@Target(value={TYPE,METHOD})
@Retention(value=RUNTIME)
public @interface OpenIdAuthenticationMechanismDefinition
Attributes on this annotation make up the OpenID connect client configuration. Expression Language
expressions in attributes of type String
are evaluated.
It can make use of the user endpoint for retrieving claims about the user.
Note that in the OpenID terminology the authentication mechanism becomes a "Relying Party" (RP) that redirects the "End-User" (caller) to an "OpenId Connect Provider" (Identity Provider). Authentication takes place between the user and the Identity Provider, where the result of this authentication is communicated back to the authentication mechanism.
This is depicted in the following non-normative diagram:
+--------+ +--------+ | | | | | |---------------(1) Authentication Request------------->| | | | | | | | +--------+ | | | | | End- |<--(2) Authenticates the End-User---->| | | RP | | User | | OP | | | +--------+ | | | | | | | |<---------(3) Returns Authorization code---------------| | | | | | | |---------(3b) | | | | | Redirect to original resource (if any) | | | |<----------+ | | | | | | | |------------------------------------------------------>| | | | (4) Request to TokenEndpoint for Access / Id Token | | | OpenId |<------------------------------------------------------| OpenId | | Connect| | Connect| | Client | ----------------------------------------------------->|Provider| | | (5) Fetch JWKS to validate ID Token | | | |<------------------------------------------------------| | | | | | | |------------------------------------------------------>| | | | (6) Request to UserInfoEndpoint for End-User Claims | | | |<------------------------------------------------------| | | | | | +--------+ +--------+
Because of the way this authentication mechanism and protocol works, there is no
requirement to explicitly define an identity store. However, the authentication
mechanism MUST validate the token received from the "TokenEndpoint" by calling
the IdentityStoreHandler
. This allows for extra identity stores and/or
a custom IdentityStoreHandler to participate in the final authentication result
(e.g. adding extra groups).
https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
,
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
Modifier and Type | Optional Element and Description |
---|---|
ClaimsDefinition |
claimsDefinition
Optional.
|
java.lang.String |
clientId
Required.
|
java.lang.String |
clientSecret
Required.
|
DisplayType |
display
Optional.
|
java.lang.String |
displayExpression
Optional.
|
java.lang.String[] |
extraParameters
An array of extra options that will be sent to the OAuth provider.
|
java.lang.String |
extraParametersExpression
Allows the extra parameters to be defined as a Jakarta Expression Language expression.
|
int |
jwksConnectTimeout
Optional.
|
java.lang.String |
jwksConnectTimeoutExpression
Optional.
|
int |
jwksReadTimeout
Optional.
|
java.lang.String |
jwksReadTimeoutExpression
Optional.
|
LogoutDefinition |
logout
Optional.
|
PromptType[] |
prompt
Optional.
|
java.lang.String |
promptExpression
Optional.
|
OpenIdProviderMetadata |
providerMetadata
To override the openid connect provider's metadata property discovered
via providerUri.
|
java.lang.String |
providerURI
Required, unless providerMetadata is specified.
|
boolean |
redirectToOriginalResource
Optional.
|
java.lang.String |
redirectToOriginalResourceExpression
Optional.
|
java.lang.String |
redirectURI
The redirect URI (callback URI) to which the response will be sent by the OpenId
Connect Provider.
|
java.lang.String |
responseMode
Optional.
|
java.lang.String |
responseType
Optional.
|
java.lang.String[] |
scope
Optional.
|
java.lang.String |
scopeExpression
Optional.
|
boolean |
tokenAutoRefresh
Optional.
|
java.lang.String |
tokenAutoRefreshExpression
Optional.
|
int |
tokenMinValidity
Optional.
|
java.lang.String |
tokenMinValidityExpression
Optional.
|
boolean |
useNonce
Optional.
|
java.lang.String |
useNonceExpression
Optional.
|
boolean |
useSession
Optional.
|
java.lang.String |
useSessionExpression
Optional.
|
public abstract java.lang.String providerURI
http://openid.net/specs/openid-connect-discovery-1_0.html
public abstract OpenIdProviderMetadata providerMetadata
public abstract java.lang.String clientId
public abstract java.lang.String clientSecret
Note that it is strongly recommended to set this using an Expression so that the value is not hardcoded within the code.
public abstract ClaimsDefinition claimsDefinition
public abstract LogoutDefinition logout
public abstract java.lang.String redirectURI
public abstract boolean redirectToOriginalResource
redirectURI
attribute
to the resource the end-user originally requested in a "login to continue"
scenario.
After arriving at the original requested resource, the runtime restores
the request as it originally happened, including cookies, headers, the
request method and the request parameters in the same way as done when
using the LoginToContinue
feature.
public abstract java.lang.String redirectToOriginalResourceExpression
redirectToOriginalResource
to be specified as
Jakarta Expression Language expression.
If set, overrides the value defined by the redirectToOriginalResource
value.public abstract java.lang.String[] scope
public abstract java.lang.String scopeExpression
public abstract java.lang.String responseType
public abstract java.lang.String responseMode
public abstract PromptType[] prompt
public abstract java.lang.String promptExpression
public abstract DisplayType display
public abstract java.lang.String displayExpression
public abstract boolean useNonce
public abstract java.lang.String useNonceExpression
public abstract boolean useSession
public abstract java.lang.String useSessionExpression
public abstract java.lang.String[] extraParameters
These must be in the form of "key=value"
i.e.
extraParameters={"key1=value", "key2=value2"}
public abstract java.lang.String extraParametersExpression
public abstract int jwksConnectTimeout
public abstract java.lang.String jwksConnectTimeoutExpression
public abstract int jwksReadTimeout
public abstract java.lang.String jwksReadTimeoutExpression
public abstract boolean tokenAutoRefresh
true
, if Access and Refresh Token shall be refreshed
automatically when they are expired.public abstract java.lang.String tokenAutoRefreshExpression
public abstract int tokenMinValidity
public abstract java.lang.String tokenMinValidityExpression