WIP: Add OIDC authentication #169
Conversation
return new ResourceCollection(Resource.newClassPathResource("static"));
}

public static void main(String[] args) {
So looks like this was manually tested?
I.e. you can use this example call the main method and pass params.
Can you comment in this file or in the commit message
- An example of how you ran this, (against Okta)?
- What the expected behavior is if no creds are passed, if the creds are wrong, if the creds are right.
Yea I wasn't super sure how to write a test for this. I'll see if there is a mock OIDC provider in the jetty code base somewhere. If memory serves they use google as a provider in their tests which isn't super awesome. I'll try to think of something
OIDC (the protocol) isn't vendor specific, but their admin APIs are. We could link their docs I suppose. In the long run (not the initial PR) I'd like to support dynamic client registration in rest utils, but that's for another day.
Ack will add some comments around this.
found a mock OpenIdProvider I think 👍
Hi @rnpridgeon, is there one page for this PR?
Transitioned to WIP as I investigate extending Jetty's existing Authenticator to more appropriately suit the needs of all our CP components. The existing implementation only supports promptable authorization code flows and client-credential (BYOT). At first I was thinking Bring Your Own Token was fine, but in retrospect it's kind of annoying for things like POC or experimentation, adding unnecessary friction. I'll also be adding support for the resource owner password credential flow (ROPG). ROPG will facilitate the use of HTTP Basic Authentication by clients backed by an OIDC provider. Its usage is highly discouraged and not supported by all OIDC providers. We will want to document this. ROPG takes away the biggest advantage provided by OAuth, no APIs see your password, but still provides us with an authentication protocol independent of the backing IdPs.
Additional notes about the implementation:
Jetty's version is being bumped to 9.4.23.v20191118; this was done so we could include the jetty-openid package. Jersey's version is being bumped to 2.3.0 to handle a breaking change introduced by Jetty.
jetty/jetty.project#4121 (comment)