This repository contains an OAuth2 / OpenID Connect authentication plugin for FROST-Server to be used in combination with the STAplus plugin.
This plugin is tested with the Authorization Server AUTHENIX.
This plugin applies the `sub` value from the OAuth2 TokenInfo response as the `REMOTE_USER`. Technically, the plugin creates a FROST-Server `PrincipalExtended` and adds the entire response from the TokenInfo and UserInfo to the context:

```
PrincipalExtended.name = sub
PrincipalExtended['TokenInfo'] = <response from TokenInfo>
PrincipalExtended['UserInfo'] = <response from UserInfo>
```

The result from the TokenInfo and UserInfo is cached in separate self-expiring `ConcurrentHashMap` instances. The cache timeout can be configured via `oauth.cacheExpires` with a default of 60 seconds.
The deployment of this plugin requires a working deployment of FROST-Server and the STAplus plugin.

This repository builds with the FROST-Server 2.2.0 SNAPSHOT. The command `mvn install` produces the JAR file `FROST-Server.Auth.OAuth2-2.2.0-SNAPSHOT.jar`. Make sure you copy the JAR file to the appropriate FROST-Server directory.

You can enable this plugin in FROST-Server and configure its behavior by modifying the FROST-Server `context.xml` file.

The plugin is activated by adding the `auth.provider` parameter to `context.xml`:

```xml
<Parameter override="false" name="auth.provider" value="de.securedimensions.frostserver.auth.oauth2.OAuth2AuthProvider" description="The java class used to configure authentication/authorisation."/>
```
The realm for the authentication challenge can be configured via:

```xml
<Parameter override="false" name="auth.realmName" value="FROST-Server-STAplus" />
```

This plugin can be configured to make authentication optional for HTTP GET, which enables anonymous read. To activate anonymous read, add the following parameter to `context.xml`:

```xml
<Parameter override="false" name="auth.allowAnonymousRead" value="true" />
```

The plugin can also be configured to undertake authentication only (so no authorization on roles is enforced) by adding the following parameter to `context.xml`:

```xml
<Parameter override="false" name="auth.authenticateOnly" value="true" />
```
To enforce simple role-based authorization, it is possible to provide the role required for read, create, update and delete. The admin role can also be configured this way:

```xml
<Parameter override="false" name="auth.role.read" value="..." />
<Parameter override="false" name="auth.role.create" value="..." />
<Parameter override="false" name="auth.role.update" value="..." />
<Parameter override="false" name="auth.role.delete" value="..." />
<Parameter override="false" name="auth.role.admin" value="..." />
```

Please add the `auth.adminUid` parameter to the configuration. If using AUTHENIX for authentication, the `REMOTE_USER` is identified by a UUIDv3.

```xml
<Parameter override="false" name="auth.adminUid" value="<user identifier>" />
```
The following configuration reflects the use of AUTHENIX:

```xml
<Parameter override="false" name="auth.oauth.introspectionUrl" value="https://www.authenix.eu/oauth/tokeninfo" />
<Parameter override="false" name="auth.oauth.userinfoUrl" value="https://www.authenix.eu/openid/userinfo" />
<Parameter override="false" name="auth.oauth.scope" value="openid" />
<Parameter override="false" name="auth.oauth.clientId" value="<client_id>" />
<Parameter override="false" name="auth.oauth.clientSecret" value="<client_secret>" />
```

The `client_id` and `client_secret` are obtained by registering the plugin as a Service with the AUTHENIX register app.

The `auth.oauth.cacheExpires` parameter configures the timeout (in seconds) for the token and user info cache:

```xml
<Parameter override="false" name="auth.oauth.cacheExpires" value="60" />
```
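The following is an added example, not code from this repository or from FROST-Server. It models, in Python, the request-handling decision that the configuration above describes: anonymous read for GET when `auth.allowAnonymousRead` is set, authentication-only mode, per-action roles, the admin user identified by `auth.adminUid`, and a self-expiring TokenInfo cache with the `auth.oauth.cacheExpires` timeout. Everything in it is an assumption made for illustration: the TokenInfo responses are constructed, the `roles` claim is invented (the README does not say which claim the plugin reads roles from), and an action with no configured role is treated as denied. The point it makes about the cache is that a token revoked at the authorization server keeps authenticating until its cache entry expires, so `cacheExpires` is the upper bound on revocation latency.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed TokenInfo responses standing in for the introspection endpoint.
# The "roles" claim is an assumption of this example, not something the plugin documents.
FAKE_TOKENINFO = {
    "tok-alice": {"active": True, "sub": "alice-uuid", "roles": ["reader"]},
    "tok-bob":   {"active": True, "sub": "bob-uuid",   "roles": ["reader", "editor"]},
    "tok-admin": {"active": True, "sub": "admin-uuid", "roles": []},
    "tok-dead":  {"active": False},
}


class ManualClock:
    """Injectable clock so cache expiry can be demonstrated without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ExpiringCache:
    """Minimal self-expiring map, modelled on the plugin's cached TokenInfo/UserInfo."""
    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: dict = {}

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self.clock() >= expires_at:
            del self._store[key]      # lazy eviction on read
            return None
        return value

    def put(self, key, value) -> None:
        self._store[key] = (dict(value), self.clock() + self.ttl)


@dataclass
class AuthConfig:
    """Mirrors the context.xml parameters described in the README (names assumed)."""
    realm: str = "FROST-Server-STAplus"
    allow_anonymous_read: bool = False       # auth.allowAnonymousRead
    authenticate_only: bool = False          # auth.authenticateOnly
    roles: dict = field(default_factory=dict)  # auth.role.<action> -> required role
    admin_uid: Optional[str] = None          # auth.adminUid


ACTION_FOR_METHOD = {"GET": "read", "POST": "create", "PUT": "update",
                     "PATCH": "update", "DELETE": "delete"}


def introspect(token: str, cache: ExpiringCache, lookup: Callable[[str], Optional[dict]]):
    """Return the TokenInfo for a bearer token, serving from cache while the entry is fresh.
    Returns None for unknown or inactive tokens; inactive results are not cached."""
    cached = cache.get(token)
    if cached is not None:
        return cached
    info = lookup(token)
    if not info or not info.get("active"):
        return None
    cache.put(token, info)
    return info


def decide(method: str, token: Optional[str], config: AuthConfig,
           cache: ExpiringCache, lookup: Callable[[str], Optional[dict]]):
    """Return (HTTP status, REMOTE_USER): 200 allowed, 401 authentication required,
    403 authenticated but lacking the role, 405 unsupported method."""
    action = ACTION_FOR_METHOD.get(method)
    if action is None:
        return 405, None
    if token is None:
        if action == "read" and config.allow_anonymous_read:
            return 200, None
        return 401, None                      # WWW-Authenticate: Bearer realm=config.realm
    info = introspect(token, cache, lookup)
    if info is None:
        return 401, None
    sub = info["sub"]                          # becomes PrincipalExtended.name / REMOTE_USER
    if config.authenticate_only or sub == config.admin_uid:
        return 200, sub
    required = config.roles.get(action)
    if required is not None and required in info.get("roles", []):
        return 200, sub
    return 403, sub                            # assumption: no configured role means deny


if __name__ == "__main__":
    clock = ManualClock()
    cache = ExpiringCache(60, clock)
    cfg = AuthConfig(allow_anonymous_read=True, admin_uid="admin-uuid",
                     roles={"read": "reader", "create": "editor", "update": "editor", "delete": "editor"})
    print(decide("GET", None, cfg, cache, FAKE_TOKENINFO.get))
    print(decide("POST", "tok-alice", cfg, cache, FAKE_TOKENINFO.get))
    FAKE_TOKENINFO["tok-alice"]["active"] = False        # revoke at the authorization server
    print(decide("GET", "tok-alice", cfg, cache, FAKE_TOKENINFO.get))   # still served from cache
    clock.advance(61)
    print(decide("GET", "tok-alice", cfg, cache, FAKE_TOKENINFO.get))   # cache expired, now 401
```

The `ManualClock` stands in for `time.monotonic` so the expiry can be shown deterministically; in a real deployment the cache timeout should be chosen against how quickly the operator needs a revoked or expired token to stop working at the server.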