All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.camunda.identity.sdk.authentication.Authentication Maven / Gradle / Ivy

The newest version!
/*
 * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH under
 * one or more contributor license agreements. Licensed under a proprietary license. See the
 * License.txt file for more information. You may not use this file except in compliance with the
 * proprietary license.
 */

package io.camunda.identity.sdk.authentication;

import com.auth0.jwt.interfaces.DecodedJWT;
import io.camunda.identity.sdk.IdentityConfiguration;
import io.camunda.identity.sdk.annotation.AnnotationProcessor;
import io.camunda.identity.sdk.annotation.RequiresOAuthCredentials;
import io.camunda.identity.sdk.authentication.dto.AuthCodeDto;
import io.camunda.identity.sdk.authentication.exception.CodeExchangeException;
import io.camunda.identity.sdk.authentication.exception.InvalidClaimException;
import io.camunda.identity.sdk.authentication.exception.InvalidSignatureException;
import io.camunda.identity.sdk.authentication.exception.JsonWebKeyException;
import io.camunda.identity.sdk.authentication.exception.TokenDecodeException;
import io.camunda.identity.sdk.authentication.exception.TokenExpiredException;
import io.camunda.identity.sdk.exception.IdentityException;
import io.camunda.identity.sdk.impl.auth0.authentication.Auth0Authentication;
import io.camunda.identity.sdk.impl.generic.GenericAuthentication;
import io.camunda.identity.sdk.impl.keycloak.KeycloakAuthentication;
import io.camunda.identity.sdk.impl.microsoft.MicrosoftAuthentication;
import io.camunda.identity.sdk.impl.rest.RestClient;
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang3.NotImplementedException;

/**
 * The Authentication class provides functionality to authenticate a user with Identity
 * and verify access tokens.
 */
public interface Authentication {
  /**
   * Factory function to create a new authentication instance
   *
   * @param configuration Identity configuration
   * @return Authentication instance
   */
  static Authentication create(final IdentityConfiguration configuration) {
    final Authentication authentication;
    switch (configuration.getType()) {
      case AUTH0:
        authentication = new Auth0Authentication(configuration, new RestClient());
        break;
      case KEYCLOAK:
        authentication = new KeycloakAuthentication(configuration, new RestClient());
        break;
      case MICROSOFT:
        authentication = new MicrosoftAuthentication(configuration, new RestClient());
        break;
      case GENERIC:
        authentication = new GenericAuthentication(configuration, new RestClient());
        break;
      default:
        throw new RuntimeException("not implemented");
    }

    return AnnotationProcessor.apply(configuration, Authentication.class, authentication);
  }

  /**
   * Returns a true/false indicating if authentication is available or not.
   *
   * @return the availability of authentication
   */
  boolean isAvailable();

  /**
   * Returns a new Authorize uri builder. It is used to build the authorize uri
   * for user authentication.
   *
   * @param redirectUri the redirect uri
   * @return the authorize uri builder
   */
  @RequiresOAuthCredentials
  AuthorizeUriBuilder authorizeUriBuilder(final String redirectUri);


  /**
   * Exchanges provided auth code with access tokens. The provided redirect uri argument must match
   * the redirect uri that was used to build the authorize uri.
   *
   * @param authCodeDto the auth code dto
   * @param redirectUri the redirect uri
   * @return the tokens
   * @throws CodeExchangeException if code exchange fails
   */
  @RequiresOAuthCredentials
  Tokens exchangeAuthCode(final AuthCodeDto authCodeDto, final String redirectUri)
      throws CodeExchangeException;

  /**
   * Exchanges provided refresh token with an access tokens.
   *
   * @param refreshToken refresh token used for the request
   * @return the tokens
   * @throws IdentityException if token renewal has failed
   */
  @RequiresOAuthCredentials
  Tokens renewToken(final String refreshToken);

  /**
   * Logs out from Identity backend. This will invalidate the given refresh token
   * and refresh tokens issued for other applications during the same session. The user's session
   * or access token still has to be deleted by the client application.
   *
   * @param refreshToken refresh token used for the request
   * @throws IdentityException if token revocation has failed
   */
  @RequiresOAuthCredentials
  void revokeToken(final String refreshToken);

  /**
   * Logs out from Identity backend based on the configuration, one of these cases is possible:
   * 1. The refresh token is not empty and OP has provided a revoke endpoint,
   * then see {@link #revokeToken}, in this case the method return an empty Optional.
   * 2. end-session endpoint is available, so in this case the url for logout is returned and
   * client should handle the redirection
   * 3. otherwise this method will throw exception
   *
   * @param refreshToken refresh token used for the request
   * @param callbackUrl the URL to redirect to post-SSO if supported by SSO provider
   * @throws IdentityException       if token revocation has failed or neither revoke
   * @throws NotImplementedException if case 3 happens
   */
  @RequiresOAuthCredentials
  Optional singleSignOut(final String refreshToken, final String callbackUrl);

  /**
   * Requests a client token from the cache if available. If
   * no token is found with the required audience, a new token
   * will be requested from the authentication provider and stored.
   *
   * @param audience the audience of the resource server
   * @return the tokens
   * @throws IdentityException if case of a failure
   */
  @RequiresOAuthCredentials
  Tokens requestToken(final String audience);

  /**
   * Decodes a token. Can be used to access tokens data without validation
   *
   * @param token token in JWT format
   * @return decoded token
   * @throws TokenDecodeException the token can not be decoded
   */
  DecodedJWT decodeJWT(final String token);

  /**
   * Verifies the validity of the passed token. Following checks will be performed:
   * 
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @return the decoded jwt * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ AccessToken verifyToken(final String token); /** * Verifies the validity of the passed token and organisation. Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @param organizationId the organisation of the token * @return the decoded jwt * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ AccessToken verifyToken(final String token, final String organizationId); /** * Verifies the validity of the passed token. Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
* * @param token the token * @return the decoded jwt * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ AccessToken verifyTokenIgnoringAudience(final String token); /** * Checks if the token passed in is considered an M2M token. * * @param token the token * @return true if the token is a M2M token, else false */ boolean isM2MToken(final String token); /** * Gets the client ID associated to the token * * @param token the token * @return the clientID */ String getClientId(final String token); DecodedJWT verifyAndDecode(String token, String audience); Map> getAssignedOrganizations(DecodedJWT token); /** * Verifies the validity of the passed token and return permissions assigned to it. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @return list of permissions assigned to the token * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getPermissions(String token); /** * Verifies the validity of the passed token and audience and return permissions assigned to it. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @param audience the audience * @return list of permissions assigned to the token * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getPermissions(String token, String audience); /** * Verifies the validity of the passed token and return groups assigned to it. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @return list of groups assigned to the token * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getGroups(String token); /** * Verifies the validity of the passed token and audience and return groups assigned to it. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @param audience the audience * @return list of groups assigned to the token * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getGroups(String token, String audience); /** * Verifies the validity of the passed token and return groups assigned * to it within the organization. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @param organization the organization * @return list of groups assigned to the token within the organization. If organization is null, * it returns groups that has no organization assigned to them. * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getGroupsInOrganization(String token, String organization); /** * Verifies the validity of the passed token and audience and return groups assigned * to it within the organization. * Following checks will be performed: *
    *
  • The token is correctly signed
  • *
  • The token has not expired
  • *
  • Token's audience (aud claim) matches application's audience
  • *
* * @param token the token * @param audience the audience * @param organization the organization * @return list of groups assigned to the token within the organization. If organization is null, * it returns groups that has no organization assigned to them. * @throws TokenDecodeException the token can not be decoded * @throws InvalidSignatureException the token's signature is invalid * @throws TokenExpiredException the token has expired * @throws InvalidClaimException the provided claim is invalid * @throws JsonWebKeyException the JWK needed to verify token's signature can not be * retrieved */ List getGroupsInOrganization(String token, String audience, String organization); }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy