Class OAuth2Auth

Factory interface for creating OAuth2 based AuthenticationProvider instances.

Hierarchy

  • any
    • OAuth2Auth

Index

Methods

authorizeURL

  • The client sends the end-user's browser to this endpoint to request their authentication and consent. This endpoint is used in the code and implicit OAuth 2.0 flows which require end-user interaction.

    Parameters

    • params: {}
      • [key: string]: any

    Returns string

  • The client sends the end-user's browser to this endpoint to request their authentication and consent. This endpoint is used in the code and implicit OAuth 2.0 flows which require end-user interaction.

    Parameters

    Returns string

close

  • close(): void
  • Releases any resources or timers used by this instance. Users are expected to call this method when the provider isn't needed any more to return the used resources back to the platform.

    Returns void

endSessionURL

  • endSessionURL(user: User, params: {}): string
  • endSessionURL(user: User): string

jWKSet

  • jWKSet(): PromiseLike<void>
  • jWKSet(handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>): OAuth2Auth
  • Retrieve the public server JSON Web Key (JWK) required to verify the authenticity of issued ID and access tokens. The provider will refresh the keys according to: https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys

    This means that the provider will look at the cache headers and will refresh when the max-age is reached. If the server does not return any cache headers, it is up to the end user to call this method to refresh.

    To avoid the refresh happening too late, which would leave the keys invalid, a positive leeway in the OAuth2Options JWTOptions config is used to request the refresh ahead of time.

    Key rotation can be controlled by OAuth2Options.

    Returns PromiseLike<void>

  • Retrieve the public server JSON Web Key (JWK) required to verify the authenticity of issued ID and access tokens. The provider will refresh the keys according to: https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys

    This means that the provider will look at the cache headers and will refresh when the max-age is reached. If the server does not return any cache headers, it is up to the end user to call this method to refresh.

    To avoid the refresh happening too late, which would leave the keys invalid, a positive leeway in the OAuth2Options JWTOptions config is used to request the refresh ahead of time.

    Key rotation can be controlled by OAuth2Options.

    Parameters

    • handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>

    Returns OAuth2Auth

missingKeyHandler

  • missingKeyHandler(handler: ((res: string) => void) | Handler<string>): OAuth2Auth
  • Handler to be called when a key (mentioned in a JWT) is missing from the current config. Users are advised to call OAuth2Auth#jWKSet, but should be careful to implement some rate limiting function.

    This method isn't generic for several reasons. The provider is not aware of the capabilities of the backend IdP in terms of max allowed API calls. Some validation could be done at the key id, which only the end user is aware of.

    A base implementation for this handler is:

    // are we already updating the jwks?
    private final AtomicBoolean updating = new AtomicBoolean(false);

    // default missing key handler, will try to reload with debounce
    oauth2.missingKeyHandler(keyId -> {
      if (updating.compareAndSet(false, true)) {
        // Refreshing JWKs due to a missing key
        oauth2.jWKSet(done -> {
          // release the flag so a later missing key can trigger a new refresh
          updating.compareAndSet(true, false);
          if (done.failed()) {
            done.cause().printStackTrace();
          }
        });
      }
    });

    This handler will purely debounce calls and allow only a single request to OAuth2Auth#jWKSet at a time. No special handling is done to avoid requests for wrong key ids or to prevent too many requests to the IdP server. Users should probably also account for the number of errors to prevent a DDoS of the IdP.

    Parameters

    • handler: ((res: string) => void) | Handler<string>

    Returns OAuth2Auth
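
The rate limiting that the missingKeyHandler description leaves to the user, as an added JavaScript example (not code from the Vert.x project): it keeps the debounce from the base implementation and adds a key id check, a minimum interval between refreshes and a capped backoff on errors. The function name, the option names (`minIntervalMs`, `maxBackoffMs`, `kidPattern`, `now`) and the `stats` counters are assumptions of this sketch; only `jWKSet(handler)` and `failed()` come from the API above.

```javascript
// Added example: builds a function suitable for oauth2.missingKeyHandler(...).
// `oauth2` is any object exposing jWKSet(handler) as documented on this page.
function rateLimitedMissingKeyHandler(oauth2, opts = {}) {
  const minIntervalMs = opts.minIntervalMs ?? 60000;      // assumed default: 1 min
  const maxBackoffMs = opts.maxBackoffMs ?? 3600000;      // assumed default: 1 h
  const kidPattern = opts.kidPattern ?? /^[A-Za-z0-9._-]{1,128}$/; // assumed kid shape
  const now = opts.now ?? Date.now;                       // injectable clock for tests
  const stats = { refreshes: 0, skipped: 0, rejected: 0 };
  let updating = false;   // a refresh is in flight (the debounce of the base handler)
  let failures = 0;       // consecutive failed refreshes
  let nextAllowed = 0;    // earliest time the next refresh may start

  const handler = (keyId) => {
    // Key ids come from unverified JWT headers: ignore anything implausible
    // so arbitrary tokens cannot trigger calls to the IdP.
    if (typeof keyId !== 'string' || !kidPattern.test(keyId)) {
      stats.rejected++;
      return;
    }
    // Single flight, plus a quiet period after every refresh attempt.
    if (updating || now() < nextAllowed) {
      stats.skipped++;
      return;
    }
    updating = true;
    stats.refreshes++;
    oauth2.jWKSet((done) => {
      updating = false;
      failures = done.failed() ? failures + 1 : 0;
      // Exponential backoff on consecutive errors, capped at maxBackoffMs.
      const wait = Math.min(minIntervalMs * 2 ** failures, maxBackoffMs);
      nextAllowed = now() + wait;
    });
  };
  handler.stats = stats;
  return handler;
}
```

Register it with `oauth2.missingKeyHandler(rateLimitedMissingKeyHandler(oauth2))` and tune the interval to the IdP's documented API limits.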

refresh

  • refresh(user: User): PromiseLike<User>
  • refresh(user: User, handler: ((res: AsyncResult<User>) => void) | Handler<AsyncResult<User>>): OAuth2Auth
  • Refresh the current User (access token).

    Parameters

    • user: User

    Returns PromiseLike<User>

  • Refresh the current User (access token).

    Parameters

    • user: User
    • handler: ((res: AsyncResult<User>) => void) | Handler<AsyncResult<User>>

    Returns OAuth2Auth

revoke

  • revoke(user: User, tokenType: string): PromiseLike<void>
  • revoke(user: User, tokenType: string, handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>): OAuth2Auth
  • revoke(user: User): PromiseLike<void>
  • revoke(user: User, handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>): OAuth2Auth
  • Revoke an obtained access or refresh token. More info https://tools.ietf.org/html/rfc7009.

    Parameters

    • user: User
    • tokenType: string

    Returns PromiseLike<void>

  • Revoke an obtained access or refresh token. More info https://tools.ietf.org/html/rfc7009.

    Parameters

    • user: User
    • tokenType: string
    • handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>

    Returns OAuth2Auth

  • Revoke an obtained access token. More info https://tools.ietf.org/html/rfc7009.

    Parameters

    • user: User

    Returns PromiseLike<void>

  • Revoke an obtained access token. More info https://tools.ietf.org/html/rfc7009.

    Parameters

    • user: User
    • handler: ((res: AsyncResult<void>) => void) | Handler<AsyncResult<void>>

    Returns OAuth2Auth

userInfo

  • userInfo(user: User): PromiseLike<{}>
  • userInfo(user: User, handler: ((res: AsyncResult<{}>) => void) | Handler<AsyncResult<{}>>): OAuth2Auth

Static create

  • Create an OAuth2 auth provider.

    Parameters

    • vertx: Vertx

    Returns OAuth2Auth

  • Create an OAuth2 auth provider.

    Parameters

    Returns OAuth2Auth
