io.strimzi.kafka.oauth.validator

Class OAuthIntrospectionValidator

java.lang.Object

io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator

All Implemented Interfaces:

TokenValidator

public class OAuthIntrospectionValidator
extends java.lang.Object
implements TokenValidator

This class is responsible for validating the token during session authentication by using an introspection endpoint.

It works by sending the token to the configured authorization server's introspection endpoint. The endpoint returns a response with whether the token is valid or not, and it usually also returns additional attributes, that can be used to enforce additional constraints, and prevent some otherwise valid tokens from authenticating.

Constructor Summary

Constructors

Constructor and Description

OAuthIntrospectionValidator(java.lang.String introspectionEndpointUri, javax.net.ssl.SSLSocketFactory socketFactory, javax.net.ssl.HostnameVerifier verifier, PrincipalExtractor principalExtractor, java.lang.String groupsClaimQuery, java.lang.String groupsClaimDelimiter, java.lang.String issuerUri, java.lang.String userInfoUri, java.lang.String validTokenType, java.lang.String clientId, java.lang.String clientSecret, java.lang.String audience, java.lang.String customClaimCheck, int connectTimeoutSeconds, int readTimeoutSeconds) Create a new instance.

Method Summary

Modifier and Type	Method and Description
TokenInfo	validate(java.lang.String token)

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OAuthIntrospectionValidator

public OAuthIntrospectionValidator(java.lang.String introspectionEndpointUri,
                                   javax.net.ssl.SSLSocketFactory socketFactory,
                                   javax.net.ssl.HostnameVerifier verifier,
                                   PrincipalExtractor principalExtractor,
                                   java.lang.String groupsClaimQuery,
                                   java.lang.String groupsClaimDelimiter,
                                   java.lang.String issuerUri,
                                   java.lang.String userInfoUri,
                                   java.lang.String validTokenType,
                                   java.lang.String clientId,
                                   java.lang.String clientSecret,
                                   java.lang.String audience,
                                   java.lang.String customClaimCheck,
                                   int connectTimeoutSeconds,
                                   int readTimeoutSeconds)

Create a new instance.

Parameters:

introspectionEndpointUri - The introspection endpoint url at the authorization server

socketFactory - The optional SSL socket factory to use when establishing the connection to authorization server

verifier - The optional hostname verifier used to validate the TLS certificate by the authorization server

principalExtractor - The object used to extract the username from the attributes in the server's response

groupsClaimQuery - The JsonPath query for extracting groups from introspection endpoint response

groupsClaimDelimiter - The delimiter used to parse groups from the result of applying groupQuery to what introspection endpoint returns

issuerUri - The required value of the 'iss' claim in the introspection endpoint response

userInfoUri - The optional user info endpoint url at the authorization server, used as a failover when user id can't be extracted from the introspection endpoint response

validTokenType - The optional token type enforcement - only the specified token type is accepted as valid

clientId - The clientId of the OAuth2 client representing this Kafka broker - needed to authenticate to the introspection endpoint

clientSecret - The secret of the OAuth2 client representing this Kafka broker - needed to authenticate to the introspection endpoint

audience - The optional audience check. If specified, the 'aud' attribute of the introspection endpoint response needs to contain the configured clientId

customClaimCheck - The optional JSONPath filter query for additional custom attribute checking

connectTimeoutSeconds - The maximum time to wait for connection to authorization server to be established (in seconds)

readTimeoutSeconds - The maximum time to wait for response from authorization server after connection has been established and request sent (in seconds)

Method Detail

validate

public TokenInfo validate(java.lang.String token)

Specified by:

validate in interface TokenValidator