java 在基于servlet的应用程序中对oidc(pac4j-oidc)进行身份验证时,无法从IDP(Azure AD App角色)获取已配置的角色

dbf7pr2w  于 2023-06-04  发布在  Java

我在应用程序中使用javaee-pac4j:7.1.0和pac4j-oidc:5.7.0,在基于servlet的应用程序中通过OIDC(最初是Azure AD)进行身份验证。我可以重定向到Azure进行身份验证,回调API也会带着已登录用户的详细信息被调用。但是不知道如何获取在Azure AD中定义的appRoles。在我的流程中,我需要应用程序角色,之后必须在应用程序中创建用户与角色的映射。
我参照jee-pac4j-demo实现了这个流程,但对于如何从OIDC IDP获取应用程序角色毫无头绪。请指教。
我的web.xml

<filter>
        <!-- Callback endpoint for the IdP redirect. Note this is the application's own
             com.xxx.yyy.security.oidc.CallbackFilter, not org.pac4j.jee.filter.CallbackFilter. -->
        <filter-name>callbackFilter</filter-name>
        <filter-class>com.xxx.yyy.security.oidc.CallbackFilter</filter-class>

        <!-- renewSession=true: pac4j issues a fresh session id once the user is authenticated
             (session-fixation defence for the login callback). -->
        <init-param>
            <param-name>renewSession</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- multiProfile=true: presumably keeps profiles from several clients side by side in
             the session instead of replacing the current one; confirm against the pac4j docs. -->
        <init-param>
            <param-name>multiProfile</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <!-- Only direct requests hit the callback; forwards/includes are not filtered. -->
    <filter-mapping>
        <filter-name>callbackFilter</filter-name>
        <url-pattern>/oidc/rest/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <!-- Protects /rest/rest-jwt/* with pac4j's SecurityFilter: the Config comes from
         DemoConfigFactory, only the "OidcClient" client is accepted and the "custom"
         authorizer must pass.
         NOTE(review): despite the filter's name, clients=OidcClient means a JWT passed as the
         "token" request parameter is not accepted on this mapping; the ParameterClient built
         in DemoConfigFactory would have to be registered in Clients and listed here. -->
    <filter>
        <filter-name>JwtParameterFilter</filter-name>
        <filter-class>org.pac4j.jee.filter.SecurityFilter</filter-class>
        <init-param>
            <param-name>configFactory</param-name>
            <param-value>com.xxx.yyy.security.oidc.DemoConfigFactory</param-value>
        </init-param>
        <init-param>
            <param-name>authorizers</param-name>
            <param-value>custom</param-value>
        </init-param>
        <init-param>
            <param-name>clients</param-name>
            <param-value>OidcClient</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>JwtParameterFilter</filter-name>
        <url-pattern>/rest/rest-jwt/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

DemoConfigFactory

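@Override
    public Config build(final Object... parameters) {
        // Builds the pac4j Config shared by the security and callback filters: one OIDC
        // client (Azure AD, resolved through the tenant's discovery document) plus the
        // "custom" authorizer. `parameters` is part of the ConfigFactory contract and is
        // not read here.

        System.out.print("Building Security configuration...\n");

        oidcConfiguration = new OidcConfiguration();
        // NOTE(review): client id and client secret are committed in source. The secret must
        // come from a secret store or environment variable before this leaves the demo stage,
        // and be rotated if the value below was ever a live credential.
        oidcConfiguration.setClientId("sdfdsf-02f9-401f-bbf3-dd87d64a6a2a");
        oidcConfiguration.setSecret("iGc8Q~wZ_~dffsdfsdfs");
        oidcConfiguration.setDiscoveryURI("https://login.microsoftonline.com/sdfsdfs-2cb0-44dc-88cd-fdfs/v2.0/.well-known/openid-configuration");
        // The nonce ties the ID token to this authentication request (replay protection).
        oidcConfiguration.setUseNonce(true);
        // Explicit scope: the roles claim sent by the IdP (Azure AD app roles) only appeared
        // on the user profile once the scope was set explicitly.
        oidcConfiguration.setScope("openid email profile phone");
        oidcConfiguration.addCustomParam("prompt", "consent");

        // Roles are taken from the IdP's claims; no local AuthorizationGenerator is installed.
        oidcClient = new OidcClient(oidcConfiguration);

        // REST authent with JWT for a token passed in the url as the token parameter
        final List<SignatureConfiguration> signatures = new ArrayList<>();
        signatures.add(new SecretSignatureConfiguration(JWT_SALT));
        final ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(signatures));
        parameterClient.setSupportGetRequest(true);
        parameterClient.setSupportPostRequest(false);
        // NOTE(review): parameterClient is never added to `clients` below, so the "token"
        // query-parameter path is currently inert. If the JwtParameterFilter mapping is meant
        // to accept it, register it here (`new Clients(callbackUrl, oidcClient, parameterClient)`)
        // and list it in that filter's `clients` init-param.

        // Callback URL is the absolute address the IdP redirects back to; it is environment
        // specific and currently hard-coded to the local dev instance.
        final Clients clients = new Clients("https://localhost:8443/myapplication/oidc/rest/sp/consumer", oidcClient);
        final Config config = new Config(clients);
        config.addAuthorizer("custom", new CustomAuthorizer());
        return config;
    }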

CallbackFilter.java

@WebFilter(filterName = "CallbackFilter", urlPatterns = {"/oidc/rest/*", "/oidc/rest"})
public class CallbackFilter extends AbstractConfigFilter implements javax.servlet.Filter {

    private static final Log LOG = LogFactory.getLog(CallbackFilter.class);
    private static final String AUTHENTICATED_SESSION_ATTRIBUTE = "authenticated";
    private ProfileManager profileManager;

    @Inject
    private DemoConfigFactory demoConfigFactory;

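    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        // Handles the IdP redirect back to /oidc/rest/*: runs pac4j's callback logic, then
        // marks the HTTP session as authenticated and redirects to the goto URL. As in the
        // original, the filter chain is not continued; the redirect is the response.

        final HttpServletRequest req = (HttpServletRequest) request;
        final HttpServletResponse resp = (HttpServletResponse) response;
        this.internalFilter(req, resp, chain);

        // Read the ProfileManager that internalFilter attached to *this* request. It must not
        // live in an instance field: a servlet filter is one shared instance, so a field
        // written by one callback can be overwritten by a concurrent callback of another
        // user, and the wrong username would then reach redirectToGotoURL below.
        final ProfileManager requestProfiles =
                (ProfileManager) req.getAttribute(ProfileManager.class.getName());
        if (requestProfiles == null) {
            throw new ServletException("OIDC callback did not attach a ProfileManager to the request");
        }
        // Fail closed: without an authenticated profile the session is never marked authenticated.
        final UserProfile userProfile = requestProfiles.getProfile()
                .orElseThrow(() -> new ServletException("OIDC callback completed without an authenticated profile"));

        LOG.info("OIDC response received" + userProfile.getUsername());
        LOG.info("" + userProfile.getRoles().toString());

        final String authenticatedUser = userProfile.getUsername();
        setAuthenticatedSession(req);
        redirectToGotoURL(req, resp, authenticatedUser);
    }

    @Override
    protected void internalFilter(final HttpServletRequest request, final HttpServletResponse response,
                                  final FilterChain chain) throws IOException, ServletException {
        // Resolves the pac4j building blocks for this request and performs the callback
        // (code exchange, profile creation, optional session renewal).
        final Config config = this.getSharedConfig();
        final HttpActionAdapter bestAdapter =
                FindBest.httpActionAdapter((HttpActionAdapter) null, config, JEEHttpActionAdapter.INSTANCE);
        final CallbackLogic bestLogic =
                FindBest.callbackLogic(this.callbackLogic, config, DefaultCallbackLogic.INSTANCE);
        final WebContext context =
                FindBest.webContextFactory((WebContextFactory) null, config, JEEContextFactory.INSTANCE)
                        .newContext(new Object[]{request, response});
        final SessionStore sessionStore =
                FindBest.sessionStoreFactory((SessionStoreFactory) null, config, JEESessionStoreFactory.INSTANCE)
                        .newSessionStore(new Object[]{request, response});
        // this.renewSession is presumably fed by the renewSession init-param in web.xml; when
        // true pac4j issues a fresh session id after login (session-fixation defence).
        bestLogic.perform(context, sessionStore, config, bestAdapter, this.defaultUrl, this.renewSession, this.defaultClient);
        // Request-scoped hand-off to doFilter; the profileManager instance field is
        // intentionally left unassigned because it is shared between concurrent requests.
        request.setAttribute(ProfileManager.class.getName(), new ProfileManager(context, sessionStore));
    }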
e37o9pze


我查阅了pac4j文档,发现我遗漏了在OidcConfiguration对象中设置scope(范围)。
setScope("openid email profile phone");
设置scope之后,现在我可以从IDP返回的声明(claims)中获取到角色了。
