1   /*
2    * Copyright (c) 2002-2025, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.plugins.oauth2.business;
35  
36  import java.io.IOException;
37  import java.util.Objects;
38  import java.util.Set;
39  
40  import com.fasterxml.jackson.databind.DeserializationFeature;
41  import com.fasterxml.jackson.databind.ObjectMapper;
42  
43  import fr.paris.lutece.plugins.oauth2.service.CachingHttpAccessService;
44  import fr.paris.lutece.portal.service.util.AppException;
45  import fr.paris.lutece.util.httpaccess.HttpAccess;
46  import fr.paris.lutece.util.httpaccess.HttpAccessException;
47  import fr.paris.lutece.util.httpaccess.HttpAccessService;
48  import fr.paris.lutece.util.httpaccess.PropertiesHttpClientConfiguration;
49  
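/**
 * Server configuration for OpenID Connect.
 * <p>
 * Endpoint URIs and ID token signature algorithm names that are not configured explicitly are resolved from the
 * provider's discovery document ({@code <issuer>/.well-known/openid-configuration}). The document is only ever
 * fetched over {@code https://} and is validated against the configured issuer before any of its values is used.
 *
 * @since 2.0.0
 */
public class OIDCAuthServerConf extends AuthServerConf
{
    private static final long serialVersionUID = 3459341547945895738L;
    /** Path of the discovery document, relative to the issuer. */
    private static final String WELLKNOWN_PATH = ".well-known/openid-configuration";
    /** Scheme the issuer must use; a discovery document fetched over plain HTTP could be tampered with in transit. */
    private static final String REQUIRED_ISSUER_SCHEME = "https://";

    private final HttpAccess _httpAccess;
    private final ObjectMapper _mapper;

    /**
     * Creates a configuration whose discovery document is fetched through a {@link CachingHttpAccessService} built
     * from {@link PropertiesHttpClientConfiguration}, and parsed leniently: unknown JSON properties are ignored so
     * that provider-specific extensions do not break deserialization.
     */
    public OIDCAuthServerConf( )
    {
        HttpAccessService accessService = new CachingHttpAccessService( new PropertiesHttpClientConfiguration( ) );
        _httpAccess = new HttpAccess( accessService );
        _mapper = new ObjectMapper( );
        _mapper.configure( DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false );
    }

    /**
     * {@inheritDoc}
     *
     * @return always {@code true}; ID tokens are JWTs and are always parsed for an OpenID Connect server
     */
    @Override
    public boolean isEnableJwtParser( )
    {
        return true;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Falls back to the {@code authorization_endpoint} of the discovery document when no value is configured.
     */
    @Override
    public String getAuthorizationEndpointUri( )
    {
        String strConfigured = super.getAuthorizationEndpointUri( );
        if ( strConfigured != null )
        {
            return strConfigured;
        }
        return getOpenidConfiguration( ).getAuthorizationEndpoint( );
    }

    /**
     * {@inheritDoc}
     * <p>
     * Falls back to the {@code token_endpoint} of the discovery document when no value is configured.
     */
    @Override
    public String getTokenEndpointUri( )
    {
        String strConfigured = super.getTokenEndpointUri( );
        if ( strConfigured != null )
        {
            return strConfigured;
        }
        return getOpenidConfiguration( ).getTokenEndpoint( );
    }

    /**
     * {@inheritDoc}
     * <p>
     * Falls back to the {@code id_token_signing_alg_values_supported} of the discovery document when no value is
     * configured. The fallback set is immutable.
     */
    @Override
    public Set<String> getIDTokenSignatureAlgorithmNames( )
    {
        Set<String> setConfigured = super.getIDTokenSignatureAlgorithmNames( );
        if ( setConfigured != null )
        {
            return setConfigured;
        }
        return Set.of( getOpenidConfiguration( ).getIDTokenSigningAlgValuesSupported( ) );
    }

    /**
     * {@inheritDoc}
     * <p>
     * Falls back to the {@code jwks_uri} of the discovery document when no value is configured.
     */
    @Override
    public String getJwksEndpointUri( )
    {
        String strConfigured = super.getJwksEndpointUri( );
        if ( strConfigured != null )
        {
            return strConfigured;
        }
        return getOpenidConfiguration( ).getJwksURI( );
    }

    /**
     * {@inheritDoc}
     * <p>
     * Falls back to the {@code end_session_endpoint} of the discovery document when no value is configured.
     */
    @Override
    public String getLogoutEndpointUri( )
    {
        String strConfigured = super.getLogoutEndpointUri( );
        if ( strConfigured != null )
        {
            return strConfigured;
        }
        return getOpenidConfiguration( ).getEndSessionEndpoint( );
    }

    /**
     * Fetches, parses and validates the provider's discovery document for the configured issuer.
     * <p>
     * Whether the result is cached between calls depends on the underlying {@link CachingHttpAccessService}; this
     * method itself performs a GET each time it is invoked.
     *
     * @return the discovery document, after {@link OpenIDConfiguration#validate(String)} has accepted it for the
     *         configured issuer
     * @throws NullPointerException
     *             if no issuer is configured
     * @throws UnsupportedOperationException
     *             if the issuer does not use the {@code https://} scheme
     * @throws AppException
     *             if the document cannot be fetched or cannot be parsed
     */
    private OpenIDConfiguration getOpenidConfiguration( )
    {
        String issuer = getIssuer( );
        Objects.requireNonNull( issuer, "issuer must not be null" );
        // Check the full scheme: a bare "https" prefix would also let through values such as "httpsfoo://...".
        if ( !issuer.startsWith( REQUIRED_ISSUER_SCHEME ) )
        {
            throw new UnsupportedOperationException( "The issuer must start with https://, but is " + issuer );
        }
        String strConfURL = buildConfigurationUrl( issuer );
        try
        {
            String strConfiguration = _httpAccess.doGet( strConfURL );
            OpenIDConfiguration res = _mapper.readValue( strConfiguration, OpenIDConfiguration.class );
            // The document is only trusted once it has been checked against the issuer it was requested for.
            res.validate( issuer );
            return res;
        }
        catch( HttpAccessException | IOException e )
        {
            throw new AppException( e.getMessage( ), e );
        }
    }

    /**
     * Builds the discovery document URL by appending {@link #WELLKNOWN_PATH} to the issuer with exactly one
     * {@code /} between them, whether or not the issuer already ends with a slash.
     *
     * @param issuer
     *            the issuer URL (never {@code null})
     * @return the URL of the discovery document
     */
    private static String buildConfigurationUrl( String issuer )
    {
        if ( issuer.endsWith( "/" ) )
        {
            return issuer + WELLKNOWN_PATH;
        }
        return issuer + "/" + WELLKNOWN_PATH;
    }
}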