Class OicSecurityRealm

All Implemented Interfaces:
ExtensionPoint, Describable<SecurityRealm>, Serializable

public class OicSecurityRealm extends SecurityRealm implements Serializable
Login with OpenID Connect / OAuth 2
Author:
Michael Bischoff, Steve Arch
See Also:
  • Constructor Details

  • Method Details

    • readResolve

      protected Object readResolve() throws ObjectStreamException
      Throws:
      ObjectStreamException
    • getClientId

      public String getClientId()
    • getClientSecret

      public Secret getClientSecret()
    • getServerConfiguration

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public OicServerConfiguration getServerConfiguration()
    • getUserNameField

      public String getUserNameField()
    • getTokenFieldToCheckKey

      public String getTokenFieldToCheckKey()
    • getTokenFieldToCheckValue

      public String getTokenFieldToCheckValue()
    • getFullNameFieldName

      public String getFullNameFieldName()
    • getEmailFieldName

      public String getEmailFieldName()
    • getGroupsFieldName

      public String getGroupsFieldName()
    • isDisableSslVerification

      public boolean isDisableSslVerification()
    • isLogoutFromOpenidProvider

      public boolean isLogoutFromOpenidProvider()
    • getPostLogoutRedirectUrl

      public String getPostLogoutRedirectUrl()
    • isEscapeHatchEnabled

      public boolean isEscapeHatchEnabled()
    • getEscapeHatchUsername

      public String getEscapeHatchUsername()
    • getEscapeHatchSecret

      public Secret getEscapeHatchSecret()
    • getEscapeHatchGroup

      public String getEscapeHatchGroup()
    • isRootURLFromRequest

      public boolean isRootURLFromRequest()
    • isSendScopesInTokenRequest

      public boolean isSendScopesInTokenRequest()
    • isPkceEnabled

      public boolean isPkceEnabled()
    • isDisableTokenVerification

      public boolean isDisableTokenVerification()
    • isNonceDisabled

      public boolean isNonceDisabled()
    • isTokenExpirationCheckDisabled

      public boolean isTokenExpirationCheckDisabled()
    • isAllowTokenAccessWithoutOicSession

      public boolean isAllowTokenAccessWithoutOicSession()
    • getAllowedTokenExpirationClockSkewSeconds

      public Long getAllowedTokenExpirationClockSkewSeconds()
    • createProxyAwareResourceRetriver

      @PostConstruct @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void createProxyAwareResourceRetriver()
    • filterNonFIPS140CompliantAlgorithms

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) protected void filterNonFIPS140CompliantAlgorithms(@NonNull com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata oidcProviderMetadata)
    • buildOidcClient

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) protected org.pac4j.oidc.client.OidcClient buildOidcClient()
    • setUserNameField

      @DataBoundSetter public void setUserNameField(String userNameField)
    • setTokenFieldToCheckKey

      @DataBoundSetter public void setTokenFieldToCheckKey(String tokenFieldToCheckKey)
    • setTokenFieldToCheckValue

      @DataBoundSetter public void setTokenFieldToCheckValue(String tokenFieldToCheckValue)
    • setFullNameFieldName

      @DataBoundSetter public void setFullNameFieldName(String fullNameFieldName)
    • setEmailFieldName

      @DataBoundSetter public void setEmailFieldName(String emailFieldName)
    • compileJMESPath

      protected static io.burt.jmespath.Expression<Object> compileJMESPath(String str, String logComment)
    • setGroupsFieldName

      @DataBoundSetter public void setGroupsFieldName(String groupsFieldName)
    • setLogoutFromOpenidProvider

      @DataBoundSetter public void setLogoutFromOpenidProvider(boolean logoutFromOpenidProvider)
    • setPostLogoutRedirectUrl

      @DataBoundSetter public void setPostLogoutRedirectUrl(String postLogoutRedirectUrl)
    • setEscapeHatchEnabled

      @DataBoundSetter public void setEscapeHatchEnabled(boolean escapeHatchEnabled) throws Descriptor.FormException
      Throws:
      Descriptor.FormException
    • setEscapeHatchUsername

      @DataBoundSetter public void setEscapeHatchUsername(String escapeHatchUsername)
    • setEscapeHatchSecret

      @DataBoundSetter public void setEscapeHatchSecret(Secret escapeHatchSecret)
    • checkEscapeHatch

      protected boolean checkEscapeHatch(String username, String password)
    • setEscapeHatchGroup

      @DataBoundSetter public void setEscapeHatchGroup(String escapeHatchGroup)
    • setRootURLFromRequest

      @DataBoundSetter public void setRootURLFromRequest(boolean rootURLFromRequest)
    • setSendScopesInTokenRequest

      @DataBoundSetter public void setSendScopesInTokenRequest(boolean sendScopesInTokenRequest)
    • setPkceEnabled

      @DataBoundSetter public void setPkceEnabled(boolean pkceEnabled)
    • setDisableTokenVerification

      @DataBoundSetter public void setDisableTokenVerification(boolean disableTokenVerification) throws Descriptor.FormException
      Throws:
      Descriptor.FormException
    • setNonceDisabled

      @DataBoundSetter public void setNonceDisabled(boolean nonceDisabled)
    • setTokenExpirationCheckDisabled

      @DataBoundSetter public void setTokenExpirationCheckDisabled(boolean tokenExpirationCheckDisabled)
    • setAllowTokenAccessWithoutOicSession

      @DataBoundSetter public void setAllowTokenAccessWithoutOicSession(boolean allowTokenAccessWithoutOicSession)
    • setAllowedTokenExpirationClockSkewSeconds

      @DataBoundSetter public void setAllowedTokenExpirationClockSkewSeconds(Long allowedTokenExpirationClockSkewSeconds)
    • getLoginUrl

      public String getLoginUrl()
      Overrides:
      getLoginUrl in class SecurityRealm
    • getAuthenticationGatewayUrl

      public String getAuthenticationGatewayUrl()
      Overrides:
      getAuthenticationGatewayUrl in class SecurityRealm
    • createFilter

      public jakarta.servlet.Filter createFilter(jakarta.servlet.FilterConfig filterConfig)
      Overrides:
      createFilter in class SecurityRealm
    • createSecurityComponents

      public SecurityRealm.SecurityComponents createSecurityComponents()
      Specified by:
      createSecurityComponents in class SecurityRealm
    • getValidRedirectUrl

      protected String getValidRedirectUrl(String url)
      Validates the post-login redirect URL. For security reasons the login must not redirect outside the Jenkins realm (this is the guard against open redirects through the login flow); for usability reasons the logout page should redirect to the root URL.
    • doCommenceLogin

      @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public void doCommenceLogin(@QueryParameter String from, @Header("Referer") String referer) throws URISyntaxException
      Handles the securityRealm/commenceLogin resource and sends the user off to the IdP.
      Parameters:
      from - the relative URL to the page that the user has just come from
      referer - the HTTP referer header (where to redirect the user back to after login has finished)
      Throws:
      URISyntaxException - if the provided data is invalid
    • getStringField

      protected String getStringField(Object object, io.burt.jmespath.Expression<Object> fieldExpr)
    • doLogout

      @Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public void doLogout(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
      Overrides:
      doLogout in class SecurityRealm
      Throws:
      IOException
      jakarta.servlet.ServletException
    • getPostLogOutUrl2

      public String getPostLogOutUrl2(org.kohsuke.stapler.StaplerRequest2 req, org.springframework.security.core.Authentication auth)
      Overrides:
      getPostLogOutUrl2 in class SecurityRealm
    • doFinishLogin

      public void doFinishLogin(org.kohsuke.stapler.StaplerRequest2 request, org.kohsuke.stapler.StaplerResponse2 response) throws IOException, ParseException
      Callback endpoint: this is where the IdP redirects the user back to at the end of the OpenID Connect redirect flow.
      Parameters:
      request - The user's request
      Throws:
      ParseException - if the JWT (or other response) could not be parsed.
      IOException
    • handleTokenExpiration

      public boolean handleTokenExpiration(jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse) throws IOException, jakarta.servlet.ServletException
      Handles token expiration for the current request.
      Throws:
      IOException - if a low-level I/O error occurs while handling the request
      jakarta.servlet.ServletException
    • isExpired

      public boolean isExpired(OicCredentials credentials)