Class D4ScienceIAMClient

java.lang.Object
org.gcube.common.iam.D4ScienceIAMClient

public class D4ScienceIAMClient extends Object
Helper class that acts as an IAM client, providing authentication and authorization through the IAM while hiding the underlying implementation.
Author:
Mauro Mugnaini
  • Field Details

    • logger

      protected static org.slf4j.Logger logger
      Logger instance for this class
    • USE_DYNAMIC_SCOPES

      public static boolean USE_DYNAMIC_SCOPES
      Flag to enable/disable dynamic scopes functionality
  • Method Details

    • setDefaultGatewayClientID

      public static void setDefaultGatewayClientID(String gatewayClientId)
Sets the new default GW clientId used for all the queries to the IAM server. Note: the operation is logged at WARN level so that it is visible.
      Parameters:
      gatewayClientId - the new GW clientId
    • newInstance

      public static D4ScienceIAMClient newInstance(String contextInfra) throws D4ScienceIAMClientException
      Creates a new client for the specific context, in the default IAM realm.
      Parameters:
      contextInfra - the context to be used to obtain the base URL of the infrastructure
      Returns:
      the client to be used for authn and authz requests
      Throws:
      D4ScienceIAMClientException - if an error occurs obtaining the base URL
    • newInstance

      public static D4ScienceIAMClient newInstance(String contextInfra, String realm) throws D4ScienceIAMClientException
Creates a new client for the specific context, in the given IAM realm.
      Parameters:
      contextInfra - the context to be used to obtain the base URL of the infrastructure
      realm - the IAM realm
      Returns:
      the client to be used for authn and authz requests
      Throws:
      D4ScienceIAMClientException - if an error occurs obtaining the base URL
    • newInstance

      public static D4ScienceIAMClient newInstance(URL realmBaseURL)
      Creates a new client with the provided base URL.
      Parameters:
      realmBaseURL - the realm base URL
      Returns:
      the client to be used for authn and authz requests
    • getKeycloakClient

      protected org.gcube.common.keycloak.KeycloakClient getKeycloakClient()
      Returns the underlying Keycloak client instance.
      Returns:
      the Keycloak client
    • getRealmBaseURL

      public URL getRealmBaseURL()
      Returns the base URL of the realm.
      Returns:
      the realm base URL
    • authenticate

      public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret) throws D4ScienceIAMClientException
Authenticates the client with the provided id and secret.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authenticate

      public D4ScienceIAMClientAuthn authenticate(String clientId, String clientSecret, String context) throws D4ScienceIAMClientException
Authenticates the client with the provided credentials, reducing the token audience to the requested `context`.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      context - the requested token context audience (e.g. a specific context or another client)
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authenticateUser

      public D4ScienceIAMClientAuthn authenticateUser(String username, String password) throws D4ScienceIAMClientException
Deprecated.
This authn method (the password grant) is deprecated in the OAuth 2.0 specifications (see https://oauth.net/2/grant-types/password/).
Authenticates the user with the provided username and password by using the default clientId.
      Parameters:
      username - the user's username
      password - the user's password
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authenticateUser

      public D4ScienceIAMClientAuthn authenticateUser(String username, String password, String context) throws D4ScienceIAMClientException
Deprecated.
This authn method (the password grant) is deprecated in the OAuth 2.0 specifications (see https://oauth.net/2/grant-types/password/).
Authenticates the user with the provided username and password by using the default clientId, reducing the token audience to the requested `context`.
      Parameters:
      username - the user's username
      password - the user's password
      context - the requested token context audience (e.g. a specific context or another client)
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authenticateUser

      public D4ScienceIAMClientAuthn authenticateUser(String clientId, String clientSecret, String username, String password) throws D4ScienceIAMClientException
Deprecated.
This authn method (the password grant) is deprecated in the OAuth 2.0 specifications (see https://oauth.net/2/grant-types/password/).
Authenticates the user with the provided username and password, using the given client credentials.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      username - the user's username
      password - the user's password
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authenticateUser

      public D4ScienceIAMClientAuthn authenticateUser(String clientId, String clientSecret, String username, String password, String context) throws D4ScienceIAMClientException
Deprecated.
This authn method (the password grant) is deprecated in the OAuth 2.0 specifications (see https://oauth.net/2/grant-types/password/).
Authenticates the user with the provided credentials, reducing the token audience to the requested `context`.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      username - the user's username
      password - the user's password
      context - the requested token context audience (e.g. a specific context or another client)
      Returns:
      the authn object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authn process
    • authorize

      public D4ScienceIAMClientAuthz authorize(String clientId, String clientSecret, String context) throws D4ScienceIAMClientException
Directly authorizes the client by using the provided credentials, for the specific context audience and with no optional permissions.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      context - the requested token context audience (e.g. a specific context or another client)
      Returns:
      the authz object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authz process
    • authorize

      public D4ScienceIAMClientAuthz authorize(String clientId, String clientSecret, String context, List<String> permissions) throws D4ScienceIAMClientException
Directly authorizes the client by using the provided credentials, for the specific context audience and with the given optional permissions.
      Parameters:
      clientId - the client id
      clientSecret - the client secret
      context - the requested token context audience (e.g. a specific context or another client)
      permissions - the optional permissions
      Returns:
      the authz object
      Throws:
      D4ScienceIAMClientException - if an error occurs during authz process
    • verifyToken

      public void verifyToken(String token) throws org.gcube.io.jsonwebtoken.security.SignatureException, org.gcube.io.jsonwebtoken.ExpiredJwtException, org.gcube.io.jsonwebtoken.JwtException, Exception
Verifies the token signature and expiration.
      Parameters:
token - the base64-encoded JWT string
      Throws:
      org.gcube.io.jsonwebtoken.security.SignatureException - if the token signature is invalid
      org.gcube.io.jsonwebtoken.ExpiredJwtException - if the token is expired
      org.gcube.io.jsonwebtoken.JwtException - if another JWT related problem is found
      Exception - if an unexpected error occurs (e.g. constructing the verifier)
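A usage example added here for illustration (not code from the gCube project): a service obtains its own client-credentials token with the audience reduced to one context, and classifies bearer tokens presented by callers with `verifyToken`, treating every failure path as a denial. The `D4ScienceIAMClientAuthn`, `D4ScienceIAMClientAuthz` and `D4ScienceIAMClientException` types are assumed to live in `org.gcube.common.iam` next to the client (the page does not state their package); the context, client id and environment variable name are constructed placeholders.

```java
import org.gcube.common.iam.D4ScienceIAMClient;
import org.gcube.common.iam.D4ScienceIAMClientAuthn;      // package assumed, not stated on the page
import org.gcube.common.iam.D4ScienceIAMClientAuthz;      // package assumed
import org.gcube.common.iam.D4ScienceIAMClientException;  // package assumed
import org.gcube.io.jsonwebtoken.ExpiredJwtException;
import org.gcube.io.jsonwebtoken.JwtException;
import org.gcube.io.jsonwebtoken.security.SignatureException;

/** Added example, not part of the gCube code base. */
public final class IamClientExample {

    // Constructed placeholders; the secret is read from the environment, never kept in source.
    private static final String CONTEXT = "/example/infra/vre";
    private static final String CLIENT_ID = "example-service";
    private static final String CLIENT_SECRET = System.getenv("IAM_CLIENT_SECRET");

    public static void main(String[] args) throws D4ScienceIAMClientException {
        // Base URL and default realm are resolved from the infrastructure context.
        D4ScienceIAMClient iam = D4ScienceIAMClient.newInstance(CONTEXT);

        // Client-credentials authn with the token audience reduced to CONTEXT, so that
        // resource servers serving other audiences should reject this token.
        D4ScienceIAMClientAuthn authn = iam.authenticate(CLIENT_ID, CLIENT_SECRET, CONTEXT);

        // Authz for the same context, requesting no optional permissions (least privilege).
        D4ScienceIAMClientAuthz authz = iam.authorize(CLIENT_ID, CLIENT_SECRET, CONTEXT);
        // authn and authz are now ready to be used for this service's outbound calls.
    }

    /**
     * Classifies an incoming bearer token: null when signature and expiration check out,
     * otherwise a reason string for logging. Every failure, including an unexpected one,
     * is a denial; the caller must never fall through to "allowed" on an exception.
     */
    static String rejectionReason(D4ScienceIAMClient iam, String bearerToken) {
        try {
            iam.verifyToken(bearerToken);
            return null;
        } catch (ExpiredJwtException e) {
            return "expired";           // ordinary; the caller should obtain a fresh token
        } catch (SignatureException e) {
            return "invalid-signature"; // tampered token or wrong realm key: worth alerting on
        } catch (JwtException e) {
            return "malformed-jwt";
        } catch (Exception e) {
            return "verifier-error";    // e.g. the verifier could not be constructed
        }
    }
}
```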