emiliosetiadarma commented on code in PR #6637:
URL: https://github.com/apache/nifi/pull/6637#discussion_r1027563567
##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/api/AccessResource.java:
##########
@@ -832,4 +950,133 @@ private boolean isBasicLoginSupported(HttpServletRequest
request) {
private boolean isOIDCLoginSupported(HttpServletRequest request) {
return request.isSecure() && oidcService != null &&
oidcService.isOidcEnabled();
}
+
+ private String determineLogoutMethod() {
+ if (oidcService.getEndSessionEndpoint() != null) {
+ return ID_TOKEN_LOGOUT;
+ } else if (oidcService.getRevocationEndpoint() != null) {
+ return REVOKE_ACCESS_TOKEN_LOGOUT;
+ } else {
+ return STANDARD_LOGOUT;
+ }
+ }
+
+ /**
+ * Generates the request Authorization URI for the OpenID Connect
Provider. Returns an authorization
+ * URI using the provided callback URI.
+ *
+ * @param httpServletResponse the servlet response
+ * @param callback the OIDC callback URI
+ * @return the authorization URI
+ */
+ private URI oidcRequestAuthorizationCode(@Context final
HttpServletResponse httpServletResponse, final String callback) {
+ final String oidcRequestIdentifier = UUID.randomUUID().toString();
+ // generate a cookie to associate this login sequence
+ final Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER,
oidcRequestIdentifier);
+ cookie.setPath("/");
+ cookie.setHttpOnly(true);
+ cookie.setMaxAge(60);
+ cookie.setSecure(true);
+ httpServletResponse.addCookie(cookie);
+
+ // get the state for this request
+ final State state = oidcService.createState(oidcRequestIdentifier);
+
+ // build the authorization uri
+ final URI authorizationUri =
UriBuilder.fromUri(oidcService.getAuthorizationEndpoint())
+ .queryParam("client_id", oidcService.getClientId())
+ .queryParam("response_type", "code")
+ .queryParam("scope", oidcService.getScope().toString())
+ .queryParam("state", state.getValue())
+ .queryParam("redirect_uri", callback)
+ .build();
+ return authorizationUri;
+ }
+
+ private String getOidcRequestIdentifier(final HttpServletRequest
httpServletRequest) {
+ return getCookieValue(httpServletRequest.getCookies(),
OIDC_REQUEST_IDENTIFIER);
+ }
+
+ private com.nimbusds.openid.connect.sdk.AuthenticationResponse
parseAuthenticationResponse(final URI requestUri,
+
final HttpServletResponse httpServletResponse,
+
final boolean isLogin) {
+ final com.nimbusds.openid.connect.sdk.AuthenticationResponse
oidcResponse;
+ try {
+ oidcResponse = AuthenticationResponseParser.parse(requestUri);
+ } catch (final ParseException e) {
+ final String loginOrLogoutString = isLogin ? "login" : "logout";
+ logger.error(String.format("Unable to parse the redirect URI from
the OpenId Connect Provider. Unable to continue %s process.",
loginOrLogoutString));
+
+ // remove the oidc request cookie
+ removeOidcRequestCookie(httpServletResponse);
+
+ throw new IllegalStateException(String.format("Unable to parse the
redirect URI from the OpenId Connect Provider. Unable to continue %s process.",
loginOrLogoutString));
+ }
+ return oidcResponse;
+ }
+
+ private void validateOIDCState(final String oidcRequestIdentifier,
+ final AuthenticationSuccessResponse
successfulOidcResponse,
+ final HttpServletResponse
httpServletResponse,
+ final boolean isLogin) {
+ // confirm state
+ final State state = successfulOidcResponse.getState();
+ if (state == null || !oidcService.isStateValid(oidcRequestIdentifier,
state)) {
+ final String loginOrLogoutMessage = isLogin ? "login" : "logout";
+ logger.error(String.format("The state value returned by the OpenId
Connect Provider does not match the stored state. Unable to continue %s
process.", loginOrLogoutMessage));
+
+ // remove the oidc request cookie
+ removeOidcRequestCookie(httpServletResponse);
+
+ throw new IllegalStateException(String.format("Purposed state does
not match the stored state. Unable to continue %s process.",
loginOrLogoutMessage));
+ }
+ }
+
+ /**
+ * Sends a POST request to the revoke endpoint to log out of the ID
Provider.
+ *
+ * @param httpServletResponse the servlet response
+ * @param accessToken the OpenID Connect Provider access token
+ * @param revokeEndpoint the name of the cookie
+ * @throws IOException exceptional case for communication error with the
OpenId Connect Provider
+ */
+ private void revokeEndpointRequest(@Context HttpServletResponse
httpServletResponse, String accessToken, URI revokeEndpoint) throws
IOException, NoSuchAlgorithmException {
+ final CloseableHttpClient httpClient = getHttpClient();
+ HttpPost httpPost = new HttpPost(revokeEndpoint);
+
+ List<NameValuePair> params = new ArrayList<>();
+ // Append a query param with the access token
+ params.add(new BasicNameValuePair("token", accessToken));
+ httpPost.setEntity(new UrlEncodedFormEntity(params));
+
+ try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
+ if (response.getStatusLine().getStatusCode() ==
HTTPResponse.SC_OK) {
+ // redirect to NiFi Registry page after logout completes
+ logger.debug("You are logged out of the OpenId Connect
Provider.");
+ final String postLogoutRedirectUri = getNiFiRegistryUri();
+ httpServletResponse.sendRedirect(postLogoutRedirectUri);
+ } else {
+ logger.error("There was an error logging out of the OpenId
Connect Provider. " +
+ "Response status: " +
response.getStatusLine().getStatusCode());
+ }
+ } finally {
+ httpClient.close();
+ }
+ }
+
+ private CloseableHttpClient getHttpClient() throws
NoSuchAlgorithmException {
+ final int msTimeout = 30_000;
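Review bot: In `revokeEndpointRequest` the non-200 branch only logs, so when revocation fails the servlet response is left untouched and the user gets neither the redirect nor an error; the other new helpers throw `IllegalStateException` in the same situation, and this one should too, e.g. `throw new IllegalStateException("Logout at the OpenId Connect Provider failed with status " + response.getStatusLine().getStatusCode());`. The form body carries only `token`; RFC 7009 requires client authentication at the revocation endpoint for confidential clients, so unless `getHttpClient()` (which starts in this hunk and continues past it) attaches the client credentials, providers may reject the call and the failure will surface only as that log line. The manual `finally { httpClient.close(); }` can be folded into the existing try-with-resources: `try (CloseableHttpClient httpClient = getHttpClient(); CloseableHttpResponse response = httpClient.execute(httpPost))`. The Javadoc also mislabels a parameter, `@param revokeEndpoint the OpenID Connect Provider token revocation endpoint`, and omits `@throws NoSuchAlgorithmException`.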
Review Comment:
Thanks for letting me know, will make the changes!