Package org.apache.nifi.web.security.configuration

Class OidcSecurityConfiguration

java.lang.Object
org.apache.nifi.web.security.configuration.OidcSecurityConfiguration
@Configuration public class OidcSecurityConfiguration extends Object
OpenID Connect Configuration for Spring Security

  • Field Details

    • REQUEST_EXPIRATION

      private static final Duration REQUEST_EXPIRATION

    • AUTHORIZATION_REQUEST_CACHE_SIZE

      private static final long AUTHORIZATION_REQUEST_CACHE_SIZE
      See Also:

    • DEFAULT_SOCKET_TIMEOUT

      private static final Duration DEFAULT_SOCKET_TIMEOUT

    • NIFI_TRUSTSTORE_STRATEGY

      private static final String NIFI_TRUSTSTORE_STRATEGY
      See Also:

    • nullRequestCache

      private static final org.springframework.security.web.savedrequest.RequestCache nullRequestCache

    • keyRotationPeriod

      private final Duration keyRotationPeriod

    • properties

      private final NiFiProperties properties

    • stateManagerProvider

      private final StateManagerProvider stateManagerProvider

    • propertyEncryptor

      private final PropertyEncryptor propertyEncryptor

    • bearerTokenProvider

      private final BearerTokenProvider bearerTokenProvider

    • bearerTokenResolver

      private final org.springframework.security.oauth2.server.resource.web.BearerTokenResolver bearerTokenResolver

    • jwtDecoder

      private final org.springframework.security.oauth2.jwt.JwtDecoder jwtDecoder

    • logoutRequestManager

      private final LogoutRequestManager logoutRequestManager

  • Constructor Details

  • Method Details

    • oAuth2AuthorizationCodeGrantFilter

      @Bean public org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter oAuth2AuthorizationCodeGrantFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      Authorization Code Grant Filter handles Authorization Server responses and updates the Authorized Client Repository with ID Token and optional Refresh Token information
      Parameters:
      authenticationManager - Spring Security Authentication Manager
      Returns:
      OAuth2 Authorization Code Grant Filter

    • oAuth2AuthorizationRequestRedirectFilter

      @Bean public org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter oAuth2AuthorizationRequestRedirectFilter()
      Authorization Request Redirect Filter handles initial OpenID Connect authentication and redirects to the Authorization Server using default filter path from Spring Security
      Returns:
      OAuth2 Authorization Request Redirect Filter

    • oAuth2LoginAuthenticationFilter

      @Bean public org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter oAuth2LoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StandardAuthenticationEntryPoint authenticationEntryPoint)
      Login Authentication Filter handles Authentication Responses from the Authorization Server
      Parameters:
      authenticationManager - Spring Security Authentication Manager
      authenticationEntryPoint - Authentication Entry Point for handling failures
      Returns:
      OAuth2 Login Authentication Filter

    • oidcBearerTokenRefreshFilter

      @Bean public OidcBearerTokenRefreshFilter oidcBearerTokenRefreshFilter()
      OpenID Connect Bearer Token Refresh Filter exchanges OAuth2 Refresh Tokens with the Authorization Server and generates new application Bearer Tokens on successful responses
      Returns:
      Bearer Token Refresh Filter

    • oidcLogoutFilter

      @Bean public OidcLogoutFilter oidcLogoutFilter()
      Logout Filter for completing logout processing using RP-Initiated Logout 1.0 when supported
      Returns:
      OpenID Connect Logout Filter

    • oidcLogoutSuccessHandler

      @Bean public org.springframework.security.web.authentication.logout.LogoutSuccessHandler oidcLogoutSuccessHandler()
      Logout Success Handler redirects to the Authorization Server when supported
      Returns:
      Logout Success Handler

    • oidcAuthorizationCodeAuthenticationProvider

      @Bean public org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider()
      Authorization Code Grant Authentication Provider wired to Spring Security Authentication Manager
      Returns:
      OpenID Connect Authorization Code Authentication Provider

    • accessTokenResponseClient

      @Bean public org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient<org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient()
      Access Token Response Client for retrieving Access Tokens using Authorization Codes
      Returns:
      OAuth2 Access Token Response Client

    • oidcUserService

      @Bean public org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService oidcUserService()
      OpenID Connect User Service wired to Authentication Provider for retrieving User Information
      Returns:
      OpenID Connect User Service

    • authorizedClientRepository

      @Bean public StandardOidcAuthorizedClientRepository authorizedClientRepository()
      Authorized Client Repository for storing OpenID Connect Tokens in application State Manager
      Returns:
      Authorized Client Repository

    • authorizedClientExpirationCommand

      @Bean public AuthorizedClientExpirationCommand authorizedClientExpirationCommand()

    • oidcCommandScheduler

      @Bean public org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler oidcCommandScheduler()
      Command Scheduled for OpenID Connect operations
      Returns:
      Thread Pool Task Executor

    • authorizedClientConverter

      @Bean public AuthorizedClientConverter authorizedClientConverter()
      Authorized Client Converter for OpenID Connect Tokens supporting serialization of OpenID Connect Tokens
      Returns:
      Authorized Client Converter

    • authorizationRequestRepository

      @Bean public org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository()
      OpenID Connect Authorization Request Repository with Cache abstraction based on Caffeine implementation
      Returns:
      Authorization Request Repository

    • idTokenDecoderFactory

      @Bean public org.springframework.security.oauth2.jwt.JwtDecoderFactory<org.springframework.security.oauth2.client.registration.ClientRegistration> idTokenDecoderFactory()
      OpenID Connect Identifier Token Decoder with configured JWS Algorithm for verification
      Returns:
      OpenID Connect Identifier Token Decoder

    • tokenRevocationResponseClient

      @Bean public TokenRevocationResponseClient tokenRevocationResponseClient()
      Token Revocation Response Client responsible for transmitting Refresh Token revocation requests to the Provider
      Returns:
      Token Revocation Response Client

    • clientRegistrationRepository

      @Bean public org.springframework.security.oauth2.client.registration.ClientRegistrationRepository clientRegistrationRepository()
      Client Registration Repository for OpenID Connect Discovery
      Returns:
      Client Registration Repository

    • oidcRestOperations

      @Bean public org.springframework.web.client.RestOperations oidcRestOperations()
      OpenID Connect REST Operations for communication with Authorization Servers
      Returns:
      REST Operations

    • oidcClientHttpRequestFactory

      @Bean public org.springframework.http.client.ClientHttpRequestFactory oidcClientHttpRequestFactory()
      OpenID Connect Client HTTP Request Factory for communication with Authorization Servers
      Returns:
      Client HTTP Request Factory

    • getHttpClient

      private okhttp3.OkHttpClient getHttpClient()

    • getTimeout

      private Duration getTimeout(String timeoutExpression)

    • setSslSocketFactory

      private void setSslSocketFactory(okhttp3.OkHttpClient.Builder builder)

    • getAuthenticationSuccessHandler

      private OidcAuthenticationSuccessHandler getAuthenticationSuccessHandler()

    • getUserClaimNames

      private List<String> getUserClaimNames()