Package auth.gui
Class SigninOidc
- java.lang.Object
  - play.mvc.Results
    - play.mvc.Controller
      - auth.gui.SigninOidc

All Implemented Interfaces:
play.mvc.Http.HeaderNames, play.mvc.Http.Status
Direct Known Subclasses:
SigninBasicOidc, SigninConext, SigninOrcid, SigninSram

public abstract class SigninOidc extends play.mvc.Controller

OpenID Connect (OIDC) authentication using Authorization Code Flow with Proof Key for Code Exchange (PKCE). OIDC is just used for authentication - authorization and session management are still done with the session cookies from the Play Framework. This class is meant to be extended by the actual OIDC implementations.
Using library: Nimbus OAuth 2.0 SDK with OpenID Connect extensions https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/guides/java-cookbook-for-openid-connect-public-clients

Nested Class Summary
Modifier and Type, Class, Description:
- static class SigninOidc.OidcConfig: Configuration needed for an OIDC auth implementation

Field Summary
Fields inherited from interface play.mvc.Http.HeaderNames
ACCEPT, ACCEPT_CHARSET, ACCEPT_ENCODING, ACCEPT_LANGUAGE, ACCEPT_RANGES, ACCESS_CONTROL_ALLOW_CREDENTIALS, ACCESS_CONTROL_ALLOW_HEADERS, ACCESS_CONTROL_ALLOW_METHODS, ACCESS_CONTROL_ALLOW_ORIGIN, ACCESS_CONTROL_EXPOSE_HEADERS, ACCESS_CONTROL_MAX_AGE, ACCESS_CONTROL_REQUEST_HEADERS, ACCESS_CONTROL_REQUEST_METHOD, AGE, ALLOW, AUTHORIZATION, CACHE_CONTROL, CONNECTION, CONTENT_DISPOSITION, CONTENT_ENCODING, CONTENT_LANGUAGE, CONTENT_LENGTH, CONTENT_LOCATION, CONTENT_MD5, CONTENT_RANGE, CONTENT_SECURITY_POLICY, CONTENT_SECURITY_POLICY_REPORT_ONLY, CONTENT_TRANSFER_ENCODING, CONTENT_TYPE, COOKIE, DATE, ETAG, EXPECT, EXPIRES, FORWARDED, FROM, HOST, IF_MATCH, IF_MODIFIED_SINCE, IF_NONE_MATCH, IF_RANGE, IF_UNMODIFIED_SINCE, LAST_MODIFIED, LINK, LOCATION, MAX_FORWARDS, ORIGIN, PRAGMA, PROXY_AUTHENTICATE, PROXY_AUTHORIZATION, RANGE, REFERER, REFERRER_POLICY, RETRY_AFTER, SERVER, SET_COOKIE, SET_COOKIE2, STRICT_TRANSPORT_SECURITY, TE, TRAILER, TRANSFER_ENCODING, UPGRADE, USER_AGENT, VARY, VIA, WARNING, WWW_AUTHENTICATE, X_CONTENT_SECURITY_POLICY_NONCE_HEADER, X_CONTENT_TYPE_OPTIONS, X_FORWARDED_FOR, X_FORWARDED_HOST, X_FORWARDED_PORT, X_FORWARDED_PROTO, X_FRAME_OPTIONS, X_PERMITTED_CROSS_DOMAIN_POLICIES, X_REQUESTED_WITH, X_XSS_PROTECTION
Fields inherited from interface play.mvc.Http.Status
ACCEPTED, BAD_GATEWAY, BAD_REQUEST, CONFLICT, CONTINUE, CREATED, EXPECTATION_FAILED, FAILED_DEPENDENCY, FORBIDDEN, FOUND, GATEWAY_TIMEOUT, GONE, HTTP_VERSION_NOT_SUPPORTED, IM_A_TEAPOT, INSUFFICIENT_STORAGE, INTERNAL_SERVER_ERROR, LENGTH_REQUIRED, LOCKED, METHOD_NOT_ALLOWED, MOVED_PERMANENTLY, MULTI_STATUS, MULTIPLE_CHOICES, NETWORK_AUTHENTICATION_REQUIRED, NO_CONTENT, NON_AUTHORITATIVE_INFORMATION, NOT_ACCEPTABLE, NOT_FOUND, NOT_IMPLEMENTED, NOT_MODIFIED, OK, PARTIAL_CONTENT, PAYMENT_REQUIRED, PERMANENT_REDIRECT, PRECONDITION_FAILED, PRECONDITION_REQUIRED, PROXY_AUTHENTICATION_REQUIRED, REQUEST_ENTITY_TOO_LARGE, REQUEST_HEADER_FIELDS_TOO_LARGE, REQUEST_TIMEOUT, REQUEST_URI_TOO_LONG, REQUESTED_RANGE_NOT_SATISFIABLE, RESET_CONTENT, SEE_OTHER, SERVICE_UNAVAILABLE, SWITCHING_PROTOCOLS, TEMPORARY_REDIRECT, TOO_MANY_REQUESTS, UNAUTHORIZED, UNPROCESSABLE_ENTITY, UNSUPPORTED_MEDIA_TYPE, UPGRADE_REQUIRED, USE_PROXY

Method Summary
Modifier and Type, Method, Description:
- play.mvc.Result callback(play.mvc.Http.Request request): Callback handed to the OIDC provider to be called after authentication
- protected java.lang.String getUsername(com.nimbusds.openid.connect.sdk.claims.UserInfo userInfo, java.lang.String usernameFrom)
- play.mvc.Result signin(play.mvc.Http.Request request, java.lang.String realHostUrl, boolean keepSignedin): Initiates the OpenID Connect (OIDC) authentication process by constructing a URI for an authentication request.

Methods inherited from class play.mvc.Controller
changeLang, clearLang, ctx, flash, lang, request, response, session, TODO
Methods inherited from class play.mvc.Results
badRequest, contentDispositionHeader, created, forbidden, found, internalServerError, movedPermanently, networkAuthenticationRequired, noContent, notAcceptable, notFound, ok, paymentRequired, permanentRedirect, preconditionRequired, redirect, requestHeaderFieldsTooLarge, seeOther, status, temporaryRedirect, tooManyRequests, unauthorized, unsupportedMediaType

Method Detail

signin
public final play.mvc.Result signin(play.mvc.Http.Request request, java.lang.String realHostUrl, boolean keepSignedin) throws java.net.URISyntaxException, com.nimbusds.oauth2.sdk.ParseException, AuthException

Initiates the OpenID Connect (OIDC) authentication process by constructing a URI for an authentication request. This URI is returned in the response and can then be used by the GUI in the browser to start the authentication. The method stores the OIDC state, nonce, and a flag indicating whether to keep the user signed in, in the Play session.
Parameters:
- request - the HTTP request received from the client
- realHostUrl - the real host URL to be used for constructing the callback URL
- keepSignedin - a flag indicating whether the user should remain signed in
Returns:
- the authentication request URI as String
Throws:
- java.net.URISyntaxException - if an invalid URI is encountered during the process
- com.nimbusds.oauth2.sdk.ParseException - if parsing operations fail while working with OIDC configurations
- AuthException - if an authentication-related error occurs

callback
public final play.mvc.Result callback(play.mvc.Http.Request request)
Callback handed to the OIDC provider to be called after authentication
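
The sign-in and callback steps described above, sketched with only the JDK as an added example (not this project's code and not the Nimbus SDK API): it generates state, nonce and a PKCE verifier, derives the S256 challenge, builds the request URI, and checks the returned state in the callback. The class name, session keys, endpoint and client values are constructed, and a plain Map stands in for the Play session; keeping the verifier there is an assumption.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical illustration class; not part of auth.gui.
public class OidcPkceSketch {
    static final SecureRandom RNG = new SecureRandom();
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // 32 random bytes -> 43-char base64url string (within the 43..128 range RFC 7636 allows).
    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return B64URL.encodeToString(b);
    }

    // code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), i.e. method S256.
    static String s256(String verifier) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(d);
    }

    // Sign-in step: create fresh per-request values, remember them, return the request URI.
    static String buildAuthUri(String authEndpoint, String clientId, String callbackUrl,
                               Map<String, String> session) throws Exception {
        session.put("oidcState", randomToken());
        session.put("oidcNonce", randomToken());
        session.put("oidcVerifier", randomToken()); // assumption: stored next to state/nonce
        return authEndpoint + "?response_type=code&scope=openid"
                + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + "&redirect_uri=" + URLEncoder.encode(callbackUrl, StandardCharsets.UTF_8)
                + "&state=" + session.get("oidcState") + "&nonce=" + session.get("oidcNonce")
                + "&code_challenge_method=S256&code_challenge=" + s256(session.get("oidcVerifier"));
    }

    // Callback step: the stored state is consumed on first use and compared in constant time.
    static boolean stateMatches(String returnedState, Map<String, String> session) {
        String expected = session.remove("oidcState");
        return expected != null && returnedState != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                         returnedState.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> session = new HashMap<>(); // constructed stand-in for the session
        System.out.println(buildAuthUri("https://idp.example/authorize", "constructed-client",
                "https://app.example/callback", session));
        String state = session.get("oidcState");
        System.out.println(stateMatches(state, session)); // first presentation of the state
        System.out.println(stateMatches(state, session)); // same state presented again
    }
}
```

In the full flow the callback would also send the stored verifier with the token request and compare the ID token's nonce claim with the stored nonce before creating the session.
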

getUsername
protected java.lang.String getUsername(com.nimbusds.openid.connect.sdk.claims.UserInfo userInfo, java.lang.String usernameFrom) throws AuthException
Throws:
- AuthException