Package org.apache.nifi.web.security.configuration

Class OidcSecurityConfiguration

java.lang.Object

org.apache.nifi.web.security.configuration.OidcSecurityConfiguration

@Configuration
public class OidcSecurityConfiguration
extends Object

OpenID Connect Configuration for Spring Security

Field Summary

Fields

Modifier and Type	Field	Description
private static final long	AUTHORIZATION_REQUEST_CACHE_SIZE
private final BearerTokenProvider	bearerTokenProvider
private final org.springframework.security.oauth2.server.resource.web.BearerTokenResolver	bearerTokenResolver
private final org.springframework.security.oauth2.client.registration.ClientRegistrationRepository	clientRegistrationRepository
private final org.springframework.security.oauth2.jwt.JwtDecoderFactory<org.springframework.security.oauth2.client.registration.ClientRegistration>	idTokenDecoderFactory
private final org.springframework.security.oauth2.jwt.JwtDecoder	jwtDecoder
private final Duration	keyRotationPeriod
private final LogoutRequestManager	logoutRequestManager
private static final org.springframework.security.web.savedrequest.RequestCache	nullRequestCache
private final org.springframework.web.client.RestClient	oidcRestClient
private final org.springframework.web.client.RestOperations	oidcRestOperations
private final NiFiProperties	properties
private final PropertyEncryptor	propertyEncryptor
private static final Duration	REQUEST_EXPIRATION
private final StateManagerProvider	stateManagerProvider

Constructor Summary

Constructors

Constructor

Description

OidcSecurityConfiguration(NiFiProperties properties, StateManagerProvider stateManagerProvider, PropertyEncryptor propertyEncryptor, BearerTokenProvider bearerTokenProvider, org.springframework.security.oauth2.server.resource.web.BearerTokenResolver bearerTokenResolver, org.springframework.security.oauth2.client.registration.ClientRegistrationRepository clientRegistrationRepository, org.springframework.security.oauth2.jwt.JwtDecoder jwtDecoder, org.springframework.security.oauth2.jwt.JwtDecoderFactory<org.springframework.security.oauth2.client.registration.ClientRegistration> idTokenDecoderFactory, org.springframework.web.client.RestOperations oidcRestOperations, org.springframework.web.client.RestClient oidcRestClient, LogoutRequestManager logoutRequestManager)

Method Summary

Modifier and Type	Method	Description
org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient<org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest>	accessTokenResponseClient()	Access Token Response Client for retrieving Access Tokens using Authorization Codes
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest>	authorizationRequestRepository()	OpenID Connect Authorization Request Repository with Cache abstraction based on Caffeine implementation
AuthorizedClientConverter	authorizedClientConverter()	Authorized Client Converter for OpenID Connect Tokens supporting serialization of OpenID Connect Tokens
AuthorizedClientExpirationCommand	authorizedClientExpirationCommand()
StandardOidcAuthorizedClientRepository	authorizedClientRepository()	Authorized Client Repository for storing OpenID Connect Tokens in application State Manager
private OidcAuthenticationSuccessHandler	getAuthenticationSuccessHandler()
private List<String>	getUserClaimNames()
org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter	oAuth2AuthorizationCodeGrantFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)	Authorization Code Grant Filter handles Authorization Server responses and updates the Authorized Client Repository with ID Token and optional Refresh Token information
org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter	oAuth2AuthorizationRequestRedirectFilter()	Authorization Request Redirect Filter handles initial OpenID Connect authentication and redirects to the Authorization Server using default filter path from Spring Security
org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter	oAuth2LoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager, StandardAuthenticationEntryPoint authenticationEntryPoint)	Login Authentication Filter handles Authentication Responses from the Authorization Server
org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider	oidcAuthorizationCodeAuthenticationProvider()	Authorization Code Grant Authentication Provider wired to Spring Security Authentication Manager
OidcBearerTokenRefreshFilter	oidcBearerTokenRefreshFilter()	OpenID Connect Bearer Token Refresh Filter exchanges OAuth2 Refresh Tokens with the Authorization Server and generates new application Bearer Tokens on successful responses
org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler	oidcCommandScheduler()	Command Scheduled for OpenID Connect operations
OidcLogoutFilter	oidcLogoutFilter()	Logout Filter for completing logout processing using RP-Initiated Logout 1.0 when supported
org.springframework.security.web.authentication.logout.LogoutSuccessHandler	oidcLogoutSuccessHandler()	Logout Success Handler redirects to the Authorization Server when supported
org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService	oidcUserService()	OpenID Connect User Service wired to Authentication Provider for retrieving User Information
TokenRevocationResponseClient	tokenRevocationResponseClient()	Token Revocation Response Client responsible for transmitting Refresh Token revocation requests to the Provider

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

REQUEST_EXPIRATION

private static final Duration REQUEST_EXPIRATION

AUTHORIZATION_REQUEST_CACHE_SIZE

private static final long AUTHORIZATION_REQUEST_CACHE_SIZE

See Also:

• Constant Field Values

nullRequestCache

private static final org.springframework.security.web.savedrequest.RequestCache nullRequestCache

keyRotationPeriod

private final Duration keyRotationPeriod

properties

private final NiFiProperties properties

stateManagerProvider

private final StateManagerProvider stateManagerProvider

propertyEncryptor

private final PropertyEncryptor propertyEncryptor

bearerTokenProvider

private final BearerTokenProvider bearerTokenProvider

bearerTokenResolver

private final org.springframework.security.oauth2.server.resource.web.BearerTokenResolver bearerTokenResolver

clientRegistrationRepository

private final org.springframework.security.oauth2.client.registration.ClientRegistrationRepository clientRegistrationRepository

jwtDecoder

private final org.springframework.security.oauth2.jwt.JwtDecoder jwtDecoder

idTokenDecoderFactory

private final org.springframework.security.oauth2.jwt.JwtDecoderFactory<org.springframework.security.oauth2.client.registration.ClientRegistration> idTokenDecoderFactory

oidcRestOperations

private final org.springframework.web.client.RestOperations oidcRestOperations

oidcRestClient

private final org.springframework.web.client.RestClient oidcRestClient

logoutRequestManager

private final LogoutRequestManager logoutRequestManager

Constructor Details

OidcSecurityConfiguration

@Autowired
public OidcSecurityConfiguration(NiFiProperties properties,
 StateManagerProvider stateManagerProvider,
 PropertyEncryptor propertyEncryptor,
 BearerTokenProvider bearerTokenProvider,
 org.springframework.security.oauth2.server.resource.web.BearerTokenResolver bearerTokenResolver,
 org.springframework.security.oauth2.client.registration.ClientRegistrationRepository clientRegistrationRepository,
 org.springframework.security.oauth2.jwt.JwtDecoder jwtDecoder,
 org.springframework.security.oauth2.jwt.JwtDecoderFactory<org.springframework.security.oauth2.client.registration.ClientRegistration> idTokenDecoderFactory,
 @Qualifier("oidcRestOperations")
 org.springframework.web.client.RestOperations oidcRestOperations,
 @Qualifier("oidcRestClient")
 org.springframework.web.client.RestClient oidcRestClient,
 LogoutRequestManager logoutRequestManager)

Method Details

oAuth2AuthorizationCodeGrantFilter

@Bean
public org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter oAuth2AuthorizationCodeGrantFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager)

Authorization Code Grant Filter handles Authorization Server responses and updates the Authorized Client Repository with ID Token and optional Refresh Token information

Parameters:

authenticationManager - Spring Security Authentication Manager

Returns:

OAuth2 Authorization Code Grant Filter

oAuth2AuthorizationRequestRedirectFilter

@Bean
public org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter oAuth2AuthorizationRequestRedirectFilter()

Authorization Request Redirect Filter handles initial OpenID Connect authentication and redirects to the Authorization Server using default filter path from Spring Security

Returns:

OAuth2 Authorization Request Redirect Filter

oAuth2LoginAuthenticationFilter

@Bean
public org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter oAuth2LoginAuthenticationFilter(org.springframework.security.authentication.AuthenticationManager authenticationManager,
 StandardAuthenticationEntryPoint authenticationEntryPoint)

Login Authentication Filter handles Authentication Responses from the Authorization Server

Parameters:

authenticationManager - Spring Security Authentication Manager

authenticationEntryPoint - Authentication Entry Point for handling failures

Returns:

OAuth2 Login Authentication Filter

oidcBearerTokenRefreshFilter

@Bean
public OidcBearerTokenRefreshFilter oidcBearerTokenRefreshFilter()

OpenID Connect Bearer Token Refresh Filter exchanges OAuth2 Refresh Tokens with the Authorization Server and generates new application Bearer Tokens on successful responses

Returns:

Bearer Token Refresh Filter

oidcLogoutFilter

@Bean
public OidcLogoutFilter oidcLogoutFilter()

Logout Filter for completing logout processing using RP-Initiated Logout 1.0 when supported

Returns:

OpenID Connect Logout Filter

oidcLogoutSuccessHandler

@Bean
public org.springframework.security.web.authentication.logout.LogoutSuccessHandler oidcLogoutSuccessHandler()

Logout Success Handler redirects to the Authorization Server when supported

Returns:

Logout Success Handler

oidcAuthorizationCodeAuthenticationProvider

@Bean
public org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider()

Authorization Code Grant Authentication Provider wired to Spring Security Authentication Manager

Returns:

OpenID Connect Authorization Code Authentication Provider

accessTokenResponseClient

@Bean
public org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient<org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient()

Access Token Response Client for retrieving Access Tokens using Authorization Codes

Returns:

OAuth2 Access Token Response Client

oidcUserService

@Bean
public org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService oidcUserService()

OpenID Connect User Service wired to Authentication Provider for retrieving User Information

Returns:

OpenID Connect User Service

authorizedClientRepository

@Bean
public StandardOidcAuthorizedClientRepository authorizedClientRepository()

Authorized Client Repository for storing OpenID Connect Tokens in application State Manager

Returns:

Authorized Client Repository

authorizedClientExpirationCommand

@Bean
public AuthorizedClientExpirationCommand authorizedClientExpirationCommand()

oidcCommandScheduler

@Bean
public org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler oidcCommandScheduler()

Command Scheduled for OpenID Connect operations

Returns:

Thread Pool Task Executor

authorizedClientConverter

@Bean
public AuthorizedClientConverter authorizedClientConverter()

Authorized Client Converter for OpenID Connect Tokens supporting serialization of OpenID Connect Tokens

Returns:

Authorized Client Converter

authorizationRequestRepository

@Bean
public org.springframework.security.oauth2.client.web.AuthorizationRequestRepository<org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest> authorizationRequestRepository()

OpenID Connect Authorization Request Repository with Cache abstraction based on Caffeine implementation

Returns:

Authorization Request Repository

tokenRevocationResponseClient

@Bean
public TokenRevocationResponseClient tokenRevocationResponseClient()

Token Revocation Response Client responsible for transmitting Refresh Token revocation requests to the Provider

Returns:

Token Revocation Response Client

getAuthenticationSuccessHandler

private OidcAuthenticationSuccessHandler getAuthenticationSuccessHandler()

getUserClaimNames

private List<String> getUserClaimNames()