Class OpenIdConfiguration


  • public class OpenIdConfiguration
    extends Object
    Supports any standards-compliant OpenID Connect provider as identity provider for LogEventsServlet.

    To set up authorization with Azure Active Directory

    This description assumes that you are a member of an organization that uses Active Directory, but that you only want some users to have access to the LogEventsServlet.
    1. Go to the Azure portal and log in with your organization account
    2. Click "Create a resource" and enter "active directory" to create a new directory. You can name the directory what you want.
    3. You have to wait a little while for the directory to be created, then click the funnel + book icon to switch to your new directory
    4. Select "Azure Active Directory" from the menu in your new directory to go to directory management
    5. Select "App Registration" and "New registration" to create your application
    6. In the application configuration, you need to find the Application (client) ID, generate a new client secret (under Certificates and secrets) and set up your redirect URI (under Authentication), and use these to configure WebLogEventObserver
    7. Set observer.servlet.openIdIssuer=https://login.microsoftonline.com/{tenantId}/v2.0/
    8. In the Azure Active Directory menu, you can select "Users" and add a guest user from your organization to add to your limited Active Directory (this feature of Active Directory is known as B2B)
    9. In the Azure Active Directory menu, you can select "Enterprise Applications" to limit the users that can access the logging application

    To set up authorization with Google

    1. Go to Google API Console
    2. From the "Select a project" dropdown, click "New project"
    3. Select "Credentials" from the left menu, click "Create credentials" and select "OAuth client ID"
    4. Select "Web application" as the type of application and enter the Redirect URI where you would access your LogEventsServlet + "/oauth2callback" (e.g. https://myserver.com/myapp/logs/oauth2callback)
    5. Copy the Client ID and Client secret to your observer.servlet.clientId and observer.servlet.clientSecret
    6. Set observer.servlet.openIdIssuer=https://accounts.google.com
    7. Important: Your log console is currently open to anyone with a Google Account, i.e. everyone. You have to restrict it with e.g. observer.servlet.requiredClaim.email_verified=true and observer.servlet.requiredClaim.email=alice@example.com, bob@example.com
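    As an added example (not code from the logevents project), the helper below applies the observer.servlet.requiredClaim.<claim>=<value>[, <value>...] convention from step 7 to the claims of an already validated ID token. The RequiredClaimsPolicy class, its property parsing and the sample claim maps are assumptions made for the example.

```java
import java.util.*;
import java.util.stream.Collectors;

public class RequiredClaimsPolicy {
    // Hypothetical helper, not part of logevents: reads every
    // observer.servlet.requiredClaim.<claim> property into a set of allowed values.
    private static final String PREFIX = "observer.servlet.requiredClaim.";
    private final Map<String, Set<String>> required = new HashMap<>();

    public RequiredClaimsPolicy(Properties config) {
        for (String key : config.stringPropertyNames()) {
            if (!key.startsWith(PREFIX)) continue;
            String claim = key.substring(PREFIX.length());
            Set<String> allowed = Arrays.stream(config.getProperty(key).split(","))
                    .map(String::trim).filter(s -> !s.isEmpty())
                    .collect(Collectors.toSet());
            required.put(claim, allowed);
        }
    }

    /** True when no claim is required, i.e. every authenticated account is accepted. */
    public boolean isOpenToEveryone() { return required.isEmpty(); }

    /** Deny unless every required claim is present and matches one of its allowed values. */
    public boolean isAuthorized(Map<String, Object> idTokenClaims) {
        for (Map.Entry<String, Set<String>> e : required.entrySet()) {
            Object actual = idTokenClaims.get(e.getKey());
            // A missing claim denies access; booleans such as email_verified compare as "true"/"false".
            if (actual == null || !e.getValue().contains(String.valueOf(actual).trim())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Properties config = new Properties();  // constructed sample mirroring step 7 above
        config.setProperty("observer.servlet.requiredClaim.email_verified", "true");
        config.setProperty("observer.servlet.requiredClaim.email", "alice@example.com, bob@example.com");
        RequiredClaimsPolicy policy = new RequiredClaimsPolicy(config);

        // Constructed claim sets standing in for the decoded ID token of each login attempt
        Map<String, Object> alice = Map.of("email", "alice@example.com", "email_verified", true);
        Map<String, Object> stranger = Map.of("email", "someone@example.org", "email_verified", true);
        Map<String, Object> unverifiedBob = Map.of("email", "bob@example.com", "email_verified", false);
        System.out.println("alice authorized: " + policy.isAuthorized(alice));
        System.out.println("stranger authorized: " + policy.isAuthorized(stranger));
        System.out.println("unverified bob authorized: " + policy.isAuthorized(unverifiedBob));
        System.out.println("empty config open to everyone: " + new RequiredClaimsPolicy(new Properties()).isOpenToEveryone());
    }
}
```

    Checking isOpenToEveryone() at startup is a cheap way to notice the state described in step 7 before the console is exposed.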
    • Constructor Detail

      • OpenIdConfiguration

        public OpenIdConfiguration(Configuration configuration)
      • OpenIdConfiguration

        public OpenIdConfiguration(String openIdIssuer,
                                   String clientId,
                                   String clientSecret)