Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id CD468200CD8 for ; Wed, 2 Aug 2017 20:46:09 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id CBA8516A242; Wed, 2 Aug 2017 18:46:09 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 9CC3A16A241 for ; Wed, 2 Aug 2017 20:46:08 +0200 (CEST) Received: (qmail 5151 invoked by uid 500); 2 Aug 2017 18:46:07 -0000 Mailing-List: contact issues-help@nifi.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@nifi.apache.org Delivered-To: mailing list issues@nifi.apache.org Received: (qmail 5142 invoked by uid 99); 2 Aug 2017 18:46:07 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Aug 2017 18:46:07 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 62CE5C59C7 for ; Wed, 2 Aug 2017 18:46:07 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -100.001 X-Spam-Level: X-Spam-Status: No, score=-100.001 tagged_above=-999 required=6.31 tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id b7qz1khTXmlB for ; Wed, 2 Aug 2017 18:46:01 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 3611C5FB32 for ; Wed, 2 Aug 2017 18:46:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id AD587E09A6 for ; Wed, 2 Aug 2017 18:46:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4AAE42464D for ; Wed, 2 Aug 2017 18:46:00 +0000 (UTC) Date: Wed, 2 Aug 2017 18:46:00 +0000 (UTC) From: "ASF GitHub Bot (JIRA)" To: issues@nifi.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (NIFI-4210) Add OpenId Connect support for authenticating users MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Wed, 02 Aug 2017 18:46:10 -0000 [ https://issues.apache.org/jira/browse/NIFI-4210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111510#comment-16111510 ] ASF GitHub Bot commented on NIFI-4210: -------------------------------------- Github user mcgilman commented on a diff in the pull request: https://github.com/apache/nifi/pull/2047#discussion_r130962379 --- Diff: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.java --- @@ -0,0 +1,339 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.oidc; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.util.DefaultResourceRetriever; +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.jwt.JWT; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenErrorResponse; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.TokenResponse; +import com.nimbusds.oauth2.sdk.auth.ClientAuthentication; +import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.ClientSecretPost; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import com.nimbusds.openid.connect.sdk.OIDCScopeValue; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser; +import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import net.minidev.json.JSONObject; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.util.FormatUtils; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.jwt.JwtService; +import org.apache.nifi.web.security.token.LoginAuthenticationToken; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.URL; +import java.util.Calendar; +import java.util.Date; +import java.util.List; +import java.util.concurrent.TimeUnit; + +import static com.nimbusds.openid.connect.sdk.claims.UserInfo.EMAIL_CLAIM_NAME; + +/** + * OidcProvider for managing the OpenId Connect Authorization flow. + */ +public class StandardOidcIdentityProvider implements OidcIdentityProvider { + + private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class); + + private NiFiProperties properties; + private JwtService jwtService; + private OIDCProviderMetadata oidcProviderMetadata; + private int oidcConnectTimeout; + private int oidcReadTimeout; + private IDTokenValidator tokenValidator; + private ClientID clientId; + private Secret clientSecret; + + /** + * Creates a new StandardOidcIdentityProvider. + * + * @param jwtService jwt service + * @param properties properties + */ + public StandardOidcIdentityProvider(final JwtService jwtService, final NiFiProperties properties) { + this.properties = properties; + this.jwtService = jwtService; + + // attempt to process the oidc configuration if configured + if (properties.isOidcEnabled()) { + // oidc connect timeout + final String rawConnectTimeout = properties.getOidcConnectTimeout(); + try { + oidcConnectTimeout = (int) FormatUtils.getTimeDuration(rawConnectTimeout, TimeUnit.MILLISECONDS); + } catch (final Exception e) { + logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'", + NiFiProperties.SECURITY_USER_OIDC_CONNECT_TIMEOUT, rawConnectTimeout, NiFiProperties.DEFAULT_SECURITY_USER_OIDC_CONNECT_TIMEOUT); + oidcConnectTimeout = (int) FormatUtils.getTimeDuration(NiFiProperties.DEFAULT_SECURITY_USER_OIDC_CONNECT_TIMEOUT, TimeUnit.MILLISECONDS); + } + + // oidc read timeout + final String rawReadTimeout = properties.getOidcReadTimeout(); + try { + oidcReadTimeout = (int) FormatUtils.getTimeDuration(rawReadTimeout, TimeUnit.MILLISECONDS); + } catch (final Exception e) { + logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'", + NiFiProperties.SECURITY_USER_OIDC_READ_TIMEOUT, rawReadTimeout, NiFiProperties.DEFAULT_SECURITY_USER_OIDC_READ_TIMEOUT); + oidcReadTimeout = (int) FormatUtils.getTimeDuration(NiFiProperties.DEFAULT_SECURITY_USER_OIDC_READ_TIMEOUT, TimeUnit.MILLISECONDS); + } + + // client id + final String rawClientId = properties.getOidcClientId(); + if (StringUtils.isBlank(rawClientId)) { + throw new RuntimeException("Client ID is required when configuring an OIDC Provider."); + } + clientId = new ClientID(rawClientId); + + // client secret + final String rawClientSecret = properties.getOidcClientSecret(); + if (StringUtils.isBlank(rawClientSecret)) { + throw new RuntimeException("Client secret is required when configured an OIDC Provider."); + } + clientSecret = new Secret(rawClientSecret); + + try { + // retrieve the oidc provider metadata + oidcProviderMetadata = retrieveOidcProviderMetadata(properties.getOidcDiscoveryUrl()); + } catch (IOException | ParseException e) { + throw new RuntimeException("Unable to retrieve OpenId Connect Provider metadata from: " + properties.getOidcDiscoveryUrl(), e); + } + + // ensure the oidc provider supports basic or post client auth + final List clientAuthenticationMethods = oidcProviderMetadata.getTokenEndpointAuthMethods(); + if (clientAuthenticationMethods == null + || (!clientAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) + && !clientAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_POST))) { + + throw new RuntimeException(String.format("OpenId Connect Provider does not support %s or %s", + ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue(), + ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue())); + } + + // extract the supported json web signature algorithms + final List allowedAlgorithms = oidcProviderMetadata.getIDTokenJWSAlgs(); + if (allowedAlgorithms == null || allowedAlgorithms.isEmpty()) { + throw new RuntimeException("The OpenId Connect Provider does not support any JWS algorithms."); + } + + try { + // get the preferred json web signature algorithm + final String rawPreferredJwsAlgorithm = properties.getOidcPreferredJwsAlgorithm(); + + final JWSAlgorithm preferredJwsAlgorithm; + if (StringUtils.isBlank(rawPreferredJwsAlgorithm)) { + preferredJwsAlgorithm = oidcProviderMetadata.getIDTokenJWSAlgs().get(0); + } else { + if ("none".equals(rawPreferredJwsAlgorithm)) { + preferredJwsAlgorithm = null; + } else { + preferredJwsAlgorithm = JWSAlgorithm.parse(rawPreferredJwsAlgorithm); + } + } + + if (preferredJwsAlgorithm == null) { + tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId); + } else if (JWSAlgorithm.HS256.equals(preferredJwsAlgorithm) || JWSAlgorithm.HS384.equals(preferredJwsAlgorithm) || JWSAlgorithm.HS512.equals(preferredJwsAlgorithm)) { + tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, clientSecret); + } else { + final ResourceRetriever retriever = new DefaultResourceRetriever(oidcConnectTimeout, oidcReadTimeout); + tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, oidcProviderMetadata.getJWKSetURI().toURL(), retriever); + } + } catch (final Exception e) { + throw new RuntimeException("Unable to create the ID token validator for the configured OpenId Connect Provider: " + e.getMessage(), e); + } + } + } + + private OIDCProviderMetadata retrieveOidcProviderMetadata(final String discoveryUri) throws IOException, ParseException { + final URL url = new URL(discoveryUri); + final HTTPRequest httpRequest = new HTTPRequest(HTTPRequest.Method.GET, url); + httpRequest.setConnectTimeout(oidcConnectTimeout); + httpRequest.setReadTimeout(oidcReadTimeout); + + final HTTPResponse httpResponse = httpRequest.send(); + + if (httpResponse.getStatusCode() != 200) { + throw new IOException("Unable to download OpenId Connect Provider metadata from " + url + ": Status code " + httpResponse.getStatusCode()); + } + + final JSONObject jsonObject = httpResponse.getContentAsJSONObject(); + return OIDCProviderMetadata.parse(jsonObject); + } + + @Override + public boolean isOidcEnabled() { + return properties.isOidcEnabled(); + } + + @Override + public URI getAuthorizationEndpoint() { + if (!isOidcEnabled()) { + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); + } + + return oidcProviderMetadata.getAuthorizationEndpointURI(); + } + + @Override + public Scope getScope() { + if (!isOidcEnabled()) { + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); + } + + final Scope scope = new Scope("openid"); + + // if this provider supports email scope, include it to prevent a subsequent request to the user endpoint + if (oidcProviderMetadata.getScopes() != null && oidcProviderMetadata.getScopes().contains(OIDCScopeValue.EMAIL)) { + scope.add("email"); + } + return scope; + } + + @Override + public ClientID getClientId() { + if (!isOidcEnabled()) { + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); + } + + return clientId; + } + + @Override + public String exchangeAuthorizationCode(final AuthorizationGrant authorizationGrant) throws IOException { + if (!isOidcEnabled()) { + throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED); + } + + final ClientAuthentication clientAuthentication; + if (oidcProviderMetadata.getTokenEndpointAuthMethods().contains(ClientAuthenticationMethod.CLIENT_SECRET_POST)) { + clientAuthentication = new ClientSecretPost(clientId, clientSecret); + } else { + clientAuthentication = new ClientSecretBasic(clientId, clientSecret); + } + + try { + // build the token request + final TokenRequest request = new TokenRequest(oidcProviderMetadata.getTokenEndpointURI(), clientAuthentication, authorizationGrant, getScope()); + final HTTPRequest tokenHttpRequest = request.toHTTPRequest(); + tokenHttpRequest.setConnectTimeout(oidcConnectTimeout); + tokenHttpRequest.setReadTimeout(oidcReadTimeout); + + // get the token response + final TokenResponse response = OIDCTokenResponseParser.parse(tokenHttpRequest.send()); + + if (response.indicatesSuccess()) { + final OIDCTokenResponse oidcTokenResponse = (OIDCTokenResponse) response; + final OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens(); + final JWT oidcJwt = oidcTokens.getIDToken(); + + // validate the token - no nonce required for authorization code flow + final IDTokenClaimsSet claimsSet = tokenValidator.validate(oidcJwt, null); + + // attempt to extract the email from the id token if possible + String email = claimsSet.getStringClaim(EMAIL_CLAIM_NAME); + if (email == null) { + // extract the bearer access token + final BearerAccessToken bearerAccessToken = oidcTokens.getBearerAccessToken(); + if (bearerAccessToken == null) { + throw new IllegalStateException("No access token found in the ID tokens"); + } + + // invoke the UserInfo endpoint + email = lookupEmail(bearerAccessToken); --- End diff -- Great question. I don't know the what an enterprise would want to use instead. Maybe an enhancement request at a later date? > Add OpenId Connect support for authenticating users > --------------------------------------------------- > > Key: NIFI-4210 > URL: https://issues.apache.org/jira/browse/NIFI-4210 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework, Core UI > Reporter: Matt Gilman > Assignee: Matt Gilman > > Add support for authenticating users with the OpenId Connection specification. Evaluate whether a new extension point is necessary to allow for a given provider to supply custom code for instance to implement custom token validation. -- This message was sent by Atlassian JIRA (v6.4.14#64029)