Class D4ScienceIAMClient


  • public class D4ScienceIAMClient
    extends Object
    Helper class that acts as an IAM client, providing authentication and authorization through the IAM while hiding the underlying implementation.
    Author:
    Mauro Mugnaini
    • Field Detail

      • logger

        protected static org.slf4j.Logger logger
      • USE_DYNAMIC_SCOPES

        public static boolean USE_DYNAMIC_SCOPES
    • Method Detail

      • setDefaultGatewayClientID

        public static void setDefaultGatewayClientID(String gatewayClientId)
        Sets the new default GW clientId used for all the queries to the IAM server. Note: the operation is logged at WARN level so that it is visible.
        Parameters:
        gatewayClientId - the new GW clientId
      • newInstance

        public static D4ScienceIAMClient newInstance(String contextInfra)
                                              throws D4ScienceIAMClientException
        Creates a new client for the specific context, in the default IAM realm.
        Parameters:
        contextInfra - the context to be used to obtain the base URL of the infrastructure
        Returns:
        the client to be used for authn and authz requests
        Throws:
        D4ScienceIAMClientException - if an error occurs obtaining the base URL
      • newInstance

        public static D4ScienceIAMClient newInstance(String contextInfra,
                                                     String realm)
                                              throws D4ScienceIAMClientException
        Creates a new client for the specific context, in the given IAM realm.
        Parameters:
        contextInfra - the context to be used to obtain the base URL of the infrastructure
        realm - the IAM realm
        Returns:
        the client to be used for authn and authz requests
        Throws:
        D4ScienceIAMClientException - if an error occurs obtaining the base URL
      • newInstance

        public static D4ScienceIAMClient newInstance(URL realmBaseURL)
        Creates a new client with the provided base URL.
        Parameters:
        realmBaseURL - the realm base URL
        Returns:
        the client to be used for authn and authz requests
      • getKeycloakClient

        protected org.gcube.common.keycloak.KeycloakClient getKeycloakClient()
      • getRealmBaseURL

        public URL getRealmBaseURL()
      • authenticate

        public D4ScienceIAMClientAuthn authenticate(String clientId,
                                                    String clientSecret,
                                                    String context)
                                             throws D4ScienceIAMClientException
        Authenticates the client with the provided credentials, reducing the token audience to the requested `context`.
        Parameters:
        clientId - the client id
        clientSecret - the client secret
        context - the requested token context audience (e.g. a specific context or another client)
        Returns:
        the authn object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authn process
      • authenticateUser

        public D4ScienceIAMClientAuthn authenticateUser(String username,
                                                        String password)
                                                 throws D4ScienceIAMClientException
        Deprecated.
        This authentication method (the OAuth 2 password grant) is deprecated by the OAuth 2 specifications (see https://oauth.net/2/grant-types/password/).
        Authenticates the user with the provided username and password by using the default clientId.
        Parameters:
        username - the user's username
        password - the user's password
        Returns:
        the authn object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authn process
        See Also:
        set
      • authenticateUser

        public D4ScienceIAMClientAuthn authenticateUser(String username,
                                                        String password,
                                                        String context)
                                                 throws D4ScienceIAMClientException
        Deprecated.
        This authentication method (the OAuth 2 password grant) is deprecated by the OAuth 2 specifications (see https://oauth.net/2/grant-types/password/).
        Authenticates the user with the provided username and password by using the default clientId, reducing the token audience to the requested `context`.
        Parameters:
        username - the user's username
        password - the user's password
        context - the requested token context audience (e.g. a specific context or another client)
        Returns:
        the authn object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authn process
        See Also:
        set
      • authenticateUser

        public D4ScienceIAMClientAuthn authenticateUser(String clientId,
                                                        String clientSecret,
                                                        String username,
                                                        String password)
                                                 throws D4ScienceIAMClientException
        Deprecated.
        This authentication method (the OAuth 2 password grant) is deprecated by the OAuth 2 specifications (see https://oauth.net/2/grant-types/password/).
        Authenticates the user with the provided username and password, using the given client credentials.
        Parameters:
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        Returns:
        the authn object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authn process
      • authenticateUser

        public D4ScienceIAMClientAuthn authenticateUser(String clientId,
                                                        String clientSecret,
                                                        String username,
                                                        String password,
                                                        String context)
                                                 throws D4ScienceIAMClientException
        Deprecated.
        This authentication method (the OAuth 2 password grant) is deprecated by the OAuth 2 specifications (see https://oauth.net/2/grant-types/password/).
        Authenticates the user with the provided credentials, reducing the token audience to the requested `context`.
        Parameters:
        clientId - the client id
        clientSecret - the client secret
        username - the user's username
        password - the user's password
        context - the requested token context audience (e.g. a specific context or another client)
        Returns:
        the authn object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authn process
      • authorize

        public D4ScienceIAMClientAuthz authorize(String clientId,
                                                 String clientSecret,
                                                 String context)
                                          throws D4ScienceIAMClientException
        Directly authorizes the client by using the provided credentials, for the specific context audience and with no optional permissions.
        Parameters:
        clientId - the client id
        clientSecret - the client secret
        context - the requested token context audience (e.g. a specific context or another client)
        Returns:
        the authz object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authz process
      • authorize

        public D4ScienceIAMClientAuthz authorize(String clientId,
                                                 String clientSecret,
                                                 String context,
                                                 List<String> permissions)
                                          throws D4ScienceIAMClientException
        Directly authorizes the client by using the provided credentials, for the specific context audience and with the given optional permissions.
        Parameters:
        clientId - the client id
        clientSecret - the client secret
        context - the requested token context audience (e.g. a specific context or another client)
        permissions - the optional permissions
        Returns:
        the authz object
        Throws:
        D4ScienceIAMClientException - if an error occurs during authz process
      • verifyToken

        public void verifyToken(String token)
                         throws org.gcube.io.jsonwebtoken.security.SignatureException,
                                org.gcube.io.jsonwebtoken.ExpiredJwtException,
                                org.gcube.io.jsonwebtoken.JwtException,
                                Exception
        Verifies the token signature and expiration.
        Parameters:
        token - the encoded (base64) JWT string
        Throws:
        org.gcube.io.jsonwebtoken.security.SignatureException - if the token signature is invalid
        org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token is expired
        org.gcube.io.jsonwebtoken.JwtException - if another JWT related problem is found
        Exception - if an unexpected error occurs (e.g. constructing the verifier)
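        The following is an added usage example, not code from the D4Science project: a hypothetical service-side helper that obtains a client for a context, authenticates and authorizes with client credentials, and classifies an inbound bearer token with verifyToken so that an expired token (routine) and an invalid signature (worth alerting on) are handled differently. The class name IamUsageExample, the method checkInboundToken, the TokenStatus enum, the context string, the environment variable names and the permission value are all assumptions; the package of the D4ScienceIAMClient classes is not shown on this page, so their imports are omitted.

```java
import java.util.Collections;

import org.gcube.io.jsonwebtoken.ExpiredJwtException;
import org.gcube.io.jsonwebtoken.JwtException;
import org.gcube.io.jsonwebtoken.security.SignatureException;
// D4ScienceIAMClient, D4ScienceIAMClientAuthn, D4ScienceIAMClientAuthz and
// D4ScienceIAMClientException must be imported from their own package (not shown here).

/** Hypothetical helper built on D4ScienceIAMClient (added example, not project code). */
public class IamUsageExample {

    /** Outcome of verifying an inbound token; assumed classification, not part of the API. */
    public enum TokenStatus { VALID, EXPIRED, BAD_SIGNATURE, MALFORMED, ERROR }

    /** Runs verifyToken and maps each documented exception to a distinct outcome. */
    public static TokenStatus checkInboundToken(D4ScienceIAMClient iam, String token) {
        if (token == null || token.isEmpty()) {
            return TokenStatus.MALFORMED;
        }
        try {
            iam.verifyToken(token);              // checks signature and expiration
            return TokenStatus.VALID;
        } catch (ExpiredJwtException e) {
            return TokenStatus.EXPIRED;          // routine: caller should refresh
        } catch (SignatureException e) {
            return TokenStatus.BAD_SIGNATURE;    // tampered or foreign token: log at WARN
        } catch (JwtException e) {
            return TokenStatus.MALFORMED;        // any other JWT-level problem
        } catch (Exception e) {
            return TokenStatus.ERROR;            // e.g. verifier could not be built
        }
    }

    public static void main(String[] args) throws Exception {
        String context = "/gcube/devsec";                    // placeholder context name
        String clientId = System.getenv("IAM_CLIENT_ID");       // assumed env var
        String clientSecret = System.getenv("IAM_CLIENT_SECRET"); // assumed env var

        // Client for the context, in the default IAM realm
        D4ScienceIAMClient iam = D4ScienceIAMClient.newInstance(context);

        // Client-credentials authentication, audience narrowed to the context
        D4ScienceIAMClientAuthn authn = iam.authenticate(clientId, clientSecret, context);

        // Authorization for the same audience with one (placeholder) optional permission
        D4ScienceIAMClientAuthz authz = iam.authorize(clientId, clientSecret, context,
                Collections.singletonList("placeholder-permission"));

        // Classify a token presented by a caller (placeholder value)
        TokenStatus status = checkInboundToken(iam, "<inbound-jwt>");
        System.out.println("Inbound token status: " + status);
    }
}
```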