forked from dhis2/dhis2-core
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add Azure AD OpenID Connect provider support (dhis2#6189)
Adds support for using Azure AD as an OIDC provider Add support for logout session with OIDC providers that support it Adjust Authmanager configurations to be explicit for each authentication endpoint Remove redundant Lombok dependency in main pom.xml Small adjustment to comments text
- Loading branch information
Showing
10 changed files
with
477 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -30,22 +30,17 @@ | |
*/ | ||
|
||
import org.hisp.dhis.external.conf.DhisConfigurationProvider; | ||
import org.hisp.dhis.security.oidc.provider.AzureAdProvider; | ||
import org.hisp.dhis.security.oidc.provider.GoogleProvider; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider; | ||
import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; | ||
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; | ||
import org.springframework.stereotype.Component; | ||
|
||
import javax.annotation.PostConstruct; | ||
import java.util.HashMap; | ||
import java.util.Set; | ||
|
||
import static org.hisp.dhis.external.conf.ConfigurationKey.OIDC_PROVIDER_GOOGLE_CLIENT_ID; | ||
import static org.hisp.dhis.external.conf.ConfigurationKey.OIDC_PROVIDER_GOOGLE_CLIENT_SECRET; | ||
import static org.hisp.dhis.external.conf.ConfigurationKey.OIDC_PROVIDER_GOOGLE_MAPPING_CLAIM; | ||
import static org.hisp.dhis.external.conf.ConfigurationKey.OIDC_PROVIDER_GOOGLE_REDIR_BASE_URL; | ||
|
||
/** | ||
* @author Morten Svanæs <[email protected]> | ||
*/ | ||
|
@@ -54,43 +49,31 @@ | |
public class DhisClientRegistrationRepository | ||
implements ClientRegistrationRepository | ||
{ | ||
private InMemoryClientRegistrationRepository repository; | ||
|
||
@Autowired | ||
private DhisConfigurationProvider dhisConfigurationProvider; | ||
private DhisConfigurationProvider config; | ||
|
||
private static final HashMap<String, DhisOidcClientRegistration> registrationHashMap = new HashMap<>(); | ||
|
||
@PostConstruct | ||
public void init() | ||
{ | ||
String googleClientId = dhisConfigurationProvider.getProperty( OIDC_PROVIDER_GOOGLE_CLIENT_ID ); | ||
String googleClientSecret = dhisConfigurationProvider.getProperty( OIDC_PROVIDER_GOOGLE_CLIENT_SECRET ); | ||
String googleClientRedirBaseUri = dhisConfigurationProvider.getProperty( OIDC_PROVIDER_GOOGLE_REDIR_BASE_URL ); | ||
String googleClientMappingClaim = dhisConfigurationProvider.getProperty( OIDC_PROVIDER_GOOGLE_MAPPING_CLAIM ); | ||
|
||
String registrationId = "google"; | ||
ClientRegistration google = CommonOAuth2Provider.GOOGLE.getBuilder( registrationId ) | ||
.clientId( googleClientId ) | ||
.clientSecret( googleClientSecret ) | ||
.redirectUriTemplate( googleClientRedirBaseUri + "/oauth2/code/{registrationId}" ) | ||
.build(); | ||
|
||
DhisOidcClientRegistration registration = DhisOidcClientRegistration.builder() | ||
.clientRegistration( google ) | ||
.mappingClaimKey( googleClientMappingClaim ) | ||
.registrationId( registrationId ) | ||
.build(); | ||
|
||
registrationHashMap.put( registrationId, registration ); | ||
addRegistration( GoogleProvider.build( config ) ); | ||
AzureAdProvider.buildList( config ).forEach( this::addRegistration ); | ||
} | ||
|
||
repository = new InMemoryClientRegistrationRepository( google ); | ||
public void addRegistration( DhisOidcClientRegistration registration ) | ||
{ | ||
if ( registration == null ) | ||
{ | ||
return; | ||
} | ||
registrationHashMap.put( registration.getRegistrationId(), registration ); | ||
} | ||
|
||
@Override | ||
public ClientRegistration findByRegistrationId( String registrationId ) | ||
{ | ||
return repository.findByRegistrationId( registrationId ); | ||
return registrationHashMap.get( registrationId ).getClientRegistration(); | ||
} | ||
|
||
public DhisOidcClientRegistration getDhisOidcClientRegistration( String registrationId ) | ||
|
79 changes: 79 additions & 0 deletions
79
...-service-core/src/main/java/org/hisp/dhis/security/oidc/DhisOidcLogoutSuccessHandler.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
package org.hisp.dhis.security.oidc; | ||
|
||
/* | ||
* Copyright (c) 2004-2020, University of Oslo | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* Redistributions of source code must retain the above copyright notice, this | ||
* list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* Neither the name of the HISP project nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | ||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR | ||
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON | ||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
* | ||
*/ | ||
|
||
import lombok.extern.slf4j.Slf4j; | ||
import org.hisp.dhis.external.conf.DhisConfigurationProvider; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.security.core.Authentication; | ||
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler; | ||
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; | ||
import org.springframework.stereotype.Component; | ||
|
||
import javax.annotation.PostConstruct; | ||
import javax.servlet.ServletException; | ||
import javax.servlet.http.HttpServletRequest; | ||
import javax.servlet.http.HttpServletResponse; | ||
import java.io.IOException; | ||
|
||
import static org.hisp.dhis.external.conf.ConfigurationKey.OIDC_LOGOUT_REDIRECT_URL; | ||
|
||
/** | ||
* @author Morten Svanæs <[email protected]> | ||
*/ | ||
@Slf4j | ||
@Component | ||
public class DhisOidcLogoutSuccessHandler | ||
implements LogoutSuccessHandler | ||
{ | ||
private OidcClientInitiatedLogoutSuccessHandler handler; | ||
|
||
@Autowired | ||
private DhisClientRegistrationRepository dhisClientRegistrationRepository; | ||
|
||
@Autowired | ||
public DhisConfigurationProvider dhisConfigurationProvider; | ||
|
||
@PostConstruct | ||
public void init() | ||
{ | ||
String logoutUri = dhisConfigurationProvider.getProperty( OIDC_LOGOUT_REDIRECT_URL ); | ||
this.handler = new OidcClientInitiatedLogoutSuccessHandler( dhisClientRegistrationRepository ); | ||
this.handler.setPostLogoutRedirectUri( logoutUri ); | ||
} | ||
|
||
@Override | ||
public void onLogoutSuccess( HttpServletRequest request, HttpServletResponse response, | ||
Authentication authentication ) | ||
throws IOException, ServletException | ||
{ | ||
handler.onLogoutSuccess( request, response, authentication ); | ||
} | ||
} |
161 changes: 161 additions & 0 deletions
161
...dhis-service-core/src/main/java/org/hisp/dhis/security/oidc/provider/AzureAdProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,161 @@ | ||
package org.hisp.dhis.security.oidc.provider; | ||
|
||
/* | ||
* Copyright (c) 2004-2020, University of Oslo | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* Redistributions of source code must retain the above copyright notice, this | ||
* list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* Neither the name of the HISP project nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | ||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR | ||
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON | ||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
|
||
import com.google.common.base.MoreObjects; | ||
import com.google.common.collect.ImmutableList; | ||
import org.hisp.dhis.external.conf.DhisConfigurationProvider; | ||
import org.hisp.dhis.security.oidc.DhisOidcClientRegistration; | ||
import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
import org.springframework.security.oauth2.core.AuthenticationMethod; | ||
import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod; | ||
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames; | ||
|
||
import java.util.HashMap; | ||
import java.util.List; | ||
import java.util.Objects; | ||
import java.util.Properties; | ||
|
||
/** | ||
* @author Morten Svanæs <[email protected]> | ||
*/ | ||
public class AzureAdProvider extends DhisOidcProvider | ||
{ | ||
public static final String PROVIDER_PREFIX = "oidc.provider.azure."; | ||
|
||
public static final String AZURE_TENANT = ".tenant"; | ||
|
||
public static final String AZURE_CLIENT_ID = ".client_id"; | ||
|
||
public static final String AZURE_CLIENT_SECRET = ".client_secret"; | ||
|
||
public static final String AZURE_REDIRECT_BASE_URL = ".redirect_baseurl"; | ||
|
||
public static final String AZURE_MAPPING_CLAIM = ".mapping_claim"; | ||
|
||
public static final String AZURE_SUPPORT_LOGOUT = ".support_logout"; | ||
|
||
private AzureAdProvider() | ||
{ | ||
throw new IllegalStateException( "Utility class" ); | ||
} | ||
|
||
public static List<DhisOidcClientRegistration> buildList( DhisConfigurationProvider config ) | ||
{ | ||
Objects.requireNonNull( config, "DhisConfigurationProvider is missing!" ); | ||
|
||
ImmutableList.Builder<DhisOidcClientRegistration> clients = ImmutableList.builder(); | ||
|
||
int i = 0; | ||
|
||
while ( true ) | ||
{ | ||
Properties properties = config.getProperties(); | ||
String tenantKey = PROVIDER_PREFIX + i + AZURE_TENANT; | ||
String tenant = properties.getProperty( tenantKey, "" ); | ||
if ( tenant.isEmpty() ) | ||
{ | ||
break; | ||
} | ||
|
||
String key = PROVIDER_PREFIX + i + AZURE_CLIENT_ID; | ||
String clientId = properties.getProperty( key, "" ); | ||
if ( clientId.isEmpty() ) | ||
{ | ||
throw new IllegalArgumentException( "Azure client id is missing! tenant=" + tenant ); | ||
} | ||
|
||
String clientSecret = config.getProperties() | ||
.getProperty( PROVIDER_PREFIX + i + AZURE_CLIENT_SECRET ); | ||
if ( clientSecret.isEmpty() ) | ||
{ | ||
throw new IllegalArgumentException( "Azure client secret is missing! tenant=" + tenant ); | ||
} | ||
String redirectBaseUrl = MoreObjects | ||
.firstNonNull( config.getProperties().getProperty( PROVIDER_PREFIX + i + AZURE_REDIRECT_BASE_URL ), | ||
"http://localhost:8080" ); | ||
|
||
String mappingClaims = MoreObjects.firstNonNull( config.getProperties() | ||
.getProperty( PROVIDER_PREFIX + i + AZURE_MAPPING_CLAIM ), "email" ); | ||
|
||
// Well known url for reference. In a perfect world we would dynamically parse this. | ||
// https://login.microsoftonline.com/"+tenant+"/v2.0/.well-known/openid-configuration | ||
|
||
String baseUrl = "https://login.microsoftonline.com/"; | ||
|
||
ClientRegistration.Builder builder = getBuilder( tenant ); | ||
builder.scope( "openid", "profile", "email" ); | ||
builder.authorizationUri( baseUrl + tenant + "/oauth2/v2.0/authorize" ); | ||
builder.tokenUri( baseUrl + tenant + "/oauth2/v2.0/token" ); | ||
builder.jwkSetUri( baseUrl + tenant + "/discovery/v2.0/keys" ); | ||
builder.userInfoUri( "https://graph.microsoft.com/oidc/userinfo" ); | ||
|
||
builder.clientName( tenant ); | ||
builder.clientId( clientId ); | ||
builder.clientSecret( clientSecret ); | ||
|
||
builder.redirectUriTemplate( redirectBaseUrl + DEFAULT_CODE_URL_TEMPLATE ); | ||
builder.userInfoAuthenticationMethod( AuthenticationMethod.HEADER ); | ||
builder.userNameAttributeName( IdTokenClaimNames.SUB ); | ||
|
||
boolean supportLogout = Boolean.parseBoolean( MoreObjects.firstNonNull( config.getProperties() | ||
.getProperty( PROVIDER_PREFIX + i + AZURE_MAPPING_CLAIM ), "TRUE" ) ); | ||
|
||
if ( supportLogout ) | ||
{ | ||
HashMap<String, Object> metadata = new HashMap<>(); | ||
metadata.put( "end_session_endpoint", | ||
baseUrl + tenant + "/oauth2/v2.0/logout" ); | ||
builder.providerConfigurationMetadata( metadata ); | ||
} | ||
|
||
DhisOidcClientRegistration dhisClient = DhisOidcClientRegistration.builder() | ||
.clientRegistration( builder.build() ) | ||
.mappingClaimKey( mappingClaims ) | ||
.registrationId( tenant ) | ||
.build(); | ||
|
||
clients.add( dhisClient ); | ||
|
||
i++; | ||
} | ||
|
||
return clients.build(); | ||
} | ||
|
||
private static ClientRegistration.Builder getBuilder( String registrationId ) | ||
{ | ||
ClientRegistration.Builder builder = ClientRegistration.withRegistrationId( registrationId ); | ||
builder.clientAuthenticationMethod( ClientAuthenticationMethod.BASIC ); | ||
builder.authorizationGrantType( AuthorizationGrantType.AUTHORIZATION_CODE ); | ||
builder.redirectUriTemplate( DEFAULT_REDIRECT_URL ); | ||
return builder; | ||
} | ||
} |
38 changes: 38 additions & 0 deletions
38
...his-service-core/src/main/java/org/hisp/dhis/security/oidc/provider/DhisOidcProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package org.hisp.dhis.security.oidc.provider;/* | ||
* Copyright (c) 2004-2020, University of Oslo | ||
* All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* Redistributions of source code must retain the above copyright notice, this | ||
* list of conditions and the following disclaimer. | ||
* | ||
* Redistributions in binary form must reproduce the above copyright notice, | ||
* this list of conditions and the following disclaimer in the documentation | ||
* and/or other materials provided with the distribution. | ||
* Neither the name of the HISP project nor the names of its contributors may | ||
* be used to endorse or promote products derived from this software without | ||
* specific prior written permission. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND | ||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR | ||
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON | ||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
*/ | ||
|
||
/** | ||
* @author Morten Svanæs <[email protected]> | ||
*/ | ||
public abstract class DhisOidcProvider | ||
{ | ||
protected static final String DEFAULT_REDIRECT_URL = "{baseUrl}/{action}/oauth2/code/{registrationId}"; | ||
|
||
protected static final String DEFAULT_CODE_URL_TEMPLATE = "/oauth2/code/{registrationId}"; | ||
} | ||
|
Oops, something went wrong.