Class OpenIdAuthenticator

java.lang.Object
org.eclipse.jetty.security.authentication.LoginAuthenticator
org.eclipse.jetty.security.openid.OpenIdAuthenticator
All Implemented Interfaces:
Authenticator

public class OpenIdAuthenticator extends LoginAuthenticator

Implements authentication using OpenId Connect on top of OAuth 2.0.

The OpenIdAuthenticator redirects unauthenticated requests to the OpenID Connect Provider. The End-User is eventually redirected back with an Authorization Code to the path set by setRedirectPath(String) within the context. The Authorization Code is then used to authenticate the user through the OpenIdCredentials and OpenIdLoginService.

Once a user is authenticated the OpenID Claims can be retrieved through an attribute on the session with the key CLAIMS. The full response containing the OAuth 2.0 Access Token can be obtained with the session attribute RESPONSE.

SessionAuthentication is then used to wrap Authentication results so that they are associated with the session.

  • Field Details

  • Constructor Details

  • Method Details

    • setConfiguration

      public void setConfiguration(Authenticator.AuthConfiguration authConfig)
      Description copied from interface: Authenticator
      Configure the Authenticator
      Specified by:
      setConfiguration in interface Authenticator
      Overrides:
      setConfiguration in class LoginAuthenticator
      Parameters:
      authConfig - the configuration
    • getAuthMethod

      public String getAuthMethod()
      Returns:
      The name of the authentication method
    • setAlwaysSaveUri

      @Deprecated public void setAlwaysSaveUri(boolean alwaysSave)
      Deprecated.
    • isAlwaysSaveUri

      @Deprecated public boolean isAlwaysSaveUri()
      Deprecated.
    • setRedirectPath

      public void setRedirectPath(String redirectPath)
    • setLogoutRedirectPath

      public void setLogoutRedirectPath(String logoutRedirectPath)
    • setErrorPage

      public void setErrorPage(String path)
    • login

      public UserIdentity login(String username, Object credentials, jakarta.servlet.ServletRequest request)
      Description copied from class: LoginAuthenticator
      If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
      Overrides:
      login in class LoginAuthenticator
      Parameters:
      username - the username of the client to be authenticated
      credentials - the user's credential
      request - the inbound request that needs authentication
    • logout

      public void logout(jakarta.servlet.ServletRequest request)
      Overrides:
      logout in class LoginAuthenticator
    • prepareRequest

      public void prepareRequest(jakarta.servlet.ServletRequest request)
      Description copied from interface: Authenticator
      Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.
      Specified by:
      prepareRequest in interface Authenticator
      Overrides:
      prepareRequest in class LoginAuthenticator
      Parameters:
      request - the request to manipulate
    • validateRequest

      public Authentication validateRequest(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory) throws ServerAuthException
      Description copied from interface: Authenticator
      Validate a request
      Parameters:
      req - The request
      res - The response
      mandatory - True if authentication is mandatory.
      Returns:
      An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.
      Throws:
      ServerAuthException - if unable to validate request
    • isJSecurityCheck

      public boolean isJSecurityCheck(String uri)
    • isErrorPage

      public boolean isErrorPage(String pathInContext)
    • getChallengeUri

      protected String getChallengeUri(Request request)
    • secureResponse

      public boolean secureResponse(jakarta.servlet.ServletRequest req, jakarta.servlet.ServletResponse res, boolean mandatory, Authentication.User validatedUser)
      Description copied from interface: Authenticator
      is response secure
      Parameters:
      req - the request
      res - the response
      mandatory - if security is mandator
      validatedUser - the user that was validated
      Returns:
      true if response is secure