From 2b38242ebaea27e2b4e1282475a93185b0742e2a Mon Sep 17 00:00:00 2001
From: Damian Ujma <92095156+damianujma@users.noreply.github.com>
Date: Wed, 14 May 2025 15:25:45 +0200
Subject: [PATCH] ACS-9416 Backport ACS-9414 Enhance the Identity Provider
configuration ( #3263) (#3342)
---
.github/workflows/ci.yml | 188 +-
.secrets.baseline | 10 +-
...dentityServiceAuthenticationComponent.java | 244 ++-
.../IdentityServiceConfig.java | 743 ++++----
.../IdentityServiceFacade.java | 514 ++---
.../IdentityServiceFacadeFactoryBean.java | 1650 +++++++++--------
...IdentityServiceJITProvisioningHandler.java | 174 +-
.../IdentityServiceRemoteUserMapper.java | 362 ++--
.../SpringBasedIdentityServiceFacade.java | 113 +-
...ntityServiceAdminConsoleAuthenticator.java | 73 +-
.../AccessTokenToDecodedTokenUserMapper.java | 66 +
.../user/DecodedTokenUser.java | 44 +
.../{ => user}/OIDCUserInfo.java | 2 +-
.../user/TokenUserToOIDCUserMapper.java | 76 +
.../user/UserInfoAttrMapping.java | 41 +
...dentity-service-authentication-context.xml | 23 +-
...identity-service-authentication.properties | 9 +-
.../java/org/alfresco/AllUnitTestsSuite.java | 447 ++---
.../ClientRegistrationProviderUnitTest.java | 83 +-
...ityServiceAuthenticationComponentTest.java | 345 ++--
...tityServiceJITProvisioningHandlerTest.java | 65 +-
...ServiceJITProvisioningHandlerUnitTest.java | 157 +-
.../IdentityServiceRemoteUserMapperTest.java | 29 +-
...ingBasedIdentityServiceFacadeUnitTest.java | 197 +-
...viceAdminConsoleAuthenticatorUnitTest.java | 39 +-
...TokenToDecodedTokenUserMapperUnitTest.java | 109 ++
.../TokenUserToOIDCUserMapperUnitTest.java | 95 +
.../test/resources/alfresco-global.properties | 3 +
28 files changed, 3262 insertions(+), 2639 deletions(-)
create mode 100644 repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java
create mode 100644 repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java
rename repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/{ => user}/OIDCUserInfo.java (99%)
create mode 100644 repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java
create mode 100644 repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java
create mode 100644 repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapperUnitTest.java
create mode 100644 repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapperUnitTest.java
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3926433b33..95710e18bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,14 +44,10 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
- - id: changed-files
- uses: Alfresco/alfresco-build-tools/.github/actions/github-list-changes@v8.13.0
- with:
- write-list-to-env: true
- - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Prepare maven cache and check compilation"
@@ -69,12 +65,12 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.16.0
continue-on-error: true
with:
srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
@@ -92,10 +88,10 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.16.0
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repository: "Alfresco/veracode-baseline-archive"
@@ -148,10 +144,10 @@ jobs:
!contains(github.event.head_commit.message, '[skip tests]') &&
!contains(github.event.head_commit.message, '[force]')
steps:
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
- - uses: Alfresco/ya-pmd-scan@v4.1.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
+ - uses: Alfresco/ya-pmd-scan@v4.3.0
with:
classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
@@ -181,14 +177,14 @@ jobs:
testAttributes: "-Dtest=AllMmtUnitTestSuite"
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testModule }}
@@ -219,7 +215,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -261,9 +257,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
@@ -276,7 +272,7 @@ jobs:
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }}
@@ -307,7 +303,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -340,9 +336,9 @@ jobs:
version: ['10.5', '10.6']
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: Run MariaDB ${{ matrix.version }} database
@@ -351,7 +347,7 @@ jobs:
MARIADB_VERSION: ${{ matrix.version }}
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.version }}
@@ -382,7 +378,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -411,9 +407,9 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run MariaDB 10.11 database"
@@ -422,7 +418,7 @@ jobs:
MARIADB_VERSION: 10.11
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -453,7 +449,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -482,9 +478,9 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run MySQL 8 database"
@@ -493,7 +489,7 @@ jobs:
MYSQL_VERSION: 8
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -524,7 +520,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -552,9 +548,9 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 14.15 database"
@@ -563,7 +559,7 @@ jobs:
POSTGRES_VERSION: 14.15
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -594,7 +590,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -622,9 +618,9 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 15.10 database"
@@ -633,7 +629,7 @@ jobs:
POSTGRES_VERSION: 15.10
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -664,7 +660,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -692,9 +688,9 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run PostgreSQL 16.6 database"
@@ -703,7 +699,7 @@ jobs:
POSTGRES_VERSION: 16.6
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -734,7 +730,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -760,16 +756,16 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run ActiveMQ"
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -800,7 +796,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -860,9 +856,9 @@ jobs:
mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore'
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Set transformers tag"
@@ -885,7 +881,7 @@ jobs:
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }} ${{ matrix.idp }}
@@ -916,7 +912,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -974,9 +970,9 @@ jobs:
REQUIRES_LOCAL_IMAGES: true
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
@@ -992,7 +988,7 @@ jobs:
run: mvn install -pl :alfresco-community-repo-integration-test -am -DskipTests -Pall-tas-tests
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.test-name }}
@@ -1030,7 +1026,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.tests.outcome }}
@@ -1056,16 +1052,16 @@ jobs:
!contains(github.event.head_commit.message, '[force')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Init"
run: bash ./scripts/ci/init.sh
- name: "Run Postgres 16.6 database"
run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1096,7 +1092,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1130,9 +1126,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
@@ -1140,7 +1136,7 @@ jobs:
bash ./scripts/ci/build.sh
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (PostgreSQL) ${{ matrix.test-name }}
@@ -1176,9 +1172,9 @@ jobs:
REQUIRES_INSTALLED_ARTIFACTS: true
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
@@ -1186,7 +1182,7 @@ jobs:
bash ./scripts/ci/build.sh
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (MySQL) ${{ matrix.test-name }}
@@ -1218,9 +1214,9 @@ jobs:
REQUIRES_LOCAL_IMAGES: true
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
@@ -1234,7 +1230,7 @@ jobs:
mvn -B install -pl :alfresco-governance-services-automation-community-rest-api -am -Pags -Pall-tas-tests -DskipTests
- name: "Prepare Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
id: rp-prepare
with:
rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1266,7 +1262,7 @@ jobs:
continue-on-error: true
- name: "Summarize Report Portal"
if: github.ref_name == 'master'
- uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+ uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
id: rp-summarize
with:
tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1308,9 +1304,9 @@ jobs:
!contains(github.event.head_commit.message, '[force]')
steps:
- uses: actions/checkout@v4
- - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
- - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
+ - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
- name: "Build"
timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
run: |
diff --git a/.secrets.baseline b/.secrets.baseline
index b160381264..c1b3709032 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -133,21 +133,21 @@
"filename": ".github/workflows/ci.yml",
"hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
"is_verified": false,
- "line_number": 299
+ "line_number": 295
},
{
"type": "Secret Keyword",
"filename": ".github/workflows/ci.yml",
"hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
"is_verified": false,
- "line_number": 374
+ "line_number": 370
},
{
"type": "Secret Keyword",
"filename": ".github/workflows/ci.yml",
"hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
"is_verified": false,
- "line_number": 908
+ "line_number": 904
}
],
".github/workflows/master_release.yml": [
@@ -1607,7 +1607,7 @@
"filename": "repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false,
- "line_number": 46,
+ "line_number": 48,
"is_secret": false
}
],
@@ -1868,5 +1868,5 @@
}
]
},
- "generated_at": "2025-02-26T15:13:52Z"
+ "generated_at": "2025-05-13T13:17:41Z"
}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
index 90d0d9e0a6..e48f9bf7f0 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java
@@ -1,123 +1,121 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.identityservice;
-
-import org.alfresco.repo.management.subsystems.ActivateableBean;
-import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
-import org.alfresco.repo.security.authentication.AuthenticationException;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- *
- * Authenticates a user against Identity Service (Keycloak/Authorization Server).
- * {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the
- * user credentials are valid.
- *
- * The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator
- * will just fall through to the next one in the chain.
- *
- */
-public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean
-{
- private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
- /** client used to authenticate user credentials against Authorization Server **/
- private IdentityServiceFacade identityServiceFacade;
- /** enabled flag for the identity service subsystem**/
- private boolean active;
-
- private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
-
- private boolean allowGuestLogin;
-
- public void setIdentityServiceFacade(IdentityServiceFacade identityServiceFacade)
- {
- this.identityServiceFacade = identityServiceFacade;
- }
-
- public void setAllowGuestLogin(boolean allowGuestLogin)
- {
- this.allowGuestLogin = allowGuestLogin;
- }
-
- public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
- {
- this.jitProvisioningHandler = jitProvisioningHandler;
- }
-
- @Override
- public void authenticateImpl(String userName, char[] password) throws AuthenticationException
- {
- if (identityServiceFacade == null)
- {
- if (LOGGER.isDebugEnabled())
- {
- LOGGER.debug("IdentityServiceFacade was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property.");
- }
-
- throw new AuthenticationException("User not authenticated because IdentityServiceFacade was not set.");
- }
-
- try
- {
- // Attempt to verify user credentials
- IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(AuthorizationGrant.password(userName, String.valueOf(password)));
-
- String normalizedUsername = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(accessTokenAuthorization.getAccessToken().getTokenValue())
- .map(OIDCUserInfo::username)
- .orElseThrow(() -> new AuthenticationException("Failed to extract username from token and user info endpoint."));
- // Verification was successful so treat as authenticated user
- setCurrentUser(normalizedUsername);
- }
- catch (IdentityServiceFacadeException e)
- {
- throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e);
- }
- catch (RuntimeException e)
- {
- throw new AuthenticationException("Failed to verify user credentials.", e);
- }
- }
-
- public void setActive(boolean active)
- {
- this.active = active;
- }
-
- @Override
- public boolean isActive()
- {
- return active;
- }
-
- @Override
- protected boolean implementationAllowsGuestLogin()
- {
- return allowGuestLogin;
- }
-}
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
+import org.alfresco.repo.security.authentication.AuthenticationException;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+
+/**
+ *
+ * Authenticates a user against Identity Service (Keycloak/Authorization Server). {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the user credentials are valid.
+ * The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator will just fall through to the next one in the chain.
+ *
+ */
+public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean
+{
+ private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
+ /** client used to authenticate user credentials against Authorization Server **/
+ private IdentityServiceFacade identityServiceFacade;
+ /** enabled flag for the identity service subsystem **/
+ private boolean active;
+
+ private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
+
+ private boolean allowGuestLogin;
+
+ public void setIdentityServiceFacade(IdentityServiceFacade identityServiceFacade)
+ {
+ this.identityServiceFacade = identityServiceFacade;
+ }
+
+ public void setAllowGuestLogin(boolean allowGuestLogin)
+ {
+ this.allowGuestLogin = allowGuestLogin;
+ }
+
+ public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
+ {
+ this.jitProvisioningHandler = jitProvisioningHandler;
+ }
+
+ @Override
+ public void authenticateImpl(String userName, char[] password) throws AuthenticationException
+ {
+ if (identityServiceFacade == null)
+ {
+ if (LOGGER.isDebugEnabled())
+ {
+ LOGGER.debug("IdentityServiceFacade was not set, possibly due to the 'identity-service.authentication.enable-username-password-authentication=false' property.");
+ }
+
+ throw new AuthenticationException("User not authenticated because IdentityServiceFacade was not set.");
+ }
+
+ try
+ {
+ // Attempt to verify user credentials
+ IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(AuthorizationGrant.password(userName, String.valueOf(password)));
+
+ String normalizedUsername = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(accessTokenAuthorization.getAccessToken().getTokenValue())
+ .map(OIDCUserInfo::username)
+ .orElseThrow(() -> new AuthenticationException("Failed to extract username from token and user info endpoint."));
+ // Verification was successful so treat as authenticated user
+ setCurrentUser(normalizedUsername);
+ }
+ catch (IdentityServiceFacadeException e)
+ {
+ throw new AuthenticationException("Failed to verify user credentials against the OAuth2 Authorization Server.", e);
+ }
+ catch (RuntimeException e)
+ {
+ throw new AuthenticationException("Failed to verify user credentials.", e);
+ }
+ }
+
+ public void setActive(boolean active)
+ {
+ this.active = active;
+ }
+
+ @Override
+ public boolean isActive()
+ {
+ return active;
+ }
+
+ @Override
+ protected boolean implementationAllowsGuestLogin()
+ {
+ return allowGuestLogin;
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java
index 5189de298a..7593e982e9 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java
@@ -1,330 +1,413 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2025 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.identityservice;
-
-import java.util.Objects;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
-import org.springframework.web.util.UriComponentsBuilder;
-
-/**
- * Class to hold configuration for the Identity Service.
- *
- * @author Gavin Cornwell
- */
-@SuppressWarnings("PMD.ExcessivePublicCount")
-public class IdentityServiceConfig
-{
- private static final String REALMS = "realms";
-
- private int clientConnectionTimeout;
- private int clientSocketTimeout;
- private String issuerUrl;
- private String audience;
- // client id
- private String resource;
- private String clientSecret;
- private String authServerUrl;
- private String realm;
- private int connectionPoolSize;
- private boolean allowAnyHostname;
- private boolean disableTrustManager;
- private String truststore;
- private String truststorePassword;
- private String clientKeystore;
- private String clientKeystorePassword;
- private String clientKeyPassword;
- private String realmKey;
- private int publicKeyCacheTtl;
- private boolean publicClient;
- private String principalAttribute;
- private boolean clientIdValidationDisabled;
- private String adminConsoleRedirectPath;
- private String signatureAlgorithms;
-
- /**
- *
- * @return Client connection timeout in milliseconds.
- */
- public int getClientConnectionTimeout()
- {
- return clientConnectionTimeout;
- }
-
- /**
- *
- * @param clientConnectionTimeout Client connection timeout in milliseconds.
- */
- public void setClientConnectionTimeout(int clientConnectionTimeout)
- {
- this.clientConnectionTimeout = clientConnectionTimeout;
- }
-
- /**
- *
- * @return Client socket timeout in milliseconds.s
- */
- public int getClientSocketTimeout()
- {
- return clientSocketTimeout;
- }
-
- /**
- *
- * @param clientSocketTimeout Client socket timeout in milliseconds.
- */
- public void setClientSocketTimeout(int clientSocketTimeout)
- {
- this.clientSocketTimeout = clientSocketTimeout;
- }
-
- public void setConnectionPoolSize(int connectionPoolSize)
- {
- this.connectionPoolSize = connectionPoolSize;
- }
-
- public int getConnectionPoolSize()
- {
- return connectionPoolSize;
- }
-
- public String getIssuerUrl()
- {
- return issuerUrl;
- }
-
- public void setIssuerUrl(String issuerUrl)
- {
- this.issuerUrl = issuerUrl;
- }
-
- public String getAudience()
- {
- return audience;
- }
-
- public void setAudience(String audience)
- {
- this.audience = audience;
- }
-
- public String getAuthServerUrl()
- {
- return Optional.ofNullable(realm)
- .filter(StringUtils::isNotBlank)
- .filter(realm -> StringUtils.isNotBlank(authServerUrl))
- .map(realm -> UriComponentsBuilder.fromUriString(authServerUrl)
- .pathSegment(REALMS, realm)
- .build()
- .toString())
- .orElse(authServerUrl);
- }
-
- public void setAuthServerUrl(String authServerUrl)
- {
- this.authServerUrl = authServerUrl;
- }
-
- public String getRealm()
- {
- return realm;
- }
-
- public void setRealm(String realm)
- {
- this.realm = realm;
- }
-
- public String getResource()
- {
- return resource;
- }
-
- public void setResource(String resource)
- {
- this.resource = resource;
- }
-
- public void setClientSecret(String clientSecret)
- {
- this.clientSecret = clientSecret;
- }
-
- public String getClientSecret()
- {
- return Optional.ofNullable(clientSecret)
- .orElse("");
- }
-
- public void setAllowAnyHostname(boolean allowAnyHostname)
- {
- this.allowAnyHostname = allowAnyHostname;
- }
-
- public boolean isAllowAnyHostname()
- {
- return allowAnyHostname;
- }
-
- public void setDisableTrustManager(boolean disableTrustManager)
- {
- this.disableTrustManager = disableTrustManager;
- }
-
- public boolean isDisableTrustManager()
- {
- return disableTrustManager;
- }
-
- public void setTruststore(String truststore)
- {
- this.truststore = truststore;
- }
-
- public String getTruststore()
- {
- return truststore;
- }
-
- public void setTruststorePassword(String truststorePassword)
- {
- this.truststorePassword = truststorePassword;
- }
-
- public String getTruststorePassword()
- {
- return truststorePassword;
- }
-
- public void setClientKeystore(String clientKeystore)
- {
- this.clientKeystore = clientKeystore;
- }
-
- public String getClientKeystore()
- {
- return clientKeystore;
- }
-
- public void setClientKeystorePassword(String clientKeystorePassword)
- {
- this.clientKeystorePassword = clientKeystorePassword;
- }
-
- public String getClientKeystorePassword()
- {
- return clientKeystorePassword;
- }
-
- public void setClientKeyPassword(String clientKeyPassword)
- {
- this.clientKeyPassword = clientKeyPassword;
- }
-
- public String getClientKeyPassword()
- {
- return clientKeyPassword;
- }
-
- public void setRealmKey(String realmKey)
- {
- this.realmKey = realmKey;
- }
-
- public String getRealmKey()
- {
- return realmKey;
- }
-
- public void setPublicKeyCacheTtl(int publicKeyCacheTtl)
- {
- this.publicKeyCacheTtl = publicKeyCacheTtl;
- }
-
- public int getPublicKeyCacheTtl()
- {
- return publicKeyCacheTtl;
- }
-
- public void setPublicClient(boolean publicClient)
- {
- this.publicClient = publicClient;
- }
-
- public boolean isPublicClient()
- {
- return publicClient;
- }
-
- public String getPrincipalAttribute()
- {
- return principalAttribute;
- }
-
- public void setPrincipalAttribute(String principalAttribute)
- {
- this.principalAttribute = principalAttribute;
- }
-
- public boolean isClientIdValidationDisabled()
- {
- return clientIdValidationDisabled;
- }
-
- public void setClientIdValidationDisabled(boolean clientIdValidationDisabled)
- {
- this.clientIdValidationDisabled = clientIdValidationDisabled;
- }
-
- public String getAdminConsoleRedirectPath()
- {
- return adminConsoleRedirectPath;
- }
-
- public void setAdminConsoleRedirectPath(String adminConsoleRedirectPath)
- {
- this.adminConsoleRedirectPath = adminConsoleRedirectPath;
- }
-
- public Set getSignatureAlgorithms()
- {
- return Stream.of(signatureAlgorithms.split(","))
- .map(String::trim)
- .map(SignatureAlgorithm::from)
- .filter(Objects::nonNull)
- .collect(Collectors.toUnmodifiableSet());
- }
-
- public void setSignatureAlgorithms(String signatureAlgorithms)
- {
- this.signatureAlgorithms = signatureAlgorithms;
- }
-}
\ No newline at end of file
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.web.util.UriComponentsBuilder;
+
+/**
+ * Class to hold configuration for the Identity Service.
+ *
+ * @author Gavin Cornwell
+ */
+@SuppressWarnings("PMD.ExcessivePublicCount")
+public class IdentityServiceConfig
+{
+ private static final String REALMS = "realms";
+
+ private int clientConnectionTimeout;
+ private int clientSocketTimeout;
+ private String issuerUrl;
+ private String audience;
+ // client id
+ private String resource;
+ private String clientSecret;
+ private String authServerUrl;
+ private String realm;
+ private int connectionPoolSize;
+ private boolean allowAnyHostname;
+ private boolean disableTrustManager;
+ private String truststore;
+ private String truststorePassword;
+ private String clientKeystore;
+ private String clientKeystorePassword;
+ private String clientKeyPassword;
+ private String realmKey;
+ private int publicKeyCacheTtl;
+ private boolean publicClient;
+ private String principalAttribute;
+ private boolean clientIdValidationDisabled;
+ private String adminConsoleRedirectPath;
+ private String signatureAlgorithms;
+ private String adminConsoleScopes;
+ private String passwordGrantScopes;
+ private String issuerAttribute;
+ private String firstNameAttribute;
+ private String lastNameAttribute;
+ private String emailAttribute;
+ private long jwtClockSkewMs;
+
+ /**
+ *
+ * @return Client connection timeout in milliseconds.
+ */
+ public int getClientConnectionTimeout()
+ {
+ return clientConnectionTimeout;
+ }
+
+ /**
+ *
+ * @param clientConnectionTimeout
+ * Client connection timeout in milliseconds.
+ */
+ public void setClientConnectionTimeout(int clientConnectionTimeout)
+ {
+ this.clientConnectionTimeout = clientConnectionTimeout;
+ }
+
+ /**
+ *
+ * @return Client socket timeout in milliseconds.s
+ */
+ public int getClientSocketTimeout()
+ {
+ return clientSocketTimeout;
+ }
+
+ /**
+ *
+ * @param clientSocketTimeout
+ * Client socket timeout in milliseconds.
+ */
+ public void setClientSocketTimeout(int clientSocketTimeout)
+ {
+ this.clientSocketTimeout = clientSocketTimeout;
+ }
+
+ public void setConnectionPoolSize(int connectionPoolSize)
+ {
+ this.connectionPoolSize = connectionPoolSize;
+ }
+
+ public int getConnectionPoolSize()
+ {
+ return connectionPoolSize;
+ }
+
+ public String getIssuerUrl()
+ {
+ return issuerUrl;
+ }
+
+ public void setIssuerUrl(String issuerUrl)
+ {
+ this.issuerUrl = issuerUrl;
+ }
+
+ public String getAudience()
+ {
+ return audience;
+ }
+
+ public void setAudience(String audience)
+ {
+ this.audience = audience;
+ }
+
+ public String getAuthServerUrl()
+ {
+ return Optional.ofNullable(realm)
+ .filter(StringUtils::isNotBlank)
+ .filter(realm -> StringUtils.isNotBlank(authServerUrl))
+ .map(realm -> UriComponentsBuilder.fromUriString(authServerUrl)
+ .pathSegment(REALMS, realm)
+ .build()
+ .toString())
+ .orElse(authServerUrl);
+ }
+
+ public void setAuthServerUrl(String authServerUrl)
+ {
+ this.authServerUrl = authServerUrl;
+ }
+
+ public String getRealm()
+ {
+ return realm;
+ }
+
+ public void setRealm(String realm)
+ {
+ this.realm = realm;
+ }
+
+ public String getResource()
+ {
+ return resource;
+ }
+
+ public void setResource(String resource)
+ {
+ this.resource = resource;
+ }
+
+ public void setClientSecret(String clientSecret)
+ {
+ this.clientSecret = clientSecret;
+ }
+
+ public String getClientSecret()
+ {
+ return Optional.ofNullable(clientSecret)
+ .orElse("");
+ }
+
+ public void setAllowAnyHostname(boolean allowAnyHostname)
+ {
+ this.allowAnyHostname = allowAnyHostname;
+ }
+
+ public boolean isAllowAnyHostname()
+ {
+ return allowAnyHostname;
+ }
+
+ public void setDisableTrustManager(boolean disableTrustManager)
+ {
+ this.disableTrustManager = disableTrustManager;
+ }
+
+ public boolean isDisableTrustManager()
+ {
+ return disableTrustManager;
+ }
+
+ public void setTruststore(String truststore)
+ {
+ this.truststore = truststore;
+ }
+
+ public String getTruststore()
+ {
+ return truststore;
+ }
+
+ public void setTruststorePassword(String truststorePassword)
+ {
+ this.truststorePassword = truststorePassword;
+ }
+
+ public String getTruststorePassword()
+ {
+ return truststorePassword;
+ }
+
+ public void setClientKeystore(String clientKeystore)
+ {
+ this.clientKeystore = clientKeystore;
+ }
+
+ public String getClientKeystore()
+ {
+ return clientKeystore;
+ }
+
+ public void setClientKeystorePassword(String clientKeystorePassword)
+ {
+ this.clientKeystorePassword = clientKeystorePassword;
+ }
+
+ public String getClientKeystorePassword()
+ {
+ return clientKeystorePassword;
+ }
+
+ public void setClientKeyPassword(String clientKeyPassword)
+ {
+ this.clientKeyPassword = clientKeyPassword;
+ }
+
+ public String getClientKeyPassword()
+ {
+ return clientKeyPassword;
+ }
+
+ public void setRealmKey(String realmKey)
+ {
+ this.realmKey = realmKey;
+ }
+
+ public String getRealmKey()
+ {
+ return realmKey;
+ }
+
+ public void setPublicKeyCacheTtl(int publicKeyCacheTtl)
+ {
+ this.publicKeyCacheTtl = publicKeyCacheTtl;
+ }
+
+ public int getPublicKeyCacheTtl()
+ {
+ return publicKeyCacheTtl;
+ }
+
+ public void setPublicClient(boolean publicClient)
+ {
+ this.publicClient = publicClient;
+ }
+
+ public boolean isPublicClient()
+ {
+ return publicClient;
+ }
+
+ public String getPrincipalAttribute()
+ {
+ return principalAttribute;
+ }
+
+ public void setPrincipalAttribute(String principalAttribute)
+ {
+ this.principalAttribute = principalAttribute;
+ }
+
+ public boolean isClientIdValidationDisabled()
+ {
+ return clientIdValidationDisabled;
+ }
+
+ public void setClientIdValidationDisabled(boolean clientIdValidationDisabled)
+ {
+ this.clientIdValidationDisabled = clientIdValidationDisabled;
+ }
+
+ public String getAdminConsoleRedirectPath()
+ {
+ return adminConsoleRedirectPath;
+ }
+
+ public void setAdminConsoleRedirectPath(String adminConsoleRedirectPath)
+ {
+ this.adminConsoleRedirectPath = adminConsoleRedirectPath;
+ }
+
+ public Set getSignatureAlgorithms()
+ {
+ return Stream.of(signatureAlgorithms.split(","))
+ .map(String::trim)
+ .map(SignatureAlgorithm::from)
+ .filter(Objects::nonNull)
+ .collect(Collectors.toUnmodifiableSet());
+ }
+
+ public void setSignatureAlgorithms(String signatureAlgorithms)
+ {
+ this.signatureAlgorithms = signatureAlgorithms;
+ }
+
+ public String getIssuerAttribute()
+ {
+ return issuerAttribute;
+ }
+
+ public void setIssuerAttribute(String issuerAttribute)
+ {
+ this.issuerAttribute = issuerAttribute;
+ }
+
+ public Set getAdminConsoleScopes()
+ {
+ return Stream.of(adminConsoleScopes.split(","))
+ .map(String::trim)
+ .collect(Collectors.toUnmodifiableSet());
+ }
+
+ public void setAdminConsoleScopes(String adminConsoleScopes)
+ {
+ this.adminConsoleScopes = adminConsoleScopes;
+ }
+
+ public Set getPasswordGrantScopes()
+ {
+ return Stream.of(passwordGrantScopes.split(","))
+ .map(String::trim)
+ .collect(Collectors.toUnmodifiableSet());
+ }
+
+ public void setPasswordGrantScopes(String passwordGrantScopes)
+ {
+ this.passwordGrantScopes = passwordGrantScopes;
+ }
+
+ public void setFirstNameAttribute(String firstNameAttribute)
+ {
+ this.firstNameAttribute = firstNameAttribute;
+ }
+
+ public void setLastNameAttribute(String lastNameAttribute)
+ {
+ this.lastNameAttribute = lastNameAttribute;
+ }
+
+ public void setEmailAttribute(String emailAttribute)
+ {
+ this.emailAttribute = emailAttribute;
+ }
+
+ public void setJwtClockSkewMs(long jwtClockSkewMs)
+ {
+ this.jwtClockSkewMs = jwtClockSkewMs;
+ }
+
+ public String getFirstNameAttribute()
+ {
+ return firstNameAttribute;
+ }
+
+ public String getLastNameAttribute()
+ {
+ return lastNameAttribute;
+ }
+
+ public String getEmailAttribute()
+ {
+ return emailAttribute;
+ }
+
+ public long getJwtClockSkewMs()
+ {
+ return jwtClockSkewMs;
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java
index cf764b6d11..3054869dbe 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java
@@ -1,249 +1,265 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2025 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.identityservice;
-
-import static java.util.Objects.nonNull;
-import static java.util.Objects.requireNonNull;
-
-import java.time.Instant;
-import java.util.Objects;
-import java.util.Optional;
-
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-
-/**
- * Allows to interact with the Identity Service
- */
-public interface IdentityServiceFacade
-{
- /**
- * Returns {@link AccessToken} based authorization for provided {@link AuthorizationGrant}.
- * @param grant the OAuth2 grant provided by the Resource Owner.
- * @return {@link AccessTokenAuthorization} containing access token and optional refresh token.
- * @throws {@link AuthorizationException} when provided grant cannot be exchanged for the access token.
- */
- AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException;
-
- /**
- * Decodes the access token into the {@link DecodedAccessToken} which contains claims connected with a given token.
- * @param token {@link String} with encoded access token value.
- * @return {@link DecodedAccessToken} containing decoded claims.
- * @throws {@link TokenDecodingException} when token decoding failed.
- */
- DecodedAccessToken decodeToken(String token) throws TokenDecodingException;
-
- /**
- * Gets claims about the authenticated user,
- * such as name and email address, via the UserInfo endpoint of the OpenID provider.
- * @param token {@link String} with encoded access token value.
- * @param principalAttribute {@link String} the attribute name used to access the user's name from the user info response.
- * @return {@link OIDCUserInfo} containing user claims.
- */
- Optional getUserInfo(String token, String principalAttribute);
-
- /**
- * Gets a client registration
- */
- ClientRegistration getClientRegistration();
-
- class IdentityServiceFacadeException extends RuntimeException
- {
- public IdentityServiceFacadeException(String message)
- {
- super(message);
- }
-
- IdentityServiceFacadeException(String message, Throwable cause)
- {
- super(message, cause);
- }
- }
-
- class AuthorizationException extends IdentityServiceFacadeException
- {
- AuthorizationException(String message)
- {
- super(message);
- }
-
- AuthorizationException(String message, Throwable cause)
- {
- super(message, cause);
- }
- }
-
- class UserInfoException extends IdentityServiceFacadeException
- {
-
- UserInfoException(String message)
- {
- super(message);
- }
-
- UserInfoException(String message, Throwable cause)
- {
- super(message, cause);
- }
- }
-
- class TokenDecodingException extends IdentityServiceFacadeException
- {
- TokenDecodingException(String message)
- {
- super(message);
- }
-
- TokenDecodingException(String message, Throwable cause)
- {
- super(message, cause);
- }
- }
-
- /**
- * Represents access token authorization with optional refresh token.
- */
- interface AccessTokenAuthorization
- {
- /**
- * Required {@link AccessToken}
- * @return {@link AccessToken}
- */
- AccessToken getAccessToken();
-
- /**
- * Optional refresh token.
- * @return Refresh token or {@code null}
- */
- String getRefreshTokenValue();
- }
-
- interface AccessToken {
- String getTokenValue();
- Instant getExpiresAt();
- }
-
- interface DecodedAccessToken extends AccessToken
- {
- Object getClaim(String claim);
- }
-
- class AuthorizationGrant {
- private final String username;
- private final String password;
- private final String refreshToken;
- private final String authorizationCode;
- private final String redirectUri;
-
- private AuthorizationGrant(String username, String password, String refreshToken, String authorizationCode, String redirectUri)
- {
- this.username = username;
- this.password = password;
- this.refreshToken = refreshToken;
- this.authorizationCode = authorizationCode;
- this.redirectUri = redirectUri;
- }
-
- public static AuthorizationGrant password(String username, String password)
- {
- return new AuthorizationGrant(requireNonNull(username), requireNonNull(password), null, null, null);
- }
-
- public static AuthorizationGrant refreshToken(String refreshToken)
- {
- return new AuthorizationGrant(null, null, requireNonNull(refreshToken), null, null);
- }
-
- public static AuthorizationGrant authorizationCode(String authorizationCode, String redirectUri)
- {
- return new AuthorizationGrant(null, null, null, requireNonNull(authorizationCode), requireNonNull(redirectUri));
- }
-
- boolean isPassword()
- {
- return nonNull(username);
- }
-
- boolean isRefreshToken()
- {
- return nonNull(refreshToken);
- }
-
- boolean isAuthorizationCode()
- {
- return nonNull(authorizationCode);
- }
-
- String getUsername()
- {
- return username;
- }
-
- String getPassword()
- {
- return password;
- }
-
- String getRefreshToken()
- {
- return refreshToken;
- }
-
- String getAuthorizationCode()
- {
- return authorizationCode;
- }
-
- String getRedirectUri()
- {
- return redirectUri;
- }
-
- @Override
- public boolean equals(Object o)
- {
- if (this == o)
- {
- return true;
- }
- if (o == null || getClass() != o.getClass())
- {
- return false;
- }
- AuthorizationGrant that = (AuthorizationGrant) o;
- return Objects.equals(username, that.username) &&
- Objects.equals(password, that.password) &&
- Objects.equals(refreshToken, that.refreshToken) &&
- Objects.equals(authorizationCode, that.authorizationCode) &&
- Objects.equals(redirectUri, that.redirectUri);
- }
-
- @Override
- public int hashCode()
- {
- return Objects.hash(username, password, refreshToken, authorizationCode, redirectUri);
- }
- }
-}
\ No newline at end of file
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import static java.util.Objects.nonNull;
+import static java.util.Objects.requireNonNull;
+
+import java.time.Instant;
+import java.util.Objects;
+import java.util.Optional;
+
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
+/**
+ * Allows to interact with the Identity Service
+ */
+public interface IdentityServiceFacade
+{
+ /**
+ * Returns {@link AccessToken} based authorization for provided {@link AuthorizationGrant}.
+ *
+ * @param grant
+ * the OAuth2 grant provided by the Resource Owner.
+ * @return {@link AccessTokenAuthorization} containing access token and optional refresh token.
+ * @throws {@link
+ * AuthorizationException} when provided grant cannot be exchanged for the access token.
+ */
+ AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException;
+
+ /**
+ * Decodes the access token into the {@link DecodedAccessToken} which contains claims connected with a given token.
+ *
+ * @param token
+ * {@link String} with encoded access token value.
+ * @return {@link DecodedAccessToken} containing decoded claims.
+ * @throws {@link
+ * TokenDecodingException} when token decoding failed.
+ */
+ DecodedAccessToken decodeToken(String token) throws TokenDecodingException;
+
+ /**
+ * Gets claims about the authenticated user, such as name and email address, via the UserInfo endpoint of the OpenID provider.
+ *
+ * @param token
+ * {@link String} with encoded access token value.
+ * @param userInfoAttrMapping
+ * {@link UserInfoAttrMapping} containing the mapping of claims.
+ * @return {@link DecodedTokenUser} containing user claims or {@link Optional#empty()} if the token does not contain a username claim.
+ */
+ Optional getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping);
+
+ /**
+ * Gets a client registration
+ */
+ ClientRegistration getClientRegistration();
+
+ class IdentityServiceFacadeException extends RuntimeException
+ {
+ public IdentityServiceFacadeException(String message)
+ {
+ super(message);
+ }
+
+ IdentityServiceFacadeException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+ }
+
+ class AuthorizationException extends IdentityServiceFacadeException
+ {
+ AuthorizationException(String message)
+ {
+ super(message);
+ }
+
+ AuthorizationException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+ }
+
+ class UserInfoException extends IdentityServiceFacadeException
+ {
+
+ UserInfoException(String message)
+ {
+ super(message);
+ }
+
+ UserInfoException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+ }
+
+ class TokenDecodingException extends IdentityServiceFacadeException
+ {
+ TokenDecodingException(String message)
+ {
+ super(message);
+ }
+
+ TokenDecodingException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+ }
+
+ /**
+ * Represents access token authorization with optional refresh token.
+ */
+ interface AccessTokenAuthorization
+ {
+ /**
+ * Required {@link AccessToken}
+ *
+ * @return {@link AccessToken}
+ */
+ AccessToken getAccessToken();
+
+ /**
+ * Optional refresh token.
+ *
+ * @return Refresh token or {@code null}
+ */
+ String getRefreshTokenValue();
+ }
+
+ interface AccessToken
+ {
+ String getTokenValue();
+
+ Instant getExpiresAt();
+ }
+
+ interface DecodedAccessToken extends AccessToken
+ {
+ Object getClaim(String claim);
+ }
+
+ class AuthorizationGrant
+ {
+ private final String username;
+ private final String password;
+ private final String refreshToken;
+ private final String authorizationCode;
+ private final String redirectUri;
+
+ private AuthorizationGrant(String username, String password, String refreshToken, String authorizationCode, String redirectUri)
+ {
+ this.username = username;
+ this.password = password;
+ this.refreshToken = refreshToken;
+ this.authorizationCode = authorizationCode;
+ this.redirectUri = redirectUri;
+ }
+
+ public static AuthorizationGrant password(String username, String password)
+ {
+ return new AuthorizationGrant(requireNonNull(username), requireNonNull(password), null, null, null);
+ }
+
+ public static AuthorizationGrant refreshToken(String refreshToken)
+ {
+ return new AuthorizationGrant(null, null, requireNonNull(refreshToken), null, null);
+ }
+
+ public static AuthorizationGrant authorizationCode(String authorizationCode, String redirectUri)
+ {
+ return new AuthorizationGrant(null, null, null, requireNonNull(authorizationCode), requireNonNull(redirectUri));
+ }
+
+ boolean isPassword()
+ {
+ return nonNull(username);
+ }
+
+ boolean isRefreshToken()
+ {
+ return nonNull(refreshToken);
+ }
+
+ boolean isAuthorizationCode()
+ {
+ return nonNull(authorizationCode);
+ }
+
+ String getUsername()
+ {
+ return username;
+ }
+
+ String getPassword()
+ {
+ return password;
+ }
+
+ String getRefreshToken()
+ {
+ return refreshToken;
+ }
+
+ String getAuthorizationCode()
+ {
+ return authorizationCode;
+ }
+
+ String getRedirectUri()
+ {
+ return redirectUri;
+ }
+
+ @Override
+ public boolean equals(Object o)
+ {
+ if (this == o)
+ {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass())
+ {
+ return false;
+ }
+ AuthorizationGrant that = (AuthorizationGrant) o;
+ return Objects.equals(username, that.username) &&
+ Objects.equals(password, that.password) &&
+ Objects.equals(refreshToken, that.refreshToken) &&
+ Objects.equals(authorizationCode, that.authorizationCode) &&
+ Objects.equals(redirectUri, that.redirectUri);
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return Objects.hash(username, password, refreshToken, authorizationCode, redirectUri);
+ }
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java
index a3465ec3c9..bcafe791d4 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java
@@ -1,818 +1,832 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2025 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.identityservice;
-
-import static java.util.Objects.requireNonNull;
-import static java.util.Optional.ofNullable;
-import static java.util.function.Predicate.not;
-
-import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE;
-import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.SCOPES_SUPPORTED;
-
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.nio.charset.StandardCharsets;
-import java.security.interfaces.RSAPublicKey;
-import java.time.Duration;
-import java.time.temporal.ChronoUnit;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicReference;
-import java.util.function.BiFunction;
-import java.util.function.Function;
-import java.util.function.Supplier;
-import java.util.stream.Collectors;
-
-import com.nimbusds.jose.JOSEObjectType;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
-import com.nimbusds.jose.jwk.source.JWKSource;
-import com.nimbusds.jose.jwk.source.RemoteJWKSet;
-import com.nimbusds.jose.proc.BadJOSEException;
-import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
-import com.nimbusds.jose.proc.JWSVerificationKeySelector;
-import com.nimbusds.jose.proc.SecurityContext;
-import com.nimbusds.jose.util.ResourceRetriever;
-import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
-import com.nimbusds.oauth2.sdk.Scope;
-import com.nimbusds.oauth2.sdk.id.Identifier;
-import com.nimbusds.oauth2.sdk.id.Issuer;
-import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hc.client5.http.classic.HttpClient;
-import org.apache.hc.client5.http.config.ConnectionConfig;
-import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
-import org.apache.hc.client5.http.impl.classic.HttpClients;
-import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
-import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
-import org.apache.hc.client5.http.ssl.TrustAllStrategy;
-import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.apache.hc.core5.ssl.SSLContexts;
-import org.springframework.beans.factory.FactoryBean;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.RequestEntity;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.client.ClientHttpRequest;
-import org.springframework.http.client.ClientHttpRequestFactory;
-import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
-import org.springframework.http.converter.FormHttpMessageConverter;
-import org.springframework.security.converter.RsaKeyConverters;
-import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
-import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistration.Builder;
-import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
-import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
-import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.core.OAuth2Error;
-import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
-import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
-import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
-import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
-import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.jwt.JwtClaimNames;
-import org.springframework.security.oauth2.jwt.JwtClaimValidator;
-import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
-import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
-import org.springframework.web.client.RestOperations;
-import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriComponentsBuilder;
-
-/**
- * Creates an instance of {@link IdentityServiceFacade}.
- * This factory can return a null if it is disabled.
- */
-public class IdentityServiceFacadeFactoryBean implements FactoryBean
-{
- private static final Log LOGGER = LogFactory.getLog(IdentityServiceFacadeFactoryBean.class);
-
- private static final JOSEObjectType AT_JWT = new JOSEObjectType("at+jwt");
-
- private boolean enabled;
- private SpringBasedIdentityServiceFacadeFactory factory;
-
- public void setEnabled(boolean enabled)
- {
- this.enabled = enabled;
- }
-
- public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig)
- {
- factory = new SpringBasedIdentityServiceFacadeFactory(
- new HttpClientProvider(identityServiceConfig)::createHttpClient,
- new ClientRegistrationProvider(identityServiceConfig)::createClientRegistration,
- new JwtDecoderProvider(identityServiceConfig)::createJwtDecoder
- );
- }
-
- @Override
- public IdentityServiceFacade getObject() throws Exception
- {
- // The creation of the client can be disabled for testing or when the username/password authentication is not required,
- // for instance when Identity Service is configured for 'bearer only' authentication or Direct Access Grants are disabled.
- if (!enabled)
- {
- return null;
- }
-
- return new LazyInstantiatingIdentityServiceFacade(factory::createIdentityServiceFacade);
- }
-
- @Override
- public Class getObjectType()
- {
- return IdentityServiceFacade.class;
- }
-
- @Override
- public boolean isSingleton()
- {
- return true;
- }
-
- private static IdentityServiceFacadeException authorizationServerCantBeUsedException(RuntimeException cause)
- {
- return new IdentityServiceFacadeException("Unable to use the Authorization Server.", cause);
- }
-
- // The target facade is created lazily to improve resiliency on Identity Service
- // (Keycloak/Authorization Server) failures when Spring Context is starting up.
- static class LazyInstantiatingIdentityServiceFacade implements IdentityServiceFacade
- {
- private final AtomicReference targetFacade = new AtomicReference<>();
- private final Supplier targetFacadeCreator;
-
- LazyInstantiatingIdentityServiceFacade(Supplier targetFacadeCreator)
- {
- this.targetFacadeCreator = requireNonNull(targetFacadeCreator);
- }
-
- @Override
- public AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException
- {
- return getTargetFacade().authorize(grant);
- }
-
- @Override
- public DecodedAccessToken decodeToken(String token) throws TokenDecodingException
- {
- return getTargetFacade().decodeToken(token);
- }
-
- @Override
- public Optional getUserInfo(String token, String principalAttribute)
- {
- return getTargetFacade().getUserInfo(token, principalAttribute);
- }
-
- @Override
- public ClientRegistration getClientRegistration()
- {
- return getTargetFacade().getClientRegistration();
- }
-
- private IdentityServiceFacade getTargetFacade()
- {
- return ofNullable(targetFacade.get())
- .orElseGet(() -> targetFacade.updateAndGet(prev ->
- ofNullable(prev).orElseGet(this::createTargetFacade)));
- }
-
- private IdentityServiceFacade createTargetFacade()
- {
- try
- {
- return targetFacadeCreator.get();
- }
- catch (IdentityServiceFacadeException e)
- {
- throw e;
- }
- catch (RuntimeException e)
- {
- LOGGER.warn("Failed to instantiate IdentityServiceFacade.", e);
- throw authorizationServerCantBeUsedException(e);
- }
- }
- }
-
- private static class SpringBasedIdentityServiceFacadeFactory
- {
- private final Supplier httpClientProvider;
- private final Function clientRegistrationProvider;
- private final BiFunction jwtDecoderProvider;
-
- SpringBasedIdentityServiceFacadeFactory(
- Supplier httpClientProvider,
- Function clientRegistrationProvider,
- BiFunction jwtDecoderProvider)
- {
- this.httpClientProvider = requireNonNull(httpClientProvider);
- this.clientRegistrationProvider = requireNonNull(clientRegistrationProvider);
- this.jwtDecoderProvider = requireNonNull(jwtDecoderProvider);
- }
-
- private IdentityServiceFacade createIdentityServiceFacade()
- {
- //Here we preserve the behaviour of previously used Keycloak Adapter
- // * Client is authenticating itself using basic auth
- // * Resource Owner Password Credentials Flow is used to authenticate Resource Owner
-
- final ClientHttpRequestFactory httpRequestFactory = new CustomClientHttpRequestFactory(
- httpClientProvider.get());
- final RestTemplate restTemplate = new RestTemplate(httpRequestFactory);
- final ClientRegistration clientRegistration = clientRegistrationProvider.apply(restTemplate);
- final JwtDecoder jwtDecoder = jwtDecoderProvider.apply(restTemplate,
- clientRegistration.getProviderDetails());
-
- return new SpringBasedIdentityServiceFacade(createOAuth2RestTemplate(httpRequestFactory),
- clientRegistration, jwtDecoder);
- }
-
- private RestTemplate createOAuth2RestTemplate(ClientHttpRequestFactory requestFactory)
- {
- final RestTemplate restTemplate = new RestTemplate(
- Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
- restTemplate.setRequestFactory(requestFactory);
- restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
-
- return restTemplate;
- }
- }
-
- private static class HttpClientProvider
- {
- private final IdentityServiceConfig config;
-
- private HttpClientProvider(IdentityServiceConfig config)
- {
- this.config = requireNonNull(config);
- }
-
- private HttpClient createHttpClient()
- {
- try
- {
- HttpClientBuilder clientBuilder = HttpClients.custom();
- applyConfiguration(clientBuilder);
- return clientBuilder.build();
- }
- catch (Exception e)
- {
- throw new IllegalStateException("Failed to create ClientHttpRequestFactory. " + e.getMessage(), e);
- }
- }
-
- private void applyConfiguration(HttpClientBuilder builder) throws Exception
- {
- final PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder = PoolingHttpClientConnectionManagerBuilder.create();
-
- applyConnectionConfiguration(connectionManagerBuilder);
- applySSLConfiguration(connectionManagerBuilder);
-
- builder.setConnectionManager(connectionManagerBuilder.build());
- }
-
- private void applyConnectionConfiguration(PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder)
- {
- final ConnectionConfig connectionConfig = ConnectionConfig.custom()
- .setConnectTimeout(config.getClientConnectionTimeout(), TimeUnit.MILLISECONDS)
- .setSocketTimeout(config.getClientSocketTimeout(), TimeUnit.MILLISECONDS)
- .build();
-
- connectionManagerBuilder.setMaxConnTotal(config.getConnectionPoolSize());
- connectionManagerBuilder.setDefaultConnectionConfig(connectionConfig);
- }
-
- private void applySSLConfiguration(PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder)
- throws Exception
- {
- SSLContextBuilder sslContextBuilder = null;
- if (config.isDisableTrustManager())
- {
- sslContextBuilder = SSLContexts.custom()
- .loadTrustMaterial(TrustAllStrategy.INSTANCE);
-
- }
- else if (isDefined(config.getTruststore()))
- {
- final char[] truststorePassword = asCharArray(config.getTruststorePassword(), null);
- sslContextBuilder = SSLContexts.custom()
- .loadTrustMaterial(new File(config.getTruststore()), truststorePassword);
- }
-
- if (isDefined(config.getClientKeystore()))
- {
- if (sslContextBuilder == null)
- {
- sslContextBuilder = SSLContexts.custom();
- }
- final char[] keystorePassword = asCharArray(config.getClientKeystorePassword(), null);
- final char[] keyPassword = asCharArray(config.getClientKeyPassword(), keystorePassword);
- sslContextBuilder.loadKeyMaterial(new File(config.getClientKeystore()), keystorePassword, keyPassword);
- }
-
- final SSLConnectionSocketFactoryBuilder sslConnectionSocketFactoryBuilder = SSLConnectionSocketFactoryBuilder.create();
-
- if (sslContextBuilder != null)
- {
- sslConnectionSocketFactoryBuilder.setSslContext(sslContextBuilder.build());
- }
-
- if (config.isDisableTrustManager() || config.isAllowAnyHostname())
- {
- sslConnectionSocketFactoryBuilder.setHostnameVerifier(NoopHostnameVerifier.INSTANCE);
- }
- final SSLConnectionSocketFactory sslConnectionSocketFactory = sslConnectionSocketFactoryBuilder.build();
- connectionManagerBuilder.setSSLSocketFactory(sslConnectionSocketFactory);
- }
-
- private char[] asCharArray(String value, char... nullValue)
- {
- return ofNullable(value)
- .filter(not(String::isBlank))
- .map(String::toCharArray)
- .orElse(nullValue);
- }
- }
-
- static class ClientRegistrationProvider
- {
- private final IdentityServiceConfig config;
-
- private static final Set SCOPES = Set.of("openid", "profile", "email");
-
- ClientRegistrationProvider(IdentityServiceConfig config)
- {
- this.config = requireNonNull(config);
- }
-
- public ClientRegistration createClientRegistration(final RestOperations rest)
- {
- return possibleMetadataURIs()
- .stream()
- .map(u -> extractMetadata(rest, u))
- .filter(Optional::isPresent)
- .map(Optional::get)
- .findFirst()
- .map(this::validateDiscoveryDocument)
- .map(this::createBuilder)
- .map(this::configureClientAuthentication)
- .map(Builder::build)
- .orElseThrow(() -> new IllegalStateException("Failed to create ClientRegistration."));
- }
-
- private OIDCProviderMetadata validateDiscoveryDocument(OIDCProviderMetadata metadata)
- {
- validateOIDCEndpoint(metadata.getTokenEndpointURI(), "Token");
- validateOIDCEndpoint(metadata.getAuthorizationEndpointURI(), "Authorization");
- validateOIDCEndpoint(metadata.getUserInfoEndpointURI(), "User Info");
- validateOIDCEndpoint(metadata.getJWKSetURI(), "JWK Set");
-
- if (metadata.getIssuer() != null)
- {
- try
- {
- URI metadataIssuerURI = new URI(metadata.getIssuer().getValue());
- validateOIDCEndpoint(metadataIssuerURI, "Issuer");
- if (StringUtils.isNotBlank(config.getIssuerUrl()) &&
- !metadataIssuerURI.equals(URI.create(config.getIssuerUrl())))
- {
- throw new IdentityServiceException("Failed to create ClientRegistration. "
- + "The Issuer value from the OIDC Discovery Endpoint does not align with the provided Issuer. Expected `%s` but found `%s`"
- .formatted(config.getIssuerUrl(), metadata.getIssuer().getValue()));
- }
- }
- catch (URISyntaxException e)
- {
- throw new IdentityServiceException("The provided Issuer value could not be parsed as a URI reference.", e);
- }
- }
- else
- {
- throw new IdentityServiceException("The Issuer retrieved from the OIDC Discovery Endpoint cannot be null.");
- }
-
- return metadata;
- }
-
- private void validateOIDCEndpoint(URI value, String endpointName)
- {
- if (value == null || value.toASCIIString().isBlank())
- {
- throw new IdentityServiceException("The `%s` Endpoint retrieved from the OIDC Discovery Endpoint cannot be empty.".formatted(endpointName));
- }
- }
-
- private ClientRegistration.Builder createBuilder(OIDCProviderMetadata metadata)
- {
- final String authUri = Optional.of(metadata)
- .map(OIDCProviderMetadata::getAuthorizationEndpointURI)
- .map(URI::toASCIIString)
- .orElse(null);
-
- final String issuerUri = Optional.of(metadata)
- .map(OIDCProviderMetadata::getIssuer)
- .map(Issuer::getValue)
- .orElseGet(() -> (StringUtils.isNotBlank(config.getRealm()) && StringUtils.isBlank(config.getIssuerUrl())) ?
- config.getAuthServerUrl() :
- config.getIssuerUrl());
-
- return ClientRegistration
- .withRegistrationId("ids")
- .authorizationUri(authUri)
- .tokenUri(metadata.getTokenEndpointURI().toASCIIString())
- .jwkSetUri(metadata.getJWKSetURI().toASCIIString())
- .issuerUri(issuerUri)
- .userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString())
- .scope(getSupportedScopes(metadata.getScopes()))
- .providerConfigurationMetadata(createMetadata(metadata))
- .authorizationGrantType(AuthorizationGrantType.PASSWORD);
- }
-
- private Map createMetadata(OIDCProviderMetadata metadata)
- {
- Map configurationMetadata = new LinkedHashMap<>();
- if(metadata.getScopes() != null)
- {
- configurationMetadata.put(SCOPES_SUPPORTED.getValue(), metadata.getScopes());
- }
- if(StringUtils.isNotBlank(config.getAudience()))
- {
- configurationMetadata.put(AUDIENCE.getValue(), config.getAudience());
- }
- return configurationMetadata;
- }
-
- private Builder configureClientAuthentication(Builder builder)
- {
- builder.clientId(config.getResource());
- if (config.isPublicClient())
- {
- return builder.clientSecret(null)
- .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);
- }
- return builder.clientSecret(config.getClientSecret())
- .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
- }
-
- private Set getSupportedScopes(Scope scopes)
- {
- return scopes.stream().filter(scope -> SCOPES.contains(scope.getValue()))
- .map(Identifier::getValue)
- .collect(Collectors.toSet());
- }
-
- private Optional extractMetadata(RestOperations rest, URI metadataUri)
- {
- final String response;
- try
- {
- final ResponseEntity r = rest.exchange(RequestEntity.get(metadataUri).build(), String.class);
- if (r.getStatusCode() != HttpStatus.OK || !r.hasBody())
- {
- LOGGER.warn("Unexpected response from " + metadataUri + ". Status code: " + r.getStatusCode()
- + ", has body: " + r.hasBody() + ".");
- return Optional.empty();
- }
- response = r.getBody();
- }
- catch (Exception e)
- {
- LOGGER.warn("Failed to get response from " + metadataUri + ". " + e.getMessage(), e);
- return Optional.empty();
- }
- try
- {
- return Optional.of(OIDCProviderMetadata.parse(response));
- }
- catch (Exception e)
- {
- LOGGER.warn("Failed to parse metadata. " + e.getMessage(), e);
- return Optional.empty();
- }
- }
-
- private Collection possibleMetadataURIs()
- {
- if (StringUtils.isBlank(config.getAuthServerUrl()) && StringUtils.isBlank(config.getIssuerUrl()))
- {
- throw new IdentityServiceException(
- "Failed to create ClientRegistration. The values of issuer url and auth server url cannot both be empty.");
- }
-
- String baseUrl = StringUtils.isNotBlank(config.getAuthServerUrl()) ?
- config.getAuthServerUrl() :
- config.getIssuerUrl();
-
- return List.of(UriComponentsBuilder.fromUriString(baseUrl)
- .pathSegment(".well-known", "openid-configuration")
- .build().toUri());
- }
- }
-
- static class JwtDecoderProvider
- {
- private static final SignatureAlgorithm DEFAULT_SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
- private final IdentityServiceConfig config;
- private final Set signatureAlgorithms;
-
- JwtDecoderProvider(IdentityServiceConfig config)
- {
- this.config = requireNonNull(config);
- this.signatureAlgorithms = ofNullable(config.getSignatureAlgorithms())
- .filter(not(Set::isEmpty))
- .orElseGet(() -> {
- LOGGER.warn("Unable to find any valid signature algorithms in the configuration. "
- + "Using the default signature algorithm: " + DEFAULT_SIGNATURE_ALGORITHM.getName() + ".");
- return Set.of(DEFAULT_SIGNATURE_ALGORITHM);
- });
- }
-
- public JwtDecoder createJwtDecoder(RestOperations rest, ProviderDetails providerDetails)
- {
- try
- {
- final NimbusJwtDecoder decoder = buildJwtDecoder(rest, providerDetails);
-
- decoder.setJwtValidator(createJwtTokenValidator(providerDetails));
- decoder.setClaimSetConverter(
- new ClaimTypeConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
-
- return decoder;
- }
- catch (RuntimeException e)
- {
- LOGGER.warn("Failed to create JwtDecoder.", e);
- throw authorizationServerCantBeUsedException(e);
- }
- }
-
- private NimbusJwtDecoder buildJwtDecoder(RestOperations rest, ProviderDetails providerDetails)
- {
- if (isDefined(config.getRealmKey()))
- {
- final RSAPublicKey publicKey = parsePublicKey(config.getRealmKey());
- return NimbusJwtDecoder.withPublicKey(publicKey)
- .signatureAlgorithm(DEFAULT_SIGNATURE_ALGORITHM)
- .build();
- }
- final String jwkSetUri = requireValidJwkSetUri(providerDetails);
- final NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder decoderBuilder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri);
- signatureAlgorithms.forEach(decoderBuilder::jwsAlgorithm);
- return decoderBuilder
- .restOperations(rest)
- .jwtProcessorCustomizer(this::reconfigureJWKSCache)
- .build();
- }
-
- private void reconfigureJWKSCache(ConfigurableJWTProcessor jwtProcessor)
- {
- final Optional> jwkSource = ofNullable(jwtProcessor)
- .map(ConfigurableJWTProcessor::getJWSKeySelector)
- .filter(JWSVerificationKeySelector.class::isInstance)
- .map(o -> (JWSVerificationKeySelector) o)
- .map(JWSVerificationKeySelector::getJWKSource)
- .filter(RemoteJWKSet.class::isInstance).map(o -> (RemoteJWKSet) o);
- if (jwkSource.isEmpty())
- {
- LOGGER.warn("Not able to reconfigure the JWK Cache. Unexpected JWKSource.");
- return;
- }
-
- final Optional jwkSetUrl = jwkSource.map(RemoteJWKSet::getJWKSetURL);
- if (jwkSetUrl.isEmpty())
- {
- LOGGER.warn("Not able to reconfigure the JWK Cache. Unknown JWKSetURL.");
- return;
- }
-
- final Optional resourceRetriever = jwkSource.map(RemoteJWKSet::getResourceRetriever);
- if (resourceRetriever.isEmpty())
- {
- LOGGER.warn("Not able to reconfigure the JWK Cache. Unknown ResourceRetriever.");
- return;
- }
-
- final DefaultJWKSetCache cache = new DefaultJWKSetCache(config.getPublicKeyCacheTtl(), -1,
- TimeUnit.SECONDS);
- final JWKSource cachingJWKSource = new RemoteJWKSet<>(jwkSetUrl.get(),
- resourceRetriever.get(), cache);
-
- jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(
- signatureAlgorithms.stream()
- .map(signatureAlgorithm -> JWSAlgorithm.parse(signatureAlgorithm.getName()))
- .collect(Collectors.toSet()),
- cachingJWKSource));
- jwtProcessor.setJWSTypeVerifier(new CustomJOSEObjectTypeVerifier(JOSEObjectType.JWT, AT_JWT));
- }
-
- private OAuth2TokenValidator createJwtTokenValidator(ProviderDetails providerDetails)
- {
- List> validators = new ArrayList<>();
- validators.add(new JwtTimestampValidator(Duration.of(0, ChronoUnit.MILLIS)));
- validators.add(new JwtIssuerValidator(providerDetails.getIssuerUri()));
- if (!config.isClientIdValidationDisabled())
- {
- validators.add(new JwtClaimValidator("azp", config.getResource()::equals));
- }
- if (StringUtils.isNotBlank(config.getAudience()))
- {
- validators.add(new JwtAudienceValidator(config.getAudience()));
- }
- return new DelegatingOAuth2TokenValidator<>(validators);
- }
-
- private RSAPublicKey parsePublicKey(String pem)
- {
- try
- {
- return tryToParsePublicKey(pem);
- }
- catch (Exception e)
- {
- if (isPemFormatException(e))
- {
- //For backward compatibility with Keycloak adapter
- return tryToParsePublicKey("-----BEGIN PUBLIC KEY-----\n" + pem + "\n-----END PUBLIC KEY-----");
- }
- throw e;
- }
- }
-
- private RSAPublicKey tryToParsePublicKey(String pem)
- {
- final InputStream pemStream = new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8));
- return RsaKeyConverters.x509().convert(pemStream);
- }
-
- private boolean isPemFormatException(Exception e)
- {
- return e.getMessage() != null && e.getMessage().contains("-----BEGIN PUBLIC KEY-----");
- }
-
- private String requireValidJwkSetUri(ProviderDetails providerDetails)
- {
- final String uri = providerDetails.getJwkSetUri();
- if (!isDefined(uri))
- {
- OAuth2Error oauth2Error = new OAuth2Error("missing_signature_verifier",
- "Failed to find a Signature Verifier for: '"
- + providerDetails.getIssuerUri()
- + "'. Check to ensure you have configured the JwkSet URI.",
- null);
- throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
- }
- return uri;
- }
- }
-
- static class JwtIssuerValidator implements OAuth2TokenValidator
- {
- private final String requiredIssuer;
-
- public JwtIssuerValidator(String issuer)
- {
- this.requiredIssuer = requireNonNull(issuer, "issuer cannot be null");
- }
-
- @Override
- public OAuth2TokenValidatorResult validate(Jwt token)
- {
- requireNonNull(token, "token cannot be null");
- final Object issuer = token.getClaim(JwtClaimNames.ISS);
- if (issuer != null && requiredIssuer.equals(issuer.toString()))
- {
- return OAuth2TokenValidatorResult.success();
- }
-
- final OAuth2Error error = new OAuth2Error(
- OAuth2ErrorCodes.INVALID_TOKEN,
- "The iss claim is not valid. Expected `%s` but got `%s`.".formatted(requiredIssuer, issuer),
- "https://tools.ietf.org/html/rfc6750#section-3.1");
- return OAuth2TokenValidatorResult.failure(error);
- }
-
- }
-
- static class JwtAudienceValidator implements OAuth2TokenValidator
- {
- private final String configuredAudience;
-
- public JwtAudienceValidator(String configuredAudience)
- {
- this.configuredAudience = configuredAudience;
- }
-
- @Override
- public OAuth2TokenValidatorResult validate(Jwt token)
- {
- requireNonNull(token, "token cannot be null");
- final Object audience = token.getClaim(JwtClaimNames.AUD);
- if (audience != null)
- {
- if(audience instanceof List && ((List) audience).contains(configuredAudience))
- {
- return OAuth2TokenValidatorResult.success();
- }
- if(audience instanceof String && audience.equals(configuredAudience))
- {
- return OAuth2TokenValidatorResult.success();
- }
- }
-
- final OAuth2Error error = new OAuth2Error(
- OAuth2ErrorCodes.INVALID_TOKEN,
- "The aud claim is not valid. Expected configured audience `%s` not found.".formatted(configuredAudience),
- "https://tools.ietf.org/html/rfc6750#section-3.1");
- return OAuth2TokenValidatorResult.failure(error);
- }
- }
-
- static class CustomClientHttpRequestFactory extends HttpComponentsClientHttpRequestFactory
- {
- CustomClientHttpRequestFactory(HttpClient httpClient)
- {
- super(httpClient);
- }
-
- @Override
- public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException
- {
- /*
- * This is to avoid the Brotli content encoding that is not well-supported by the combination of
- * the Apache Http Client and the Spring RestTemplate
- */
- ClientHttpRequest request = super.createRequest(uri, httpMethod);
- request.getHeaders()
- .add("Accept-Encoding", "gzip, deflate");
- return request;
- }
- }
-
- static class CustomJOSEObjectTypeVerifier extends DefaultJOSEObjectTypeVerifier
- {
- public CustomJOSEObjectTypeVerifier(JOSEObjectType... allowedTypes)
- {
- super(Set.of(allowedTypes));
- }
-
- @Override
- public void verify(JOSEObjectType type, SecurityContext context) throws BadJOSEException
- {
- super.verify(type, context);
- }
- }
-
- private static boolean isDefined(String value)
- {
- return value != null && !value.isBlank();
- }
-}
\ No newline at end of file
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import static java.util.Objects.requireNonNull;
+import static java.util.Optional.ofNullable;
+import static java.util.function.Predicate.not;
+
+import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE;
+import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.SCOPES_SUPPORTED;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.interfaces.RSAPublicKey;
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
+
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.jwk.source.RemoteJWKSet;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
+import com.nimbusds.jose.proc.JWSVerificationKeySelector;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jose.util.ResourceRetriever;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.oauth2.sdk.Scope;
+import com.nimbusds.oauth2.sdk.id.Identifier;
+import com.nimbusds.oauth2.sdk.id.Issuer;
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.config.ConnectionConfig;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
+import org.apache.hc.client5.http.ssl.TrustAllStrategy;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.apache.hc.core5.ssl.SSLContexts;
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.ClientHttpRequest;
+import org.springframework.http.client.ClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.http.converter.FormHttpMessageConverter;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.converter.RsaKeyConverters;
+import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
+import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistration.Builder;
+import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
+import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtClaimNames;
+import org.springframework.security.oauth2.jwt.JwtClaimValidator;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.web.client.RestOperations;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
+/**
+ * Creates an instance of {@link IdentityServiceFacade}.
+ * This factory can return a null if it is disabled.
+ */
+public class IdentityServiceFacadeFactoryBean implements FactoryBean
+{
+ private static final Log LOGGER = LogFactory.getLog(IdentityServiceFacadeFactoryBean.class);
+
+ private static final JOSEObjectType AT_JWT = new JOSEObjectType("at+jwt");
+ private static final String DEFAULT_ISSUER_ATTR = "issuer";
+
+ private boolean enabled;
+ private SpringBasedIdentityServiceFacadeFactory factory;
+
+ public void setEnabled(boolean enabled)
+ {
+ this.enabled = enabled;
+ }
+
+ public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig)
+ {
+ factory = new SpringBasedIdentityServiceFacadeFactory(
+ new HttpClientProvider(identityServiceConfig)::createHttpClient,
+ new ClientRegistrationProvider(identityServiceConfig)::createClientRegistration,
+ new JwtDecoderProvider(identityServiceConfig)::createJwtDecoder);
+ }
+
+ @Override
+ public IdentityServiceFacade getObject() throws Exception
+ {
+ // The creation of the client can be disabled for testing or when the username/password authentication is not required,
+ // for instance when Identity Service is configured for 'bearer only' authentication or Direct Access Grants are disabled.
+ if (!enabled)
+ {
+ return null;
+ }
+
+ return new LazyInstantiatingIdentityServiceFacade(factory::createIdentityServiceFacade);
+ }
+
+ @Override
+ public Class getObjectType()
+ {
+ return IdentityServiceFacade.class;
+ }
+
+ @Override
+ public boolean isSingleton()
+ {
+ return true;
+ }
+
+ private static IdentityServiceFacadeException authorizationServerCantBeUsedException(RuntimeException cause)
+ {
+ return new IdentityServiceFacadeException("Unable to use the Authorization Server.", cause);
+ }
+
+ // The target facade is created lazily to improve resiliency on Identity Service
+ // (Keycloak/Authorization Server) failures when Spring Context is starting up.
+ static class LazyInstantiatingIdentityServiceFacade implements IdentityServiceFacade
+ {
+ private final AtomicReference targetFacade = new AtomicReference<>();
+ private final Supplier targetFacadeCreator;
+
+ LazyInstantiatingIdentityServiceFacade(Supplier targetFacadeCreator)
+ {
+ this.targetFacadeCreator = requireNonNull(targetFacadeCreator);
+ }
+
+ @Override
+ public AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException
+ {
+ return getTargetFacade().authorize(grant);
+ }
+
+ @Override
+ public DecodedAccessToken decodeToken(String token) throws TokenDecodingException
+ {
+ return getTargetFacade().decodeToken(token);
+ }
+
+ @Override
+ public Optional getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping)
+ {
+ return getTargetFacade().getUserInfo(token, userInfoAttrMapping);
+ }
+
+ @Override
+ public ClientRegistration getClientRegistration()
+ {
+ return getTargetFacade().getClientRegistration();
+ }
+
+ private IdentityServiceFacade getTargetFacade()
+ {
+ return ofNullable(targetFacade.get())
+ .orElseGet(() -> targetFacade.updateAndGet(prev -> ofNullable(prev).orElseGet(this::createTargetFacade)));
+ }
+
+ private IdentityServiceFacade createTargetFacade()
+ {
+ try
+ {
+ return targetFacadeCreator.get();
+ }
+ catch (IdentityServiceFacadeException e)
+ {
+ throw e;
+ }
+ catch (RuntimeException e)
+ {
+ LOGGER.warn("Failed to instantiate IdentityServiceFacade.", e);
+ throw authorizationServerCantBeUsedException(e);
+ }
+ }
+ }
+
+ private static class SpringBasedIdentityServiceFacadeFactory
+ {
+ private final Supplier httpClientProvider;
+ private final Function clientRegistrationProvider;
+ private final BiFunction jwtDecoderProvider;
+
+ SpringBasedIdentityServiceFacadeFactory(
+ Supplier httpClientProvider,
+ Function clientRegistrationProvider,
+ BiFunction jwtDecoderProvider)
+ {
+ this.httpClientProvider = requireNonNull(httpClientProvider);
+ this.clientRegistrationProvider = requireNonNull(clientRegistrationProvider);
+ this.jwtDecoderProvider = requireNonNull(jwtDecoderProvider);
+ }
+
+ private IdentityServiceFacade createIdentityServiceFacade()
+ {
+ // Here we preserve the behaviour of previously used Keycloak Adapter
+ // * Client is authenticating itself using basic auth
+ // * Resource Owner Password Credentials Flow is used to authenticate Resource Owner
+
+ final ClientHttpRequestFactory httpRequestFactory = new CustomClientHttpRequestFactory(
+ httpClientProvider.get());
+ final RestTemplate restTemplate = new RestTemplate(httpRequestFactory);
+ final ClientRegistration clientRegistration = clientRegistrationProvider.apply(restTemplate);
+ final JwtDecoder jwtDecoder = jwtDecoderProvider.apply(restTemplate,
+ clientRegistration.getProviderDetails());
+
+ return new SpringBasedIdentityServiceFacade(createOAuth2RestTemplate(httpRequestFactory),
+ clientRegistration, jwtDecoder);
+ }
+
+ private RestTemplate createOAuth2RestTemplate(ClientHttpRequestFactory requestFactory)
+ {
+ final RestTemplate restTemplate = new RestTemplate(
+ Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
+ restTemplate.setRequestFactory(requestFactory);
+ restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
+
+ return restTemplate;
+ }
+ }
+
+ private static class HttpClientProvider
+ {
+ private final IdentityServiceConfig config;
+
+ private HttpClientProvider(IdentityServiceConfig config)
+ {
+ this.config = requireNonNull(config);
+ }
+
+ private HttpClient createHttpClient()
+ {
+ try
+ {
+ HttpClientBuilder clientBuilder = HttpClients.custom();
+ applyConfiguration(clientBuilder);
+ return clientBuilder.build();
+ }
+ catch (Exception e)
+ {
+ throw new IllegalStateException("Failed to create ClientHttpRequestFactory. " + e.getMessage(), e);
+ }
+ }
+
+ private void applyConfiguration(HttpClientBuilder builder) throws Exception
+ {
+ final PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder = PoolingHttpClientConnectionManagerBuilder.create();
+
+ applyConnectionConfiguration(connectionManagerBuilder);
+ applySSLConfiguration(connectionManagerBuilder);
+
+ builder.setConnectionManager(connectionManagerBuilder.build());
+ }
+
+ private void applyConnectionConfiguration(PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder)
+ {
+ final ConnectionConfig connectionConfig = ConnectionConfig.custom()
+ .setConnectTimeout(config.getClientConnectionTimeout(), TimeUnit.MILLISECONDS)
+ .setSocketTimeout(config.getClientSocketTimeout(), TimeUnit.MILLISECONDS)
+ .build();
+
+ connectionManagerBuilder.setMaxConnTotal(config.getConnectionPoolSize());
+ connectionManagerBuilder.setDefaultConnectionConfig(connectionConfig);
+ }
+
+ private void applySSLConfiguration(PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder)
+ throws Exception
+ {
+ SSLContextBuilder sslContextBuilder = null;
+ if (config.isDisableTrustManager())
+ {
+ sslContextBuilder = SSLContexts.custom()
+ .loadTrustMaterial(TrustAllStrategy.INSTANCE);
+
+ }
+ else if (isDefined(config.getTruststore()))
+ {
+ final char[] truststorePassword = asCharArray(config.getTruststorePassword(), null);
+ sslContextBuilder = SSLContexts.custom()
+ .loadTrustMaterial(new File(config.getTruststore()), truststorePassword);
+ }
+
+ if (isDefined(config.getClientKeystore()))
+ {
+ if (sslContextBuilder == null)
+ {
+ sslContextBuilder = SSLContexts.custom();
+ }
+ final char[] keystorePassword = asCharArray(config.getClientKeystorePassword(), null);
+ final char[] keyPassword = asCharArray(config.getClientKeyPassword(), keystorePassword);
+ sslContextBuilder.loadKeyMaterial(new File(config.getClientKeystore()), keystorePassword, keyPassword);
+ }
+
+ final SSLConnectionSocketFactoryBuilder sslConnectionSocketFactoryBuilder = SSLConnectionSocketFactoryBuilder.create();
+
+ if (sslContextBuilder != null)
+ {
+ sslConnectionSocketFactoryBuilder.setSslContext(sslContextBuilder.build());
+ }
+
+ if (config.isDisableTrustManager() || config.isAllowAnyHostname())
+ {
+ sslConnectionSocketFactoryBuilder.setHostnameVerifier(NoopHostnameVerifier.INSTANCE);
+ }
+ final SSLConnectionSocketFactory sslConnectionSocketFactory = sslConnectionSocketFactoryBuilder.build();
+ connectionManagerBuilder.setSSLSocketFactory(sslConnectionSocketFactory);
+ }
+
+ private char[] asCharArray(String value, char... nullValue)
+ {
+ return ofNullable(value)
+ .filter(not(String::isBlank))
+ .map(String::toCharArray)
+ .orElse(nullValue);
+ }
+ }
+
+ static class ClientRegistrationProvider
+ {
+ private final IdentityServiceConfig config;
+
+ ClientRegistrationProvider(IdentityServiceConfig config)
+ {
+ this.config = requireNonNull(config);
+ }
+
+ public ClientRegistration createClientRegistration(final RestOperations rest)
+ {
+ return possibleMetadataURIs()
+ .stream()
+ .map(u -> extractMetadata(rest, u))
+ .filter(Optional::isPresent)
+ .map(Optional::get)
+ .findFirst()
+ .map(this::validateDiscoveryDocument)
+ .map(this::createBuilder)
+ .map(this::configureClientAuthentication)
+ .map(Builder::build)
+ .orElseThrow(() -> new IllegalStateException("Failed to create ClientRegistration."));
+ }
+
+ private OIDCProviderMetadata validateDiscoveryDocument(OIDCProviderMetadata metadata)
+ {
+ validateOIDCEndpoint(metadata.getTokenEndpointURI(), "Token");
+ validateOIDCEndpoint(metadata.getAuthorizationEndpointURI(), "Authorization");
+ validateOIDCEndpoint(metadata.getUserInfoEndpointURI(), "User Info");
+ validateOIDCEndpoint(metadata.getJWKSetURI(), "JWK Set");
+
+ if (metadata.getIssuer() != null)
+ {
+ try
+ {
+ URI metadataIssuerURI = new URI(metadata.getIssuer().getValue());
+ validateOIDCEndpoint(metadataIssuerURI, "Issuer");
+ if (StringUtils.isNotBlank(config.getIssuerUrl()) &&
+ !metadataIssuerURI.equals(URI.create(config.getIssuerUrl())))
+ {
+ throw new IdentityServiceException("Failed to create ClientRegistration. "
+ + "The Issuer value from the OIDC Discovery Endpoint does not align with the provided Issuer. Expected `%s` but found `%s`"
+ .formatted(config.getIssuerUrl(), metadata.getIssuer().getValue()));
+ }
+ }
+ catch (URISyntaxException e)
+ {
+ throw new IdentityServiceException("The provided Issuer value could not be parsed as a URI reference.", e);
+ }
+ }
+ else
+ {
+ throw new IdentityServiceException("The Issuer retrieved from the OIDC Discovery Endpoint cannot be null.");
+ }
+
+ return metadata;
+ }
+
+ private void validateOIDCEndpoint(URI value, String endpointName)
+ {
+ if (value == null || value.toASCIIString().isBlank())
+ {
+ throw new IdentityServiceException("The `%s` Endpoint retrieved from the OIDC Discovery Endpoint cannot be empty.".formatted(endpointName));
+ }
+ }
+
+ private ClientRegistration.Builder createBuilder(OIDCProviderMetadata metadata)
+ {
+ final String authUri = Optional.of(metadata)
+ .map(OIDCProviderMetadata::getAuthorizationEndpointURI)
+ .map(URI::toASCIIString)
+ .orElse(null);
+
+ var metadataIssuer = getMetadataIssuer(metadata, config);
+ final String issuerUri = metadataIssuer
+ .orElseGet(() -> (StringUtils.isNotBlank(config.getRealm()) && StringUtils.isBlank(config.getIssuerUrl())) ? config.getAuthServerUrl() : config.getIssuerUrl());
+
+ final var usernameAttribute = StringUtils.isNotBlank(config.getPrincipalAttribute()) ? config.getPrincipalAttribute() : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
+
+ return ClientRegistration
+ .withRegistrationId("ids")
+ .authorizationUri(authUri)
+ .tokenUri(metadata.getTokenEndpointURI().toASCIIString())
+ .jwkSetUri(metadata.getJWKSetURI().toASCIIString())
+ .issuerUri(issuerUri)
+ .userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString())
+ .userNameAttributeName(usernameAttribute)
+ .scope(getSupportedScopes(metadata.getScopes()))
+ .providerConfigurationMetadata(createMetadata(metadata))
+ .authorizationGrantType(AuthorizationGrantType.PASSWORD);
+ }
+
+ private Map createMetadata(OIDCProviderMetadata metadata)
+ {
+ Map configurationMetadata = new LinkedHashMap<>();
+ if (metadata.getScopes() != null)
+ {
+ configurationMetadata.put(SCOPES_SUPPORTED.getValue(), metadata.getScopes());
+ }
+ if (StringUtils.isNotBlank(config.getAudience()))
+ {
+ configurationMetadata.put(AUDIENCE.getValue(), config.getAudience());
+ }
+ return configurationMetadata;
+ }
+
+ private Builder configureClientAuthentication(Builder builder)
+ {
+ builder.clientId(config.getResource());
+ if (config.isPublicClient())
+ {
+ return builder.clientSecret(null)
+ .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);
+ }
+ return builder.clientSecret(config.getClientSecret())
+ .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
+ }
+
+ private Set getSupportedScopes(Scope scopes)
+ {
+ return scopes.stream()
+ .filter(this::hasPasswordGrantScope)
+ .map(Identifier::getValue)
+ .collect(Collectors.toSet());
+ }
+
+ private boolean hasPasswordGrantScope(Scope.Value scope)
+ {
+ return config.getPasswordGrantScopes().contains(scope.getValue());
+ }
+
+ private Optional extractMetadata(RestOperations rest, URI metadataUri)
+ {
+ final String response;
+ try
+ {
+ final ResponseEntity r = rest.exchange(RequestEntity.get(metadataUri).build(), String.class);
+ if (r.getStatusCode() != HttpStatus.OK || !r.hasBody())
+ {
+ LOGGER.warn("Unexpected response from " + metadataUri + ". Status code: " + r.getStatusCode()
+ + ", has body: " + r.hasBody() + ".");
+ return Optional.empty();
+ }
+ response = r.getBody();
+ }
+ catch (Exception e)
+ {
+ LOGGER.warn("Failed to get response from " + metadataUri + ". " + e.getMessage(), e);
+ return Optional.empty();
+ }
+ try
+ {
+ return Optional.of(OIDCProviderMetadata.parse(response));
+ }
+ catch (Exception e)
+ {
+ LOGGER.warn("Failed to parse metadata. " + e.getMessage(), e);
+ return Optional.empty();
+ }
+ }
+
+ private Collection possibleMetadataURIs()
+ {
+ if (StringUtils.isBlank(config.getAuthServerUrl()) && StringUtils.isBlank(config.getIssuerUrl()))
+ {
+ throw new IdentityServiceException(
+ "Failed to create ClientRegistration. The values of issuer url and auth server url cannot both be empty.");
+ }
+
+ String baseUrl = StringUtils.isNotBlank(config.getAuthServerUrl()) ? config.getAuthServerUrl() : config.getIssuerUrl();
+
+ return List.of(UriComponentsBuilder.fromUriString(baseUrl)
+ .pathSegment(".well-known", "openid-configuration")
+ .build().toUri());
+ }
+ }
+
+ private static Optional getMetadataIssuer(OIDCProviderMetadata metadata, IdentityServiceConfig config)
+ {
+ return DEFAULT_ISSUER_ATTR.equals(config.getIssuerAttribute()) ? Optional.of(metadata)
+ .map(OIDCProviderMetadata::getIssuer)
+ .map(Issuer::getValue)
+ : Optional.of(metadata)
+ .map(OIDCProviderMetadata::getCustomParameters)
+ .map(map -> map.get(config.getIssuerAttribute()))
+ .filter(String.class::isInstance)
+ .map(String.class::cast);
+ }
+
+ static class JwtDecoderProvider
+ {
+ private static final SignatureAlgorithm DEFAULT_SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
+ private final IdentityServiceConfig config;
+ private final Set signatureAlgorithms;
+
+ JwtDecoderProvider(IdentityServiceConfig config)
+ {
+ this.config = requireNonNull(config);
+ this.signatureAlgorithms = ofNullable(config.getSignatureAlgorithms())
+ .filter(not(Set::isEmpty))
+ .orElseGet(() -> {
+ LOGGER.warn("Unable to find any valid signature algorithms in the configuration. "
+ + "Using the default signature algorithm: " + DEFAULT_SIGNATURE_ALGORITHM.getName() + ".");
+ return Set.of(DEFAULT_SIGNATURE_ALGORITHM);
+ });
+ }
+
+ public JwtDecoder createJwtDecoder(RestOperations rest, ProviderDetails providerDetails)
+ {
+ try
+ {
+ final NimbusJwtDecoder decoder = buildJwtDecoder(rest, providerDetails);
+
+ decoder.setJwtValidator(createJwtTokenValidator(providerDetails));
+ decoder.setClaimSetConverter(
+ new ClaimTypeConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
+
+ return decoder;
+ }
+ catch (RuntimeException e)
+ {
+ LOGGER.warn("Failed to create JwtDecoder.", e);
+ throw authorizationServerCantBeUsedException(e);
+ }
+ }
+
+ private NimbusJwtDecoder buildJwtDecoder(RestOperations rest, ProviderDetails providerDetails)
+ {
+ if (isDefined(config.getRealmKey()))
+ {
+ final RSAPublicKey publicKey = parsePublicKey(config.getRealmKey());
+ return NimbusJwtDecoder.withPublicKey(publicKey)
+ .signatureAlgorithm(DEFAULT_SIGNATURE_ALGORITHM)
+ .build();
+ }
+ final String jwkSetUri = requireValidJwkSetUri(providerDetails);
+ final NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder decoderBuilder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri);
+ signatureAlgorithms.forEach(decoderBuilder::jwsAlgorithm);
+ return decoderBuilder
+ .restOperations(rest)
+ .jwtProcessorCustomizer(this::reconfigureJWKSCache)
+ .build();
+ }
+
+ private void reconfigureJWKSCache(ConfigurableJWTProcessor jwtProcessor)
+ {
+ final Optional> jwkSource = ofNullable(jwtProcessor)
+ .map(ConfigurableJWTProcessor::getJWSKeySelector)
+ .filter(JWSVerificationKeySelector.class::isInstance)
+ .map(o -> (JWSVerificationKeySelector) o)
+ .map(JWSVerificationKeySelector::getJWKSource)
+ .filter(RemoteJWKSet.class::isInstance).map(o -> (RemoteJWKSet) o);
+ if (jwkSource.isEmpty())
+ {
+ LOGGER.warn("Not able to reconfigure the JWK Cache. Unexpected JWKSource.");
+ return;
+ }
+
+ final Optional jwkSetUrl = jwkSource.map(RemoteJWKSet::getJWKSetURL);
+ if (jwkSetUrl.isEmpty())
+ {
+ LOGGER.warn("Not able to reconfigure the JWK Cache. Unknown JWKSetURL.");
+ return;
+ }
+
+ final Optional resourceRetriever = jwkSource.map(RemoteJWKSet::getResourceRetriever);
+ if (resourceRetriever.isEmpty())
+ {
+ LOGGER.warn("Not able to reconfigure the JWK Cache. Unknown ResourceRetriever.");
+ return;
+ }
+
+ final DefaultJWKSetCache cache = new DefaultJWKSetCache(config.getPublicKeyCacheTtl(), -1,
+ TimeUnit.SECONDS);
+ final JWKSource cachingJWKSource = new RemoteJWKSet<>(jwkSetUrl.get(),
+ resourceRetriever.get(), cache);
+
+ jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(
+ signatureAlgorithms.stream()
+ .map(signatureAlgorithm -> JWSAlgorithm.parse(signatureAlgorithm.getName()))
+ .collect(Collectors.toSet()),
+ cachingJWKSource));
+ jwtProcessor.setJWSTypeVerifier(new CustomJOSEObjectTypeVerifier(JOSEObjectType.JWT, AT_JWT));
+ }
+
+ private OAuth2TokenValidator createJwtTokenValidator(ProviderDetails providerDetails)
+ {
+ List> validators = new ArrayList<>();
+ validators.add(new JwtTimestampValidator(Duration.of(config.getJwtClockSkewMs(), ChronoUnit.MILLIS)));
+ validators.add(new JwtIssuerValidator(providerDetails.getIssuerUri()));
+ if (!config.isClientIdValidationDisabled())
+ {
+ validators.add(new JwtClaimValidator("azp", config.getResource()::equals));
+ }
+ if (StringUtils.isNotBlank(config.getAudience()))
+ {
+ validators.add(new JwtAudienceValidator(config.getAudience()));
+ }
+ return new DelegatingOAuth2TokenValidator<>(validators);
+ }
+
+ private RSAPublicKey parsePublicKey(String pem)
+ {
+ try
+ {
+ return tryToParsePublicKey(pem);
+ }
+ catch (Exception e)
+ {
+ if (isPemFormatException(e))
+ {
+ // For backward compatibility with Keycloak adapter
+ return tryToParsePublicKey("-----BEGIN PUBLIC KEY-----\n" + pem + "\n-----END PUBLIC KEY-----");
+ }
+ throw e;
+ }
+ }
+
+ private RSAPublicKey tryToParsePublicKey(String pem)
+ {
+ final InputStream pemStream = new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8));
+ return RsaKeyConverters.x509().convert(pemStream);
+ }
+
+ private boolean isPemFormatException(Exception e)
+ {
+ return e.getMessage() != null && e.getMessage().contains("-----BEGIN PUBLIC KEY-----");
+ }
+
+ private String requireValidJwkSetUri(ProviderDetails providerDetails)
+ {
+ final String uri = providerDetails.getJwkSetUri();
+ if (!isDefined(uri))
+ {
+ OAuth2Error oauth2Error = new OAuth2Error("missing_signature_verifier",
+ "Failed to find a Signature Verifier for: '"
+ + providerDetails.getIssuerUri()
+ + "'. Check to ensure you have configured the JwkSet URI.",
+ null);
+ throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+ }
+ return uri;
+ }
+ }
+
+ static class JwtIssuerValidator implements OAuth2TokenValidator
+ {
+ private final String requiredIssuer;
+
+ public JwtIssuerValidator(String issuer)
+ {
+ this.requiredIssuer = requireNonNull(issuer, "issuer cannot be null");
+ }
+
+ @Override
+ public OAuth2TokenValidatorResult validate(Jwt token)
+ {
+ requireNonNull(token, "token cannot be null");
+ final Object issuer = token.getClaim(JwtClaimNames.ISS);
+ if (issuer != null && requiredIssuer.equals(issuer.toString()))
+ {
+ return OAuth2TokenValidatorResult.success();
+ }
+
+ final OAuth2Error error = new OAuth2Error(
+ OAuth2ErrorCodes.INVALID_TOKEN,
+ "The iss claim is not valid. Expected `%s` but got `%s`.".formatted(requiredIssuer, issuer),
+ "https://tools.ietf.org/html/rfc6750#section-3.1");
+ return OAuth2TokenValidatorResult.failure(error);
+ }
+
+ }
+
+ static class JwtAudienceValidator implements OAuth2TokenValidator
+ {
+ private final String configuredAudience;
+
+ public JwtAudienceValidator(String configuredAudience)
+ {
+ this.configuredAudience = configuredAudience;
+ }
+
+ @Override
+ public OAuth2TokenValidatorResult validate(Jwt token)
+ {
+ requireNonNull(token, "token cannot be null");
+ final Object audience = token.getClaim(JwtClaimNames.AUD);
+ if (audience != null)
+ {
+ if (audience instanceof List && ((List) audience).contains(configuredAudience))
+ {
+ return OAuth2TokenValidatorResult.success();
+ }
+ if (audience instanceof String && audience.equals(configuredAudience))
+ {
+ return OAuth2TokenValidatorResult.success();
+ }
+ }
+
+ final OAuth2Error error = new OAuth2Error(
+ OAuth2ErrorCodes.INVALID_TOKEN,
+ "The aud claim is not valid. Expected configured audience `%s` not found.".formatted(configuredAudience),
+ "https://tools.ietf.org/html/rfc6750#section-3.1");
+ return OAuth2TokenValidatorResult.failure(error);
+ }
+ }
+
+ static class CustomClientHttpRequestFactory extends HttpComponentsClientHttpRequestFactory
+ {
+ CustomClientHttpRequestFactory(HttpClient httpClient)
+ {
+ super(httpClient);
+ }
+
+ @Override
+ public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException
+ {
+ /* This is to avoid the Brotli content encoding that is not well-supported by the combination of the Apache Http Client and the Spring RestTemplate */
+ ClientHttpRequest request = super.createRequest(uri, httpMethod);
+ request.getHeaders()
+ .add("Accept-Encoding", "gzip, deflate");
+ return request;
+ }
+ }
+
+ static class CustomJOSEObjectTypeVerifier extends DefaultJOSEObjectTypeVerifier
+ {
+ public CustomJOSEObjectTypeVerifier(JOSEObjectType... allowedTypes)
+ {
+ super(Set.of(allowedTypes));
+ }
+
+ @Override
+ public void verify(JOSEObjectType type, SecurityContext context) throws BadJOSEException
+ {
+ super.verify(type, context);
+ }
+ }
+
+ private static boolean isDefined(String value)
+ {
+ return value != null && !value.isBlank();
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java
index 8c77c73054..599bc06292 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java
@@ -30,59 +30,38 @@ import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
-import java.util.function.BiFunction;
import java.util.function.Predicate;
-import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
-import com.nimbusds.openid.connect.sdk.claims.UserInfo;
+import org.apache.commons.lang3.StringUtils;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken;
+import org.alfresco.repo.security.authentication.identityservice.user.AccessTokenToDecodedTokenUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+import org.alfresco.repo.security.authentication.identityservice.user.TokenUserToOIDCUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService;
-import org.apache.commons.lang3.StringUtils;
/**
- * This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo}
- * from {@link IdentityServiceFacade.DecodedAccessToken} or {@link UserInfo}
- * and creates a new user if it does not exist in the repository.
+ * This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository.
*/
public class IdentityServiceJITProvisioningHandler
{
- private final IdentityServiceConfig identityServiceConfig;
private final IdentityServiceFacade identityServiceFacade;
private final PersonService personService;
private final TransactionService transactionService;
-
- private final BiFunction> mapTokenToUserInfoResponse = (token, usernameMappingClaim) -> {
- Optional firstName = Optional.ofNullable(token)
- .map(jwtToken -> jwtToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME))
- .filter(String.class::isInstance)
- .map(String.class::cast);
- Optional lastName = Optional.ofNullable(token)
- .map(jwtToken -> jwtToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME))
- .filter(String.class::isInstance)
- .map(String.class::cast);
- Optional email = Optional.ofNullable(token)
- .map(jwtToken -> jwtToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME))
- .filter(String.class::isInstance)
- .map(String.class::cast);
-
- return Optional.ofNullable(token.getClaim(Optional.ofNullable(usernameMappingClaim)
- .filter(StringUtils::isNotBlank)
- .orElse(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)))
- .filter(String.class::isInstance)
- .map(String.class::cast)
- .map(this::normalizeUserId)
- .map(username -> new OIDCUserInfo(username, firstName.orElse(""), lastName.orElse(""), email.orElse("")));
- };
+ private final IdentityServiceConfig identityServiceConfig;
+ private UserInfoAttrMapping userInfoAttrMapping;
+ private TokenUserToOIDCUserMapper tokenUserToOIDCUserMapper;
+ private AccessTokenToDecodedTokenUserMapper tokenToDecodedTokenUserMapper;
public IdentityServiceJITProvisioningHandler(IdentityServiceFacade identityServiceFacade,
- PersonService personService,
- TransactionService transactionService,
- IdentityServiceConfig identityServiceConfig)
+ PersonService personService,
+ TransactionService transactionService,
+ IdentityServiceConfig identityServiceConfig)
{
this.identityServiceFacade = identityServiceFacade;
this.personService = personService;
@@ -90,94 +69,95 @@ public class IdentityServiceJITProvisioningHandler
this.identityServiceConfig = identityServiceConfig;
}
+ /**
+ * Extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository. Call to the UserInfo endpoint is made only if the token does not contain a username claim or if user needs to be created and some of the {@link OIDCUserInfo} fields are empty.
+ */
public Optional extractUserInfoAndCreateUserIfNeeded(String bearerToken)
{
- Optional userInfoResponse = Optional.ofNullable(bearerToken)
- .filter(Predicate.not(String::isEmpty))
- .flatMap(token -> extractUserInfoResponseFromAccessToken(token)
- .filter(userInfo -> StringUtils.isNotEmpty(userInfo.username()))
- .or(() -> extractUserInfoResponseFromEndpoint(token)));
-
- if (transactionService.isReadOnly() || userInfoResponse.isEmpty())
+ if (userInfoAttrMapping == null)
{
- return userInfoResponse;
+ initMappers(identityServiceConfig);
}
- return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork>()
+
+ Optional oidcUserInfo = Optional.ofNullable(bearerToken)
+ .filter(Predicate.not(String::isEmpty))
+ .flatMap(token -> extractUserInfoResponseFromAccessToken(token).filter(decodedTokenUser -> StringUtils.isNotEmpty(decodedTokenUser.username()))
+ .or(() -> extractUserInfoResponseFromEndpoint(token, userInfoAttrMapping)))
+ .map(tokenUserToOIDCUserMapper::toOIDCUser);
+
+ if (transactionService.isReadOnly() || oidcUserInfo.isEmpty())
{
+ return oidcUserInfo;
+ }
+ return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<>() {
@Override
public Optional doWork() throws Exception
{
- return userInfoResponse.map(userInfo -> {
- if (userInfo.username() != null && personService.createMissingPeople()
- && !personService.personExists(userInfo.username()))
+ return oidcUserInfo.map(oidcUser -> {
+ if (userDoesNotExistsAndCanBeCreated(oidcUser))
{
- if (!userInfo.allFieldsNotEmpty())
+ if (!oidcUser.allFieldsNotEmpty())
{
- userInfo = extractUserInfoResponseFromEndpoint(bearerToken).orElse(userInfo);
+ oidcUser = extractUserInfoResponseFromEndpoint(bearerToken, userInfoAttrMapping)
+ .map(tokenUserToOIDCUserMapper::toOIDCUser)
+ .orElse(oidcUser);
}
- Map properties = new HashMap<>();
- properties.put(ContentModel.PROP_USERNAME, userInfo.username());
- properties.put(ContentModel.PROP_FIRSTNAME, userInfo.firstName());
- properties.put(ContentModel.PROP_LASTNAME, userInfo.lastName());
- properties.put(ContentModel.PROP_EMAIL, userInfo.email());
- properties.put(ContentModel.PROP_ORGID, "");
- properties.put(ContentModel.PROP_HOME_FOLDER_PROVIDER, null);
-
- properties.put(ContentModel.PROP_SIZE_CURRENT, 0L);
- properties.put(ContentModel.PROP_SIZE_QUOTA, -1L); // no quota
-
- personService.createPerson(properties);
+ createPerson(oidcUser);
}
- return userInfo;
+ return oidcUser;
});
}
+
}, AuthenticationUtil.getSystemUserName());
}
- private Optional extractUserInfoResponseFromAccessToken(String bearerToken)
+ private void initMappers(IdentityServiceConfig identityServiceConfig)
+ {
+ this.userInfoAttrMapping = initUserInfoAttrMapping(identityServiceConfig);
+ this.tokenUserToOIDCUserMapper = new TokenUserToOIDCUserMapper(personService);
+ this.tokenToDecodedTokenUserMapper = new AccessTokenToDecodedTokenUserMapper(userInfoAttrMapping);
+ }
+
+ private boolean userDoesNotExistsAndCanBeCreated(OIDCUserInfo userInfo)
+ {
+ return userInfo.username() != null && personService.createMissingPeople()
+ && !personService.personExists(userInfo.username());
+ }
+
+ private Optional extractUserInfoResponseFromAccessToken(String bearerToken)
{
return Optional.ofNullable(bearerToken)
- .map(identityServiceFacade::decodeToken)
- .flatMap(decodedToken -> mapTokenToUserInfoResponse.apply(decodedToken,
- identityServiceConfig.getPrincipalAttribute()));
+ .map(identityServiceFacade::decodeToken)
+ .flatMap(tokenToDecodedTokenUserMapper::toDecodedTokenUser);
}
- private Optional extractUserInfoResponseFromEndpoint(String bearerToken)
+ private Optional extractUserInfoResponseFromEndpoint(String bearerToken, UserInfoAttrMapping userInfoAttrMapping)
{
- return identityServiceFacade.getUserInfo(bearerToken,
- StringUtils.isNotBlank(identityServiceConfig.getPrincipalAttribute()) ?
- identityServiceConfig.getPrincipalAttribute() : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)
- .filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty())
- .map(userInfo -> new OIDCUserInfo(normalizeUserId(userInfo.username()),
- Optional.ofNullable(userInfo.firstName()).orElse(""),
- Optional.ofNullable(userInfo.lastName()).orElse(""),
- Optional.ofNullable(userInfo.email()).orElse("")));
+ return identityServiceFacade.getUserInfo(bearerToken, userInfoAttrMapping)
+ .filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty());
}
- /**
- * Normalizes a user id, taking into account existing user accounts and case sensitivity settings.
- *
- * @param userId the user id
- * @return the string
- */
- private String normalizeUserId(final String userId)
+ private void createPerson(OIDCUserInfo userInfo)
{
- if (userId == null)
- {
- return null;
- }
+ Map properties = new HashMap<>();
+ properties.put(ContentModel.PROP_USERNAME, userInfo.username());
+ properties.put(ContentModel.PROP_FIRSTNAME, userInfo.firstName());
+ properties.put(ContentModel.PROP_LASTNAME, userInfo.lastName());
+ properties.put(ContentModel.PROP_EMAIL, userInfo.email());
+ properties.put(ContentModel.PROP_ORGID, "");
+ properties.put(ContentModel.PROP_HOME_FOLDER_PROVIDER, null);
+ properties.put(ContentModel.PROP_SIZE_CURRENT, 0L);
+ properties.put(ContentModel.PROP_SIZE_QUOTA, -1L); // no quota
- String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork()
- {
- @Override
- public String doWork() throws Exception
- {
- return personService.getUserIdentifier(userId);
- }
- }, AuthenticationUtil.getSystemUserName());
-
- return normalized == null ? userId : normalized;
+ personService.createPerson(properties);
}
-}
\ No newline at end of file
+ private UserInfoAttrMapping initUserInfoAttrMapping(IdentityServiceConfig identityServiceConfig)
+ {
+ return new UserInfoAttrMapping(identityServiceFacade.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName(),
+ identityServiceConfig.getFirstNameAttribute(),
+ identityServiceConfig.getLastNameAttribute(),
+ identityServiceConfig.getEmailAttribute());
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java
index 2c91ef75ac..5302116dc7 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java
@@ -1,181 +1,181 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.identityservice;
-
-import jakarta.servlet.http.HttpServletRequest;
-
-import java.util.Optional;
-
-import org.alfresco.repo.management.subsystems.ActivateableBean;
-import org.alfresco.repo.security.authentication.AuthenticationException;
-import org.alfresco.repo.security.authentication.AuthenticationUtil;
-import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
-
-/**
- * A {@link RemoteUserMapper} implementation that detects and validates JWTs
- * issued by the Alfresco Identity Service.
- *
- * @author Gavin Cornwell
- */
-public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean
-{
- private static final Log LOGGER = LogFactory.getLog(IdentityServiceRemoteUserMapper.class);
-
- /** Is the mapper enabled */
- private boolean isEnabled;
-
- /** Are token validation failures handled silently? */
- private boolean isValidationFailureSilent;
-
- private BearerTokenResolver bearerTokenResolver;
-
- private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
-
- /**
- * Sets the active flag
- *
- * @param isEnabled true to enable the subsystem
- */
- public void setActive(boolean isEnabled)
- {
- this.isEnabled = isEnabled;
- }
-
- /**
- * Determines whether token validation failures are silent
- *
- * @param silent true to silently fail, false to throw an exception
- */
- public void setValidationFailureSilent(boolean silent)
- {
- this.isValidationFailureSilent = silent;
- }
-
- public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver)
- {
- this.bearerTokenResolver = bearerTokenResolver;
- }
-
- public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
- {
- this.jitProvisioningHandler = jitProvisioningHandler;
- }
-
- /*
- * (non-Javadoc)
- * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest)
- */
- @Override
- public String getRemoteUser(HttpServletRequest request)
- {
- LOGGER.trace("Retrieving username from http request...");
-
- if (!this.isEnabled)
- {
- LOGGER.debug("IdentityServiceRemoteUserMapper is disabled, returning null.");
- return null;
- }
- try
- {
- String normalizedUserId = extractUserFromHeader(request);
-
-
- if (normalizedUserId != null)
- {
- // Normalize the user ID taking into account case sensitivity settings
- LOGGER.trace("Returning userId: " + AuthenticationUtil.maskUsername(normalizedUserId));
- return normalizedUserId;
- }
- }
- catch (IdentityServiceFacadeException e)
- {
- if (!isValidationFailureSilent)
- {
- throw new AuthenticationException("Failed to extract username from token: " + e.getMessage(), e);
- }
- LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
- }
- catch (RuntimeException e)
- {
- LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
- }
- LOGGER.trace("Could not identify a userId. Returning null.");
- return null;
- }
-
- /*
- * (non-Javadoc)
- * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
- */
- public boolean isActive()
- {
- return this.isEnabled;
- }
-
- /**
- * Extracts the user name from the JWT in the given request.
- *
- * @param request The request containing the JWT
- * @return The username or null if it can not be determined
- */
- private String extractUserFromHeader(HttpServletRequest request)
- {
- // try authenticating with bearer token first
- LOGGER.debug("Trying bearer token...");
-
- final String bearerToken;
- try
- {
- bearerToken = bearerTokenResolver.resolve(request);
- }
- catch (OAuth2AuthenticationException e)
- {
- LOGGER.debug("Failed to resolve Bearer token.", e);
- return null;
- }
-
- final Optional possibleUsername = jitProvisioningHandler
- .extractUserInfoAndCreateUserIfNeeded(bearerToken)
- .map(OIDCUserInfo::username);
-
- if (possibleUsername.isEmpty())
- {
- LOGGER.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
- return null;
- }
-
- String normalizedUsername = possibleUsername.get();
- LOGGER.trace("Extracted username: " + AuthenticationUtil.maskUsername(normalizedUsername));
-
- return normalizedUsername;
- }
-
-}
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice;
+
+import java.util.Optional;
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
+
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.security.authentication.AuthenticationException;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+
+/**
+ * A {@link RemoteUserMapper} implementation that detects and validates JWTs issued by the Alfresco Identity Service.
+ *
+ * @author Gavin Cornwell
+ */
+public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean
+{
+ private static final Log LOGGER = LogFactory.getLog(IdentityServiceRemoteUserMapper.class);
+
+ /** Is the mapper enabled */
+ private boolean isEnabled;
+
+ /** Are token validation failures handled silently? */
+ private boolean isValidationFailureSilent;
+
+ private BearerTokenResolver bearerTokenResolver;
+
+ private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
+
+ /**
+ * Sets the active flag
+ *
+ * @param isEnabled
+ * true to enable the subsystem
+ */
+ public void setActive(boolean isEnabled)
+ {
+ this.isEnabled = isEnabled;
+ }
+
+ /**
+ * Determines whether token validation failures are silent
+ *
+ * @param silent
+ * true to silently fail, false to throw an exception
+ */
+ public void setValidationFailureSilent(boolean silent)
+ {
+ this.isValidationFailureSilent = silent;
+ }
+
+ public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver)
+ {
+ this.bearerTokenResolver = bearerTokenResolver;
+ }
+
+ public void setJitProvisioningHandler(IdentityServiceJITProvisioningHandler jitProvisioningHandler)
+ {
+ this.jitProvisioningHandler = jitProvisioningHandler;
+ }
+
+ /* (non-Javadoc)
+ *
+ * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest) */
+ @Override
+ public String getRemoteUser(HttpServletRequest request)
+ {
+ LOGGER.trace("Retrieving username from http request...");
+
+ if (!this.isEnabled)
+ {
+ LOGGER.debug("IdentityServiceRemoteUserMapper is disabled, returning null.");
+ return null;
+ }
+ try
+ {
+ String normalizedUserId = extractUserFromHeader(request);
+
+ if (normalizedUserId != null)
+ {
+ // Normalize the user ID taking into account case sensitivity settings
+ LOGGER.trace("Returning userId: " + AuthenticationUtil.maskUsername(normalizedUserId));
+ return normalizedUserId;
+ }
+ }
+ catch (IdentityServiceFacadeException e)
+ {
+ if (!isValidationFailureSilent)
+ {
+ throw new AuthenticationException("Failed to extract username from token: " + e.getMessage(), e);
+ }
+ LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
+ }
+ catch (RuntimeException e)
+ {
+ LOGGER.error("Failed to authenticate user using IdentityServiceRemoteUserMapper: " + e.getMessage(), e);
+ }
+ LOGGER.trace("Could not identify a userId. Returning null.");
+ return null;
+ }
+
+ /* (non-Javadoc)
+ *
+ * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() */
+ public boolean isActive()
+ {
+ return this.isEnabled;
+ }
+
+ /**
+ * Extracts the user name from the JWT in the given request.
+ *
+ * @param request
+ * The request containing the JWT
+ * @return The username or null if it can not be determined
+ */
+ private String extractUserFromHeader(HttpServletRequest request)
+ {
+ // try authenticating with bearer token first
+ LOGGER.debug("Trying bearer token...");
+
+ final String bearerToken;
+ try
+ {
+ bearerToken = bearerTokenResolver.resolve(request);
+ }
+ catch (OAuth2AuthenticationException e)
+ {
+ LOGGER.debug("Failed to resolve Bearer token.", e);
+ return null;
+ }
+
+ final Optional possibleUsername = jitProvisioningHandler
+ .extractUserInfoAndCreateUserIfNeeded(bearerToken)
+ .map(OIDCUserInfo::username);
+
+ if (possibleUsername.isEmpty())
+ {
+ LOGGER.debug("User could not be authenticated by IdentityServiceRemoteUserMapper.");
+ return null;
+ }
+
+ String normalizedUsername = possibleUsername.get();
+ LOGGER.trace("Extracted username: " + AuthenticationUtil.maskUsername(normalizedUsername));
+
+ return normalizedUsername;
+ }
+
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java
index 8eb0eff806..de39c53b27 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java
@@ -30,21 +30,12 @@ import static java.util.Objects.requireNonNull;
import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
-import java.util.function.Predicate;
-import com.nimbusds.oauth2.sdk.ErrorObject;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
-import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
-import com.nimbusds.openid.connect.sdk.UserInfoRequest;
-import com.nimbusds.openid.connect.sdk.UserInfoResponse;
-import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.converter.Converter;
@@ -59,27 +50,35 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRe
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
+import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestOperations;
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
{
private static final Log LOGGER = LogFactory.getLog(SpringBasedIdentityServiceFacade.class);
private static final Instant SOME_INSIGNIFICANT_DATE_IN_THE_PAST = Instant.MIN.plusSeconds(12345);
private final Map clients;
+ private final DefaultOAuth2UserService defaultOAuth2UserService;
private final ClientRegistration clientRegistration;
private final JwtDecoder jwtDecoder;
@@ -93,6 +92,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
AuthorizationGrantType.AUTHORIZATION_CODE, createAuthorizationCodeClient(restOperations),
AuthorizationGrantType.REFRESH_TOKEN, createRefreshTokenClient(restOperations),
AuthorizationGrantType.PASSWORD, createPasswordClient(restOperations, clientRegistration));
+ this.defaultOAuth2UserService = createOAuth2UserService(restOperations);
}
@Override
@@ -121,51 +121,18 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
}
@Override
- public Optional getUserInfo(String tokenParameter, String principalAttribute)
+ public Optional getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping)
{
- return Optional.ofNullable(tokenParameter)
- .filter(Predicate.not(String::isEmpty))
- .flatMap(token -> Optional.ofNullable(clientRegistration)
- .map(ClientRegistration::getProviderDetails)
- .map(ClientRegistration.ProviderDetails::getUserInfoEndpoint)
- .map(ClientRegistration.ProviderDetails.UserInfoEndpoint::getUri)
- .flatMap(uri -> {
- try
- {
- return Optional.of(
- new UserInfoRequest(new URI(uri), new BearerAccessToken(token)).toHTTPRequest().send());
- }
- catch (IOException | URISyntaxException e)
- {
- LOGGER.warn("Failed to get user information. Reason: " + e.getMessage());
- return Optional.empty();
- }
- })
- .flatMap(httpResponse -> {
- try
- {
- UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
-
- if (userInfoResponse instanceof UserInfoErrorResponse userInfoErrorResponse)
- {
- String errorMessage = Optional.ofNullable(userInfoErrorResponse.getErrorObject())
- .map(ErrorObject::getDescription)
- .orElse("No error description found");
- LOGGER.warn("User Info Request failed: " + errorMessage);
- throw new UserInfoException(errorMessage);
- }
- return Optional.of(userInfoResponse);
- }
- catch (ParseException e)
- {
- LOGGER.warn("Failed to parse user info response. Reason: " + e.getMessage());
- return Optional.empty();
- }
- })
- .map(UserInfoResponse::toSuccessResponse)
- .map(UserInfoSuccessResponse::getUserInfo))
- .map(userInfo -> new OIDCUserInfo(userInfo.getStringClaim(principalAttribute), userInfo.getGivenName(),
- userInfo.getFamilyName(), userInfo.getEmailAddress()));
+ try
+ {
+ return Optional.ofNullable(defaultOAuth2UserService.loadUser(new OAuth2UserRequest(clientRegistration, getSpringAccessToken(token))))
+ .flatMap(oAuth2User -> mapOAuth2UserToDecodedTokenUser(oAuth2User, userInfoAttrMapping));
+ }
+ catch (OAuth2AuthenticationException exception)
+ {
+ LOGGER.warn("User Info Request failed: " + exception.getMessage());
+ return Optional.empty();
+ }
}
@Override
@@ -202,11 +169,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
if (grant.isRefreshToken())
{
- final OAuth2AccessToken expiredAccessToken = new OAuth2AccessToken(
- TokenType.BEARER,
- "JUST_FOR_FULFILLING_THE_SPRING_API",
- SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
- SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
+ final OAuth2AccessToken expiredAccessToken = getSpringAccessToken("JUST_FOR_FULFILLING_THE_SPRING_API");
final OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(grant.getRefreshToken(), null);
return new OAuth2RefreshTokenGrantRequest(clientRegistration, expiredAccessToken, refreshToken,
@@ -258,6 +221,26 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
return client;
}
+ private static DefaultOAuth2UserService createOAuth2UserService(RestOperations rest)
+ {
+ final DefaultOAuth2UserService userService = new DefaultOAuth2UserService();
+ userService.setRestOperations(rest);
+ return userService;
+ }
+
+ private Optional mapOAuth2UserToDecodedTokenUser(OAuth2User oAuth2User, UserInfoAttrMapping userInfoAttrMapping)
+ {
+ var preferredUsername = Optional.ofNullable(oAuth2User.getAttribute(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME))
+ .filter(String.class::isInstance)
+ .map(String.class::cast)
+ .filter(StringUtils::isNotEmpty);
+ var userName = Optional.ofNullable(oAuth2User.getName()).filter(username -> !username.isEmpty()).or(() -> preferredUsername);
+ return userName.map(name -> DecodedTokenUser.validateAndCreate(name,
+ oAuth2User.getAttribute(userInfoAttrMapping.firstNameClaim()),
+ oAuth2User.getAttribute(userInfoAttrMapping.lastNameClaim()),
+ oAuth2User.getAttribute(userInfoAttrMapping.emailClaim())));
+ }
+
private static OAuth2AccessTokenResponseClient createPasswordClient(RestOperations rest,
ClientRegistration clientRegistration)
{
@@ -288,6 +271,16 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
};
}
+ private static OAuth2AccessToken getSpringAccessToken(String token)
+ {
+ // Just for fulfilling the Spring API
+ return new OAuth2AccessToken(
+ TokenType.BEARER,
+ token,
+ SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
+ SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
+ }
+
private static class SpringAccessTokenAuthorization implements AccessTokenAuthorization
{
private final OAuth2AccessTokenResponse tokenResponse;
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java
index fa9e38de53..8907c2f808 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java
@@ -37,13 +37,19 @@ import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.web.util.UriComponentsBuilder;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.external.AdminConsoleAuthenticator;
@@ -53,16 +59,9 @@ import org.alfresco.repo.security.authentication.identityservice.IdentityService
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
-import org.apache.commons.lang.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
-import org.springframework.web.util.UriComponentsBuilder;
/**
- * An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID
- * or to initiate the OIDC authorization code flow.
+ * An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID or to initiate the OIDC authorization code flow.
*/
public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAuthenticator, ActivateableBean
{
@@ -71,7 +70,6 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private static final String ALFRESCO_ACCESS_TOKEN = "ALFRESCO_ACCESS_TOKEN";
private static final String ALFRESCO_REFRESH_TOKEN = "ALFRESCO_REFRESH_TOKEN";
private static final String ALFRESCO_TOKEN_EXPIRATION = "ALFRESCO_TOKEN_EXPIRATION";
- private static final Set SCOPES = Set.of("openid", "profile", "email", "offline_access");
private IdentityServiceConfig identityServiceConfig;
private IdentityServiceFacade identityServiceFacade;
@@ -145,7 +143,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
try
{
AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
- authorizationCode(code, request.getRequestURL().toString()));
+ authorizationCode(code, request.getRequestURL().toString()));
addCookies(response, accessTokenAuthorization);
bearerToken = accessTokenAuthorization.getAccessToken().getTokenValue();
}
@@ -154,8 +152,8 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
if (LOGGER.isWarnEnabled())
{
LOGGER.warn(
- "Error while trying to retrieve a response using the Authorization Code at the Token Endpoint: {}",
- exception.getMessage());
+ "Error while trying to retrieve a response using the Authorization Code at the Token Endpoint: {}",
+ exception.getMessage());
}
}
return bearerToken;
@@ -188,7 +186,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
{
cookiesService.addCookie(ALFRESCO_ACCESS_TOKEN, accessTokenAuthorization.getAccessToken().getTokenValue(), response);
cookiesService.addCookie(ALFRESCO_TOKEN_EXPIRATION, String.valueOf(
- accessTokenAuthorization.getAccessToken().getExpiresAt().toEpochMilli()), response);
+ accessTokenAuthorization.getAccessToken().getExpiresAt().toEpochMilli()), response);
cookiesService.addCookie(ALFRESCO_REFRESH_TOKEN, accessTokenAuthorization.getRefreshTokenValue(), response);
}
@@ -198,13 +196,13 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
State state = new State();
UriComponentsBuilder authRequestBuilder = UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getAuthorizationUri())
- .queryParam("client_id", clientRegistration.getClientId())
- .queryParam("redirect_uri", getRedirectUri(request.getRequestURL().toString()))
- .queryParam("response_type", "code")
- .queryParam("scope", String.join("+", getScopes(clientRegistration)))
- .queryParam("state", state.toString());
+ .queryParam("client_id", clientRegistration.getClientId())
+ .queryParam("redirect_uri", getRedirectUri(request.getRequestURL().toString()))
+ .queryParam("response_type", "code")
+ .queryParam("scope", String.join("+", getScopes(clientRegistration)))
+ .queryParam("state", state.toString());
- if(StringUtils.isNotBlank(identityServiceConfig.getAudience()))
+ if (StringUtils.isNotBlank(identityServiceConfig.getAudience()))
{
authRequestBuilder.queryParam("audience", identityServiceConfig.getAudience());
}
@@ -215,20 +213,25 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private Set getScopes(ClientRegistration clientRegistration)
{
return Optional.ofNullable(clientRegistration.getProviderDetails())
- .map(ProviderDetails::getConfigurationMetadata)
- .map(metadata -> metadata.get(SCOPES_SUPPORTED.getValue()))
- .filter(Scope.class::isInstance)
- .map(Scope.class::cast)
- .map(this::getSupportedScopes)
- .orElse(clientRegistration.getScopes());
+ .map(ProviderDetails::getConfigurationMetadata)
+ .map(metadata -> metadata.get(SCOPES_SUPPORTED.getValue()))
+ .filter(Scope.class::isInstance)
+ .map(Scope.class::cast)
+ .map(this::getSupportedScopes)
+ .orElse(clientRegistration.getScopes());
}
private Set getSupportedScopes(Scope scopes)
{
return scopes.stream()
- .filter(scope -> SCOPES.contains(scope.getValue()))
- .map(Identifier::getValue)
- .collect(Collectors.toSet());
+ .filter(this::hasAdminConsoleScope)
+ .map(Identifier::getValue)
+ .collect(Collectors.toSet());
+ }
+
+ private boolean hasAdminConsoleScope(Scope.Value scope)
+ {
+ return identityServiceConfig.getAdminConsoleScopes().contains(scope.getValue());
}
private String getRedirectUri(String requestURL)
@@ -263,7 +266,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
private AccessTokenAuthorization doRefreshAuthToken(String refreshToken)
{
AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
- AuthorizationGrant.refreshToken(refreshToken));
+ AuthorizationGrant.refreshToken(refreshToken));
if (accessTokenAuthorization == null || accessTokenAuthorization.getAccessToken() == null)
{
throw new AuthenticationException("AccessTokenResponse is null or empty");
@@ -284,7 +287,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
}
public void setIdentityServiceFacade(
- IdentityServiceFacade identityServiceFacade)
+ IdentityServiceFacade identityServiceFacade)
{
this.identityServiceFacade = identityServiceFacade;
}
@@ -295,13 +298,13 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
}
public void setCookiesService(
- AdminConsoleAuthenticationCookiesService cookiesService)
+ AdminConsoleAuthenticationCookiesService cookiesService)
{
this.cookiesService = cookiesService;
}
public void setIdentityServiceConfig(
- IdentityServiceConfig identityServiceConfig)
+ IdentityServiceConfig identityServiceConfig)
{
this.identityServiceConfig = identityServiceConfig;
}
@@ -316,4 +319,4 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
{
this.isEnabled = isEnabled;
}
-}
\ No newline at end of file
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java
new file mode 100644
index 0000000000..e94d6824e5
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java
@@ -0,0 +1,66 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import java.util.Optional;
+
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import org.apache.commons.lang3.StringUtils;
+
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
+
+public class AccessTokenToDecodedTokenUserMapper
+{
+ private static final String DEFAULT_USERNAME_CLAIM = PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
+
+ private final UserInfoAttrMapping userInfoAttrMapping;
+
+ public AccessTokenToDecodedTokenUserMapper(UserInfoAttrMapping userInfoAttrMapping)
+ {
+ this.userInfoAttrMapping = userInfoAttrMapping;
+ }
+
+ /**
+ * Maps the given {@link IdentityServiceFacade.DecodedAccessToken} to a {@link DecodedTokenUser}.
+ *
+ * @param token
+ * the token to map
+ * @return the mapped {@link DecodedTokenUser} or {@link Optional#empty()} if the token does not contain a username claim
+ */
+ public Optional toDecodedTokenUser(IdentityServiceFacade.DecodedAccessToken token)
+ {
+ Object firstName = token.getClaim(userInfoAttrMapping.firstNameClaim());
+ Object lastName = token.getClaim(userInfoAttrMapping.lastNameClaim());
+ Object email = token.getClaim(userInfoAttrMapping.emailClaim());
+
+ return Optional.ofNullable(token.getClaim(Optional.ofNullable(userInfoAttrMapping.usernameClaim())
+ .filter(StringUtils::isNotBlank)
+ .orElse(DEFAULT_USERNAME_CLAIM)))
+ .filter(String.class::isInstance)
+ .map(String.class::cast)
+ .map(username -> DecodedTokenUser.validateAndCreate(username, firstName, lastName, email));
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java
new file mode 100644
index 0000000000..305c108944
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java
@@ -0,0 +1,44 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import java.util.Optional;
+
+public record DecodedTokenUser(String username, String firstName, String lastName, String email)
+{
+
+ private static final String EMPTY_STRING = "";
+
+ public static DecodedTokenUser validateAndCreate(String username, Object firstName, Object lastName, Object email)
+ {
+ return new DecodedTokenUser(username, getStringVal(firstName), getStringVal(lastName), getStringVal(email));
+ }
+
+ private static String getStringVal(Object firstName)
+ {
+ return Optional.ofNullable(firstName).filter(String.class::isInstance).map(String.class::cast).orElse(EMPTY_STRING);
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OIDCUserInfo.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/OIDCUserInfo.java
similarity index 99%
rename from repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OIDCUserInfo.java
rename to repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/OIDCUserInfo.java
index 5f8a3c25d6..8d8e98f995 100644
--- a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/OIDCUserInfo.java
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/OIDCUserInfo.java
@@ -23,7 +23,7 @@
* along with Alfresco. If not, see .
* #L%
*/
-package org.alfresco.repo.security.authentication.identityservice;
+package org.alfresco.repo.security.authentication.identityservice.user;
import java.util.stream.Stream;
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java
new file mode 100644
index 0000000000..5e3cde4be9
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java
@@ -0,0 +1,76 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.service.cmr.security.PersonService;
+
+public class TokenUserToOIDCUserMapper
+{
+ private final PersonService personService;
+
+ public TokenUserToOIDCUserMapper(PersonService personService)
+ {
+ this.personService = personService;
+ }
+
+ /**
+ * Maps a decoded token user to an OIDC user where the user id (username) is normalized.
+ *
+ * @param decodedTokenUser
+ * the decoded token user
+ * @return the OIDC user
+ */
+ public OIDCUserInfo toOIDCUser(DecodedTokenUser decodedTokenUser)
+ {
+ return new OIDCUserInfo(usernameToUserId(decodedTokenUser.username()), decodedTokenUser.firstName(), decodedTokenUser.lastName(), decodedTokenUser.email());
+ }
+
+ /**
+ * Normalizes a username, taking into account existing user accounts and case sensitivity settings.
+ *
+ * @param caseSensitiveUserName
+ * the case-sensitive username
+ * @return the string
+ */
+ private String usernameToUserId(final String caseSensitiveUserName)
+ {
+ if (caseSensitiveUserName == null)
+ {
+ return null;
+ }
+
+ String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() {
+ @Override
+ public String doWork() throws Exception
+ {
+ return personService.getUserIdentifier(caseSensitiveUserName);
+ }
+ }, AuthenticationUtil.getSystemUserName());
+
+ return normalized == null ? caseSensitiveUserName : normalized;
+ }
+}
diff --git a/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java
new file mode 100644
index 0000000000..d748dfe2fd
--- /dev/null
+++ b/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java
@@ -0,0 +1,41 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+/**
+ * The UserInfoAttrMapping record represents the mapping of claims fetched from the UserInfo endpoint to create an Alfresco user.
+ *
+ * @param usernameClaim
+ * the claim that represents the username
+ * @param firstNameClaim
+ * the claim that represents the first name
+ * @param lastNameClaim
+ * the claim that represents the last name
+ * @param emailClaim
+ * the claim that represents the email
+ */
+public record UserInfoAttrMapping(String usernameClaim, String firstNameClaim, String lastNameClaim, String emailClaim)
+{}
diff --git a/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml b/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml
index 748baf8cec..8bc16b3c06 100644
--- a/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml
+++ b/repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml
@@ -149,6 +149,15 @@
${identity-service.principal-attribute:preferred_username}
+
+ ${identity-service.first-name-attribute:given_name}
+
+
+ ${identity-service.last-name-attribute:family_name}
+
+
+ ${identity-service.email-attribute:email}
+
${identity-service.client-id.validation.disabled:true}
@@ -158,6 +167,18 @@
${identity-service.signature-algorithms:RS256,PS256}
+
+ ${identity-service.admin-console.scopes:openid,profile,email,offline_access}
+
+
+ ${identity-service.password-grant.scopes:openid,profile,email}
+
+
+ ${identity-service.issuer-attribute:issuer}
+
+
+ ${identity-service.jwt-clock-skew-ms:0}
+
@@ -219,4 +240,4 @@