This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/3_0_X by this push:
new 5ea51295c8 [SYNCOPE-1844] Support Okta authentication and attribute
repository
5ea51295c8 is described below
commit 5ea51295c81908cfd865b6e141e65d03f54a4898
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Fri Nov 15 07:35:44 2024 +0100
[SYNCOPE-1844] Support Okta authentication and attribute repository
---
.../syncope/common/lib/AbstractOktaConf.java | 36 +++++++++++
.../syncope/common/lib/attr/AttrRepoConf.java | 2 +
.../syncope/common/lib/attr/OktaAttrRepoConf.java | 74 ++++++++++++++++++++++
.../syncope/common/lib/auth/AuthModuleConf.java | 2 +
.../common/lib/auth/OktaAuthModuleConf.java | 52 +++++++++++++++
.../concepts/attributerepositories.adoc | 1 +
.../concepts/authenticationmodules.adoc | 1 +
.../mapping/AttrRepoPropertySourceMapper.java | 18 +++++-
.../mapping/AuthModulePropertySourceMapper.java | 14 ++++
wa/starter/pom.xml | 8 +++
10 files changed, 206 insertions(+), 2 deletions(-)
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
new file mode 100644
index 0000000000..a19d96df9d
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib;
+
+import java.io.Serializable;
+
+public abstract class AbstractOktaConf implements Serializable {
+
+ private static final long serialVersionUID = -7800528759438661362L;
+
+ private String organizationUrl;
+
+ public String getOrganizationUrl() {
+ return organizationUrl;
+ }
+
+ public void setOrganizationUrl(final String organizationUrl) {
+ this.organizationUrl = organizationUrl;
+ }
+}
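Review bot: The `organizationUrl` field at the top of the class has no Javadoc, while every other Okta conf field introduced by this commit is documented, and nothing in the setter constrains the value (no check that it is an absolute URL or uses https). Because the same value is later handed to CAS for both the auth module and the attribute repository, a one-line doc would help administrators: `/** Okta organization URL; expected to be the absolute base URL of the Okta org (no validation is performed here). */`. Whether CAS validates the URL downstream cannot be told from this hunk.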
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
index 682d875f94..1942b7c424 100644
---
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
@@ -37,6 +37,8 @@ public interface AttrRepoConf extends BaseBean {
Map<String, Object> map(AttrRepoTO attrRepo, SyncopeAttrRepoConf conf);
Map<String, Object> map(AttrRepoTO attrRepo,
AzureActiveDirectoryAttrRepoConf conf);
+
+ Map<String, Object> map(AttrRepoTO attrRepo, OktaAttrRepoConf conf);
}
Map<String, Object> map(AttrRepoTO attrRepo, Mapper mapper);
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
new file mode 100644
index 0000000000..2cfa6d6e1a
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.attr;
+
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AttrRepoTO;
+
+public class OktaAttrRepoConf extends AbstractOktaConf implements AttrRepoConf
{
+
+ private static final long serialVersionUID = 1019473980380211566L;
+
+ /**
+ * Username attribute to fetch attributes by.
+ */
+ private String usernameAttribute = "username";
+
+ /**
+ * Okta allows you to interact with Okta APIs using scoped OAuth 2.0
access tokens. Each access token
+ * enables the bearer to perform specific actions on specific Okta
endpoints, with that
+ * ability controlled by which scopes the access token contains. Scopes
are only used
+ * when using client id and private-key.
+ */
+ private final List<String> scopes = Stream.of("okta.users.read",
"okta.apps.read").collect(Collectors.toList());
+
+ /**
+ * Okta API token.
+ */
+ private String apiToken;
+
+ public String getUsernameAttribute() {
+ return usernameAttribute;
+ }
+
+ public void setUsernameAttribute(final String usernameAttribute) {
+ this.usernameAttribute = usernameAttribute;
+ }
+
+ public String getApiToken() {
+ return apiToken;
+ }
+
+ public void setApiToken(final String apiToken) {
+ this.apiToken = apiToken;
+ }
+
+ public List<String> getScopes() {
+ return scopes;
+ }
+
+ @Override
+ public Map<String, Object> map(final AttrRepoTO attrRepo, final Mapper
mapper) {
+ return mapper.map(attrRepo, this);
+ }
+}
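Review bot: The Javadoc on `scopes` says scopes are only used when authenticating with a client id and private key, but this bean exposes neither — only `apiToken` — so as written the default scopes are either dead configuration or the comment describes properties that were not carried over; either add those properties or trim the comment to what the bean actually offers. `apiToken` is a credential and its Javadoc should say so, e.g. `/** Okta API token; treat as a secret and never log it. */`. Note also that `getScopes()` returns the backing mutable list produced by `Collectors.toList()`, which is fine if the JSON binder is expected to populate it through the getter, but that intent is worth a short comment since there is no setter.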
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
index ac3cc37a51..7666975eff 100644
---
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
@@ -65,6 +65,8 @@ public interface AuthModuleConf extends BaseBean {
Map<String, Object> map(AuthModuleTO authModule,
SimpleMfaAuthModuleConf conf);
Map<String, Object> map(AuthModuleTO authModule, SpnegoAuthModuleConf
conf);
+
+ Map<String, Object> map(AuthModuleTO authModule, OktaAuthModuleConf
conf);
}
Map<String, Object> map(AuthModuleTO authModule, Mapper mapper);
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
new file mode 100644
index 0000000000..487d00d840
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.auth;
+
+import java.util.Map;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AuthModuleTO;
+
+public class OktaAuthModuleConf extends AbstractOktaConf implements
AuthModuleConf {
+
+ private static final long serialVersionUID = -696882546462937138L;
+
+ /**
+ * A number of authentication handlers are allowed to determine whether
they can operate on the provided credential
+ * and as such lend themselves to be tried and tested during the
authentication handler selection phase.
+ * The credential criteria may be one of the following options:<ul>
+ * <li>A regular expression pattern that is tested against the credential
identifier.</li>
+ * <li>A fully qualified class name of your own design that implements
{@code Predicate}.</li>
+ * <li>Path to an external Groovy script that implements the same
interface.</li>
+ * </ul>
+ */
+ private String credentialCriteria;
+
+ public String getCredentialCriteria() {
+ return credentialCriteria;
+ }
+
+ public void setCredentialCriteria(final String credentialCriteria) {
+ this.credentialCriteria = credentialCriteria;
+ }
+
+ @Override
+ public Map<String, Object> map(final AuthModuleTO authModule, final Mapper
mapper) {
+ return mapper.map(authModule, this);
+ }
+}
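Review bot: The `credentialCriteria` Javadoc states the value may be a fully qualified class name or the path to an external Groovy script, which means whoever can edit this auth module's configuration is effectively choosing code that WA will load; the comment should say that plainly so the permission to manage auth modules is understood as code-deployment-level trust. Suggested addition to the Javadoc: `Note: class-name and Groovy-script values cause WA to load and run that code; restrict who may edit this setting accordingly.` That CAS loads the class or script at runtime is taken from the comment's own description and is not otherwise visible in this hunk.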
diff --git
a/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
b/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
index 82f56312f5..499f13132d 100644
--- a/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
@@ -28,6 +28,7 @@ Some attribute repositories are provided:
*
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Stub.html[Stub^]
*
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Syncope.html[Syncope^]
*
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-AzureAD.html[Azure
Active Directory^]
+*
https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution-Okta.html[Okta^]
[TIP]
====
diff --git
a/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
index dff10d3350..3e23fb1d31 100644
--- a/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
@@ -30,6 +30,7 @@ Several authentication modules are provided:
**
https://apereo.github.io/cas/6.6.x/authentication/SPNEGO-Authentication.html[SPNEGO^]
**
https://apereo.github.io/cas/6.6.x/authentication/Syncope-Authentication.html[Syncope^]
**
https://apereo.github.io/cas/6.6.x/authentication/Azure-ActiveDirectory-Authentication.html[Azure
Active Directory^]
+ **
https://apereo.github.io/cas/6.6.x/authentication/Okta-Authentication.html[Okta^]
**
https://apereo.github.io/cas/6.6.x/authentication/X509-Authentication.html[X509^]
**
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-Generic-OpenID-Connect.html[OpenID
Connect^]
**
https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-OAuth20.html[OAuth2^]
diff --git
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
index 5c6cf82f1d..9194ad882f 100644
---
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
+++
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
@@ -26,6 +26,7 @@ import org.apache.syncope.common.lib.attr.AttrRepoConf;
import org.apache.syncope.common.lib.attr.AzureActiveDirectoryAttrRepoConf;
import org.apache.syncope.common.lib.attr.JDBCAttrRepoConf;
import org.apache.syncope.common.lib.attr.LDAPAttrRepoConf;
+import org.apache.syncope.common.lib.attr.OktaAttrRepoConf;
import org.apache.syncope.common.lib.attr.StubAttrRepoConf;
import org.apache.syncope.common.lib.attr.SyncopeAttrRepoConf;
import org.apache.syncope.common.lib.to.AttrRepoTO;
@@ -37,6 +38,7 @@ import
org.apereo.cas.configuration.model.core.authentication.StubPrincipalAttri
import
org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAttributesProperties;
import
org.apereo.cas.configuration.model.support.jdbc.JdbcPrincipalAttributesProperties;
import
org.apereo.cas.configuration.model.support.ldap.LdapPrincipalAttributesProperties;
+import
org.apereo.cas.configuration.model.support.okta.OktaPrincipalAttributesProperties;
import
org.apereo.cas.configuration.model.support.syncope.SyncopePrincipalAttributesProperties;
public class AttrRepoPropertySourceMapper extends PropertySourceMapper
implements AttrRepoConf.Mapper {
@@ -134,7 +136,19 @@ public class AttrRepoPropertySourceMapper extends
PropertySourceMapper implement
props.setAttributes(attrRepoTO.getItems().stream().map(Item::getExtAttrName).collect(Collectors.joining(",")));
return prefix(
- "cas.authn.attribute-repository.azure-active-directory[].",
- CasCoreConfigurationUtils.asMap(props));
+ "cas.authn.attribute-repository.azure-active-directory[].",
CasCoreConfigurationUtils.asMap(props));
+ }
+
+ @Override
+ public Map<String, Object> map(final AttrRepoTO attrRepoTO, final
OktaAttrRepoConf conf) {
+ OktaPrincipalAttributesProperties props = new
OktaPrincipalAttributesProperties();
+ props.setId(attrRepoTO.getKey());
+ props.setOrder(attrRepoTO.getOrder());
+ props.setOrganizationUrl(conf.getOrganizationUrl());
+ props.setUsernameAttribute(conf.getUsernameAttribute());
+ props.setScopes(conf.getScopes());
+ props.setApiToken(conf.getApiToken());
+
+ return prefix("cas.authn.attribute-repository.okta.",
CasCoreConfigurationUtils.asMap(props));
}
}
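Review bot: The new Okta mapping at the bottom of the hunk uses the non-indexed prefix `cas.authn.attribute-repository.okta.`, whereas the Azure mapping just above uses `azure-active-directory[].`; if the CAS-side Okta attribute repository is a single object rather than a list, as the prefix suggests, defining more than one Okta attribute repository in Syncope would make the later one silently overwrite the earlier in the merged property source. If so, a comment at the `return prefix(...)` line would save the next reader a surprise, e.g. `// CAS exposes a single okta attribute repository; only one OktaAttrRepoConf takes effect`. `props.setApiToken(conf.getApiToken())` also places the Okta credential into the generated property map; the hunk does not show how other credential-bearing properties are treated in this mapper, but this one should get the same care wherever the resulting properties are logged or dumped. The enclosing class continues outside the hunk.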
diff --git
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
index fb1a20793b..8b9c9562ce 100644
---
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
+++
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
@@ -39,6 +39,7 @@ import
org.apache.syncope.common.lib.auth.KeycloakOIDCAuthModuleConf;
import org.apache.syncope.common.lib.auth.LDAPAuthModuleConf;
import org.apache.syncope.common.lib.auth.OAuth20AuthModuleConf;
import org.apache.syncope.common.lib.auth.OIDCAuthModuleConf;
+import org.apache.syncope.common.lib.auth.OktaAuthModuleConf;
import org.apache.syncope.common.lib.auth.SAML2IdPAuthModuleConf;
import org.apache.syncope.common.lib.auth.SimpleMfaAuthModuleConf;
import org.apache.syncope.common.lib.auth.SpnegoAuthModuleConf;
@@ -64,6 +65,7 @@ import
org.apereo.cas.configuration.model.support.mfa.gauth.GoogleAuthenticatorM
import
org.apereo.cas.configuration.model.support.mfa.gauth.LdapGoogleAuthenticatorMultifactorProperties;
import
org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties;
import
org.apereo.cas.configuration.model.support.mfa.u2f.U2FMultifactorAuthenticationProperties;
+import
org.apereo.cas.configuration.model.support.okta.OktaAuthenticationProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oauth.Pac4jOAuth20ClientProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oidc.BasePac4jOidcClientProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jAppleOidcClientProperties;
@@ -418,6 +420,18 @@ public class AuthModulePropertySourceMapper extends
PropertySourceMapper impleme
return prefix("cas.authn.azure-active-directory.",
CasCoreConfigurationUtils.asMap(props));
}
+ @Override
+ public Map<String, Object> map(AuthModuleTO authModuleTO,
OktaAuthModuleConf conf) {
+ OktaAuthenticationProperties props = new
OktaAuthenticationProperties();
+ props.setName(authModuleTO.getKey());
+ props.setOrder(authModuleTO.getOrder());
+
props.setState(AuthenticationHandlerStates.valueOf(authModuleTO.getState().name()));
+ props.setOrganizationUrl(conf.getOrganizationUrl());
+ props.setCredentialCriteria(conf.getCredentialCriteria());
+
+ return prefix("cas.authn.okta.",
CasCoreConfigurationUtils.asMap(props));
+ }
+
@Override
public Map<String, Object> map(final AuthModuleTO authModuleTO, final
GoogleMfaAuthModuleConf conf) {
GoogleAuthenticatorMultifactorProperties props = new
GoogleAuthenticatorMultifactorProperties();
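Review bot: The new `map(AuthModuleTO, OktaAuthModuleConf)` declares its parameters without `final`, unlike the neighbouring `map` overloads in this class (the Google MFA one immediately after it) and the Okta mapping added to AttrRepoPropertySourceMapper in the same commit; the signature should read `public Map<String, Object> map(final AuthModuleTO authModuleTO, final OktaAuthModuleConf conf) {`. There is also no blank line between the preceding method's closing brace and the new `@Override`, while one was added after the new method. The enclosing class starts and ends outside the hunk.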
diff --git a/wa/starter/pom.xml b/wa/starter/pom.xml
index b20122125e..bde67018b1 100644
--- a/wa/starter/pom.xml
+++ b/wa/starter/pom.xml
@@ -150,6 +150,14 @@ under the License.
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-syncope-authentication</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apereo.cas</groupId>
+ <artifactId>cas-server-support-azuread-authentication</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apereo.cas</groupId>
+ <artifactId>cas-server-support-okta-authentication</artifactId>
+ </dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-saml</artifactId>
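Review bot: Besides `cas-server-support-okta-authentication`, the hunk also adds `cas-server-support-azuread-authentication`, which the commit title does not mention; if the Azure AD starter was previously missing from wa/starter that is a separate fix worth naming in the commit message, otherwise it is an unrelated change that should be split out. Whether the existing Azure AD modules worked without this dependency cannot be told from the diff.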