Class OAuthIntrospectionValidator

java.lang.Object
io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator
All Implemented Interfaces:
TokenValidator

public class OAuthIntrospectionValidator extends Object implements TokenValidator
This class is responsible for validating the token during session authentication by using an introspection endpoint.

It works by sending the token to the configured authorization server's introspection endpoint. The endpoint returns a response indicating whether the token is active, and it usually also returns additional attributes that can be used to enforce further constraints and reject some otherwise valid tokens during authentication.
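As an added illustration (not code from the Strimzi project), the following stand-alone Python function applies the kinds of constraints the constructor parameters below describe (the active flag, the required `iss` value, the accepted `token_type`, the `aud` check against the broker's clientId, and a custom claim check) to a constructed introspection response; the function name, the sample responses and the reason strings are assumptions for this example only.

```python
import json

# Constructed sample introspection responses (RFC 7662 shape); not taken from the page.
SAMPLE_ACTIVE = json.dumps({
    "active": True, "iss": "https://as.example/realms/kafka",
    "aud": ["kafka-broker", "other-service"], "token_type": "Bearer",
    "sub": "alice", "scope": "kafka:read", "client_id": "kafka-broker",
})
SAMPLE_STRING_AUD = json.dumps({
    "active": True, "iss": "https://as.example/realms/kafka",
    "aud": "kafka-broker", "token_type": "Bearer", "sub": "bob",
})
SAMPLE_INACTIVE = json.dumps({"active": False})


def check_introspection(response_json, client_id, issuer_uri=None,
                        valid_token_type=None, check_audience=False,
                        custom_check=None):
    """Hypothetical post-introspection check; returns (accepted, reason).

    issuer_uri, valid_token_type and check_audience mirror the optional
    constraints described for the validator; custom_check stands in for a
    JSONPath filter and is a plain callable over the decoded response.
    """
    body = json.loads(response_json)
    # RFC 7662: when 'active' is not true no other claim can be trusted,
    # so reject before looking at anything else (the fields may be absent).
    if body.get("active") is not True:
        return False, "token is not active"
    if issuer_uri is not None and body.get("iss") != issuer_uri:
        return False, "issuer mismatch"
    # Strict comparison here; the library's exact matching rule is not on the page.
    if valid_token_type is not None and body.get("token_type") != valid_token_type:
        return False, "unexpected token_type"
    if check_audience:
        aud = body.get("aud", [])
        if isinstance(aud, str):  # 'aud' may be a single string or a list
            aud = [aud]
        if client_id not in aud:
            return False, "audience does not contain client id"
    if custom_check is not None and not custom_check(body):
        return False, "custom claim check failed"
    return True, "ok"
```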

  • Constructor Details

    • OAuthIntrospectionValidator

      public OAuthIntrospectionValidator(String id, String clientId, String clientSecret, TokenProvider bearerTokenProvider, String introspectionEndpointUri, SSLSocketFactory socketFactory, HostnameVerifier verifier, PrincipalExtractor principalExtractor, String groupsClaimQuery, String groupsClaimDelimiter, String issuerUri, String userInfoUri, String validTokenType, String audience, String customClaimCheck, int connectTimeoutSeconds, int readTimeoutSeconds, boolean enableMetrics, int retries, long retryPauseMillis, boolean includeAcceptHeader)
      Create a new instance.
      Parameters:
      id - A unique id to associate with this validator for the purpose of validator lifecycle and metrics tracking
      clientId - The clientId of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Basic authentication
      clientSecret - The secret of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Basic authentication
      bearerTokenProvider - The provider of the bearer token as an alternative to clientId and secret of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Bearer authentication
      introspectionEndpointUri - The introspection endpoint URL at the authorization server
      socketFactory - The optional SSL socket factory to use when establishing the connection to the authorization server
      verifier - The optional hostname verifier used to validate the TLS certificate presented by the authorization server
      principalExtractor - The object used to extract the username from the attributes in the server's response
      groupsClaimQuery - The JsonPath query for extracting groups from the introspection endpoint response
      groupsClaimDelimiter - The delimiter used to split the groups out of the result of applying groupsClaimQuery to the introspection endpoint response
      issuerUri - The required value of the 'iss' claim in the introspection endpoint response
      userInfoUri - The optional user info endpoint URL at the authorization server, used as a fallback when the user id can't be extracted from the introspection endpoint response
      validTokenType - The optional token type enforcement - only the specified token type is accepted as valid
      audience - The optional audience check. If specified, the 'aud' attribute of the introspection endpoint response needs to contain the configured clientId
      customClaimCheck - The optional JSONPath filter query for additional custom attribute checking
      connectTimeoutSeconds - The maximum time to wait for the connection to the authorization server to be established (in seconds)
      readTimeoutSeconds - The maximum time to wait for a response from the authorization server after the connection has been established and the request sent (in seconds)
      enableMetrics - The switch that enables metrics collection
      retries - Maximum number of retries if the request to the authorization server fails (0 means no retries)
      retryPauseMillis - Time to pause before retrying the request to the authorization server (in milliseconds)
      includeAcceptHeader - Whether to send the Accept header when making outbound HTTP requests
  • Method Details

    • validate

      public TokenInfo validate(String token)
      Description copied from interface: TokenValidator
      Validate the passed access token return it wrapped in TokenInfo with
      Specified by:
      validate in interface TokenValidator
      Parameters:
      token - An access token to validate
      Returns:
      TokenInfo wrapping a valid token
    • getValidatorId

      public String getValidatorId()
      Description copied from interface: TokenValidator
      Return the id of this validator
      Specified by:
      getValidatorId in interface TokenValidator
      Returns:
      A validator id
    • close

      public void close()
      Description copied from interface: TokenValidator
      Close any allocated resources like background threads
      Specified by:
      close in interface TokenValidator