emiliosetiadarma commented on code in PR #6637:
URL: https://github.com/apache/nifi/pull/6637#discussion_r1027557062
##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java:
##########
@@ -832,4 +950,133 @@ private boolean isBasicLoginSupported(HttpServletRequest
request) {
private boolean isOIDCLoginSupported(HttpServletRequest request) {
return request.isSecure() && oidcService != null &&
oidcService.isOidcEnabled();
}
+
+ private String determineLogoutMethod() {
+ if (oidcService.getEndSessionEndpoint() != null) {
+ return ID_TOKEN_LOGOUT;
+ } else if (oidcService.getRevocationEndpoint() != null) {
+ return REVOKE_ACCESS_TOKEN_LOGOUT;
+ } else {
+ return STANDARD_LOGOUT;
+ }
+ }
+
+ /**
+ * Generates the request Authorization URI for the OpenID Connect
Provider. Returns an authorization
+ * URI using the provided callback URI.
+ *
+ * @param httpServletResponse the servlet response
+ * @param callback the OIDC callback URI
+ * @return the authorization URI
+ */
+ private URI oidcRequestAuthorizationCode(@Context final
HttpServletResponse httpServletResponse, final String callback) {
+ final String oidcRequestIdentifier = UUID.randomUUID().toString();
+ // generate a cookie to associate this login sequence
+ final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER,
oidcRequestIdentifier);
+ cookie.setPath("/");
+ cookie.setHttpOnly(true);
+ cookie.setMaxAge(60);
+ cookie.setSecure(true);
+ httpServletResponse.addCookie(cookie);
+
+ // get the state for this request
+ final State state = oidcService.createState(oidcRequestIdentifier);
+
+ // build the authorization uri
+ final URI authorizationUri =
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+ .queryParam("client_id", oidcService.getClientId())
+ .queryParam("response_type", "code")
+ .queryParam("scope", oidcService.getScope().toString())
+ .queryParam("state", state.getValue())
+ .queryParam("redirect_uri", callback)
+ .build();
+ return authorizationUri;
+ }
+
+ private String getOidcRequestIdentifier(final HttpServletRequest
httpServletRequest) {
+ return getCookieValue(httpServletRequest.getCookies(),
OIDC_REQUEST_IDENTIFIER);
+ }
+
+ private com.nimbusds.openid.connect.sdk.AuthenticationResponse
parseAuthenticationResponse(final URI requestUri,
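Review bot: determineLogoutMethod() calls oidcService.getEndSessionEndpoint() and oidcService.getRevocationEndpoint() without the `oidcService != null` guard that isOIDCLoginSupported() directly above it applies. If the service can be null here, as that check implies, this throws a NullPointerException instead of falling through to STANDARD_LOGOUT. Suggest returning STANDARD_LOGOUT up front when oidcService is null or OIDC is not enabled. In oidcRequestAuthorizationCode(), the `@Context` annotation on the httpServletResponse parameter does nothing on a private helper that is called directly and can be dropped. Also, `cookie.setMaxAge(60)` means the OIDC_REQUEST_IDENTIFIER cookie is gone if the user spends more than 60 seconds at the provider, so getOidcRequestIdentifier() would then have nothing to match the returned state against. Either document why 60 seconds was chosen or lengthen it, and make sure the callback handles the missing-cookie case with a clear error.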
Review Comment:
The nimbusds classes were the ones used previously, just refactored some
things to make stuff more reusable. Our implementation also does not have the
`getState()` method used to validate OIDC state and the `isSuccess()` method to
indicate a successful response. I could look into expanding the capabilities of
the NiFi Registry `AuthenticationResponse`, let me know what you think!