This is an automated email from the ASF dual-hosted git repository. riemer pushed a commit to branch load-openid-config in repository https://gitbox.apache.org/repos/asf/streampipes.git
commit aa69f30d15efa9c1d1d6641258d09ed707937fb6 Author: Dominik Riemer <[email protected]> AuthorDate: Mon Aug 18 20:46:40 2025 +0200 feat: Load OpenID config for external authentication
--- .../service/core/WebSecurityConfig.java | 72 +++++++++++++++------- 1 file changed, 50 insertions(+), 22 deletions(-)
diff --git a/streampipes-service-core/src/main/java/org/apache/streampipes/service/core/WebSecurityConfig.java b/streampipes-service-core/src/main/java/org/apache/streampipes/service/core/WebSecurityConfig.java
index 2afc3b4a20..17120ebc42 100644
--- a/streampipes-service-core/src/main/java/org/apache/streampipes/service/core/WebSecurityConfig.java
+++ b/streampipes-service-core/src/main/java/org/apache/streampipes/service/core/WebSecurityConfig.java
@@ -20,6 +20,7 @@ package org.apache.streampipes.service.core;
 import org.apache.streampipes.commons.environment.Environment;
 import org.apache.streampipes.commons.environment.Environments;
+import org.apache.streampipes.commons.environment.model.OAuthConfiguration;
 import org.apache.streampipes.service.base.security.UnauthorizedRequestEntryPoint;
 import org.apache.streampipes.service.core.filter.TokenAuthenticationFilter;
 import org.apache.streampipes.service.core.oauth2.CustomOAuth2UserService;
@@ -33,6 +34,7 @@ import org.apache.streampipes.user.management.service.SpUserDetailsService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
@@ -53,6 +55,7 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCo
 import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.ClientRegistrations;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -61,6 +64,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.StringUtils;
 import org.springframework.web.client.RestTemplate;
 import java.util.List;
@@ -191,32 +195,56 @@ public class WebSecurityConfig {
 private List<ClientRegistration> getRegistrations() {
 var oauthConfigs = Environments.getEnvironment().getOAuthConfigurations();
- return oauthConfigs.stream().map(config -> {
- ClientRegistration.Builder builder = this.getBuilder(config.getRegistrationId());
- builder.scope(config.getScopes());
- builder.authorizationUri(config.getAuthorizationUri());
- builder.tokenUri(config.getTokenUri());
- builder.jwkSetUri(config.getJwkSetUri());
- builder.issuerUri(config.getIssuerUri());
- builder.userInfoUri(config.getUserInfoUri());
- builder.clientSecret(config.getClientSecret());
- builder.userNameAttributeName(config.getEmailAttributeName());
- builder.clientName(config.getClientName());
- builder.clientId(config.getClientId());
+ return oauthConfigs.stream()
+ .map(config -> {
+ ClientRegistration.Builder builder = getBuilder(config);
+
+ builder
+ .registrationId(config.getRegistrationId())
+ .clientId(config.getClientId())
+ .clientSecret(config.getClientSecret())
+ .clientName(config.getClientName())
+ .scope(config.getScopes());
+
+ if (StringUtils.hasText(config.getEmailAttributeName())) {
+ builder.userNameAttributeName(config.getEmailAttributeName());
+ }
+
+ if (StringUtils.hasText(config.getAuthorizationUri())) {
+ builder.authorizationUri(config.getAuthorizationUri());
+ }
+ if (StringUtils.hasText(config.getTokenUri())) {
+ builder.tokenUri(config.getTokenUri());
+ }
+ if (StringUtils.hasText(config.getJwkSetUri())) {
+ builder.jwkSetUri(config.getJwkSetUri());
+ }
+ if (StringUtils.hasText(config.getUserInfoUri())) {
+ builder.userInfoUri(config.getUserInfoUri());
+ }
+ if (StringUtils.hasText(config.getIssuerUri())) {
+ builder.issuerUri(config.getIssuerUri());
+ }
+
+ + return builder.build();
- }
- ).toList();
+ })
+ .toList();
 }
- protected final ClientRegistration.Builder getBuilder(String registrationId) {
- ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
- builder.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
- builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
- builder.redirectUri(
- String.format("%s/streampipes-backend/{action}/oauth2/code/{registrationId}",
+ protected ClientRegistration.Builder getBuilder(OAuthConfiguration config) {
+ ClientRegistration.Builder builder =
+ StringUtils.hasText(config.getIssuerUri())
+ ? ClientRegistrations.fromIssuerLocation(config.getIssuerUri())
+ : ClientRegistration.withRegistrationId(config.getRegistrationId())
+ .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
+
+ builder
+ .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+ .redirectUri(String.format(
+ "%s/streampipes-backend/{action}/oauth2/code/{registrationId}",
 env.getOAuthRedirectUri().getValueOrDefault()
- )
- );
+ ));
+ + return builder;
 }
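Review bot: In the new `getBuilder`, `.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)` is applied unconditionally after the ternary, so when `issuerUri` is configured it overwrites whatever `ClientRegistrations.fromIssuerLocation` derived from the provider's discovery metadata (as far as I recall it selects the method from the advertised token-endpoint auth methods), and a provider that only supports `client_secret_post` would then fail at the token endpoint. I would move that call into the manual branch only, i.e. `: ClientRegistration.withRegistrationId(config.getRegistrationId()).authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE).clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)`, and let the discovered value stand. The discovery branch also deserves a comment, since it changes the failure mode of the whole configuration: `// fromIssuerLocation fetches the OpenID discovery document over the network while the bean is built; an unreachable or misconfigured issuer now aborts startup instead of failing on first login`. The trailing context after `return builder; }` appears cut off in this view, but the method body itself is complete.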
