io.strimzi.kafka.oauth.validator

Class OAuthIntrospectionValidator

java.lang.Object

io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator

All Implemented Interfaces:

TokenValidator

public class OAuthIntrospectionValidator
extends java.lang.Object
implements TokenValidator

This class is responsible for validating the token during session authentication by using an introspection endpoint.

It works by sending the token to the configured authorization server's introspection endpoint. The endpoint returns a response with whether the token is valid or not, and it usually also returns additional attributes, that can be used to enforce additional constraints, and prevent some otherwise valid tokens from authenticating.

Constructor Summary

Constructors

Constructor and Description

OAuthIntrospectionValidator(java.lang.String id, java.lang.String introspectionEndpointUri, javax.net.ssl.SSLSocketFactory socketFactory, javax.net.ssl.HostnameVerifier verifier, PrincipalExtractor principalExtractor, java.lang.String groupsClaimQuery, java.lang.String groupsClaimDelimiter, java.lang.String issuerUri, java.lang.String userInfoUri, java.lang.String validTokenType, java.lang.String clientId, java.lang.String clientSecret, java.lang.String audience, java.lang.String customClaimCheck, int connectTimeoutSeconds, int readTimeoutSeconds, boolean enableMetrics, int retries, long retryPauseMillis) Create a new instance.

Method Summary

Modifier and Type	Method and Description
java.lang.String	getValidatorId() Return the id of this validator
TokenInfo	validate(java.lang.String token) Validate the passed access token return it wrapped in TokenInfo with

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OAuthIntrospectionValidator

public OAuthIntrospectionValidator(java.lang.String id,
                                   java.lang.String introspectionEndpointUri,
                                   javax.net.ssl.SSLSocketFactory socketFactory,
                                   javax.net.ssl.HostnameVerifier verifier,
                                   PrincipalExtractor principalExtractor,
                                   java.lang.String groupsClaimQuery,
                                   java.lang.String groupsClaimDelimiter,
                                   java.lang.String issuerUri,
                                   java.lang.String userInfoUri,
                                   java.lang.String validTokenType,
                                   java.lang.String clientId,
                                   java.lang.String clientSecret,
                                   java.lang.String audience,
                                   java.lang.String customClaimCheck,
                                   int connectTimeoutSeconds,
                                   int readTimeoutSeconds,
                                   boolean enableMetrics,
                                   int retries,
                                   long retryPauseMillis)

Create a new instance.

Parameters:

id - A unique id to associate with this validator for the purpose of validator lifecycle and metrics tracking

introspectionEndpointUri - The introspection endpoint url at the authorization server

socketFactory - The optional SSL socket factory to use when establishing the connection to authorization server

verifier - The optional hostname verifier used to validate the TLS certificate by the authorization server

principalExtractor - The object used to extract the username from the attributes in the server's response

groupsClaimQuery - The JsonPath query for extracting groups from introspection endpoint response

groupsClaimDelimiter - The delimiter used to parse groups from the result of applying groupQuery to what introspection endpoint returns

issuerUri - The required value of the 'iss' claim in the introspection endpoint response

userInfoUri - The optional user info endpoint url at the authorization server, used as a failover when user id can't be extracted from the introspection endpoint response

validTokenType - The optional token type enforcement - only the specified token type is accepted as valid

clientId - The clientId of the OAuth2 client representing this Kafka broker - needed to authenticate to the introspection endpoint

clientSecret - The secret of the OAuth2 client representing this Kafka broker - needed to authenticate to the introspection endpoint

audience - The optional audience check. If specified, the 'aud' attribute of the introspection endpoint response needs to contain the configured clientId

customClaimCheck - The optional JSONPath filter query for additional custom attribute checking

connectTimeoutSeconds - The maximum time to wait for connection to authorization server to be established (in seconds)

readTimeoutSeconds - The maximum time to wait for response from authorization server after connection has been established and request sent (in seconds)

enableMetrics - The switch that enables metrics collection

retries - Maximum number of retries if request to the authorization server fails (0 means no retries)

retryPauseMillis - Time to pause before retrying the request to the authorization server

Method Detail

validate

public TokenInfo validate(java.lang.String token)

Description copied from interface: TokenValidator

Validate the passed access token return it wrapped in TokenInfo with

Specified by:

validate in interface TokenValidator

Parameters:

token - An access token to validate

Returns:

TokenInfo wrapping a valid token

getValidatorId

public java.lang.String getValidatorId()

Description copied from interface: TokenValidator

Return the id of this validator

Specified by:

getValidatorId in interface TokenValidator

Returns:

A validator id