Re: OAuth authentication

2022-01-19 Thread Emond Papegaaij
I've received the code from Martijn Dashorst. It should be enough to get
you up and running.
This page is mounted like this:

    mountPage("/oidc/#{action}", KeyhubOidcPage.class);

Redirect to this page to start the authentication.


package nl.topicus.iridium.conversie.web.pages.public_pages.keyhub;

import static nl.topicus.iridium.conversie.keyhub.KeyhubEnvironmentVariables.Names.*;

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import nl.topicus.iridium.conversie.environment.Environment;
import nl.topicus.iridium.conversie.web.app.ConversieWebSession;
import nl.topicus.iridium.conversie.web.pages.dashboard.DashboardPage;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;

public class KeyhubOidcPage extends WebPage
{
    private static final long serialVersionUID = 1L;

    @Inject
    private Environment environment;

    public KeyhubOidcPage(PageParameters pars)
    {
        super(pars);

        // Client id and secret are read from the environment, not hard-coded.
        OidcConfiguration configuration = new OidcConfiguration();
        configuration.setClientId(environment.getRequiredValue(KEYHUB_API_CLIENTID));
        configuration.setSecret(environment.getRequiredValue(KEYHUB_API_SECRET));
        configuration.setConnectTimeout(2000);
        configuration.setReadTimeout(5000);
        configuration.setDiscoveryURI(
            "https://keyhub.topicusonderwijs.nl/.well-known/openid-configuration");

        // pac4j works on the servlet request/response underneath Wicket.
        HttpServletRequest request =
            (HttpServletRequest) ((WebRequest) getRequest()).getContainerRequest();
        HttpServletResponse response =
            (HttpServletResponse) ((WebResponse) getResponse()).getContainerResponse();

        JEEContext context = new JEEContext(request, response);

        OidcClient keyhub = new OidcClient(configuration);
        keyhub.setCallbackUrl(getAuthenticateCallbackUrl());

        if (pars.isEmpty())
        {
            // No parameters: start the flow by redirecting to the provider.
            keyhub.getRedirectionAction(context, JEESessionStore.INSTANCE)
                .ifPresent(action -> apply(action, context));
        }
        else
        {
            // Callback: let pac4j extract the credentials and fetch the profile.
            // Optional.get() throws NoSuchElementException when pac4j returns
            // no credentials or no profile for this request.
            OidcCredentials credentials =
                (OidcCredentials) keyhub.getCredentials(context, JEESessionStore.INSTANCE).get();
            OidcProfile profile =
                (OidcProfile) keyhub.getUserProfile(credentials, context, JEESessionStore.INSTANCE)
                    .get();

            // Keep the profile in the Wicket session for later authorization checks.
            ConversieWebSession.get().setKeyhubProfile(profile);
            // Return to the page that triggered the login, or else the dashboard.
            continueToOriginalDestination();
            setResponsePage(DashboardPage.class);
        }
    }

    // Absolute URL of this page with action=callback, i.e. /oidc/callback.
    private String getAuthenticateCallbackUrl()
    {
        PageParameters callbackPars = new PageParameters();
        callbackPars.set("action", "callback");

        return getRequestCycle().getUrlRenderer()
            .renderFullUrl(Url.parse(urlFor(KeyhubOidcPage.class, callbackPars)))
            .toString();
    }

    // Writes the pac4j redirect to the servlet response.
    private void apply(RedirectionAction action, JEEContext context)
    {
        JEEHttpActionAdapter.INSTANCE.adapt(action, context);
    }
}


On Wed, Jan 19, 2022 at 8:36 AM Emond Papegaaij 
wrote:

> Hi Boris,
>
> I would go for pac4j-oidc. It does not provide Wicket integration out of
> the box, but it is very easy to set up and you only need a few lines of code
> to check the authentication. Perhaps @dashorst can share the code:
> https://twitter.com/dashorst/status/280001847054336
>
> You can find an example of the pac4j code in a presentation I gave some
> time ago:
> https://blog.topicus-keyhub.com/oauth-2-0-demystified-j-spring-2019/
>
> Best regards,
> Emond
>
> On Tue, Jan 18, 2022 at 11:39 PM Boris Goldowsky 
> wrote:
>
>> What is the current best practice for allowing users to sign in to a
>> Wicket application using an OAuth2 provider (eg Google account, Twitter,
>> Canvas, etc).
>>
>>   *   Is Apache Shiro a possibility?  Looks like it’s got some Wicket
>> integration, but OAuth2 is listed as “coming”.
>>   *   PicketLink?
>>   *   Something from https:

Re: OAuth authentication

2022-01-18 Thread Martin Grigorov
Hi,

You could use any OAuth library you like.
The idea is:
- when an unauthenticated user requests a secured page Wicket should
redirect to the login page
- that login page is not managed by Wicket but by your preferred OAuth
library
- in the callback from the OAuth library you should save the data in your
WebSession, e.g. principal, roles, etc. which you should use later for
authorization

On Wed, Jan 19, 2022 at 12:39 AM Boris Goldowsky 
wrote:

> What is the current best practice for allowing users to sign in to a
> Wicket application using an OAuth2 provider (eg Google account, Twitter,
> Canvas, etc).
>
>   *   Is Apache Shiro a possibility?  Looks like it’s got some Wicket
> integration, but OAuth2 is listed as “coming”.
>   *   PicketLink?
>   *   Something from https://oauth.net/code/java/ ?
>
> Anyone with a working implementation care to give some pointers?
>
> Looks like there may have been some discussion of this 10 years ago on
> this list, but not more recently that I can find.
>
> Thank you!
>
> Boris
>
>
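
The flow described in this reply (secured page, redirect to the login page, profile kept in the session for authorization), wired into Wicket's authorization hooks. This is an added example, not code from the thread's participants; it reuses KeyhubOidcPage and ConversieWebSession from the code posted elsewhere in this thread, and the getKeyhubProfile() getter and the OidcAuthorizationStrategy class name are assumptions.

```java
import nl.topicus.iridium.conversie.web.app.ConversieWebSession;
import nl.topicus.iridium.conversie.web.pages.public_pages.keyhub.KeyhubOidcPage;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestableComponent;

// Hypothetical class: every page except the OIDC page requires a signed-in user.
public class OidcAuthorizationStrategy
    extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
    @Override
    public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
        Class<T> componentClass)
    {
        // Only pages are checked here; panels and other components pass.
        if (!Page.class.isAssignableFrom(componentClass))
            return true;
        // The login/callback page must stay reachable without a profile,
        // otherwise the redirect below would loop.
        if (KeyhubOidcPage.class.isAssignableFrom(componentClass))
            return true;
        // Assumption: getKeyhubProfile() returns what the callback stored with
        // setKeyhubProfile(profile), or null before sign-in.
        return ConversieWebSession.get().getKeyhubProfile() != null;
    }

    /** Call from WebApplication#init(). */
    public static void install(WebApplication app)
    {
        app.mountPage("/oidc/#{action}", KeyhubOidcPage.class);
        app.getSecuritySettings()
            .setAuthorizationStrategy(new OidcAuthorizationStrategy());
        // The intercept exception remembers the requested URL, so that
        // continueToOriginalDestination() in the callback can return there.
        app.getSecuritySettings()
            .setUnauthorizedComponentInstantiationListener(component -> {
                throw new RestartResponseAtInterceptPageException(KeyhubOidcPage.class);
            });
    }
}
```

Because every page is denied by default, a newly added page is protected without any extra step; pages meant to be public need an explicit exemption next to the one for KeyhubOidcPage.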


Re: OAuth authentication

2022-01-18 Thread Emond Papegaaij
Hi Boris,

I would go for pac4j-oidc. It does not provide Wicket integration out of
the box, but it is very easy to set up and you only need a few lines of code
to check the authentication. Perhaps @dashorst can share the code:
https://twitter.com/dashorst/status/280001847054336

You can find an example of the pac4j code in a presentation I gave some
time ago:
https://blog.topicus-keyhub.com/oauth-2-0-demystified-j-spring-2019/

Best regards,
Emond

On Tue, Jan 18, 2022 at 11:39 PM Boris Goldowsky 
wrote:

> What is the current best practice for allowing users to sign in to a
> Wicket application using an OAuth2 provider (eg Google account, Twitter,
> Canvas, etc).
>
>   *   Is Apache Shiro a possibility?  Looks like it’s got some Wicket
> integration, but OAuth2 is listed as “coming”.
>   *   PicketLink?
>   *   Something from https://oauth.net/code/java/ ?
>
> Anyone with a working implementation care to give some pointers?
>
> Looks like there may have been some discussion of this 10 years ago on
> this list, but not more recently that I can find.
>
> Thank you!
>
> Boris
>
>


Re: OAuth authentication

2022-01-18 Thread Shengche Hsiao
Hello, I’m using 
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions 
to implement OpenID Connect and OAuth 2 providers and to consume OAuth2-protected 
resources in a Wicket project.

From: Boris Goldowsky 
Date: Wednesday, January 19, 2022 at 06:39
To: users@wicket.apache.org 
Subject: OAuth authentication
What is the current best practice for allowing users to sign in to a Wicket 
application using an OAuth2 provider (eg Google account, Twitter, Canvas, etc).

  *   Is Apache Shiro a possibility?  Looks like it’s got some Wicket 
integration, but OAuth2 is listed as “coming”.
  *   PicketLink?
  *   Something from https://oauth.net/code/java/ ?

Anyone with a working implementation care to give some pointers?

Looks like there may have been some discussion of this 10 years ago on this 
list, but not more recently that I can find.

Thank you!

Boris


OAuth authentication

2022-01-18 Thread Boris Goldowsky
What is the current best practice for allowing users to sign in to a Wicket 
application using an OAuth2 provider (eg Google account, Twitter, Canvas, etc).

  *   Is Apache Shiro a possibility?  Looks like it’s got some Wicket 
integration, but OAuth2 is listed as “coming”.
  *   PicketLink?
  *   Something from https://oauth.net/code/java/ ?

Anyone with a working implementation care to give some pointers?

Looks like there may have been some discussion of this 10 years ago on this 
list, but not more recently that I can find.

Thank you!

Boris