feat: OAuth2 endpoint audience (#2000)
* Move interface to spi * Add endpoint audience configuration setting * Refactor * Introduce oauth2 default providers * PR remark * PR remarks
Showing
25 changed files
with
599 additions
and
387 deletions.
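--- a/...n/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java
+++ b/...n/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+
+package org.eclipse.dataspaceconnector.iam.oauth2.core;
+
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.CredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.NoopCredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.runtime.metamodel.annotation.Provider;
+import org.eclipse.dataspaceconnector.spi.system.ServiceExtension;
+
+/**
+ * Provides default service implementations for fallback
+ */
+public class Oauth2DefaultServicesExtension implements ServiceExtension {
+
+@Override
+public String name() {
+return "OAuth2 Core Default Services";
+}
+
+@Provider(isDefault = true)
+public CredentialsRequestAdditionalParametersProvider credentialsRequestAdditionalParametersProvider() {
+return new NoopCredentialsRequestAdditionalParametersProvider();
+}
+
+}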
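Review bot: The `@Provider(isDefault = true)` method `credentialsRequestAdditionalParametersProvider()` carries no Javadoc, so a reader of this file cannot tell what registering a noop fallback means for the outgoing token request. A one-line comment above it, such as `/** Fallback when no other extension provides one; presumably contributes no extra parameters to the credentials request — confirm against NoopCredentialsRequestAdditionalParametersProvider. */`, would make the contract explicit; that the loader prefers a non-default provider over this one is implied by `isDefault = true` but is not visible here. The class-level Javadoc `Provides default service implementations for fallback` could likewise name the single service this class actually provides.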
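--- a/...ava/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRule.java
+++ b/...ava/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRule.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+
+package org.eclipse.dataspaceconnector.iam.oauth2.core.rule;
+
+import org.eclipse.dataspaceconnector.spi.iam.ClaimToken;
+import org.eclipse.dataspaceconnector.spi.jwt.TokenValidationRule;
+import org.eclipse.dataspaceconnector.spi.result.Result;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.util.Map;
+
+import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.AUDIENCE;
+
+/**
+ * Token validation rule that checks if the "audience" of token contains the expected audience
+ */
+public class Oauth2AudienceValidationRule implements TokenValidationRule {
+
+private final String endpointAudience;
+
+public Oauth2AudienceValidationRule(String endpointAudience) {
+this.endpointAudience = endpointAudience;
+}
+
+@Override
+public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
+var audiences = toVerify.getListClaim(AUDIENCE);
+if (audiences.isEmpty()) {
+return Result.failure("Required audience (aud) claim is missing in token");
+} else if (!audiences.contains(endpointAudience)) {
+return Result.failure("Token audience (aud) claim did not contain connector audience: " + endpointAudience);
+}
+
+return Result.success();
+}
+}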
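Review bot: The constructor `Oauth2AudienceValidationRule(String endpointAudience)` accepts a null audience without complaint, and because `audiences.contains(null)` is then false for every token with string audiences, a missing or unset configuration value surfaces only as opaque validation failures at runtime rather than at wiring time; `this.endpointAudience = Objects.requireNonNull(endpointAudience, "endpointAudience");` (with a `java.util.Objects` import) would fail fast instead. RFC 7519 also allows `aud` to be a single string rather than an array, and whether `getListClaim(AUDIENCE)` normalises a scalar into a one-element list cannot be seen from this file, so a test with a string-valued `aud` is worth adding, since a mismatch here would reject otherwise valid tokens. A class-level Javadoc line such as `Both a missing claim and a non-matching audience fail closed; the expected value is the connector's configured endpoint audience.` would document the intent.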