Package org.eclipse.jetty.security.openid

Class OpenIdAuthenticator

java.lang.Object

org.eclipse.jetty.security.authentication.LoginAuthenticator

org.eclipse.jetty.security.openid.OpenIdAuthenticator

All Implemented Interfaces:

Authenticator

public class OpenIdAuthenticator
extends LoginAuthenticator

Implements authentication using OpenId Connect on top of OAuth 2.0.

The OpenIdAuthenticator redirects unauthenticated requests to the OpenID Connect Provider. The End-User is eventually redirected back with an Authorization Code to the path set by setRedirectPath(String) within the context. The Authorization Code is then used to authenticate the user through the OpenIdCredentials and OpenIdLoginService.

Once a user is authenticated the OpenID Claims can be retrieved through an attribute on the session with the key CLAIMS. The full response containing the OAuth 2.0 Access Token can be obtained with the session attribute RESPONSE.

SessionAuthentication is then used to wrap Authentication results so that they are associated with the session.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

LoginAuthenticator.LoggedOutAuthentication, LoginAuthenticator.UserAuthenticationSent, LoginAuthenticator.UserAuthenticationSucceeded

Nested classes/interfaces inherited from interface org.eclipse.jetty.security.Authenticator

Authenticator.Configuration, Authenticator.Factory, Authenticator.NoOp

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CLAIMS
static final String	CSRF_TOKEN	Deprecated.
static final String	ERROR_PAGE
static final String	ERROR_PARAMETER
static final String	ISSUER
static final String	J_METHOD
static final String	J_POST
static final String	J_SECURITY_CHECK
static final String	J_URI
static final String	LOGOUT_REDIRECT_PATH
static final String	REDIRECT_PATH
static final String	RESPONSE

Fields inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

_identityService, _loginService

Fields inherited from interface org.eclipse.jetty.security.Authenticator

BASIC_AUTH, CERT_AUTH, CERT_AUTH2, DIGEST_AUTH, FORM_AUTH, NEGOTIATE_AUTH, OPENID_AUTH, SPNEGO_AUTH

Constructor Summary

Constructors

Constructor	Description
OpenIdAuthenticator()
OpenIdAuthenticator(OpenIdConfiguration configuration)
OpenIdAuthenticator(OpenIdConfiguration configuration, String errorPage)
OpenIdAuthenticator(OpenIdConfiguration configuration, String redirectPath, String errorPage)
OpenIdAuthenticator(OpenIdConfiguration configuration, String redirectPath, String errorPage, String logoutRedirectPath)

Method Summary

Modifier and Type	Method	Description
String	getAuthenticationType()
protected String	getChallengeUri(Request request)
Constraint.Authorization	getConstraintAuthentication(String pathInContext, Constraint.Authorization existing, Function<Boolean,Session> getSession)	Get an Constraint.Authorization applicable to the path for this authenticator.
protected Fields	getParameters(Request request)
boolean	isAlwaysSaveUri()	Deprecated.
boolean	isErrorPage(String pathInContext)
boolean	isJSecurityCheck(String uri)
UserIdentity	login(String username, Object credentials, Request request, Response response)	If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability.
void	logout(Request request, Response response)
Request	prepareRequest(Request request, AuthenticationState authenticationState)	Called after Authenticator.validateRequest(Request, Response, Callback) and before calling Request.Handler.handle(Request, Response, Callback) of the nested handler.
void	setAlwaysSaveUri(boolean alwaysSave)	Deprecated.
void	setConfiguration(Authenticator.Configuration authConfig)	Configure the Authenticator
void	setErrorPage(String path)
void	setLogoutRedirectPath(String logoutRedirectPath)
void	setRedirectPath(String redirectPath)
AuthenticationState	validateRequest(Request request, Response response, Callback cb)	Validate a request

Methods inherited from class org.eclipse.jetty.security.authentication.LoginAuthenticator

getLoginService, updateSession

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

CLAIMS

public static final String CLAIMS

See Also:

• Constant Field Values

RESPONSE

public static final String RESPONSE

See Also:

• Constant Field Values

ISSUER

public static final String ISSUER

See Also:

• Constant Field Values

REDIRECT_PATH

public static final String REDIRECT_PATH

See Also:

• Constant Field Values

LOGOUT_REDIRECT_PATH

public static final String LOGOUT_REDIRECT_PATH

See Also:

• Constant Field Values

ERROR_PAGE

public static final String ERROR_PAGE

See Also:

• Constant Field Values

J_URI

public static final String J_URI

See Also:

• Constant Field Values

J_POST

public static final String J_POST

See Also:

• Constant Field Values

J_METHOD

public static final String J_METHOD

See Also:

• Constant Field Values

J_SECURITY_CHECK

public static final String J_SECURITY_CHECK

See Also:

• Constant Field Values

ERROR_PARAMETER

public static final String ERROR_PARAMETER

See Also:

• Constant Field Values

CSRF_TOKEN

@Deprecated
public static final String CSRF_TOKEN

Deprecated.

See Also:

• Constant Field Values

Constructor Details

OpenIdAuthenticator

public OpenIdAuthenticator()

OpenIdAuthenticator

public OpenIdAuthenticator(OpenIdConfiguration configuration)

OpenIdAuthenticator

public OpenIdAuthenticator(OpenIdConfiguration configuration,
 String errorPage)

OpenIdAuthenticator

public OpenIdAuthenticator(OpenIdConfiguration configuration,
 String redirectPath,
 String errorPage)

OpenIdAuthenticator

public OpenIdAuthenticator(OpenIdConfiguration configuration,
 String redirectPath,
 String errorPage,
 String logoutRedirectPath)

Method Details

setConfiguration

public void setConfiguration(Authenticator.Configuration authConfig)

Description copied from interface: Authenticator

Configure the Authenticator

Specified by:

setConfiguration in interface Authenticator

Overrides:

setConfiguration in class LoginAuthenticator

Parameters:

authConfig - the configuration

getAuthenticationType

public String getAuthenticationType()

Returns:

The name of the authentication type

setAlwaysSaveUri

@Deprecated
public void setAlwaysSaveUri(boolean alwaysSave)

Deprecated.

isAlwaysSaveUri

@Deprecated
public boolean isAlwaysSaveUri()

Deprecated.

setRedirectPath

public void setRedirectPath(String redirectPath)

setLogoutRedirectPath

public void setLogoutRedirectPath(String logoutRedirectPath)

setErrorPage

public void setErrorPage(String path)

login

public UserIdentity login(String username,
 Object credentials,
 Request request,
 Response response)

Description copied from class: LoginAuthenticator

If the UserIdentity returned from LoginService.login(String, Object, Request, Function) is not null, it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.

Overrides:

login in class LoginAuthenticator

Parameters:

username - the username of the client to be authenticated

credentials - the user's credential

request - the inbound request that needs authentication

logout

public void logout(Request request,
 Response response)

Overrides:

logout in class LoginAuthenticator

prepareRequest

public Request prepareRequest(Request request,
 AuthenticationState authenticationState)

Description copied from interface: Authenticator

Called after Authenticator.validateRequest(Request, Response, Callback) and before calling Request.Handler.handle(Request, Response, Callback) of the nested handler. This may be used by an Authenticator to restore method or content from a previous request that was challenged.

Parameters:

request - the request to prepare for handling

authenticationState - The authentication for the request

getParameters

protected Fields getParameters(Request request)

getConstraintAuthentication

public Constraint.Authorization getConstraintAuthentication(String pathInContext,
 Constraint.Authorization existing,
 Function<Boolean,Session> getSession)

Description copied from interface: Authenticator

Get an Constraint.Authorization applicable to the path for this authenticator. This is typically used to vary protection on special URIs known to a specific Authenticator (e.g. /j_security_check for the FormAuthenticator.

Parameters:

pathInContext - The pathInContext to potentially constrain.

existing - The existing authentication constraint for the pathInContext determined independently of Authenticator

getSession - Function to get or create a Session.

Returns:

The Constraint.Authorization to apply.

validateRequest

public AuthenticationState validateRequest(Request request,
 Response response,
 Callback cb)
                                    throws ServerAuthException

Description copied from interface: Authenticator

Validate a request

Parameters:

request - The request

response - The response

cb - the callback to use for writing a response

Returns:

An Authentication. If Authentication is successful, this will be a AuthenticationState.Succeeded. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement AuthenticationState.ResponseSent.

Throws:

ServerAuthException - if unable to validate request

isJSecurityCheck

public boolean isJSecurityCheck(String uri)

isErrorPage

public boolean isErrorPage(String pathInContext)

getChallengeUri

protected String getChallengeUri(Request request)