Class OAuthAuthenticator

java.lang.Object
io.strimzi.kafka.oauth.common.OAuthAuthenticator

public class OAuthAuthenticator extends Object
A class with methods to authenticate a user or a client to the authorization server's token endpoint, and obtain an access token in the form of a TokenInfo object.
  • Constructor Details

    • OAuthAuthenticator

      public OAuthAuthenticator()
  • Method Details

    • loginWithAccessToken

      public static TokenInfo loginWithAccessToken(String token, boolean isJwt, PrincipalExtractor principalExtractor)
      Wrap an access token into a TokenInfo, extracting information from the token if it is a JWT token. If it is not a JWT token, the principal is set to 'undefined', the token creation time to the current time, and the expiry to 1 year.
      Parameters:
      token - A raw access token
      isJwt - If the access token is a JWT token
      principalExtractor - A PrincipalExtractor used to extract the principal (user id)
      Returns:
      A TokenInfo with access token and information extracted from it or set to default values
    • loginWithClientSecret

      public static TokenInfo loginWithClientSecret(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using client_credentials grant (clientId + secret), and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithClientSecret

      public static TokenInfo loginWithClientSecret(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using client_credentials grant (clientId + secret), and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithClientSecret

      public static TokenInfo loginWithClientSecret(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, MetricsHandler metrics, int retries, long retryPauseMillis, boolean includeAcceptHeader, String grantType) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using client_credentials grant (clientId + secret).
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      metrics - A MetricsHandler object to receive metrics collection callbacks
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      grantType - The grant type to be used, typically "client_credentials"
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithClientAssertion

      public static TokenInfo loginWithClientAssertion(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String clientId, String clientAssertion, String clientAssertionType, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using client_credentials grant with client assertion (clientId + assertion + assertion type), and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      clientId - A client id
      clientAssertion - A client assertion
      clientAssertionType - A client assertion type
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithClientAssertion

      public static TokenInfo loginWithClientAssertion(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String clientId, String clientAssertion, String clientAssertionType, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, MetricsHandler metrics, int retries, long retryPauseMillis, boolean includeAcceptHeader, String grantType) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using client_credentials grant with client assertion (clientId + assertion + assertion type).
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      clientId - A client id
      clientAssertion - A client assertion
      clientAssertionType - A client assertion type
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      metrics - A MetricsHandler object to receive metrics collection callbacks
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      grantType - The grant type to be used, typically "client_credentials"
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithPassword

      public static TokenInfo loginWithPassword(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String username, String password, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using password grant (username + password), and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      username - A username
      password - A password
      clientId - A client id
      clientSecret - An optional client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithPassword

      public static TokenInfo loginWithPassword(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String username, String password, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, int retries, long retryPauseMillis, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using password grant (username + password).
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      username - A username
      password - A password
      clientId - A client id
      clientSecret - An optional client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithPassword

      public static TokenInfo loginWithPassword(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String username, String password, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, MetricsHandler metrics, int retries, long retryPauseMillis, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using password grant (username + password).
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      username - A username
      password - A password
      clientId - A client id
      clientSecret - An optional client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      metrics - A MetricsHandler object to receive metrics collection callbacks
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithRefreshToken

      public static TokenInfo loginWithRefreshToken(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String refreshToken, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using a refresh token, and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      refreshToken - A refresh token
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithRefreshToken

      public static TokenInfo loginWithRefreshToken(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String refreshToken, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, boolean includeAcceptHeader) throws IOException
      Obtain an access token wrapped into TokenInfo by authenticating to the authorization server's token endpoint using a refresh token, and connect and read timeouts of 60 seconds.
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      refreshToken - A refresh token
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithRefreshToken

      public static TokenInfo loginWithRefreshToken(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String refreshToken, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, int retries, long retryPauseMillis, boolean includeAcceptHeader) throws IOException
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      refreshToken - A refresh token
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • loginWithRefreshToken

      public static TokenInfo loginWithRefreshToken(URI tokenEndpointUrl, SSLSocketFactory socketFactory, HostnameVerifier hostnameVerifier, String refreshToken, String clientId, String clientSecret, boolean isJwt, PrincipalExtractor principalExtractor, String scope, String audience, int connectTimeout, int readTimeout, MetricsHandler metrics, int retries, long retryPauseMillis, boolean includeAcceptHeader) throws IOException
      Parameters:
      tokenEndpointUrl - A token endpoint url
      socketFactory - A socket factory to use with 'https'
      hostnameVerifier - A hostname verifier to use with 'https'
      refreshToken - A refresh token
      clientId - A client id
      clientSecret - A client secret
      isJwt - If the returned token is expected to be a JWT token
      principalExtractor - A PrincipalExtractor to use to determine the principal (user id)
      scope - A scope to request when authenticating
      audience - An 'audience' attribute to set on the request when authenticating
      connectTimeout - A connect timeout in seconds
      readTimeout - A read timeout in seconds
      metrics - A MetricsHandler object to receive metrics collection callbacks
      retries - The maximum number of retries if the request fails due to a network error or an unexpected response status
      retryPauseMillis - A pause between consecutive requests
      includeAcceptHeader - Should we skip sending the Accept header when making outbound http requests
      Returns:
      A TokenInfo with access token and information extracted from it
      Throws:
      IOException - If the request to the authorization server has failed
      IllegalStateException - If the response from the authorization server could not be handled
    • base64encode

      public static String base64encode(String value)
      A helper method to base64 encode a given string
      Parameters:
      value - A string to encode as base64
      Returns:
      Base64 encoded string
    • base64decode

      public static String base64decode(String value)
      A helper method to decode a base64 encoded string
      Parameters:
      value - A string to decode from base64
      Returns:
      A decoded string
    • urlencode

      public static String urlencode(String value)
      A helper method to urlencode a given value
      Parameters:
      value - A string to urlencode
      Returns:
      Urlencoded string
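
Added example (not part of the Strimzi documentation or code base): calling the ten-argument loginWithClientSecret overload documented above with a socketFactory that trusts only a dedicated truststore and the JVM's default hostname verifier. The environment variable names, the scope and audience values, the PrincipalExtractor no-argument constructor and the TokenInfo accessors principal() and expiresAtMs() are assumptions that do not appear on this page.

```java
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.PrincipalExtractor;
import io.strimzi.kafka.oauth.common.TokenInfo;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class ClientCredentialsLogin {

    // Read a required setting from the environment (variable names are assumptions).
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable: " + name);
        }
        return value;
    }

    // Build a socket factory that trusts only the CA certificates in the given PKCS12 truststore.
    static SSLSocketFactory socketFactoryFor(String truststorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(truststorePath))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        URI tokenEndpoint = URI.create(requireEnv("TOKEN_ENDPOINT_URL"));
        // The client secret travels in this request, so refuse a plain-http endpoint.
        if (!"https".equalsIgnoreCase(tokenEndpoint.getScheme())) {
            throw new IllegalArgumentException("Token endpoint must use https: " + tokenEndpoint);
        }

        SSLSocketFactory socketFactory = socketFactoryFor(
                requireEnv("OAUTH_TRUSTSTORE_PATH"),
                requireEnv("OAUTH_TRUSTSTORE_PASSWORD").toCharArray());
        // Keep hostname verification on: use the JVM default verifier, never an accept-all lambda.
        HostnameVerifier hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();

        TokenInfo tokenInfo = OAuthAuthenticator.loginWithClientSecret(
                tokenEndpoint, socketFactory, hostnameVerifier,
                requireEnv("OAUTH_CLIENT_ID"), requireEnv("OAUTH_CLIENT_SECRET"),
                true,                       // isJwt: the returned token is expected to be a JWT
                new PrincipalExtractor(),   // assumed no-argument constructor
                "kafka",                    // scope (constructed value)
                "kafka-broker",             // audience (constructed value)
                true);                      // includeAcceptHeader

        // Log only metadata; the raw access token is a bearer credential and stays out of logs.
        System.out.println("principal=" + tokenInfo.principal()
                + " expiresAtMs=" + tokenInfo.expiresAtMs());
    }
}
```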