Example 1 with OAuthProviderPrincipal

Use of org.dcache.auth.OAuthProviderPrincipal in the dcache project by dCache.

From the class OidcAuthPlugin, method authenticate:

// gPlazma authentication entry point: requires exactly one bearer token among the
// private credentials, validates it, and maps its claims to dCache principals.
@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals, Set<Restriction> restrictions) throws AuthenticationException {
    String token = null;
    for (Object credential : privateCredentials) {
        if (credential instanceof BearerTokenCredential) {
            // An ambiguous request carrying more than one bearer token is rejected outright.
            checkAuthentication(token == null, "Multiple bearer tokens");
            token = ((BearerTokenCredential) credential).getToken();
            // Note: this writes the raw bearer token (a credential) to the log at DEBUG level.
            LOG.debug("Found bearer token: {}", token);
        }
    }
    checkAuthentication(token != null, "No bearer token in the credentials");
    checkValid(token);
    try {
        // Verify the token and resolve which identity provider (idp) issued it.
        ExtractResult result = tokenProcessor.extract(token);
        checkAuthentication(!result.claims().isEmpty(), "processing token yielded no claims");
        // The token must be intended for this service; reject tokens meant for another audience.
        checkAudience(result.claims());
        var idp = result.idp();
        // Record which OAuth provider vouched for this identity.
        identifiedPrincipals.add(new OAuthProviderPrincipal(idp.getName()));
        // The provider's profile (the WLCG profile, for example) decides how the claims
        // are turned into principals and, optionally, a Restriction on what the user may do.
        Profile profile = idp.getProfile();
        var profileResult = profile.processClaims(idp, result.claims());
        identifiedPrincipals.addAll(profileResult.getPrincipals());
        profileResult.getRestriction().ifPresent(restrictions::add);
    } catch (UnableToProcess e) {
        throw new AuthenticationException("Unable to process token: " + e.getMessage());
    }
}

Example 2 with OAuthProviderPrincipal

Use of org.dcache.auth.OAuthProviderPrincipal in the dcache project by dCache.

From the test class SciTokenPluginTest, method shouldAcceptWlcgProfileWithoutScope:

// A WLCG-profile token (wlcg.ver claim) that carries no scope claim is still accepted:
// the identity principals are produced, but the issuer's configured uid/gid are not granted.
@Test
public void shouldAcceptWlcgProfileWithoutScope() throws Exception {
    // Trust issuer "EXAMPLE" at https://example.org/ with a path prefix and default uid/gid 1000.
    given(aSciTokenPlugin().withProperty("gplazma.scitoken.issuer!EXAMPLE", "https://example.org/ /prefix uid:1000 gid:1000"));
    // Register the OpenID provider and the RSA key the test token will be signed with.
    givenThat("OP1", isAnIssuer().withURL("https://example.org/").withKey("key1", rsa256Keys()));
    String sub = UUID.randomUUID().toString();
    String jti = UUID.randomUUID().toString();
    // The token marks the WLCG profile but deliberately omits the "scope" claim.
    whenAuthenticatingWith(aJwtToken()
            .withClaim("wlcg.ver", "1.0")
            .withClaim("jti", jti)
            .withClaim("sub", sub)
            .issuedBy("OP1")
            .usingKey("key1"));
    // Identity principals derived from sub, jti and the provider name are present ...
    assertThat(identifiedPrincipals, hasItems(
            new JwtSubPrincipal("EXAMPLE", sub),
            new OidcSubjectPrincipal(sub, "EXAMPLE"),
            new OAuthProviderPrincipal("EXAMPLE"),
            new JwtJtiPrincipal("EXAMPLE", jti)));
    // ... but the uid/gid mapping is not applied when no scope was granted.
    assertThat(identifiedPrincipals, not(hasItems(new UidPrincipal(1000), new GidPrincipal(1000, true))));
}