OPENDJ-3067 Make authzIdTemplate config parameter specific to each resolver config
Moves the 'authzIdTemplate' field from authorization.oauth2 to authorization.oauth2,[resolver]
Thus, the gateway will be more inclined to work OOB and default values for the template are more readable.
| | |
|---|
| | | // and well formed in the "oauth2" JSON attribute. |
|---|
| | | "resolver": "openam", |
|---|
| | | |
|---|
| | | // The default authzIdTemplate demonstrates how an authorization DN may be constructed |
|---|
| | | // from the "uid" field in the following example OAuth2 token introspection response: |
|---|
| | | // { |
|---|
| | | // "token": "access_token_string", |
|---|
| | | // "uid" : "user.2", |
|---|
| | | // "userName" : [ "user.2" ] |
|---|
| | | // } |
|---|
| | | // This attribute is required and has a string syntax. |
|---|
| | | // It must start with either 'dn:' or 'u:'. |
|---|
| | | // Note: For the CTS resolver, the following placeholder "{userName/0}" must be part of the template string, |
|---|
| | | // e.g "authzIdTemplate": "dn:uid={userName/0},ou=People,dc=example,dc=com" |
|---|
| | | "authzIdTemplate": "dn:uid={uid},ou=People,dc=example,dc=com", |
|---|
| | | |
|---|
| | | // Configures caching of access token introspection results. |
|---|
| | | // This attribute is optional, if it is not present, no token caching will be performed. |
|---|
| | | "accessTokenCache": { |
|---|
| | |
|---|
| | | "openam": { |
|---|
| | | // Defines the OpenAM endpoint URL where the request should be sent. |
|---|
| | | // This attribute is required and must have a string syntax. |
|---|
| | | "endpointURL": "http://openam.example.com:8080/openam/oauth2/tokeninfo" |
|---|
| | | "endpointURL": "http://openam.example.com:8080/openam/oauth2/tokeninfo", |
|---|
| | | |
|---|
| | | // The default authzIdTemplate demonstrates how an authorization DN may be constructed |
|---|
| | | // from the "uid" field in the following example OpenAM tokeninfo response: |
|---|
| | | // { |
|---|
| | | // "scope":["uid"], |
|---|
| | | // "realm":"/", |
|---|
| | | // "expires_in":45, |
|---|
| | | // "uid" : "bjensen", |
|---|
| | | // } |
|---|
| | | // This attribute is required and has a string syntax. |
|---|
| | | // It must start with either 'dn:' or 'u:'. |
|---|
| | | "authzIdTemplate": "dn:uid={uid},ou=People,dc=example,dc=com" |
|---|
| | | }, |
|---|
| | | |
|---|
| | | // The RFC-7662 (see https://tools.ietf.org/html/rfc7662) access token resolver configuration. |
|---|
| | |
|---|
| | | // It should support HTTP basic authorization (a base64-encoded string of clientId:clientSecret) |
|---|
| | | // These attributes are mandatory. |
|---|
| | | "clientId": "client_id", |
|---|
| | | "clientSecret": "client_secret" |
|---|
| | | "clientSecret": "client_secret", |
|---|
| | | |
|---|
| | | // The default authzIdTemplate demonstrates how an authorization DN may be constructed |
|---|
| | | // from the "username" field in the following example introspect response: |
|---|
| | | // { |
|---|
| | | // "active": true, |
|---|
| | | // "token_type": "access_token", |
|---|
| | | // "exp": 3524, |
|---|
| | | // "username" : "bjensen", |
|---|
| | | // } |
|---|
| | | // This attribute is required and has a string syntax. |
|---|
| | | // It must start with either 'dn:' or 'u:'. |
|---|
| | | "authzIdTemplate": "dn:uid={username},ou=People,dc=example,dc=com" |
|---|
| | | }, |
|---|
| | | |
|---|
| | | // The CTS access token resolver. |
|---|
| | |
|---|
| | | |
|---|
| | | // The access token base DN. |
|---|
| | | // This attribute is required and must have a string syntax. |
|---|
| | | "baseDN": "ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com" |
|---|
| | | "baseDN": "ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com", |
|---|
| | | |
|---|
| | | // The default authzIdTemplate demonstrates how an authorization DN may be constructed |
|---|
| | | // from the "userName" field in the following example CTS access token entry: |
|---|
| | | // { |
|---|
| | | // "active": true, |
|---|
| | | // "tokenName": ["access_token"], |
|---|
| | | // "exp": [3524], |
|---|
| | | // "userName" : ["bjensen"], |
|---|
| | | // } |
|---|
| | | // This attribute is required and has a string syntax. |
|---|
| | | // It must start with either 'dn:' or 'u:'. |
|---|
| | | "authzIdTemplate": "dn:uid={userName/0},ou=People,dc=example,dc=com" |
|---|
| | | }, |
|---|
| | | |
|---|
| | | // ONLY FOR TEST PURPOSE: A File based access token resolver |
|---|
| | |
|---|
| | | // File names must be equal to the token strings. |
|---|
| | | // The file content must a JSON object with the following attributes: |
|---|
| | | // 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate. |
|---|
| | | "folderPath": "/path/to/test/folder" |
|---|
| | | "folderPath": "/path/to/test/folder", |
|---|
| | | |
|---|
| | | // The default authzIdTemplate demonstrates how an authorization DN may be constructed |
|---|
| | | // from the "uid" field extracted from a fake token file: |
|---|
| | | // { |
|---|
| | | // "scope": ["read", "uid", "write"], |
|---|
| | | // "expireTime": 1961336698000, |
|---|
| | | // "uid": "bjensen" |
|---|
| | | // } |
|---|
| | | // This attribute is required and has a string syntax. |
|---|
| | | // It must start with either 'dn:' or 'u:'. |
|---|
| | | "authzIdTemplate": "dn:uid={uid},ou=People,dc=example,dc=com" |
|---|
| | | } |
|---|
| | | } |
|---|
| | | }, |
|---|
| | |
|---|
| | | final Set<String> scopes = config.get(SCOPES).required().asSet(String.class); |
|---|
| | | final AccessTokenResolver resolver = |
|---|
| | | createCachedTokenResolverIfNeeded(config, parseUnderlyingResolver(config)); |
|---|
| | | final String resolverName = config.get(RESOLVER_CONFIG_OBJECT).asString(); |
|---|
| | | final ConditionalFilter oAuth2Filter = newConditionalOAuth2ResourceServerFilter( |
|---|
| | | realm, scopes, resolver, config.get(AUTHZID_TEMPLATE).required().asString()); |
|---|
| | | realm, scopes, resolver, config.get(resolverName).get(AUTHZID_TEMPLATE).required().asString()); |
|---|
| | | return newConditionalFilter( |
|---|
| | | Filters.chainOf(oAuth2Filter.getFilter(), |
|---|
| | | newProxyAuthzFilter(getConnectionFactory(DEFAULT_ROOT_FACTORY))), |
|---|
| | |
|---|
| | | // Invalid 'authzIdTemplate' content |
|---|
| | | { |
|---|
| | | "{'realm': 'example.com'," |
|---|
| | | + "'authzIdTemplate': 'userName: ou={/user/id},dc=example,dc=com'," |
|---|
| | | + "'requiredScopes': ['read', 'write', 'dolphin']," |
|---|
| | | + "'resolver': 'openam'," |
|---|
| | | + "'openam': {'endpointURL': 'http://www.example.com/token-info'}," |
|---|
| | | + "'openam': {" |
|---|
| | | + " 'endpointURL': 'http://www.example.com/token-info'," |
|---|
| | | + " 'authzIdTemplate': 'userName: ou={/user/id},dc=example,dc=com'" |
|---|
| | | + "}," |
|---|
| | | + "'accessTokenCache': {'enabled': true, 'cacheExpiration': '42'}}", |
|---|
| | | }, |
|---|
| | | // Invalid 'accessTokenCache/expiration' duration |
|---|
| | | { |
|---|
| | | "{'realm': 'example.com'," |
|---|
| | | + "'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'," |
|---|
| | | + "'requiredScopes': ['read', 'write', 'dolphin']," |
|---|
| | | + "'resolver': 'openam'," |
|---|
| | | + "'openam': {'endpointURL': 'http://www.example.com/token-info'}," |
|---|
| | | + "'openam': {" |
|---|
| | | + " 'endpointURL': 'http://www.example.com/token-info'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'" |
|---|
| | | + "}," |
|---|
| | | + "'accessTokenCache': {'enabled': true, 'cacheExpiration': '42'}}", |
|---|
| | | } |
|---|
| | | }; |
|---|
| | |
|---|
| | | public void testOAuth2FilterWithEmptyScopes() throws Exception { |
|---|
| | | final String config = |
|---|
| | | "{'realm': 'example.com'," |
|---|
| | | + "'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'," |
|---|
| | | + "'requiredScopes': []," |
|---|
| | | + "'resolver': 'openam'," |
|---|
| | | + "'openam': {'endpointURL': 'http://www.example.com/token-info'}}"; |
|---|
| | | + "'openam': {" |
|---|
| | | + " 'endpointURL': 'http://www.example.com/token-info'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'" |
|---|
| | | + "}}"; |
|---|
| | | fakeApp.buildOAuth2Filter(parseJson(config)); |
|---|
| | | } |
|---|
| | | |
|---|
| | |
|---|
| | | { |
|---|
| | | "{'resolver': 'rfc7662'," |
|---|
| | | + "'rfc7662': { 'endpointURL': 'http:/example.com/introspect'," |
|---|
| | | + " 'clientId': 'client_app_id'," |
|---|
| | | + " 'clientSecret': 'client_app_secret'}}" |
|---|
| | | + " 'clientId': 'client_app_id'," |
|---|
| | | + " 'clientSecret': 'client_app_secret'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'}}" |
|---|
| | | }, |
|---|
| | | { |
|---|
| | | "{'resolver': 'openam'," |
|---|
| | | + "'openam': { 'endpointURL': 'http:/example.com/tokeninfo'}}" |
|---|
| | | + "'openam': { " |
|---|
| | | + " 'endpointURL': 'http:/example.com/tokeninfo'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'}}" |
|---|
| | | }, |
|---|
| | | { |
|---|
| | | "{'resolver': 'cts'," |
|---|
| | | + "'cts': { 'baseDN': 'coreTokenId={token},dc=com' }}" |
|---|
| | | + "'cts': { 'baseDN': 'coreTokenId={token},dc=com'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'}}" |
|---|
| | | }, |
|---|
| | | { |
|---|
| | | "{'resolver': 'file'," |
|---|
| | | + "'file': { 'folderPath': '/path/to/test/folder'}}" |
|---|
| | | + "'file': { 'folderPath': '/path/to/test/folder'," |
|---|
| | | + " 'authzIdTemplate': 'dn: ou={/user/id},dc=example,dc=com'}}" |
|---|
| | | } |
|---|
| | | }; |
|---|
| | | // @Checkstyle:on |
|---|
