Class AbstractAuthentication

java.lang.Object
io.camunda.identity.sdk.authentication.AbstractAuthentication
All Implemented Interfaces:
Authentication
Direct Known Subclasses:
Auth0Authentication, GenericAuthentication

public abstract class AbstractAuthentication extends Object implements Authentication
The Authentication class provides functionality to authenticate a user with Identity and verify access tokens.
  • Field Details

  • Constructor Details

  • Method Details

    • isAvailable

      public boolean isAvailable()
      Description copied from interface: Authentication
      Returns true or false, indicating whether authentication is available.
      Specified by:
      isAvailable in interface Authentication
      Returns:
      the availability of authentication
    • requestToken

      public Tokens requestToken(String audience)
      Requests a client token from the cache if available. If no token is found with the required audience, a new token will be requested from the authentication provider and stored.
      Specified by:
      requestToken in interface Authentication
      Parameters:
      audience - the audience of the resource server
      Returns:
      the tokens
      Throws:
      IdentityException - in case of a failure
    • decodeJWT

      public com.auth0.jwt.interfaces.DecodedJWT decodeJWT(String token)
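      Decodes a token without validating it. Can be used to read the token's data; because no validation is performed, the decoded claims must not be trusted for authorization decisions.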
      Specified by:
      decodeJWT in interface Authentication
      Parameters:
      token - token in JWT format
      Returns:
      decoded token
      Throws:
      TokenDecodeException - the token can not be decoded
    • verifyTokenIgnoringAudience

      public AccessToken verifyTokenIgnoringAudience(String token)
      Description copied from interface: Authentication
      Verifies the validity of the passed token without checking its audience. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      Specified by:
      verifyTokenIgnoringAudience in interface Authentication
      Parameters:
      token - the token
      Returns:
      the decoded jwt
    • singleSignOut

      public Optional<URI> singleSignOut(String refreshToken, String callbackUrl)
      Logs out from the Identity backend. Depending on the configuration, one of these cases applies:
      1. The refresh token is not empty and the OAuth Provider (OP) has provided a revoke endpoint: the token is revoked (see Authentication.revokeToken(java.lang.String)) and the method returns an empty Optional.
      2. An end-session endpoint is available: the logout URL is returned and the client should handle the redirection.
      3. Otherwise, this method throws an exception.
      Specified by:
      singleSignOut in interface Authentication
      Parameters:
      refreshToken - refresh token used for the request
      callbackUrl - the URL to redirect to post-SSO if supported by SSO provider
      Throws:
      IdentityException - if token revocation has failed or neither revoke
      org.apache.commons.lang3.NotImplementedException - if case 3 happens
    • verifyToken

      public AccessToken verifyToken(String token)
      Verifies the validity of the passed token. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      verifyToken in interface Authentication
      Parameters:
      token - the token
      Returns:
      the decoded jwt
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • verifyToken

      public AccessToken verifyToken(String token, String organizationId)
      Verifies the validity of the passed token and organisation. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      verifyToken in interface Authentication
      Parameters:
      token - the token
      organizationId - the organisation of the token
      Returns:
      the decoded jwt
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • verifyToken

      protected AccessToken verifyToken(String token, String audience, String organizationId)
      Verifies the validity of the passed token. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches provided audience
      Parameters:
      token - the token
      audience - token's aud claim must match provided audience
      Returns:
      the decoded jwt
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • singleSignOutUriBuilder

      protected SingleSignOutUriBuilder singleSignOutUriBuilder()
    • generateSingleSignOutUri

      protected URI generateSingleSignOutUri(String callbackUrl)
    • getUserDetails

      protected UserDetails getUserDetails(com.auth0.jwt.interfaces.DecodedJWT token, String organizationId)
    • verifyAndDecode

      public com.auth0.jwt.interfaces.DecodedJWT verifyAndDecode(String token, String audience)
      Specified by:
      verifyAndDecode in interface Authentication
    • getPermissions

      public List<String> getPermissions(String token)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and returns the permissions assigned to it. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getPermissions in interface Authentication
      Parameters:
      token - the token
      Returns:
      list of permissions assigned to the token
    • getPermissions

      public List<String> getPermissions(String token, String audience)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and audience and returns the permissions assigned to it. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getPermissions in interface Authentication
      Parameters:
      token - the token
      audience - the audience
      Returns:
      list of permissions assigned to the token
    • getPermissions

      protected abstract List<String> getPermissions(com.auth0.jwt.interfaces.DecodedJWT token, String audience)
    • getGroups

      public List<String> getGroups(String token)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and returns the groups assigned to it. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getGroups in interface Authentication
      Parameters:
      token - the token
      Returns:
      list of groups assigned to the token
    • getGroups

      public List<String> getGroups(String token, String audience)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and audience and returns the groups assigned to it. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getGroups in interface Authentication
      Parameters:
      token - the token
      audience - the audience
      Returns:
      list of groups assigned to the token
    • getGroupsInOrganization

      public List<String> getGroupsInOrganization(String token, String organization)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and returns the groups assigned to it within the organization. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getGroupsInOrganization in interface Authentication
      Parameters:
      token - the token
      organization - the organization
      Returns:
      list of groups assigned to the token within the organization. If organization is null, it returns groups that have no organization assigned to them.
    • getGroupsInOrganization

      public List<String> getGroupsInOrganization(String token, String audience, String organization)
      Description copied from interface: Authentication
      Verifies the validity of the passed token and audience and returns the groups assigned to it within the organization. The following checks are performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Specified by:
      getGroupsInOrganization in interface Authentication
      Parameters:
      token - the token
      audience - the audience
      organization - the organization
      Returns:
      list of groups assigned to the token within the organization. If organization is null, it returns groups that have no organization assigned to them.
    • getGroupsInOrganization

      protected List<String> getGroupsInOrganization(com.auth0.jwt.interfaces.DecodedJWT token, String organizationId)
    • jwkProvider

      protected abstract com.auth0.jwk.JwkProvider jwkProvider()
    • wellKnownConfiguration

      protected abstract WellKnownConfiguration wellKnownConfiguration()
    • requestFreshToken

      protected abstract Tokens requestFreshToken(String audience)
    • isRevokeAvailable

      protected abstract boolean isRevokeAvailable()
    • isSingleSignOutAvailable

      protected abstract boolean isSingleSignOutAvailable()
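
The difference between decodeJWT (no validation) and the verifyToken checks (signature, expiry, aud claim), shown as an added example that is not part of this SDK's code. It calls the com.auth0.jwt library directly rather than the Identity SDK; the HMAC secret, subjects and audience names are constructed for the demo, whereas the SDK resolves keys through jwkProvider().

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;

public class DecodeVersusVerify {

    /** Returns "accepted" or the reason the verifier rejected the token. */
    static String check(Algorithm alg, String audience, String token) {
        try {
            JWT.require(alg).withAudience(audience).build().verify(token);
            return "accepted";
        } catch (JWTVerificationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed demo secret; a real deployment verifies against the provider's JWKs.
        Algorithm alg = Algorithm.HMAC256("constructed-demo-secret");
        String genuine = JWT.create()
                .withSubject("alice")
                .withAudience("orders-api")
                .withExpiresAt(new Date(System.currentTimeMillis() + 60_000))
                .sign(alg);

        // Same header and signature, but the payload now names a different subject.
        String[] parts = genuine.split("\\.");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8)
                .replace("alice", "admin");
        String altered = parts[0] + "."
                + Base64.getUrlEncoder().withoutPadding()
                        .encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + parts[2];

        // Decoding alone parses the altered token and returns its claims without complaint.
        DecodedJWT decoded = JWT.decode(altered);
        System.out.println("decode only, subject = " + decoded.getSubject());

        // Verification checks signature, expiry and audience before any claim is used.
        System.out.println("altered token:  " + check(alg, "orders-api", altered));
        System.out.println("wrong audience: " + check(alg, "billing-api", genuine));
        System.out.println("genuine token:  " + check(alg, "orders-api", genuine));
    }
}
```

Only the last call is accepted. Claims read through a decode-only path are suitable for logging or routing, not for access decisions.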