY_CHECK
- See Also:
-
ERROR_PARAMETER
- See Also:
-
CSRF_TOKEN
Deprecated.- See Also:
-
-
Constructor Details
-
OpenIdAuthenticator
public OpenIdAuthenticator() -
OpenIdAuthenticator
-
OpenIdAuthenticator
-
OpenIdAuthenticator
public OpenIdAuthenticator(OpenIdConfiguration configuration, String redirectPath, String errorPage) -
OpenIdAuthenticator
public OpenIdAuthenticator(OpenIdConfiguration configuration, String redirectPath, String errorPage, String logoutRedirectPath)
-
-
Method Details
-
setConfiguration
Description copied from interface:Authenticator
Configure the Authenticator- Specified by:
setConfiguration
in interfaceAuthenticator
- Overrides:
setConfiguration
in classLoginAuthenticator
- Parameters:
authConfig
- the configuration
-
getAuthMethod
- Returns:
- The name of the authentication method
-
setAlwaysSaveUri
Deprecated. -
isAlwaysSaveUri
Deprecated. -
setRedirectPath
-
setLogoutRedirectPath
-
setErrorPage
-
login
public UserIdentity login(String username, Object credentials, jakarta.servlet.ServletRequest request) Description copied from class:LoginAuthenticator
If the UserIdentity is not null after this method callsLoginService.login(String, Object, ServletRequest)
, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.- Overrides:
login
in classLoginAuthenticator
- Parameters:
username
- the username of the client to be authenticatedcredentials
- the user's credentialrequest
- the inbound request that needs authentication
-
logout
public void logout(jakarta.servlet.ServletRequest request) - Overrides:
logout
in classLoginAuthenticator
-
prepareRequest
public void prepareRequest(jakarta.servlet.ServletRequest request) Description copied from interface:Authenticator
Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.- Specified by:
prepareRequest
in interfaceAuthenticator
- Overrides:
prepareRequest
in classLoginAuthenticator
- Parameters:
request
- the request to manipulate
-
validateRequest
public Authentication validateRequest(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory) throws ServerAuthException Description copied from interface:Authenticator
Validate a request- Parameters:
req
- The requestres
- The responsemandatory
- True if authentication is mandatory.- Returns:
- An Authentication. If Authentication is successful, this will be a
Authentication.User
. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implementAuthentication.ResponseSent
. If Authentication is not mandatory, then aAuthentication.Deferred
may be returned. - Throws:
ServerAuthException
- if unable to validate request
-
isJSecurityCheck
-
isErrorPage
-
getChallengeUri
-
secureResponse
public boolean secureResponse(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser) Description copied from interface:Authenticator
is response secure- Parameters:
req
- the requestres
- the responsemandatory
- if security is mandatorvalidatedUser
- the user that was validated- Returns:
- true if response is secure
-