I am using javaee-pac4j:7.1.0 and pac4j-oidc:5.7.0 in my application to authenticate with OIDC (initially Azure AD) in a servlet-based application. I can redirect to Azure for authentication, and the callback API is also called with the logged-in user's details. But I don't know how to get the appRoles defined in Azure AD. In my flow I need the application roles, and then I have to create the user and role mapping in the application.
I followed jee-pac4j-demo to get this working, but have no clue how to get the application roles from the IDP over OIDC. Please advise.
My web.xml
<filter>
    <filter-name>callbackFilter</filter-name>
    <filter-class>com.xxx.yyy.security.oidc.CallbackFilter</filter-class>
    <init-param>
        <param-name>renewSession</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>multiProfile</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>callbackFilter</filter-name>
    <url-pattern>/oidc/rest/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
    <filter-name>JwtParameterFilter</filter-name>
    <filter-class>org.pac4j.jee.filter.SecurityFilter</filter-class>
    <init-param>
        <param-name>configFactory</param-name>
        <param-value>com.xxx.yyy.security.oidc.DemoConfigFactory</param-value>
    </init-param>
    <init-param>
        <param-name>authorizers</param-name>
        <param-value>custom</param-value>
    </init-param>
    <init-param>
        <param-name>clients</param-name>
        <param-value>OidcClient</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>JwtParameterFilter</filter-name>
    <url-pattern>/rest/rest-jwt/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
DemoConfigFactory
@Override
public Config build(final Object... parameters) {
    System.out.print("Building Security configuration...\n");

    // OIDC client against the Azure AD v2.0 tenant endpoint (ids and secret redacted).
    // The secret should come from configuration/environment rather than source code.
    oidcConfiguration = new OidcConfiguration();
    oidcConfiguration.setClientId("sdfdsf-02f9-401f-bbf3-dd87d64a6a2a");
    oidcConfiguration.setSecret("iGc8Q~wZ_~dffsdfsdfs");
    oidcConfiguration.setDiscoveryURI("https://login.microsoftonline.com/sdfsdfs-2cb0-44dc-88cd-fdfs/v2.0/.well-known/openid-configuration");
    oidcConfiguration.setUseNonce(true);
    oidcConfiguration.addCustomParam("prompt", "consent");
    oidcClient = new OidcClient(oidcConfiguration);
    /* oidcClient.setAuthorizationGenerator((webContext, sessionStore, userProfile) -> {
        userProfile.addRole("ConfiguratorOne");
        return java.util.Optional.of(userProfile);
    }); */

    // REST authentication with a JWT passed in the URL as the "token" parameter
    final List<SignatureConfiguration> signatures = new ArrayList<>();
    signatures.add(new SecretSignatureConfiguration(JWT_SALT));
    final ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(signatures));
    parameterClient.setSupportGetRequest(true);
    parameterClient.setSupportPostRequest(false);

    // Both clients must be registered here, otherwise the ParameterClient is unreachable
    // from any SecurityFilter (the original code only registered oidcClient).
    final Clients clients = new Clients("https://localhost:8443/myapplication/oidc/rest/sp/consumer", oidcClient, parameterClient);
    final Config config = new Config(clients);
    config.addAuthorizer("custom", new CustomAuthorizer());
    return config;
}
CallbackFilter.java
// Note: web.xml also declares this class under the name "callbackFilter"; two different
// filter names mean two registrations (two instances), so keep only one of them.
@WebFilter(filterName = "CallbackFilter", urlPatterns = {"/oidc/rest/*", "/oidc/rest"})
public class CallbackFilter extends AbstractConfigFilter implements javax.servlet.Filter {
    private static final Log LOG = LogFactory.getLog(CallbackFilter.class);
    private static final String AUTHENTICATED_SESSION_ATTRIBUTE = "authenticated";

    // Settings consumed by CallbackLogic.perform(); mirrored from pac4j's own CallbackFilter.
    // They are expected to be populated from the init-params (not shown in the post).
    private CallbackLogic callbackLogic;
    private String defaultUrl;
    private Boolean renewSession;
    private String defaultClient;

    private ProfileManager profileManager;

    @Inject
    private DemoConfigFactory demoConfigFactory;

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest req = (HttpServletRequest) request;
        final HttpServletResponse resp = (HttpServletResponse) response;
        // Runs the pac4j callback logic: validates the IdP response, builds the profile
        // and stores it in the session.
        this.internalFilter(req, resp, chain);
        // The profile is only present when the callback succeeded; fail loudly otherwise
        // instead of calling Optional.get() on an empty value.
        final UserProfile userProfile = profileManager.getProfile()
                .orElseThrow(() -> new ServletException("No user profile after OIDC callback"));
        LOG.info("OIDC response received for " + userProfile.getUsername());
        LOG.info("Roles: " + userProfile.getRoles());
        final String authenticatedUser = userProfile.getUsername();
        setAuthenticatedSession(req);
        redirectToGotoURL(req, resp, authenticatedUser);
    }

    @Override
    protected void internalFilter(final HttpServletRequest request, final HttpServletResponse response,
                                  final FilterChain chain) throws IOException, ServletException {
        final Config config = this.getSharedConfig();
        final HttpActionAdapter bestAdapter = FindBest.httpActionAdapter(null, config, JEEHttpActionAdapter.INSTANCE);
        final CallbackLogic bestLogic = FindBest.callbackLogic(this.callbackLogic, config, DefaultCallbackLogic.INSTANCE);
        final WebContext context = FindBest.webContextFactory(null, config, JEEContextFactory.INSTANCE)
                .newContext(request, response);
        final SessionStore sessionStore = FindBest.sessionStoreFactory(null, config, JEESessionStoreFactory.INSTANCE)
                .newSessionStore(request, response);
        bestLogic.perform(context, sessionStore, config, bestAdapter, this.defaultUrl, this.renewSession, this.defaultClient);
        // Profile manager bound to this request/session so doFilter can read the saved profile.
        profileManager = new ProfileManager(context, sessionStore);
    }
}
1 Answer
I searched the pac4j documentation and found that I was missing setting the scope on the OidcConfiguration object.
setScope("openid email profile phone");
After setting the scope, I am now getting the roles in the claims sent by the IDP.
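To turn those claims into roles the SecurityFilter can enforce, here is an added example (not code from the question, the answer or the jee-pac4j-demo) of a pac4j ConfigFactory that sets the scope explicitly and installs an AuthorizationGenerator copying the IdP's `roles` claim into pac4j roles, guarded by a RequireAnyRoleAuthorizer. The client id, tenant id, callback URL, authorizer name `appRole` and role names are placeholders; `roles` as the claim name and the claim arriving as a JSON array are assumptions about how Azure AD emits app roles.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Optional;

import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;

// Example only: maps the IdP "roles" claim to pac4j roles after the OIDC callback.
public class RolesConfigFactory implements ConfigFactory {

    // Claim carrying Azure AD app roles in the ID token (assumption).
    private static final String ROLES_CLAIM = "roles";

    @Override
    public Config build(final Object... parameters) {
        final OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId("<client-id>");                       // placeholder
        oidcConfiguration.setSecret(System.getenv("OIDC_CLIENT_SECRET"));  // keep the secret out of source
        oidcConfiguration.setDiscoveryURI(
            "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"); // placeholder
        oidcConfiguration.setUseNonce(true);
        // Explicit scope, as in the answer above.
        oidcConfiguration.setScope("openid email profile phone");

        final OidcClient oidcClient = new OidcClient(oidcConfiguration);

        // Runs once per login, after pac4j has validated the ID token and built the profile.
        // Roles are taken only from that validated token, never from request parameters.
        oidcClient.setAuthorizationGenerator((webContext, sessionStore, profile) -> {
            for (final String role : rolesFromClaim(profile.getAttribute(ROLES_CLAIM))) {
                profile.addRole(role);
            }
            return Optional.of(profile);
        });

        final Clients clients = new Clients("https://localhost:8443/myapplication/oidc/rest/sp/consumer", oidcClient);
        final Config config = new Config(clients);
        // Reference this name in the SecurityFilter's "authorizers" init-param (placeholder role names).
        config.addAuthorizer("appRole", new RequireAnyRoleAuthorizer("ConfiguratorOne", "Admin"));
        return config;
    }

    // Several assigned app roles arrive as a JSON array (a Collection after parsing);
    // tolerate a single string as well, and ignore a missing claim.
    static List<String> rolesFromClaim(final Object claim) {
        final List<String> roles = new ArrayList<>();
        if (claim instanceof Collection<?>) {
            for (final Object o : (Collection<?>) claim) {
                if (o != null) {
                    roles.add(o.toString());
                }
            }
        } else if (claim instanceof String) {
            roles.add((String) claim);
        }
        return roles;
    }
}
```

With this factory named in the SecurityFilter's `configFactory` init-param and `authorizers` set to `appRole`, a user whose ID token lacks one of the listed roles gets a 403 from pac4j; the user-to-role mapping then lives in the Azure AD app registration rather than in the application.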