Date: Wed, 2 Aug 2017 13:56:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@nifi.apache.org
Reply-To: dev@nifi.apache.org
Subject: [jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110946#comment-16110946 ]

ASF GitHub Bot commented on NIFI-4210:
--------------------------------------

Github user mcgilman commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2047#discussion_r130882716

--- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/OidcService.java ---
@@ -0,0 +1,207 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.id.State; +import org.apache.nifi.web.security.util.CacheKey; + +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; + +import static org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED; + +/** + * OidcService is a service for managing the OpenId Connect Authorization flow. + */ +public class OidcService { + + private OidcIdentityProvider identityProvider; + private Cache stateLookupForPendingRequests; // identifier from cookie -> state value + private Cache jwtLookupForCompletedRequests; // identifier from cookie -> jwt or identity (and generate jwt on retrieval) + + /** + * Creates a new OtpService with an expiration of 5 minutes. 
+ */ + public OidcService(final OidcIdentityProvider identityProvider) { + this(identityProvider, 60, TimeUnit.SECONDS); + } + + /** + * Creates a new OtpService. + * + * @param duration The expiration duration + * @param units The expiration units + * @throws NullPointerException If units is null + * @throws IllegalArgumentException If duration is negative + */ + public OidcService(final OidcIdentityProvider identityProvider, final int duration, final TimeUnit units) { + this.identityProvider = identityProvider; + this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); + this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build(); + } + + /** + * Returns whether OpenId Connect is enabled. + * + * @return whether OpenId Connect is enabled + */ + public boolean isOidcEnabled() { + return identityProvider.isOidcEnabled(); + } + + /** + * Returns the OpenId Connect authorization endpoint. + * + * @return the authorization endpoint + */ + public URI getAuthorizationEndpoint() { + return identityProvider.getAuthorizationEndpoint(); + } + + /** + * Returns the OpenId Connect scope. + * + * @return scope + */ + public Scope getScope() { + return identityProvider.getScope(); + } + + /** + * Returns the OpenId Connect client id. + * + * @return client id + */ + public String getClientId() { + return identityProvider.getClientId().getValue(); + } + + /** + * Initiates an OpenId Connection authorization code flow using the specified request identifier to maintain state. 
+ * + * @param oidcRequestIdentifier request identifier + * @return state + */ + public State createState(final String oidcRequestIdentifier) { + if (!isOidcEnabled()) { + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); + } + + final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier); + final State state = new State(new BigInteger(130, new SecureRandom()).toString(32)); --- End diff -- Got it. Thanks for the additional explanation. The new comment will include these details. > Add OpenId Connect support for authenticating users > --------------------------------------------------- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI > Reporter: Matt Gilman > Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection specification. Evaluate whether a new extension point is necessary to allow for a given provider to supply custom code for instance to implement custom token validation. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
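Review bot: The Javadoc on the single-argument constructor says it creates the service "with an expiration of 5 minutes", but the delegating call passes `60, TimeUnit.SECONDS`, so either the comment or the default is wrong; both constructor Javadocs also still read "Creates a new OtpService" although the class is `OidcService`. Pick one expiry, state it in the comment, and replace the copied name. Two smaller points in the same hunk: the two-argument Javadoc documents the `NullPointerException` and `IllegalArgumentException` that `CacheBuilder` raises for `units` and `duration` but says nothing about `identityProvider`, which is stored without a null check and dereferenced in `isOidcEnabled()`; and both caches are built with `expireAfterWrite` only, so entries written by `createState` for requests that have not yet authenticated (the flow is only being initiated there) are bounded in time but not in count. Adding `.maximumSize(...)` to the builders, or documenting why the expiry alone is considered sufficient, would cap how much state a caller can make the service hold. The `State` value itself, 130 bits from `SecureRandom` rendered in base 32, is a sound choice; the `SecureRandom` could be a single field rather than a new instance per call, but that is style, not correctness.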