Package digilib.auth

Class OpenIdAuthnOps

  • All Implemented Interfaces:
    AuthnOps
    public class OpenIdAuthnOps
extends Object
implements AuthnOps
    Implements AuthnOps using an OpenId Connect ID token. The name of the configuration file is read from the digilib config parameter "auth-file". The tag "digilib-oauth" is read from the configuration file: 
      
 
 <digilib-oauth>
   <openid issuer="https://id.some.where" clientid="myclient" roles="someusers" keytype="jwk">
     {"kty":"RSA","e":"AQAB","kid":"rsa1","n":"qjQ5U3wXzamg9R...idGpIiVilMDVBs"}
   </openid>
 </digilib-oauth>
    A request with an "id_token" parameter containing a valid token signed with the configured key including the configured issuer (iss) and clientid (aud) is granted the configured roles.

    • Field Detail

      • logger

        protected static final org.slf4j.Logger logger
        general logger for this class

      • configFile

        protected File configFile

      • firstPassJwtConsumer

        protected org.jose4j.jwt.consumer.JwtConsumer firstPassJwtConsumer
        JwtConsumer to parse the token without validation to extract the issuer

      • idpJwtConsumers

        protected Map<String,​org.jose4j.jwt.consumer.JwtConsumer> idpJwtConsumers
        Map of validating JwtConsumers by issuer (URL)

      • idpRoles

        protected Map<String,​List<String>> idpRoles
        Map of (List of) roles by issuer (URL)

      • tokenCookieName

        protected String tokenCookieName
        Name of the cookie that contains the token

    • Constructor Detail

      • OpenIdAuthnOps

        public OpenIdAuthnOps()

    • Method Detail

      • hasUserRoles

        public boolean hasUserRoles()
        Description copied from interface: AuthnOps
        Return if the implementation supports getUserRoles().
        Specified by:
        hasUserRoles in interface AuthnOps
        Returns:
        true if the implementation supports getUserRoles().

      • getUserRoles

        public List<String> getUserRoles​(DigilibRequest request)
                          throws AuthOpException
        Description copied from interface: AuthnOps
        Return the list of roles associated with the user represented by request. Returns null if a list of roles is not available. Users of this API should check hasUserRoles().
        Specified by:
        getUserRoles in interface AuthnOps
        Parameters:
        request - current DigilibRequest
        Returns:
        list of user's roles
        Throws:
        AuthOpException - Exception thrown on error.

      • isUserInRole

        public boolean isUserInRole​(DigilibRequest request,
                            String role)
                     throws AuthOpException
        Description copied from interface: AuthnOps
        Test if the user represented by request has the given role.
        Specified by:
        isUserInRole in interface AuthnOps
        Parameters:
        request - Request with user information.
        role - role to be tested.
        Returns:
        true if the user has the role.
        Throws:
        AuthOpException - Exception thrown on error.