Class PrincipalExtractor

java.lang.Object
io.strimzi.kafka.oauth.common.PrincipalExtractor

public class PrincipalExtractor extends Object
An object with logic for extracting a principal name (i.e. a user id) from a JWT token.

First, the claim configured as usernameClaim is looked up. If it is found and usernamePrefix is configured, the prefix is prepended to the value of the claim. If it is not found, the claim configured as fallbackUsernameClaim is looked up. If that claim is found and fallbackUsernamePrefix is configured, the prefix is prepended to the found value; otherwise the value is used without a prefix.

The claim specification uses the following rules:

  • If the claim specification starts with an opening square bracket '[', it is interpreted as a JsonPath query, and allows targeting a nested attribute.
  • Otherwise, it is interpreted as a top level attribute name.

A JsonPath query is resolved relative to the JSON object containing the information that identifies the user (a JWT payload, a response from the Introspection Endpoint, or a response from the User Info Endpoint).

For more on JsonPath syntax see https://github.com/json-path/JsonPath.

Examples of claim specification:

     userId                    ... use top level attribute named 'userId'
     user.id                   ... use top level attribute named 'user.id'
     $userid                   ... use top level attribute named '$userid'
     ['userInfo']['id']        ... use nested attribute 'id' under 'userInfo' top level attribute
     ['userInfo'].id           ... use nested attribute 'id' under 'userInfo' top level attribute (second segment not using brackets)
     ['user.info']['user.id']  ... use nested attribute 'user.id' under 'user.info' top level attribute
     ['user.info'].['user.id'] ... use nested attribute 'user.id' under 'user.info' top level attribute (optional dot)
 
See PrincipalExtractorTest.java for more working and non-working examples of claim specification.
  • Constructor Details

    • PrincipalExtractor

      public PrincipalExtractor()
      Create a new instance
    • PrincipalExtractor

      public PrincipalExtractor(String usernameClaim)
      Create a new instance
      Parameters:
      usernameClaim - Attribute name for an attribute containing the user id to look up first.
    • PrincipalExtractor

      public PrincipalExtractor(String usernameClaim, String usernamePrefix, String fallbackUsernameClaim, String fallbackUsernamePrefix)
      Create a new instance
      Parameters:
      usernameClaim - Attribute name for an attribute containing the user id to look up first.
      usernamePrefix - A prefix to prepend to the user id
      fallbackUsernameClaim - Attribute name for an attribute containing the user id to look up as a fallback
      fallbackUsernamePrefix - A prefix to prepend to the value of the fallback attribute value if set
  • Method Details

    • getPrincipal

      public String getPrincipal(com.fasterxml.jackson.databind.JsonNode json)
      Get the principal name
      Parameters:
      json - JWT token as a JsonNode object
      Returns:
      Principal name
    • getSub

      public String getSub(com.fasterxml.jackson.databind.JsonNode json)
      Get the value of sub claim
      Parameters:
      json - JWT token as a JsonNode object
      Returns:
      The value of sub attribute
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • isConfigured

      public boolean isConfigured()
      Return true if any of the configuration options is configured
      Returns:
      True if any of the constructor parameters is set
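
The lookup order and claim specification rules described above, exercised through the four-argument constructor and getPrincipal. This is an added example, not code from the Strimzi project; the payloads, claim names and prefixes are constructed sample values, and it assumes the library and Jackson are on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.strimzi.kafka.oauth.common.PrincipalExtractor;

public class PrincipalExtractorExample {

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed sample payloads (not real tokens).
        // A user token carrying the user id in a nested attribute.
        JsonNode userToken = mapper.readTree(
            "{\"sub\":\"u-1001\",\"userInfo\":{\"id\":\"alice\"}}");
        // A service-account token with no 'userInfo', only a top level 'client_id'.
        JsonNode serviceToken = mapper.readTree(
            "{\"sub\":\"sa-77\",\"client_id\":\"billing-service\"}");
        // A token that carries neither of the configured claims.
        JsonNode bareToken = mapper.readTree("{\"sub\":\"x-1\"}");

        // usernameClaim starts with '[' so it is treated as a JsonPath query;
        // fallbackUsernameClaim is a plain top level attribute name.
        // Distinct prefixes (constructed values) keep a user id and a client id
        // with the same text from mapping to the same principal name.
        PrincipalExtractor extractor = new PrincipalExtractor(
            "['userInfo']['id']", "user-",
            "client_id", "service-account-");

        System.out.println("configured=" + extractor.isConfigured());

        for (JsonNode token : new JsonNode[] {userToken, serviceToken, bareToken}) {
            String principal = extractor.getPrincipal(token);
            // The class description does not state what getPrincipal returns
            // when neither claim is present, so the caller checks explicitly
            // instead of passing an empty identity on to authorization.
            if (principal == null || principal.isEmpty()) {
                System.out.println("no principal from configured claims; sub="
                    + extractor.getSub(token));
            } else {
                System.out.println("principal=" + principal);
            }
        }
    }
}
```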