Package digilib.auth

Class OpenIdAuthnOps

  • All Implemented Interfaces:
    AuthnOps

    public class OpenIdAuthnOps
    extends Object
    implements AuthnOps
Implements AuthnOps using an OpenID Connect ID token. The name of the configuration file is read from the digilib config parameter "auth-file". The "digilib-oauth" element is read from that configuration file; each "openid" child names an issuer, the client ID expected in the token's audience, the roles to grant, and the verification key (here inline as a JWK, keytype="jwk"):
      <digilib-oauth>
        <openid issuer="https://id.some.where" clientid="myclient" roles="someusers" keytype="jwk">
          {"kty":"RSA","e":"AQAB","kid":"rsa1","n":"qjQ5U3wXzamg9R...idGpIiVilMDVBs"}
        </openid>
      </digilib-oauth>

    A request carrying an "id_token" parameter whose token's signature verifies against the configured key, whose issuer (iss) claim equals the configured issuer, and whose audience (aud) claim matches the configured clientid is granted the configured roles for that issuer. Only a token that passes all of these checks is granted roles.
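    The two-pass flow described above (an unvalidated first parse only to read iss, then a per-issuer validating JwtConsumer checking signature, iss and aud), as an added example that is not digilib's code: it loads the same digilib-oauth configuration and uses the jose4j API that the fields below refer to. The class name OpenIdRolesExample, treating the roles attribute as a comma-separated list, rejecting keytype values other than "jwk", restricting the signature algorithm to RS256, requiring an exp claim and allowing 30 seconds of clock skew are assumptions of this example, not documented behaviour of OpenIdAuthnOps.

```java
import java.io.File;
import java.security.Key;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Example (not digilib code): map an OpenID Connect ID token to configured roles. */
public class OpenIdRolesExample {
    /** First pass: parse only, no signature check, no claim validation. Used solely to read iss. */
    private final JwtConsumer firstPass = new JwtConsumerBuilder()
            .setSkipAllValidators()
            .setDisableRequireSignature()
            .setSkipSignatureVerification()
            .build();
    /** Validating consumer per issuer URL; a token from an unlisted issuer is never trusted. */
    private final Map<String, JwtConsumer> consumersByIssuer = new HashMap<>();
    private final Map<String, List<String>> rolesByIssuer = new HashMap<>();

    public OpenIdRolesExample(File configFile) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The config file is operator-controlled, but parse it without DTD/entity processing anyway.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        NodeList openids = db.parse(configFile).getElementsByTagName("openid");
        for (int i = 0; i < openids.getLength(); i++) {
            Element e = (Element) openids.item(i);
            String issuer = e.getAttribute("issuer");
            String clientId = e.getAttribute("clientid");
            // Assumption of this example: only inline JWKs are supported.
            if (!"jwk".equals(e.getAttribute("keytype"))) {
                throw new IllegalArgumentException("unsupported keytype for issuer " + issuer);
            }
            Key key = PublicJsonWebKey.Factory.newPublicJwk(e.getTextContent().trim()).getPublicKey();
            JwtConsumer validating = new JwtConsumerBuilder()
                    .setVerificationKey(key)
                    // Pin the algorithm so "none" or an HMAC downgrade can never be accepted (assumption: RS256 keys).
                    .setJwsAlgorithmConstraints(
                            new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                    .setExpectedIssuer(issuer)       // iss must equal the configured issuer
                    .setExpectedAudience(clientId)   // aud must contain the configured clientid
                    .setRequireExpirationTime()      // assumption: tokens without exp are rejected
                    .setAllowedClockSkewInSeconds(30)
                    .build();
            consumersByIssuer.put(issuer, validating);
            // Assumption: roles="a,b,c" is a comma-separated list.
            rolesByIssuer.put(issuer, Arrays.asList(e.getAttribute("roles").trim().split("\\s*,\\s*")));
        }
    }

    /** Returns the configured roles for a valid token, or null when the token is missing or fails any check. */
    public List<String> rolesForToken(String idToken) {
        if (idToken == null || idToken.isEmpty()) {
            return null;
        }
        String issuer;
        try {
            // Untrusted value: it only selects which validating consumer to run.
            issuer = firstPass.processToClaims(idToken).getIssuer();
        } catch (InvalidJwtException | MalformedClaimException ex) {
            return null;
        }
        JwtConsumer validating = consumersByIssuer.get(issuer);
        if (validating == null) {
            return null; // issuer not configured
        }
        try {
            JwtClaims claims = validating.processToClaims(idToken); // signature, iss, aud, exp checked here
            return Collections.unmodifiableList(rolesByIssuer.get(claims.getIssuer()));
        } catch (InvalidJwtException | MalformedClaimException ex) {
            return null;
        }
    }
}
```

    The caller obtains the token from the "id_token" request parameter (or the cookie named by tokenCookieName) and passes it to rolesForToken; a null result means the request gets no roles. The first-pass consumer is deliberately unable to vouch for anything, so the issuer it yields is used only as a map key, and the roles returned come from the issuer claim of the token after the validating pass, never from the unverified one.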
    • Field Detail

      • logger

        protected static final org.slf4j.Logger logger
        general logger for this class
      • configFile

        protected File configFile
      • firstPassJwtConsumer

        protected org.jose4j.jwt.consumer.JwtConsumer firstPassJwtConsumer
        JwtConsumer that parses the token without validating it, solely to extract the issuer (iss) claim and select the validating JwtConsumer for that issuer; nothing read in this pass is trusted until the token has been verified.
      • idpJwtConsumers

        protected Map<String,​org.jose4j.jwt.consumer.JwtConsumer> idpJwtConsumers
        Map of validating JwtConsumers by issuer (URL)
      • idpRoles

        protected Map<String,​List<String>> idpRoles
        Map of (List of) roles by issuer (URL)
      • tokenCookieName

        protected String tokenCookieName
        Name of the cookie that contains the token
    • Constructor Detail

      • OpenIdAuthnOps

        public OpenIdAuthnOps()
    • Method Detail

      • hasUserRoles

        public boolean hasUserRoles()
        Description copied from interface: AuthnOps
        Return whether the implementation supports getUserRoles().
        Specified by:
        hasUserRoles in interface AuthnOps
        Returns:
        true if the implementation supports getUserRoles().
      • getUserRoles

        public List<String> getUserRoles​(DigilibRequest request)
                                  throws AuthOpException
        Description copied from interface: AuthnOps
        Return the list of roles associated with the user represented by request. Returns null if a list of roles is not available. Callers should check hasUserRoles() first.
        Specified by:
        getUserRoles in interface AuthnOps
        Parameters:
        request - current DigilibRequest
        Returns:
        list of user's roles
        Throws:
        AuthOpException - Exception thrown on error.
      • isUserInRole

        public boolean isUserInRole​(DigilibRequest request,
                                    String role)
                             throws AuthOpException
        Description copied from interface: AuthnOps
        Test if the user represented by request has the given role.
        Specified by:
        isUserInRole in interface AuthnOps
        Parameters:
        request - Request with user information.
        role - role to be tested.
        Returns:
        true if the user has the role.
        Throws:
        AuthOpException - Exception thrown on error.