diff --git a/pom.xml b/pom.xml
index b4ef035fea..9b189a825b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -951,6 +951,17 @@
+
+ org.pac4j
+ pac4j-http
+ ${pac4j.version}
+
+
+ com.fasterxml.jackson.core
+ jackson-databind
+
+
+
org.pac4j
pac4j-saml-opensamlv3
diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
index 4fb4e65286..67e27df70b 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
@@ -38,11 +38,13 @@
import org.pac4j.core.http.callback.CallbackUrlResolver;
import org.pac4j.core.http.callback.PathParameterCallbackUrlResolver;
import org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver;
+import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.oauth.client.FacebookClient;
import org.pac4j.oauth.client.GitHubClient;
import org.pac4j.oauth.client.Google2Client;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.slf4j.Logger;
@@ -322,11 +324,19 @@ public Map getFilters() {
if (this.openidAuthEnabled) {
OidcConfiguration configuration = oidcConfCreator.build();
- OidcClient oidcClient = new OidcClient(configuration);
- oidcClient.setCallbackUrl(oauthApiCallback);
- oidcClient.setCallbackUrlResolver(urlResolver);
if (StringUtils.isNotBlank(configuration.getClientId())) {
+ // https://www.pac4j.org/4.0.x/docs/clients/openid-connect.html
+ // OidcClient allows indirect login through UI with code flow
+ OidcClient oidcClient = new OidcClient(configuration);
+ oidcClient.setCallbackUrl(oauthApiCallback);
+ oidcClient.setCallbackUrlResolver(urlResolver);
clients.add(oidcClient);
+ // HeaderClient allows api access with a bearer token from the identity provider
+ UserInfoOidcAuthenticator authenticator = new UserInfoOidcAuthenticator(configuration);
+ HeaderClient headerClient = new HeaderClient("Authorization", "Bearer ", authenticator);
+ clients.add(headerClient);
+ } else {
+ logger.warn("openidAuth is enabled but no client id is provided");
}
}
@@ -366,6 +376,11 @@ public Map getFilters() {
oidcFilter.setConfig(cfg);
oidcFilter.setClients("OidcClient");
filters.put(OIDC_AUTH, oidcFilter);
+
+ SecurityFilter oidcDirectFilter = new SecurityFilter();
+ oidcDirectFilter.setConfig(cfg);
+ oidcDirectFilter.setClients("HeaderClient");
+ filters.put(OIDC_DIRECT_AUTH, oidcDirectFilter);
}
CallbackFilter callbackFilter = new CallbackFilter();
@@ -409,7 +424,9 @@ protected FilterChainBuilder getFilterChainBuilder() {
}
if (this.openidAuthEnabled) {
- filterChainBuilder.addRestPath("/user/login/openid", FORCE_SESSION_CREATION, OIDC_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
+ filterChainBuilder
+ .addRestPath("/user/login/openid", FORCE_SESSION_CREATION, OIDC_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+ .addRestPath("/user/login/openidDirect", FORCE_SESSION_CREATION, OIDC_DIRECT_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_HEADER);
}
if (this.googleAuthEnabled) {
@@ -453,11 +470,11 @@ protected FilterChainBuilder getFilterChainBuilder() {
if (this.samlEnabled) {
filterChainBuilder
- .addPath("/user/login/saml", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
- .addPath("/user/login/samlForce", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC_FORCE, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
- .addPath("/user/saml/callback", SSL, HANDLE_SAML, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
+ .addPath("/user/login/saml", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+ .addPath("/user/login/samlForce", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC_FORCE, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+ .addPath("/user/saml/callback", SSL, HANDLE_SAML, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
}
-
+
setupProtectedPaths(filterChainBuilder);
return filterChainBuilder.addRestPath("/**");
diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/FilterTemplates.java b/src/main/java/org/ohdsi/webapi/shiro/management/FilterTemplates.java
index 5b94fec71a..cc3e578fde 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/management/FilterTemplates.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/management/FilterTemplates.java
@@ -31,6 +31,7 @@ public enum FilterTemplates {
LDAP_FILTER("ldapFilter"),
AD_FILTER("adFilter"),
OIDC_AUTH("oidcAuth"),
+ OIDC_DIRECT_AUTH("oidcDirectAuth"),
OAUTH_CALLBACK("oauthCallback"),
HANDLE_UNSUCCESSFUL_OAUTH("handleUnsuccessfullOAuth"),
HANDLE_CAS("handleCas"),