Class AuthenticationProviderOpenID
java.lang.Object
org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID
- All Implemented Interfaces:
Closeable, AutoCloseable, AuthenticationProvider
An AuthenticationProvider implementation that supports the usage of a JSON Web Token (JWT) for client authentication. This implementation retrieves the public key from the JWT issuer (provided the issuer is in the configured allowed list) and then uses that public key to verify the validity of the JWT's signature.
The public keys for a given provider are cached based on certain configured parameters to improve performance. The tradeoff is that the longer public keys are cached, the longer an invalidated token could be used. One way to ensure caches are cleared is to restart all brokers.
This class is called from multiple threads, so the implementation must be thread-safe. The class expects to be loaded once and then called concurrently for each new connection. The cache is backed by a GuavaCachedJwkProvider, which is thread-safe.
Supported algorithms are RS256, RS384, RS512, ES256, ES384 and ES512, where the naming conventions follow this RFC: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
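The verification sequence the description lists (allow-listed issuer, JWKS URI taken from the issuer's discovery document, key lookup through a bounded cache, then signature and claim verification), written out as an added example. It is not code from this page or from the Pulsar source; it uses the auth0 java-jwt and jwks-rsa libraries, and the class name OpenIdTokenVerifier, its constructor arguments and the regex-based extraction of jwks_uri are assumptions made for the example. The keyCacheHours argument is the tradeoff the description mentions: a key the issuer has rotated out remains accepted until its cache entry expires.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.net.http.*;
import java.security.interfaces.*;
import java.util.*;
import java.util.concurrent.*;
import java.util.regex.*;

// Hypothetical stand-in for the steps in the class description; not Pulsar code.
public final class OpenIdTokenVerifier {

    // Minimal extraction of "jwks_uri" from the discovery document (assumption:
    // a real implementation would parse the JSON with a proper parser).
    private static final Pattern JWKS_URI =
            Pattern.compile("\"jwks_uri\"\\s*:\\s*\"([^\"]+)\"");

    private final Set<String> allowedIssuers;    // the configured issuer allow list
    private final Set<String> allowedAlgorithms; // subset of RS256..ES512
    private final long keyCacheHours;            // cache TTL: longer means a revoked key lives longer
    // One cached JwkProvider per issuer, shared safely across connection threads.
    private final Map<String, JwkProvider> providers = new ConcurrentHashMap<>();
    private final HttpClient http = HttpClient.newHttpClient();

    public OpenIdTokenVerifier(Set<String> allowedIssuers, Set<String> allowedAlgorithms,
                               long keyCacheHours) {
        this.allowedIssuers = Set.copyOf(allowedIssuers);
        this.allowedAlgorithms = Set.copyOf(allowedAlgorithms);
        this.keyCacheHours = keyCacheHours;
    }

    /** Returns the token's subject (used as the role) or throws on any failed check. */
    public String verify(String token) throws IOException, InterruptedException, JwkException {
        // Step 1: decode only (no signature check yet) to read iss, alg and kid.
        DecodedJWT unverified = JWT.decode(token);
        String issuer = unverified.getIssuer();
        if (issuer == null || !allowedIssuers.contains(issuer)) {
            throw new JWTVerificationException("issuer not in allow list: " + issuer);
        }
        String alg = unverified.getAlgorithm();
        if (alg == null || !allowedAlgorithms.contains(alg)) {
            // Rejects "none" and HMAC algorithms before any key is fetched.
            throw new JWTVerificationException("algorithm not allowed: " + alg);
        }
        String kid = unverified.getKeyId();
        if (kid == null) {
            throw new JWTVerificationException("token has no kid header");
        }
        // Step 2: discover the issuer's JWKS URI and look the key up through the cache.
        Jwk jwk = providerFor(issuer).get(kid);
        // Step 3: verify signature and claims with that key, binding the issuer claim.
        // Fixing the Algorithm here makes the verifier reject a token whose alg header differs.
        DecodedJWT verified = JWT.require(algorithmFor(alg, jwk))
                .withIssuer(issuer)
                .acceptLeeway(30) // seconds of clock skew tolerated for exp/nbf/iat
                .build()
                .verify(token);
        return verified.getSubject();
    }

    private JwkProvider providerFor(String issuer) throws IOException, InterruptedException {
        JwkProvider existing = providers.get(issuer);
        if (existing != null) {
            return existing;
        }
        JwkProvider built = new JwkProviderBuilder(new URL(discoverJwksUri(issuer)))
                .cached(10, keyCacheHours, TimeUnit.HOURS) // bounded key cache with TTL
                .rateLimited(10, 1, TimeUnit.MINUTES)      // bound unknown-kid fetches to the issuer
                .build();
        JwkProvider raced = providers.putIfAbsent(issuer, built);
        return raced != null ? raced : built;
    }

    private String discoverJwksUri(String issuer) throws IOException, InterruptedException {
        String base = issuer.endsWith("/") ? issuer : issuer + "/";
        HttpRequest request = HttpRequest.newBuilder(
                URI.create(base + ".well-known/openid-configuration")).GET().build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("discovery failed with HTTP " + response.statusCode());
        }
        Matcher m = JWKS_URI.matcher(response.body());
        if (!m.find()) {
            throw new IOException("discovery document has no jwks_uri");
        }
        return m.group(1);
    }

    private static Algorithm algorithmFor(String alg, Jwk jwk) throws JwkException {
        switch (alg) {
            case "RS256": return Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
            case "RS384": return Algorithm.RSA384((RSAPublicKey) jwk.getPublicKey(), null);
            case "RS512": return Algorithm.RSA512((RSAPublicKey) jwk.getPublicKey(), null);
            case "ES256": return Algorithm.ECDSA256((ECPublicKey) jwk.getPublicKey(), null);
            case "ES384": return Algorithm.ECDSA384((ECPublicKey) jwk.getPublicKey(), null);
            case "ES512": return Algorithm.ECDSA512((ECPublicKey) jwk.getPublicKey(), null);
            default: throw new JWTVerificationException("unsupported algorithm: " + alg);
        }
    }
}
```

The order of the checks matters: the issuer and algorithm are checked against configuration before any network request, so an unlisted issuer or an unsupported alg header never triggers a JWKS fetch. The cached(...) builder option is the part that corresponds to the cache described above; shortening keyCacheHours narrows the window in which a rotated-out key is still accepted, at the cost of more fetches from the issuer.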
Nested Class Summary
Nested classes/interfaces inherited from interface org.apache.pulsar.broker.authentication.AuthenticationProvider
- AuthenticationProvider.Context
Constructor Summary
Constructors
- AuthenticationProviderOpenID()
Method Summary
- authenticateAsync(AuthenticationDataSource authData)
  Authenticate the parameterized AuthenticationDataSource by verifying the issuer is an allowed issuer, then retrieving the JWKS URI from the issuer, then retrieving the public key from the JWKS URI, and finally verifying the JWT signature and claims.
- void close()
- getAuthMethodName()
- void incrementFailureMetric(Enum<?> errorCode)
- void initialize(AuthenticationProvider.Context context)
- void initialize(ServiceConfiguration config)
- AuthenticationState newAuthState(org.apache.pulsar.common.api.AuthData authData, SocketAddress remoteAddress, SSLSession sslSession)
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.pulsar.broker.authentication.AuthenticationProvider
authenticate, authenticateHttpRequest, authenticateHttpRequestAsync, newHttpAuthState
Constructor Details
- AuthenticationProviderOpenID
  public AuthenticationProviderOpenID()
Method Details
- initialize
  Specified by: initialize in interface AuthenticationProvider
  Throws: IOException
- initialize
  Specified by: initialize in interface AuthenticationProvider
  Throws: IOException
- getAuthMethodName
  Specified by: getAuthMethodName in interface AuthenticationProvider
- incrementFailureMetric
  Specified by: incrementFailureMetric in interface AuthenticationProvider
- authenticateAsync
  Authenticate the parameterized AuthenticationDataSource by verifying the issuer is an allowed issuer, then retrieving the JWKS URI from the issuer, then retrieving the public key from the JWKS URI, and finally verifying the JWT signature and claims.
  Specified by: authenticateAsync in interface AuthenticationProvider
  Parameters: authData - the authData passed by the Pulsar Broker containing the token.
  Returns: the role, if the JWT is authenticated, otherwise a failed future.
- newAuthState
  public AuthenticationState newAuthState(org.apache.pulsar.common.api.AuthData authData, SocketAddress remoteAddress, SSLSession sslSession) throws AuthenticationException
  Specified by: newAuthState in interface AuthenticationProvider
  Throws: AuthenticationException
- close
  Specified by: close in interface AutoCloseable
  Specified by: close in interface Closeable
  Throws: IOException