Class IdcsRoleMapperProviderBase

    • Field Detail

      • IDCS_SUBJECT_TYPE_USER

        public static final String IDCS_SUBJECT_TYPE_USER
        User subject type used when requesting roles from IDCS. An attempt is made to obtain it from the JWT claim sub_type; if that claim is not present, the default configured in IdcsRoleMapperProviderBase.Builder is used.
        See Also:
        Constant Field Values
      • IDCS_SUBJECT_TYPE_CLIENT

        public static final String IDCS_SUBJECT_TYPE_CLIENT
        Client subject type used when requesting roles from IDCS. An attempt is made to obtain it from the JWT claim sub_type; if that claim is not present, the default configured in IdcsRoleMapperProviderBase.Builder is used.
        See Also:
        Constant Field Values
      • ROLE_GROUP

        protected static final String ROLE_GROUP
        JSON key for group roles to be retrieved from the IDCS response.
        See Also:
        Constant Field Values
      • ROLE_APPROLE

        protected static final String ROLE_APPROLE
        JSON key for app roles to be retrieved from the IDCS response.
        See Also:
        Constant Field Values
      • ACCESS_TOKEN_KEY

        protected static final String ACCESS_TOKEN_KEY
        JSON key for the token to be retrieved from the IDCS response when requesting an application token.
        See Also:
        Constant Field Values
      • PARENT_CONTEXT_CLIENT_PROPERTY

        protected static final String PARENT_CONTEXT_CLIENT_PROPERTY
        Property sent with JAX-RS requests to override parent span context in outbound calls. We cannot use the constant declared in ClientTracingFilter, as it is not a required dependency.
        See Also:
        Constant Field Values
    • Constructor Detail

      • IdcsRoleMapperProviderBase

        protected IdcsRoleMapperProviderBase(IdcsRoleMapperProviderBase.Builder<?> builder)
        Configures the needed fields from the provided builder.
        Parameters:
        builder - builder with oidcConfig and other needed fields.
    • Method Detail

      • map

        public CompletionStage<AuthenticationResponse> map(ProviderRequest authenticatedRequest,
                                                           AuthenticationResponse previousResponse)
        Description copied from interface: SubjectMappingProvider
        Map grants from authenticated request (e.g. one or both of ProviderRequest.subject() or ProviderRequest.service() returns a non-empty value) to a new authentication response. The provider can change/add/remove grants (such as groups, scopes, permissions) or change the subject to a different one. This method is only invoked after a successful authentication.
        Specified by:
        map in interface SubjectMappingProvider
        Parameters:
        authenticatedRequest - request to get user and service subjects from
        previousResponse - response from previous authentication or subject mapping provider
        Returns:
        a new authentication response with updated user and/or service subjects
      • enhance

        protected abstract Subject enhance(Subject subject,
                                           ProviderRequest request,
                                           AuthenticationResponse previousResponse)
        Enhance the subject with IDCS roles.
        Parameters:
        subject - subject of the user (never null)
        request - provider request
        previousResponse - authenticated response (never null)
        Returns:
        the subject enhanced with IDCS role grants
      • buildSubject

        protected Subject buildSubject(Subject originalSubject,
                                       List<? extends Grant> grants)
        Updates original subject with the list of grants.
        Parameters:
        originalSubject - as was created by authentication provider
        grants - grants added by this role mapper
        Returns:
        new subject
      • processServerResponse

        protected Optional<List<? extends Grant>> processServerResponse(javax.ws.rs.core.Response groupResponse,
                                                                        String subjectName)
        Process the server response to retrieve groups and app roles from it.
        Parameters:
        groupResponse - response from IDCS
        subjectName - name of the subject
        Returns:
        list of grants obtained from the IDCS response
      • oidcConfig

        protected OidcConfig oidcConfig()
        Access to OidcConfig so the field is not duplicated by classes that extend this provider.
        Returns:
        OpenID Connect configuration (also used to configure access to IDCS)
      • defaultIdcsSubjectType

        protected String defaultIdcsSubjectType()
        Default subject type to use when requesting data from IDCS.
        Returns:
        configured default subject type or IDCS_SUBJECT_TYPE_USER
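The following is an added example of a concrete mapper built on this class, illustrating how map, enhance, buildSubject and defaultIdcsSubjectType fit together; it is not code from the Helidon project or this Javadoc. It assumes that IdcsRoleMapperProviderBase.Builder can be subclassed with a public build() method and that Role.create(String) and Subject.principal() are available from io.helidon.security; lookupIdcsRoles and SAMPLE_IDCS_ROLES are hypothetical stand-ins for the HTTP call to IDCS and its response, which a real mapper would perform using oidcConfig() and parse with processServerResponse.

```java
// Added example, not part of Helidon. Assumptions are marked in the comments.
package example;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import io.helidon.security.AuthenticationResponse;
import io.helidon.security.Grant;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.Subject;
import io.helidon.security.providers.idcs.mapper.IdcsRoleMapperProviderBase;

public final class ExampleIdcsRoleMapper extends IdcsRoleMapperProviderBase {

    // Constructed sample standing in for what IDCS would return: subject name -> role names.
    private static final Map<String, Set<String>> SAMPLE_IDCS_ROLES = Map.of(
            "alice", Set.of("admin", "auditor"),
            "bob", Set.of("user"));

    private ExampleIdcsRoleMapper(Builder builder) {
        super(builder); // configures oidcConfig() and defaultIdcsSubjectType() from the builder
    }

    public static Builder builder() {
        return new Builder();
    }

    // map(...) in the base class invokes this for the authenticated subject; it is never
    // called for unauthenticated requests, so the subject is always non-null here.
    @Override
    protected Subject enhance(Subject subject, ProviderRequest request, AuthenticationResponse previousResponse) {
        // The subject name comes from the already-authenticated principal, not from request
        // parameters, so a caller cannot choose whose roles are looked up.
        String subjectName = subject.principal().getName();
        // IDCS_SUBJECT_TYPE_USER unless the builder was configured with a different default.
        String subjectType = defaultIdcsSubjectType();

        List<Grant> grants = new ArrayList<>();
        for (String roleName : lookupIdcsRoles(subjectName, subjectType)) {
            grants.add(Role.create(roleName));
        }
        // buildSubject copies the original subject and appends the grants added by this mapper.
        return buildSubject(subject, grants);
    }

    // Hypothetical helper (assumption): a real mapper obtains an application token via
    // oidcConfig(), queries IDCS and parses the response with processServerResponse(...).
    private Set<String> lookupIdcsRoles(String subjectName, String subjectType) {
        if (!IDCS_SUBJECT_TYPE_USER.equals(subjectType)) {
            return Set.of(); // the constructed sample only contains user subjects
        }
        return SAMPLE_IDCS_ROLES.getOrDefault(subjectName, Set.of());
    }

    // Assumption: the base Builder can be extended this way; it supplies oidcConfig and the
    // default subject type that the protected constructor reads.
    public static final class Builder extends IdcsRoleMapperProviderBase.Builder<Builder> {
        private Builder() {
        }

        public ExampleIdcsRoleMapper build() {
            return new ExampleIdcsRoleMapper(this);
        }
    }
}
```

With this mapper registered as a subject mapping provider, a subject named alice leaves enhance with the grants admin and auditor appended to whatever the authentication provider already attached, while a name absent from the IDCS data gets no additional grants rather than an error.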