I've received the code from Martijn Dashorst. It should be enough to get you up and running. The page is mounted like this: `mountPage("/oidc/#{action}", KeyhubOidcPage.class);` Redirect to this page (without any page parameters) to start the authentication.
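package nl.topicus.iridium.conversie.web.pages.public_pages.keyhub;

import static nl.topicus.iridium.conversie.keyhub.KeyhubEnvironmentVariables.Names.*;

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import nl.topicus.iridium.conversie.environment.Environment;
import nl.topicus.iridium.conversie.web.app.ConversieWebSession;
import nl.topicus.iridium.conversie.web.pages.dashboard.DashboardPage;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;

/**
 * Wicket page that runs the OpenID Connect login against Keyhub through pac4j.
 *
 * <p>The page serves two purposes, selected by the {@code action} page parameter:
 * <ul>
 * <li>without {@code action=callback} it asks pac4j for the redirect to the identity provider
 * and writes that redirect to the servlet response;</li>
 * <li>with {@code action=callback} it lets pac4j extract the credentials from the request,
 * resolves the user profile and stores it in the {@link ConversieWebSession}.</li>
 * </ul>
 *
 * <p>The client id and secret are read from the injected {@link Environment}; nothing
 * secret is hard-coded in this class.
 */
public class KeyhubOidcPage extends WebPage {
    private static final long serialVersionUID = 1L;

    /** Name of the page parameter that distinguishes the callback from the login start. */
    private static final String ACTION_PARAMETER = "action";

    /** Value of {@link #ACTION_PARAMETER} on the URL registered as the OIDC callback. */
    private static final String CALLBACK_ACTION = "callback";

    @Inject
    private Environment environment;

    /**
     * Starts the login or completes it, depending on the {@code action} page parameter.
     *
     * @param pars the page parameters of the current request; on the callback they also
     *        carry whatever the identity provider appended to the callback URL
     * @throws AbortWithHttpErrorCodeException with status 401 when the callback request
     *         yields no credentials or no user profile
     */
    public KeyhubOidcPage(PageParameters pars) {
        super(pars);

        // NOTE(review): configuration and client are rebuilt on every request to this page;
        // pac4j presumably resolves the discovery document when the client initialises, so
        // consider sharing one instance if that turns out to be costly - confirm.
        OidcConfiguration configuration = new OidcConfiguration();
        configuration.setClientId(environment.getRequiredValue(KEYHUB_API_CLIENTID));
        configuration.setSecret(environment.getRequiredValue(KEYHUB_API_SECRET));
        // Bounded timeouts (presumably milliseconds) keep a slow identity provider from
        // blocking the request thread indefinitely.
        configuration.setConnectTimeout(2000);
        configuration.setReadTimeout(5000);
        // Fixed HTTPS discovery endpoint: the provider is never derived from the request.
        configuration
            .setDiscoveryURI("https://keyhub.topicusonderwijs.nl/.well-known/openid-configuration");

        HttpServletRequest request =
            (HttpServletRequest) ((WebRequest) getRequest()).getContainerRequest();
        HttpServletResponse response =
            (HttpServletResponse) ((WebResponse) getResponse()).getContainerResponse();
        JEEContext context = new JEEContext(request, response);

        OidcClient keyhub = new OidcClient(configuration);
        keyhub.setCallbackUrl(getAuthenticateCallbackUrl());

        if (isCallback(pars)) {
            // Fail closed with an explicit 401 instead of an unchecked Optional.get():
            // a callback that carries an error response, or a direct hit on the callback
            // URL, must not surface as an unhandled NoSuchElementException.
            OidcCredentials credentials = (OidcCredentials) keyhub
                .getCredentials(context, JEESessionStore.INSTANCE)
                .orElseThrow(KeyhubOidcPage::authenticationFailed);
            OidcProfile profile = (OidcProfile) keyhub
                .getUserProfile(credentials, context, JEESessionStore.INSTANCE)
                .orElseThrow(KeyhubOidcPage::authenticationFailed);

            // NOTE(review): the session id is not rotated on login. Consider calling
            // Wicket's Session#replaceSession() before storing the profile to guard
            // against session fixation - confirm that it keeps the intercept data that
            // continueToOriginalDestination() relies on.
            ConversieWebSession.get().setKeyhubProfile(profile);

            // Returns to the page that triggered the login if there is one; otherwise
            // execution falls through to the dashboard.
            continueToOriginalDestination();
            setResponsePage(DashboardPage.class);
        } else {
            // Any request that is not the registered callback (re)starts the login, so
            // stray query parameters can no longer push the request into the callback path.
            keyhub.getRedirectionAction(context, JEESessionStore.INSTANCE)
                .ifPresent(action -> apply(action, context));
        }
    }

    /**
     * Tells whether the request targets the callback URL built by
     * {@link #getAuthenticateCallbackUrl()}.
     *
     * @param pars the page parameters of the current request
     * @return {@code true} only when the {@code action} parameter equals {@code callback}
     */
    private static boolean isCallback(PageParameters pars) {
        return CALLBACK_ACTION.equals(pars.get(ACTION_PARAMETER).toString());
    }

    /**
     * Creates the exception used to reject a callback that did not authenticate the user.
     * The message is a fixed string, so nothing from the request is echoed back.
     *
     * @return an exception that makes Wicket answer with HTTP 401
     */
    private static AbortWithHttpErrorCodeException authenticationFailed() {
        return new AbortWithHttpErrorCodeException(HttpServletResponse.SC_UNAUTHORIZED,
            "Keyhub authentication failed");
    }

    /**
     * Builds the absolute URL of this page with {@code action=callback}, which is handed to
     * pac4j as the callback URL.
     *
     * @return the full callback URL as rendered by the current request cycle
     */
    private String getAuthenticateCallbackUrl() {
        PageParameters callbackPars = new PageParameters();
        callbackPars.set(ACTION_PARAMETER, CALLBACK_ACTION);
        return getRequestCycle().getUrlRenderer()
            .renderFullUrl(Url.parse(urlFor(KeyhubOidcPage.class, callbackPars)))
            .toString();
    }

    /**
     * Applies the pac4j redirection to the servlet response wrapped by {@code context}.
     *
     * @param action the redirection produced by the OIDC client
     * @param context the pac4j view of the current servlet request and response
     */
    private void apply(RedirectionAction action, JEEContext context) {
        // NOTE(review): this writes to the container response directly, outside Wicket's
        // own response handling - verify the page is not rendered afterwards.
        JEEHttpActionAdapter.INSTANCE.adapt(action, context);
    }
}

On Wed, Jan 19, 2022 at 8:36 AM Emond Papegaaij <emond.papega...@gmail.com> wrote: > Hi Boris, > > I would go for pac4j-oidc. It does not provide Wicket integration out of > the box, but it is very easy to setup and you only need a few lines of code > to check the authentication. Perhaps @dashorst can share the code: > https://twitter.com/dashorst/status/1111280001847054336 > > You can find an example of the pac4j code in a presentation a gave some > time ago: > https://blog.topicus-keyhub.com/oauth-2-0-demystified-j-spring-2019/ > > Best regards, > Emond > > On Tue, Jan 18, 2022 at 11:39 PM Boris Goldowsky <bgoldow...@cast.org> > wrote: > >> What is the current best practice for allowing users to sign in to a >> Wicket application using an OAuth2 provider (eg Google account, Twitter, >> Canvas, etc). >> >> * Is Apache Shiro a possibility? Looks like it’s got some Wicket >> integration, but OAuth2 is listed as “coming”. >> * PicketLink? >> * Something from https://oauth.net/code/java/ ? 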
>> >> Anyone with a working implementation care to give some pointers? >> >> Looks like there may have been some discussion of this 10 years ago on >> this list, but not more recently that I can find. >> >> Thank you! >> >> Boris >> >>