nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From alopresto <...@git.apache.org>
Subject [GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect
Date Tue, 01 Aug 2017 22:42:15 GMT
Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2047#discussion_r130747485
  
    --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
---
    @@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest)
{
             return generateOkResponse(entity).build();
         }
     
    +    @GET
    +    @Consumes(MediaType.WILDCARD)
    +    @Produces(MediaType.WILDCARD)
    +    @Path("oidc/request")
    +    @ApiOperation(
    +            value = "Initiates a request to authenticate through the configured OpenId
Connect provider."
    +    )
    +    public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context
HttpServletResponse httpServletResponse) throws Exception {
    +        // only consider user specific access over https
    +        if (!httpServletRequest.isSecure()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization
is only supported when running over HTTPS.");
    +            return;
    +        }
    +
    +        // ensure oidc is enabled
    +        if (!oidcService.isOidcEnabled()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect
is not configured.");
    +            return;
    +        }
    +
    +        final String oidcRequestIdentifier = UUID.randomUUID().toString();
    +
    +        // generate a cookie to associate this login sequence
    +        final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier);
    +        cookie.setPath("/");
    +        cookie.setHttpOnly(true);
    +        cookie.setMaxAge(60);
    +        cookie.setSecure(true);
    +        httpServletResponse.addCookie(cookie);
    +
    +        // get the state for this request
    +        final State state = oidcService.createState(oidcRequestIdentifier);
    +
    +        // build the authorization uri
    +        final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
    +                .queryParam("client_id", oidcService.getClientId())
    +                .queryParam("response_type", "code")
    +                .queryParam("scope", oidcService.getScope().toString())
    +                .queryParam("state", state.getValue())
    +                .queryParam("redirect_uri", getOidcCallback())
    +                .build();
    +
    +        // generate the response
    +        httpServletResponse.sendRedirect(authorizationUri.toString());
    +    }
    +
    +    @GET
    +    @Consumes(MediaType.WILDCARD)
    +    @Produces(MediaType.WILDCARD)
    +    @Path("oidc/callback")
    +    @ApiOperation(
    +            value = "Redirect/callback URI for processing the result of the OpenId Connect
login sequence."
    +    )
    +    public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context
HttpServletResponse httpServletResponse) throws Exception {
    +        // only consider user specific access over https
    +        if (!httpServletRequest.isSecure()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization
is only supported when running over HTTPS.");
    +            return;
    +        }
    +
    +        // ensure oidc is enabled
    +        if (!oidcService.isOidcEnabled()) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect
is not configured.");
    +            return;
    +        }
    +
    +        final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(),
OIDC_REQUEST_IDENTIFIER);
    +        if (oidcRequestIdentifier == null) {
    +            forwardToMessagePage(httpServletRequest, httpServletResponse, "The login
request identifier was not found in the request. Unable to continue.");
    +            return;
    +        }
    +
    +        final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
    +        if (oidcResponse.indicatesSuccess()) {
    +            final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse)
oidcResponse;
    +
    +            // confirm state
    +            final State state = successfulOidcResponse.getState();
    +            if (!oidcService.isStateValid(oidcRequestIdentifier, state)) {
    +                logger.error("Purposed state does not match the stored state. Unable
to continue login process.");
    --- End diff --
    
    I don't understand what "Purposed state" refers to here. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message