org.gcube.common.iam

Class D4ScienceIAMClient

java.lang.Object

org.gcube.common.iam.D4ScienceIAMClient

public class D4ScienceIAMClient
extends Object

Helper class that acts as IAM client providing authentication and authorization using the IAM hiding the underlying implementation

Author:

Mauro Mugnaini (Nubisware S.r.l.)

Field Summary

Fields

Modifier and Type	Field and Description
protected static org.slf4j.Logger	logger Logger instance for this class
static boolean	USE_DYNAMIC_SCOPES Flag to enable/disable dynamic scopes functionality

Method Summary

Modifier and Type	Method and Description
D4ScienceIAMClientAuthn	authenticate(String clientId, String clientSecret) Authenticates the client with provided id and secret
D4ScienceIAMClientAuthn	authenticate(String clientId, String clientSecret, String context) Authenticates the client with provided credentials, reducing the token audience to the requested `context`
D4ScienceIAMClientAuthn	authenticateUser(String username, String password) Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)
D4ScienceIAMClientAuthn	authenticateUser(String username, String password, String context) Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)
D4ScienceIAMClientAuthn	authenticateUser(String clientId, String clientSecret, String username, String password) Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)
D4ScienceIAMClientAuthn	authenticateUser(String clientId, String clientSecret, String username, String password, String context) Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)
D4ScienceIAMClientAuthz	authorize(String clientId, String clientSecret, String context) Directly authorizes the client by using the provided credentials, for the specific context audience and with no optional permissions
D4ScienceIAMClientAuthz	authorize(String clientId, String clientSecret, String context, List<String> permissions) Directly authorizes the client by using the provided credentials, for the specific context audience and with optional permissions
protected org.gcube.common.keycloak.KeycloakClient	getKeycloakClient() Returns the underlying Keycloak client instance.
URL	getRealmBaseURL() Returns the base URL of the realm.
boolean	isTokenValid(String token) Checks if the token is valid (signature and expiration).
boolean	isTokenValid(String token, boolean checkExpiration) Checks if the token is valid and optionally checks for expiration.
static D4ScienceIAMClient	newInstance(String contextInfra) Creates a new client for the specific context, in the default IAM realm.
static D4ScienceIAMClient	newInstance(String contextInfra, String realm) Creates a new client for the specific context, in the default realm.
static D4ScienceIAMClient	newInstance(URL realmBaseURL) Creates a new client with the provided base URL.
static void	setDefaultGatewayClientID(String gatewayClientId) Sets the new default GW clientId used for all the queries to the IAM server.
void	verifyToken(String token) Verifies the token signature and also checks the expiration.
void	verifyToken(String token, boolean checkExpiration) Verifies the token signature and optionally checks for expiration.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected static org.slf4j.Logger logger

Logger instance for this class

USE_DYNAMIC_SCOPES

public static boolean USE_DYNAMIC_SCOPES

Flag to enable/disable dynamic scopes functionality

Method Detail

setDefaultGatewayClientID

public static void setDefaultGatewayClientID(String gatewayClientId)

Sets the new default GW clientId used for all the queries to the IAM server. Note: The operation will logged as WARN to be visible.

Parameters:

gatewayClientId - the new GW clientId

newInstance

public static D4ScienceIAMClient newInstance(String contextInfra)
                                      throws D4ScienceIAMClientException

Creates a new client for the specific context, in the default IAM realm.

Parameters:

contextInfra - the context to be used to obtain the base URL of the infrastructure

Returns:

the client to be used for authn and authz requests

Throws:

D4ScienceIAMClientException - if an error occurs obtaining the base URL

newInstance

public static D4ScienceIAMClient newInstance(String contextInfra,
                                             String realm)
                                      throws D4ScienceIAMClientException

Creates a new client for the specific context, in the default realm.

Parameters:

contextInfra - the context to be used to obtain the base URL of the infrastructure

realm - the IAM realm

Returns:

the client to be used for authn and authz requests

Throws:

D4ScienceIAMClientException - if an error occurs obtaining the base URL

newInstance

public static D4ScienceIAMClient newInstance(URL realmBaseURL)

Creates a new client with the provided base URL.

Parameters:

realmBaseURL - the realm base URL

Returns:

the client to be used for authn and authz requests

getKeycloakClient

protected org.gcube.common.keycloak.KeycloakClient getKeycloakClient()

Returns the underlying Keycloak client instance.

Returns:

the Keycloak client

getRealmBaseURL

public URL getRealmBaseURL()

Returns the base URL of the realm.

Returns:

the realm base URL

authenticate

public D4ScienceIAMClientAuthn authenticate(String clientId,
                                            String clientSecret)
                                     throws D4ScienceIAMClientException

Authenticates the client with provided id and secret

Parameters:

clientId - the client id

clientSecret - the client secret

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authenticate

public D4ScienceIAMClientAuthn authenticate(String clientId,
                                            String clientSecret,
                                            String context)
                                     throws D4ScienceIAMClientException

Authenticates the client with provided credentials, reducing the token audience to the requested `context`

Parameters:

clientId - the client id

clientSecret - the client secret

context - the requested token context audience (e.g. a specific context or another client)

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authenticateUser

public D4ScienceIAMClientAuthn authenticateUser(String username,
                                                String password)
                                         throws D4ScienceIAMClientException

Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)

Authenticates the user with provided username and password by using the default clientId.

Parameters:

username - the user's username

password - the user's password

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authenticateUser

public D4ScienceIAMClientAuthn authenticateUser(String username,
                                                String password,
                                                String context)
                                         throws D4ScienceIAMClientException

Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)

Authenticates the user with provided username and password by using the default clientId.

Parameters:

username - the user's username

password - the user's password

context - the requested token context audience (e.g. a specific context or another client)

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authenticateUser

public D4ScienceIAMClientAuthn authenticateUser(String clientId,
                                                String clientSecret,
                                                String username,
                                                String password)
                                         throws D4ScienceIAMClientException

Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)

Authenticates the user with provided username and password

Parameters:

clientId - the client id

clientSecret - the client secret

username - the user's username

password - the user's password

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authenticateUser

public D4ScienceIAMClientAuthn authenticateUser(String clientId,
                                                String clientSecret,
                                                String username,
                                                String password,
                                                String context)
                                         throws D4ScienceIAMClientException

Deprecated. this authn method is deprecated in the oauth2 specifications (see https://oauth.net/2/grant-types/password/)

Authenticates the user with provided credentials, reducing the token audience to the requested `context`.

Parameters:

clientId - the client id

clientSecret - the client secret

username - the user's username

password - the user's password

context - the requested token context audience (e.g. a specific context or another client)

Returns:

the authn object

Throws:

D4ScienceIAMClientException - if an error occurs during authn process

authorize

public D4ScienceIAMClientAuthz authorize(String clientId,
                                         String clientSecret,
                                         String context)
                                  throws D4ScienceIAMClientException

Directly authorizes the client by using the provided credentials, for the specific context audience and with no optional permissions

Parameters:

clientId - the client id

clientSecret - the client secret

context - the requested token context audience (e.g. a specific context or another client)

Returns:

the authz object

Throws:

D4ScienceIAMClientException - if an error occurs during authz process

authorize

public D4ScienceIAMClientAuthz authorize(String clientId,
                                         String clientSecret,
                                         String context,
                                         List<String> permissions)
                                  throws D4ScienceIAMClientException

Directly authorizes the client by using the provided credentials, for the specific context audience and with optional permissions

Parameters:

clientId - the client id

clientSecret - the client secret

context - the requested token context audience (e.g. a specific context or another client)

permissions - the optional permissions

Returns:

the authz object

Throws:

D4ScienceIAMClientException - if an error occurs during authz process

verifyToken

public void verifyToken(String token)
                 throws org.gcube.io.jsonwebtoken.security.SignatureException,
                        org.gcube.io.jsonwebtoken.ExpiredJwtException,
                        org.gcube.io.jsonwebtoken.JwtException,
                        Exception

Verifies the token signature and also checks the expiration.

Parameters:

token - the base64 JWT token string

Throws:

org.gcube.io.jsonwebtoken.security.SignatureException - if the token signature is invalid

org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token is expired

org.gcube.io.jsonwebtoken.JwtException - if another JWT related problem is found

Exception - if an unexpected error occurs (e.g. constructing the verifier)

verifyToken

public void verifyToken(String token,
                        boolean checkExpiration)
                 throws org.gcube.io.jsonwebtoken.security.SignatureException,
                        org.gcube.io.jsonwebtoken.ExpiredJwtException,
                        org.gcube.io.jsonwebtoken.JwtException,
                        Exception

Verifies the token signature and optionally checks for expiration.

Parameters:

token - the base64 JWT token string

checkExpiration - flag to enable/disable expiration check

Throws:

org.gcube.io.jsonwebtoken.security.SignatureException - if the token signature is invalid

org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token is expired

org.gcube.io.jsonwebtoken.JwtException - if another JWT related problem is found

Exception - if an unexpected error occurs (e.g. constructing the verifier)

isTokenValid

public boolean isTokenValid(String token)
                     throws D4ScienceIAMClientException

Checks if the token is valid (signature and expiration).

Parameters:

token - the base64 JWT token string

Returns:

true if the token is valid, false otherwise

Throws:

D4ScienceIAMClientException - if an error occurs during the verification process

isTokenValid

public boolean isTokenValid(String token,
                            boolean checkExpiration)
                     throws D4ScienceIAMClientException

Checks if the token is valid and optionally checks for expiration.

Parameters:

token - the base64 JWT token string

checkExpiration -

Returns:

true if the token is valid, false otherwise

Throws:

D4ScienceIAMClientException - if an error occurs during the verification process