Interface Authentication

All Known Implementing Classes:
AbstractAuthentication, Auth0Authentication, GenericAuthentication, KeycloakAuthentication, MicrosoftAuthentication

public interface Authentication
The Authentication interface provides functionality to authenticate a user with Identity and verify access tokens.
  • Method Details

    • create

      static Authentication create(IdentityConfiguration configuration)
      Factory function to create a new authentication instance
      Parameters:
      configuration - Identity configuration
      Returns:
      Authentication instance
    • isAvailable

      boolean isAvailable()
      Returns true if authentication is available, false otherwise.
      Returns:
      the availability of authentication
    • authorizeUriBuilder

      AuthorizeUriBuilder authorizeUriBuilder(String redirectUri)
      Returns a new authorize URI builder. It is used to build the authorize URI for user authentication.
      Parameters:
      redirectUri - the redirect uri
      Returns:
      the authorize uri builder
    • exchangeAuthCode

      Tokens exchangeAuthCode(AuthCodeDto authCodeDto, String redirectUri) throws CodeExchangeException
      Exchanges the provided auth code for access tokens. The redirect URI argument must match the redirect URI that was used to build the authorize URI.
      Parameters:
      authCodeDto - the auth code dto
      redirectUri - the redirect uri
      Returns:
      the tokens
      Throws:
      CodeExchangeException - if code exchange fails
    • renewToken

      Tokens renewToken(String refreshToken)
      Exchanges the provided refresh token for access tokens.
      Parameters:
      refreshToken - refresh token used for the request
      Returns:
      the tokens
      Throws:
      IdentityException - if token renewal has failed
    • revokeToken

      void revokeToken(String refreshToken)
      Logs out from the Identity backend. This will invalidate the given refresh token and refresh tokens issued for other applications during the same session. The user's session or access token still has to be deleted by the client application.
      Parameters:
      refreshToken - refresh token used for the request
      Throws:
      IdentityException - if token revocation has failed
    • singleSignOut

      Optional<URI> singleSignOut(String refreshToken, String callbackUrl)
      Logs out from the Identity backend. Depending on the configuration, one of these cases applies:
      1. The refresh token is not empty and the OP has provided a revoke endpoint: the token is revoked as in revokeToken(java.lang.String), and the method returns an empty Optional.
      2. An end-session endpoint is available: the URL for logout is returned and the client should handle the redirection.
      3. Otherwise, this method throws an exception.
      Parameters:
      refreshToken - refresh token used for the request
      callbackUrl - the URL to redirect to post-SSO if supported by SSO provider
      Throws:
      IdentityException - if token revocation has failed or neither revoke
      org.apache.commons.lang3.NotImplementedException - if case 3 happens
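
The three singleSignOut cases handled in one place, as an added example that is not part of the SDK or of this page. `LogoutHandler` and the `clearLocalSession` callback are hypothetical, and the import package for `Authentication` is an assumption because this page does not show it.

```java
import io.camunda.identity.sdk.authentication.Authentication; // assumed package; not shown on this page
import java.net.URI;
import java.util.Optional;
import org.apache.commons.lang3.NotImplementedException;

/** Hypothetical helper (not part of the SDK) wrapping singleSignOut. */
public final class LogoutHandler {

  private final Authentication authentication;

  public LogoutHandler(Authentication authentication) {
    this.authentication = authentication;
  }

  /**
   * @param clearLocalSession hypothetical callback that deletes the application's
   *     own session and stored access token
   * @return the end-session URL the browser must be redirected to, or empty
   *     when no redirect is needed
   */
  public Optional<URI> logout(String refreshToken, String callbackUrl, Runnable clearLocalSession) {
    try {
      // Case 1: the refresh token was revoked at the provider; empty Optional.
      // Case 2: an end-session URL is returned; the caller must redirect to it.
      return authentication.singleSignOut(refreshToken, callbackUrl);
    } catch (NotImplementedException e) {
      // Case 3: neither endpoint is offered; only the local logout remains.
      return Optional.empty();
    } finally {
      // The SDK never deletes the client's own session, so this runs on
      // success, in case 3, and when an IdentityException propagates.
      clearLocalSession.run();
    }
  }
}
```

Take `callbackUrl` from application configuration rather than from a request parameter, so the post-logout redirect target stays under the application's control.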
    • requestToken

      Tokens requestToken(String audience)
      Requests a client token from the cache if available. If no token is found with the required audience, a new token will be requested from the authentication provider and stored.
      Parameters:
      audience - the audience of the resource server
      Returns:
      the tokens
      Throws:
      IdentityException - in case of a failure
    • decodeJWT

      com.auth0.jwt.interfaces.DecodedJWT decodeJWT(String token)
      Decodes a token. Can be used to access the token's data without validation.
      Parameters:
      token - token in JWT format
      Returns:
      decoded token
      Throws:
      TokenDecodeException - the token can not be decoded
    • verifyToken

      AccessToken verifyToken(String token)
      Verifies the validity of the passed token. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      Returns:
      the decoded JWT
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • verifyToken

      AccessToken verifyToken(String token, String organizationId)
      Verifies the validity of the passed token and organisation. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      organizationId - the organisation of the token
      Returns:
      the decoded JWT
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • verifyTokenIgnoringAudience

      AccessToken verifyTokenIgnoringAudience(String token)
      Verifies the validity of the passed token. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      Parameters:
      token - the token
      Returns:
      the decoded JWT
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • isM2MToken

      boolean isM2MToken(String token)
      Checks if the token passed in is considered an M2M token.
      Parameters:
      token - the token
      Returns:
      true if the token is an M2M token, else false
    • getClientId

      String getClientId(String token)
      Gets the client ID associated with the token.
      Parameters:
      token - the token
      Returns:
      the client ID
    • verifyAndDecode

      com.auth0.jwt.interfaces.DecodedJWT verifyAndDecode(String token, String audience)
    • getAssignedOrganizations

      Map<String,Set<String>> getAssignedOrganizations(com.auth0.jwt.interfaces.DecodedJWT token)
    • getPermissions

      List<String> getPermissions(String token)
      Verifies the validity of the passed token and returns the permissions assigned to it. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      Returns:
      list of permissions assigned to the token
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
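
An authorization check built on getPermissions(String), which verifies the token before returning claims, in contrast to decodeJWT, which does not validate. This is an added example, not code from the SDK or from this page: `PermissionGate` and its `Decision` enum are hypothetical, and the import package for `Authentication` is an assumption because this page does not show it.

```java
import io.camunda.identity.sdk.authentication.Authentication; // assumed package; not shown on this page
import java.util.List;

/** Hypothetical helper (not part of the SDK): decides whether a request may proceed. */
public final class PermissionGate {

  public enum Decision { ALLOW, UNAUTHENTICATED, FORBIDDEN }

  private static final String SCHEME = "Bearer ";

  private final Authentication authentication;
  private final String requiredPermission;

  public PermissionGate(Authentication authentication, String requiredPermission) {
    this.authentication = authentication;
    this.requiredPermission = requiredPermission;
  }

  public Decision check(String authorizationHeader) {
    String token = bearerToken(authorizationHeader);
    if (token == null) {
      return Decision.UNAUTHENTICATED;
    }
    final List<String> permissions;
    try {
      // getPermissions(token) checks signature, expiry and audience before
      // returning anything. decodeJWT(token) performs none of these checks,
      // so its claims are never used for the decision.
      permissions = authentication.getPermissions(token);
    } catch (RuntimeException e) {
      // Covers the documented failures (decode, signature, expiry, claim, JWK
      // retrieval); they are assumed unchecked because the method signature
      // declares no throws clause. Fail closed in every case.
      return Decision.UNAUTHENTICATED;
    }
    return permissions != null && permissions.contains(requiredPermission)
        ? Decision.ALLOW
        : Decision.FORBIDDEN;
  }

  /** Extracts the token from an "Authorization: Bearer ..." value, or returns null. */
  private static String bearerToken(String header) {
    if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
      return null;
    }
    String token = header.substring(SCHEME.length()).trim();
    return token.isEmpty() ? null : token;
  }
}
```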
    • getPermissions

      List<String> getPermissions(String token, String audience)
      Verifies the validity of the passed token and audience and returns the permissions assigned to it. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      audience - the audience
      Returns:
      list of permissions assigned to the token
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • getGroups

      List<String> getGroups(String token)
      Verifies the validity of the passed token and returns the groups assigned to it. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      Returns:
      list of groups assigned to the token
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • getGroups

      List<String> getGroups(String token, String audience)
      Verifies the validity of the passed token and audience and returns the groups assigned to it. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      audience - the audience
      Returns:
      list of groups assigned to the token
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • getGroupsInOrganization

      List<String> getGroupsInOrganization(String token, String organization)
      Verifies the validity of the passed token and returns the groups assigned to it within the organization. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      organization - the organization
      Returns:
      list of groups assigned to the token within the organization. If organization is null, it returns groups that have no organization assigned to them.
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved
    • getGroupsInOrganization

      List<String> getGroupsInOrganization(String token, String audience, String organization)
      Verifies the validity of the passed token and audience and returns the groups assigned to it within the organization. The following checks will be performed:
      • The token is correctly signed
      • The token has not expired
      • Token's audience (aud claim) matches application's audience
      Parameters:
      token - the token
      audience - the audience
      organization - the organization
      Returns:
      list of groups assigned to the token within the organization. If organization is null, it returns groups that have no organization assigned to them.
      Throws:
      TokenDecodeException - the token can not be decoded
      InvalidSignatureException - the token's signature is invalid
      TokenExpiredException - the token has expired
      InvalidClaimException - the provided claim is invalid
      JsonWebKeyException - the JWK needed to verify token's signature can not be retrieved