Date: Wed, 2 Aug 2017 17:25:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@nifi.apache.org
Subject: [jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users

[ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111360#comment-16111360 ]

ASF GitHub Bot commented on NIFI-4210:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2047#discussion_r130940968

--- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java ---
@@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import 
com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + + private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + + private NiFiProperties properties; + private JwtService jwtService; + private OIDCProviderMetadata oidcProviderMetadata; + private int oidcConnectTimeout; + private int oidcReadTimeout; + private IDTokenValidator tokenValidator; + private ClientID clientId; + private Secret clientSecret; + + /** + * Creates a new StandardOidcIdentityProvider. 
+ * + * @param jwtService jwt service + * @param properties properties + */ + public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { + this.properties = properties; + this.jwtService = jwtService; + + // attempt to process the oidc configuration if configured + if (properties.isOidcEnabled()) { + // oidc connect timeout + final String rawConnectTimeout = properties.getOidcConnectTimeout(); + try { + oidcConnectTimeout = (int) FormatUtils.getTimeDuration(rawConnectTimeout, TimeUnit.MILLISECONDS); + } catch (final Exception e) { + logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'", + NiFiProperties.SECURITY_USER_OIDC_CONNECT_TIMEOUT, rawConnectTimeout, NiFiProperties.DEFAULT_SECURITY_USER_OIDC_CONNECT_TIMEOUT); + oidcConnectTimeout = (int) FormatUtils.getTimeDuration(NiFiProperties.DEFAULT_SECURITY_USER_OIDC_CONNECT_TIMEOUT, TimeUnit.MILLISECONDS); + } + + // oidc read timeout + final String rawReadTimeout = properties.getOidcReadTimeout(); + try { + oidcReadTimeout = (int) FormatUtils.getTimeDuration(rawReadTimeout, TimeUnit.MILLISECONDS); + } catch (final Exception e) { + logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. 
Ignoring this value and using the default value of '{}'", + NiFiProperties.SECURITY_USER_OIDC_READ_TIMEOUT, rawReadTimeout, NiFiProperties.DEFAULT_SECURITY_USER_OIDC_READ_TIMEOUT); + oidcReadTimeout = (int) FormatUtils.getTimeDuration(NiFiProperties.DEFAULT_SECURITY_USER_OIDC_READ_TIMEOUT, TimeUnit.MILLISECONDS); + } + + // client id + final String rawClientId = properties.getOidcClientId(); + if (StringUtils.isBlank(rawClientId)) { + throw new RuntimeException("Client ID is required when configuring an OIDC Provider."); + } + clientId = new ClientID(rawClientId); + + // client secret + final String rawClientSecret = properties.getOidcClientSecret(); + if (StringUtils.isBlank(rawClientSecret)) { + throw new RuntimeException("Client secret is required when configured an OIDC Provider."); + } + clientSecret = new Secret(rawClientSecret); + + try { + // retrieve the oidc provider metadata + oidcProviderMetadata = retrieveOidcProviderMetadata(properties.getOidcDiscoveryUrl()); + } catch (IOException | ParseException e) { + throw new RuntimeException("Unable to retrieve OpenId Connect Provider metadata from: " + properties.getOidcDiscoveryUrl(), e); + } + + // ensure the oidc provider supports basic or post client auth + final List clientAuthenticationMethods = oidcProviderMetadata.getTokenEndpointAuthMethods(); + if (clientAuthenticationMethods == null + || (!clientAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) + && !clientAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_POST))) { + + throw new RuntimeException(String.format("OpenId Connect Provider does not support %s or %s", + ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue(), + ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue())); + } + + // extract the supported json web signature algorithms + final List allowedAlgorithms = oidcProviderMetadata.getIDTokenJWSAlgs(); + if (allowedAlgorithms == null || allowedAlgorithms.isEmpty()) { + throw new 
RuntimeException("The OpenId Connect Provider does not support any JWS algorithms."); + } + + try { + // get the preferred json web signature algorithm + final String rawPreferredJwsAlgorithm = properties.getOidcPreferredJwsAlgorithm(); + + final JWSAlgorithm preferredJwsAlgorithm; + if (StringUtils.isBlank(rawPreferredJwsAlgorithm)) { + preferredJwsAlgorithm = oidcProviderMetadata.getIDTokenJWSAlgs().get(0); + } else { + if ("none".equals(rawPreferredJwsAlgorithm)) { + preferredJwsAlgorithm = null; + } else { + preferredJwsAlgorithm = JWSAlgorithm.parse(rawPreferredJwsAlgorithm); + } + } + + if (preferredJwsAlgorithm == null) {
--- End diff --

    Not sure I understand the logic here:

    * If no preferred algorithm, don't provide the client secret?
    * If the preferred algorithm is `HMAC/SHA-*`, provide that algorithm and the client secret
    * If the preferred algorithm is something else, make a `ResourceRetriever` with default settings and provide that (why is this different than the `HMAC/SHA` branch -- solely for the OP JWK Set to verify the EC/RSA signature? This class also appears to be deprecated; is there a reason we can't use the constructor that takes the JWK URI param but no `ResourceRetriever`?)

    ```
    public IDTokenValidator(final Issuer expectedIssuer, final ClientID clientID, final JWSAlgorithm expectedJWSAlg, final URL jwkSetURI)
    ```

> Add OpenId Connect support for authenticating users
> ---------------------------------------------------
>
>                 Key: NIFI-4210
>                 URL: https://issues.apache.org/jira/browse/NIFI-4210
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Core UI
>            Reporter: Matt Gilman
>            Assignee: Matt Gilman
>
> Add support for authenticating users with the OpenId Connection specification. Evaluate whether a new extension point is necessary to allow for a given provider to supply custom code for instance to implement custom token validation.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
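Review bot: the preferred-algorithm selection at the end of the hunk turns a configured value of "none" into a null preferredJwsAlgorithm, and the blank-value fallback takes whatever the provider lists first in getIDTokenJWSAlgs(); neither path refuses an unsigned ID token, so a provider that advertises none in id_token_signing_alg_values_supported (which Discovery permits) or an operator who sets the property to none could end up with a validator built for tokens that carry no signature. Suggest rejecting "none" with a clear error rather than mapping it to null, filtering JWSAlgorithm.NONE out of allowedAlgorithms before the get(0) fallback, and defaulting to RS256, which every OpenID Provider is required to support for ID tokens. Minor: the client-secret error text "Client secret is required when configured an OIDC Provider." should read "when configuring", matching the client ID message just above it.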