Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 31872200CE6 for ; Wed, 2 Aug 2017 00:47:42 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 2FE0D16824B; Tue, 1 Aug 2017 22:47:42 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 4E56F16824A for ; Wed, 2 Aug 2017 00:47:41 +0200 (CEST) Received: (qmail 52706 invoked by uid 500); 1 Aug 2017 22:47:40 -0000 Mailing-List: contact issues-help@nifi.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@nifi.apache.org Delivered-To: mailing list issues@nifi.apache.org Received: (qmail 52695 invoked by uid 99); 1 Aug 2017 22:47:40 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Aug 2017 22:47:40 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 673DFE00C5; Tue, 1 Aug 2017 22:47:40 +0000 (UTC) From: alopresto To: issues@nifi.apache.org Reply-To: issues@nifi.apache.org References: In-Reply-To: Subject: [GitHub] nifi pull request #2047: NIFI-4210: Add support for OpenId Connect Content-Type: text/plain Message-Id: <20170801224740.673DFE00C5@git1-us-west.apache.org> Date: Tue, 1 Aug 2017 22:47:40 +0000 (UTC) archived-at: Tue, 01 Aug 2017 22:47:42 -0000 Github user alopresto commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130748365 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java --- @@ -125,6 +142,160 @@ public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) { return generateOkResponse(entity).build(); } + @GET + @Consumes(MediaType.WILDCARD) + @Produces(MediaType.WILDCARD) + @Path("oidc/request") + @ApiOperation( + value = "Initiates a request to authenticate through the configured OpenId Connect provider." + ) + public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { + // only consider user specific access over https + if (!httpServletRequest.isSecure()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); + return; + } + + // ensure oidc is enabled + if (!oidcService.isOidcEnabled()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); + return; + } + + final String oidcRequestIdentifier = UUID.randomUUID().toString(); + + // generate a cookie to associate this login sequence + final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, oidcRequestIdentifier); + cookie.setPath("/"); + cookie.setHttpOnly(true); + cookie.setMaxAge(60); + cookie.setSecure(true); + httpServletResponse.addCookie(cookie); + + // get the state for this request + final State state = oidcService.createState(oidcRequestIdentifier); + + // build the authorization uri + final URI authorizationUri = UriBuilder.fromUri(oidcService.getAuthorizationEndpoint()) + .queryParam("client_id", oidcService.getClientId()) + .queryParam("response_type", "code") + .queryParam("scope", oidcService.getScope().toString()) + .queryParam("state", state.getValue()) + .queryParam("redirect_uri", getOidcCallback()) + .build(); + + // generate the response + httpServletResponse.sendRedirect(authorizationUri.toString()); + } + + @GET + @Consumes(MediaType.WILDCARD) + @Produces(MediaType.WILDCARD) + @Path("oidc/callback") + @ApiOperation( + value = "Redirect/callback URI for processing the result of the OpenId Connect login sequence." + ) + public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception { + // only consider user specific access over https + if (!httpServletRequest.isSecure()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS."); + return; + } + + // ensure oidc is enabled + if (!oidcService.isOidcEnabled()) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured."); + return; + } + + final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER); + if (oidcRequestIdentifier == null) { + forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue."); + return; + } + + final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse = AuthenticationResponseParser.parse(getRequestUri()); + if (oidcResponse.indicatesSuccess()) { + final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse; + + // confirm state + final State state = successfulOidcResponse.getState(); + if (!oidcService.isStateValid(oidcRequestIdentifier, state)) { + logger.error("Purposed state does not match the stored state. Unable to continue login process."); + + // remove the oidc request cookie + removeOidcRequestCookie(httpServletResponse); + + // forward to the error page + forwardToMessagePage(httpServletRequest, httpServletResponse, "Purposed state does not match the stored state. Unable to continue login process."); + return; + } + + try { + // exchange authorization code for id token + final AuthorizationCode authorizationCode = successfulOidcResponse.getAuthorizationCode(); + final AuthorizationGrant authorizationGrant = new AuthorizationCodeGrant(authorizationCode, URI.create(getOidcCallback())); + oidcService.exchangeAuthorizationCode(oidcRequestIdentifier, authorizationGrant); + } catch (final Exception e) { + logger.error("Unable to exchange authorization for ID token: " + e.getMessage(), e); + + // remove the oidc request cookie + removeOidcRequestCookie(httpServletResponse); + + // forward to the error page + forwardToMessagePage(httpServletRequest, httpServletResponse, "Unable to exchange authorization for ID token: " + e.getMessage()); + return; + } + + // redirect to the name page + httpServletResponse.sendRedirect("../../../nifi"); --- End diff -- Does this path have to be relative or can it just be set to `/nifi`? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA. ---