From 81f3d36a917837458b0cfac997fe41593e0146b4 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Wed, 8 Jan 2025 17:51:03 +1100 Subject: [PATCH 1/4] Issue #12644 - use builder API to construct OpenIdConfiguration Signed-off-by: Lachlan Roberts --- .../security/openid/OpenIdAuthenticator.java | 2 +- .../openid/OpenIdAuthenticationTest.java | 13 +- .../src/main/config/etc/jetty-openid.xml | 47 ++-- .../security/openid/OpenIdAuthenticator.java | 2 +- .../security/openid/OpenIdConfiguration.java | 258 ++++++++++++++++-- .../openid/OpenIdAuthenticationTest.java | 13 +- .../openid/OpenIdCredentialsTest.java | 3 +- .../security/openid/OpenIdRealmNameTest.java | 18 +- .../jetty/tests/distribution/OpenIdTests.java | 1 - 9 files changed, 283 insertions(+), 74 deletions(-) diff --git a/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticator.java b/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticator.java index 4e3663a2b921..0f602f1e66d3 100644 --- a/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticator.java +++ b/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticator.java @@ -638,7 +638,7 @@ protected String getChallengeUri(Request request) scopes.append(" ").append(s); } - return _openIdConfiguration.getAuthEndpoint() + + return _openIdConfiguration.getAuthorizationEndpoint() + "?client_id=" + UrlEncoded.encodeString(_openIdConfiguration.getClientId(), StandardCharsets.UTF_8) + "&redirect_uri=" + UrlEncoded.encodeString(getRedirectUri(request), StandardCharsets.UTF_8) + "&scope=openid" + UrlEncoded.encodeString(scopes.toString(), StandardCharsets.UTF_8) + diff --git a/jetty-ee9/jetty-ee9-openid/src/test/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticationTest.java b/jetty-ee9/jetty-ee9-openid/src/test/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticationTest.java index b98937811847..ec5375a1266a 100644 --- a/jetty-ee9/jetty-ee9-openid/src/test/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticationTest.java +++ b/jetty-ee9/jetty-ee9-openid/src/test/java/org/eclipse/jetty/ee9/security/openid/OpenIdAuthenticationTest.java @@ -19,7 +19,6 @@ import java.util.List; import java.util.Map; import java.util.concurrent.atomic.AtomicBoolean; -import java.util.function.Consumer; import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServlet; @@ -70,10 +69,10 @@ public class OpenIdAuthenticationTest public void setup(LoginService loginService) throws Exception { - setup(loginService, null); + setup(loginService, false); } - public void setup(LoginService loginService, Consumer configure) throws Exception + public void setup(LoginService loginService, boolean logoutWhenIdTokenIsExpired) throws Exception { openIdProvider = new OpenIdProvider(CLIENT_ID, CLIENT_SECRET); openIdProvider.start(); @@ -123,9 +122,9 @@ public void setup(LoginService loginService, Consumer confi securityHandler.addConstraintMapping(adminMapping); // Authentication using local OIDC Provider - OpenIdConfiguration openIdConfiguration = new OpenIdConfiguration(openIdProvider.getProvider(), CLIENT_ID, CLIENT_SECRET); - if (configure != null) - configure.accept(openIdConfiguration); + OpenIdConfiguration openIdConfiguration = new OpenIdConfiguration.Builder(openIdProvider.getProvider(), CLIENT_ID, CLIENT_SECRET) + .logoutWhenIdTokenIsExpired(logoutWhenIdTokenIsExpired) + .build(); server.addBean(openIdConfiguration); securityHandler.setInitParameter(OpenIdAuthenticator.REDIRECT_PATH, "/redirect_path"); securityHandler.setInitParameter(OpenIdAuthenticator.ERROR_PAGE, "/error"); @@ -284,7 +283,7 @@ public boolean validate(UserIdentity user) @Test public void testExpiredIdToken() throws Exception { - setup(null, config -> config.setLogoutWhenIdTokenIsExpired(true)); + setup(null, true); long idTokenExpiryTime = 2000; openIdProvider.setIdTokenDuration(idTokenExpiryTime); openIdProvider.setUser(new OpenIdProvider.User("123456789", "Alice")); diff --git a/jetty-integrations/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-integrations/jetty-openid/src/main/config/etc/jetty-openid.xml index 7e6760891dc4..4f05e76265e7 100644 --- a/jetty-integrations/jetty-openid/src/main/config/etc/jetty-openid.xml +++ b/jetty-integrations/jetty-openid/src/main/config/etc/jetty-openid.xml @@ -1,5 +1,5 @@ - + @@ -20,35 +20,34 @@ + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - - - - - - - - - - - - - - + diff --git a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java index 4bef49c31530..63c791a667a5 100644 --- a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java +++ b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java @@ -687,7 +687,7 @@ protected String getChallengeUri(Request request) scopes.append(" ").append(s); } - return _openIdConfiguration.getAuthEndpoint() + + return _openIdConfiguration.getAuthorizationEndpoint() + "?client_id=" + UrlEncoded.encodeString(_openIdConfiguration.getClientId(), StandardCharsets.UTF_8) + "&redirect_uri=" + UrlEncoded.encodeString(getRedirectUri(request), StandardCharsets.UTF_8) + "&scope=openid" + UrlEncoded.encodeString(scopes.toString(), StandardCharsets.UTF_8) + diff --git a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index fcd9049c990d..613dca9e7a54 100644 --- a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -38,6 +38,165 @@ */ public class OpenIdConfiguration extends ContainerLifeCycle { +/** + *

Builder for {@link OpenIdConfiguration}.

+ *

The only required parameters are {@link #issuer}, {@link #clientId} and {@link #clientSecret}.

+ *

The {@link #authorizationEndpoint}, {@link #tokenEndpoint} and {@link #endSessionEndpoint} will be retrieved + * from the OpenID metadata at .well-known/openid-configuration if they are not explicitly specified.

+ */ + public static class Builder + { + private String issuer; + private String clientId; + private String clientSecret; + + private String authorizationEndpoint; + private String tokenEndpoint; + private String endSessionEndpoint; + private String authenticationMethod; + private HttpClient httpClient; + + private boolean authenticateNewUsers = false; + private boolean logoutWhenIdTokenIsExpired = false; + private final List scopes = new ArrayList<>(); + + /** + * Create a Builder for an OpenID Configuration. + */ + public Builder() + { + } + + /** + * Create a Builder for an OpenID Configuration. + * @param issuer The URL of the OpenID provider. + * @param clientId OAuth 2.0 Client Identifier valid at the OpenID provider. + * @param clientSecret The client secret known only by the Client and the OpenID provider. + */ + public Builder(@Name("issuer") String issuer, @Name("clientId") String clientId, @Name("clientSecret") String clientSecret) + { + issuer(issuer); + clientId(clientId); + clientSecret(clientSecret); + } + + /** + * @param issuer The URL of the OpenID provider. + */ + public Builder issuer(String issuer) + { + this.issuer = issuer; + return this; + } + + /** + * @param clientId OAuth 2.0 Client Identifier valid at the OpenID provider. + */ + public Builder clientId(String clientId) + { + this.clientId = clientId; + return this; + } + + /** + * @param clientSecret The client secret known only by the Client and the OpenID provider. + */ + public Builder clientSecret(String clientSecret) + { + this.clientSecret = clientSecret; + return this; + } + + /** + * @param authorizationEndpoint the URL of the OpenID provider's authorization endpoint if configured. + */ + public Builder authorizationEndpoint(String authorizationEndpoint) + { + this.authorizationEndpoint = authorizationEndpoint; + return this; + } + + /** + * @param tokenEndpoint the URL of the OpenID provider's token endpoint if configured. + */ + public Builder tokenEndpoint(String tokenEndpoint) + { + this.tokenEndpoint = tokenEndpoint; + return this; + } + + /** + * @param endSessionEndpoint the URL of the OpenID provider's end session endpoint if configured. + */ + public Builder endSessionEndpoint(String endSessionEndpoint) + { + this.endSessionEndpoint = endSessionEndpoint; + return this; + } + + /** + * @param authenticationMethod Authentication method to use with the Token Endpoint. + */ + public Builder authenticationMethod(String authenticationMethod) + { + this.authenticationMethod = authenticationMethod; + return this; + } + + /** + * @param httpClient The {@link HttpClient} instance to use. + */ + public Builder httpClient(HttpClient httpClient) + { + this.httpClient = httpClient; + return this; + } + + /** + * @param authenticateNewUsers Whether to authenticate new users. + */ + public Builder authenticateNewUsers(boolean authenticateNewUsers) + { + this.authenticateNewUsers = authenticateNewUsers; + return this; + } + + /** + * @param scopes The scopes to request. + */ + public Builder scopes(String... scopes) + { + if (scopes != null) + Collections.addAll(this.scopes, scopes); + return this; + } + + /** + * @param logoutWhenIdTokenIsExpired Whether to logout when the ID token is expired. + */ + public Builder logoutWhenIdTokenIsExpired(boolean logoutWhenIdTokenIsExpired) + { + this.logoutWhenIdTokenIsExpired = logoutWhenIdTokenIsExpired; + return this; + } + + /** + * @return a new {@link OpenIdConfiguration} instance. + */ + public OpenIdConfiguration build() + { + if (issuer == null) + throw new IllegalArgumentException("Issuer was not configured"); + if (clientId == null) + throw new IllegalArgumentException("clientId was not configured"); + if (clientSecret == null) + throw new IllegalArgumentException("clientSecret was not configured"); + + return new OpenIdConfiguration(issuer, clientId, clientSecret, authorizationEndpoint, tokenEndpoint, + endSessionEndpoint, authenticationMethod, httpClient, authenticateNewUsers, logoutWhenIdTokenIsExpired, scopes); + } + } + private static final Logger LOG = LoggerFactory.getLogger(OpenIdConfiguration.class); private static final String CONFIG_PATH = "/.well-known/openid-configuration"; private static final String AUTHORIZATION_ENDPOINT = "authorization_endpoint"; @@ -51,18 +210,20 @@ public class OpenIdConfiguration extends ContainerLifeCycle private final String clientSecret; private final List scopes = new ArrayList<>(); private final String authenticationMethod; - private String authEndpoint; + private String authorizationEndpoint; private String tokenEndpoint; private String endSessionEndpoint; - private boolean authenticateNewUsers = false; - private boolean logoutWhenIdTokenIsExpired = false; + private boolean authenticateNewUsers; + private boolean logoutWhenIdTokenIsExpired; /** * Create an OpenID configuration for a specific OIDC provider. * @param provider The URL of the OpenID provider. * @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server. * @param clientSecret The client secret known only by the Client and the Authorization Server. + * @deprecated Use {@link Builder} instead. */ + @Deprecated(since = "12.1.0", forRemoval = true) public OpenIdConfiguration(String provider, String clientId, String clientSecret) { this(provider, null, null, clientId, clientSecret, null); @@ -76,7 +237,9 @@ public OpenIdConfiguration(String provider, String clientId, String clientSecret * @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server. * @param clientSecret The client secret known only by the Client and the Authorization Server. * @param httpClient The {@link HttpClient} instance to use. + * @deprecated Use {@link Builder} instead. */ + @Deprecated(since = "12.1.0", forRemoval = true) public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, String clientId, String clientSecret, HttpClient httpClient) { @@ -92,7 +255,9 @@ public OpenIdConfiguration(String issuer, String authorizationEndpoint, String t * @param clientSecret The client secret known only by the Client and the Authorization Server. * @param authenticationMethod Authentication method to use with the Token Endpoint. * @param httpClient The {@link HttpClient} instance to use. + * @deprecated Use {@link Builder} instead. */ + @Deprecated(since = "12.1.0", forRemoval = true) public OpenIdConfiguration(@Name("issuer") String issuer, @Name("authorizationEndpoint") String authorizationEndpoint, @Name("tokenEndpoint") String tokenEndpoint, @@ -114,7 +279,9 @@ public OpenIdConfiguration(@Name("issuer") String issuer, * @param clientSecret The client secret known only by the Client and the Authorization Server. * @param authenticationMethod Authentication method to use with the Token Endpoint. * @param httpClient The {@link HttpClient} instance to use. + * @deprecated Use {@link Builder} instead. */ + @Deprecated(since = "12.1.0", forRemoval = true) public OpenIdConfiguration(@Name("issuer") String issuer, @Name("authorizationEndpoint") String authorizationEndpoint, @Name("tokenEndpoint") String tokenEndpoint, @@ -123,15 +290,47 @@ public OpenIdConfiguration(@Name("issuer") String issuer, @Name("clientSecret") String clientSecret, @Name("authenticationMethod") String authenticationMethod, @Name("httpClient") HttpClient httpClient) + { + this(issuer, clientId, clientSecret, authorizationEndpoint, tokenEndpoint, endSessionEndpoint, authenticationMethod, httpClient, false, false, Collections.emptyList()); + } + + /** + * Create an OpenID configuration for a specific OIDC provider. + * @param issuer The URL of the OpenID provider. + * @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server. + * @param clientSecret The client secret known only by the Client and the Authorization Server. + * @param authorizationEndpoint the URL of the OpenID provider's authorization endpoint if configured. + * @param tokenEndpoint the URL of the OpenID provider's token endpoint if configured. + * @param endSessionEndpoint the URL of the OpdnID provider's end session endpoint if configured. + * @param authenticationMethod Authentication method to use with the Token Endpoint. + * @param httpClient The {@link HttpClient} instance to use. + * @param authenticateNewUsers Whether to authenticate new users. + * @param logoutWhenIdTokenIsExpired Whether to logout when the ID token is expired. + * @param scopes The scopes to request. + */ + private OpenIdConfiguration(@Name("issuer") String issuer, + @Name("clientId") String clientId, + @Name("clientSecret") String clientSecret, + @Name("authorizationEndpoint") String authorizationEndpoint, + @Name("tokenEndpoint") String tokenEndpoint, + @Name("endSessionEndpoint") String endSessionEndpoint, + @Name("authenticationMethod") String authenticationMethod, + @Name("httpClient") HttpClient httpClient, + @Name("authenticateNewUsers") boolean authenticateNewUsers, + @Name("logoutWhenIdTokenIsExpired") boolean logoutWhenIdTokenIsExpired, + @Name("scopes") List scopes) { this.issuer = issuer; this.clientId = clientId; this.clientSecret = clientSecret; - this.authEndpoint = authorizationEndpoint; + this.authorizationEndpoint = authorizationEndpoint; this.endSessionEndpoint = endSessionEndpoint; this.tokenEndpoint = tokenEndpoint; this.httpClient = httpClient != null ? httpClient : newHttpClient(); this.authenticationMethod = authenticationMethod == null ? "client_secret_post" : authenticationMethod; + this.authenticateNewUsers = authenticateNewUsers; + this.logoutWhenIdTokenIsExpired = logoutWhenIdTokenIsExpired; + this.scopes.addAll(scopes); if (this.issuer == null) throw new IllegalArgumentException("Issuer was not configured"); @@ -144,7 +343,7 @@ protected void doStart() throws Exception { super.doStart(); - if (authEndpoint == null || tokenEndpoint == null) + if (authorizationEndpoint == null || tokenEndpoint == null) { Map discoveryDocument = fetchOpenIdConnectMetadata(); processMetadata(discoveryDocument); @@ -159,8 +358,8 @@ protected void doStart() throws Exception */ protected void processMetadata(Map discoveryDocument) { - authEndpoint = (String)discoveryDocument.get(AUTHORIZATION_ENDPOINT); - if (authEndpoint == null) + authorizationEndpoint = (String)discoveryDocument.get(AUTHORIZATION_ENDPOINT); + if (authorizationEndpoint == null) throw new IllegalStateException(AUTHORIZATION_ENDPOINT); tokenEndpoint = (String)discoveryDocument.get(TOKEN_ENDPOINT); @@ -220,9 +419,9 @@ public HttpClient getHttpClient() return httpClient; } - public String getAuthEndpoint() + public String getAuthorizationEndpoint() { - return authEndpoint; + return authorizationEndpoint; } public String getClientId() @@ -255,15 +454,9 @@ public String getAuthenticationMethod() return authenticationMethod; } - public void addScopes(String... scopes) - { - if (scopes != null) - Collections.addAll(this.scopes, scopes); - } - public List getScopes() { - return scopes; + return Collections.unmodifiableList(scopes); } public boolean isAuthenticateNewUsers() @@ -271,16 +464,43 @@ public boolean isAuthenticateNewUsers() return authenticateNewUsers; } + public boolean isLogoutWhenIdTokenIsExpired() + { + return logoutWhenIdTokenIsExpired; + } + + /** + * @deprecated use {@link #getAuthorizationEndpoint()} instead. + */ + @Deprecated(since = "12.1.0", forRemoval = true) + public String getAuthEndpoint() + { + return authorizationEndpoint; + } + + /** + * @deprecated use {@link Builder} to configure the OpenID Configuration. + */ + @Deprecated(since = "12.1.0", forRemoval = true) public void setAuthenticateNewUsers(boolean authenticateNewUsers) { this.authenticateNewUsers = authenticateNewUsers; } - public boolean isLogoutWhenIdTokenIsExpired() + /** + * @deprecated use {@link Builder} to configure the OpenID Configuration. + */ + @Deprecated(since = "12.1.0", forRemoval = true) + public void addScopes(String... scopes) { - return logoutWhenIdTokenIsExpired; + if (scopes != null) + Collections.addAll(this.scopes, scopes); } + /** + * @deprecated use {@link Builder} to configure the OpenID Configuration. + */ + @Deprecated(since = "12.1.0", forRemoval = true) public void setLogoutWhenIdTokenIsExpired(boolean logoutWhenIdTokenIsExpired) { this.logoutWhenIdTokenIsExpired = logoutWhenIdTokenIsExpired; @@ -297,6 +517,6 @@ private static HttpClient newHttpClient() public String toString() { return String.format("%s@%x{iss=%s, clientId=%s, authEndpoint=%s, authenticator=%s, tokenEndpoint=%s, scopes=%s, authNewUsers=%s}", - getClass().getSimpleName(), hashCode(), issuer, clientId, authEndpoint, authenticationMethod, tokenEndpoint, scopes, authenticateNewUsers); + getClass().getSimpleName(), hashCode(), issuer, clientId, authorizationEndpoint, authenticationMethod, tokenEndpoint, scopes, authenticateNewUsers); } } diff --git a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java index e122d9b8e5d6..01391100e7d6 100644 --- a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java +++ b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java @@ -19,7 +19,6 @@ import java.util.List; import java.util.Map; import java.util.concurrent.atomic.AtomicBoolean; -import java.util.function.Consumer; import org.eclipse.jetty.client.ContentResponse; import org.eclipse.jetty.client.HttpClient; @@ -71,10 +70,10 @@ public class OpenIdAuthenticationTest public void setup(LoginService loginService) throws Exception { - setup(loginService, null); + setup(loginService, false); } - public void setup(LoginService loginService, Consumer configure) throws Exception + public void setup(LoginService loginService, boolean logoutWhenIdTokenIsExpired) throws Exception { server = new Server(); connector = new ServerConnector(server); @@ -84,9 +83,9 @@ public void setup(LoginService loginService, Consumer confi openIdProvider = new OpenIdProvider(CLIENT_ID, CLIENT_SECRET); openIdProvider.start(); - OpenIdConfiguration openIdConfiguration = new OpenIdConfiguration(openIdProvider.getProvider(), CLIENT_ID, CLIENT_SECRET); - if (configure != null) - configure.accept(openIdConfiguration); + OpenIdConfiguration openIdConfiguration = new OpenIdConfiguration.Builder(openIdProvider.getProvider(), CLIENT_ID, CLIENT_SECRET) + .logoutWhenIdTokenIsExpired(logoutWhenIdTokenIsExpired) + .build(); server.addBean(openIdConfiguration); // Configure SecurityHandler. @@ -274,7 +273,7 @@ public boolean validate(UserIdentity user) @Test public void testExpiredIdToken() throws Exception { - setup(null, config -> config.setLogoutWhenIdTokenIsExpired(true)); + setup(null, true); long idTokenExpiryTime = 2000; openIdProvider.setIdTokenDuration(idTokenExpiryTime); openIdProvider.setUser(new OpenIdProvider.User("123456789", "Alice")); diff --git a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java index 961b01d30e1d..88389699ec66 100644 --- a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java +++ b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java @@ -16,7 +16,6 @@ import java.util.HashMap; import java.util.Map; -import org.eclipse.jetty.client.HttpClient; import org.junit.jupiter.api.Test; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; @@ -28,7 +27,7 @@ public void testSingleAudienceValueInArray() throws Exception { String issuer = "myIssuer123"; String clientId = "myClientId456"; - OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient()); + OpenIdConfiguration configuration = new OpenIdConfiguration.Builder(issuer, clientId, "secret").build(); Map claims = new HashMap<>(); claims.put("iss", issuer); diff --git a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java index 7ad52bbf145f..fb8ad10d533e 100644 --- a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java +++ b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java @@ -43,8 +43,7 @@ public static SecurityHandler configureOpenIdContext(String realmName) public void testSingleConfiguration() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration("provider1", - "", "", "", "", null); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); server.addBean(config1); // Configure two webapps to select configs based on realm name. @@ -74,8 +73,7 @@ public void testSingleConfiguration() throws Exception public void testSingleConfigurationNoRealmName() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration("provider1", - "", "", "", "", null); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); server.addBean(config1); // Configure two webapps to select configs based on realm name. @@ -105,10 +103,8 @@ public void testSingleConfigurationNoRealmName() throws Exception public void testMultipleConfiguration() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration("provider1", - "", "", "", "", null); - OpenIdConfiguration config2 = new OpenIdConfiguration("provider2", - "", "", "", "", null); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); + OpenIdConfiguration config2 = new OpenIdConfiguration.Builder("provider2", "", "").build(); server.addBean(config1); server.addBean(config2); @@ -148,10 +144,8 @@ public void testMultipleConfiguration() throws Exception public void testMultipleConfigurationNoMatch() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration("provider1", - "", "", "", "", null); - OpenIdConfiguration config2 = new OpenIdConfiguration("provider2", - "", "", "", "", null); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); + OpenIdConfiguration config2 = new OpenIdConfiguration.Builder("provider2", "", "").build(); server.addBean(config1); server.addBean(config2); diff --git a/tests/test-distribution/test-distribution-common/src/test/java/org/eclipse/jetty/tests/distribution/OpenIdTests.java b/tests/test-distribution/test-distribution-common/src/test/java/org/eclipse/jetty/tests/distribution/OpenIdTests.java index 113500ff6ee0..de7d6d5c127e 100644 --- a/tests/test-distribution/test-distribution-common/src/test/java/org/eclipse/jetty/tests/distribution/OpenIdTests.java +++ b/tests/test-distribution/test-distribution-common/src/test/java/org/eclipse/jetty/tests/distribution/OpenIdTests.java @@ -42,7 +42,6 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; public class OpenIdTests extends AbstractJettyHomeTest From 3ca5f0ad0d2fb4d1e0a4c9f926701d95a334bb5e Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Fri, 10 Jan 2025 15:22:40 +1100 Subject: [PATCH 2/4] PR #12682 - fix test failures in OpenIdRealmNameTest Signed-off-by: Lachlan Roberts --- .../security/openid/OpenIdRealmNameTest.java | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java index fb8ad10d533e..3fcc06196c26 100644 --- a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java +++ b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java @@ -43,7 +43,10 @@ public static SecurityHandler configureOpenIdContext(String realmName) public void testSingleConfiguration() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") + .authorizationEndpoint("") + .tokenEndpoint("") + .build(); server.addBean(config1); // Configure two webapps to select configs based on realm name. @@ -73,7 +76,10 @@ public void testSingleConfiguration() throws Exception public void testSingleConfigurationNoRealmName() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") + .authorizationEndpoint("") + .tokenEndpoint("") + .build(); server.addBean(config1); // Configure two webapps to select configs based on realm name. @@ -103,8 +109,14 @@ public void testSingleConfigurationNoRealmName() throws Exception public void testMultipleConfiguration() throws Exception { // Add some OpenID configurations. - OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "").build(); - OpenIdConfiguration config2 = new OpenIdConfiguration.Builder("provider2", "", "").build(); + OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") + .authorizationEndpoint("") + .tokenEndpoint("") + .build(); + OpenIdConfiguration config2 = new OpenIdConfiguration.Builder("provider2", "", "") + .authorizationEndpoint("") + .tokenEndpoint("") + .build(); server.addBean(config1); server.addBean(config2); From a84a9bbf56494779a9efbbcfaa8c3e0e7c584aff Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Mon, 13 Jan 2025 16:06:25 +1100 Subject: [PATCH 3/4] PR #12682 - changes from review Signed-off-by: Lachlan Roberts --- .../security/openid/OpenIdConfiguration.java | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index 613dca9e7a54..bb7050af7941 100644 --- a/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-integrations/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -75,6 +75,7 @@ public Builder() */ public Builder(@Name("issuer") String issuer, @Name("clientId") String clientId, @Name("clientSecret") String clientSecret) { + this(); issuer(issuer); clientId(clientId); clientSecret(clientSecret); @@ -308,17 +309,17 @@ public OpenIdConfiguration(@Name("issuer") String issuer, * @param logoutWhenIdTokenIsExpired Whether to logout when the ID token is expired. * @param scopes The scopes to request. */ - private OpenIdConfiguration(@Name("issuer") String issuer, - @Name("clientId") String clientId, - @Name("clientSecret") String clientSecret, - @Name("authorizationEndpoint") String authorizationEndpoint, - @Name("tokenEndpoint") String tokenEndpoint, - @Name("endSessionEndpoint") String endSessionEndpoint, - @Name("authenticationMethod") String authenticationMethod, - @Name("httpClient") HttpClient httpClient, - @Name("authenticateNewUsers") boolean authenticateNewUsers, - @Name("logoutWhenIdTokenIsExpired") boolean logoutWhenIdTokenIsExpired, - @Name("scopes") List scopes) + private OpenIdConfiguration(String issuer, + String clientId, + String clientSecret, + String authorizationEndpoint, + String tokenEndpoint, + String endSessionEndpoint, + String authenticationMethod, + HttpClient httpClient, + boolean authenticateNewUsers, + boolean logoutWhenIdTokenIsExpired, + List scopes) { this.issuer = issuer; this.clientId = clientId; From 3b8761198c2943cc6eb51fd2fc7fcb2c8f9dde16 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Mon, 13 Jan 2025 20:46:37 +1100 Subject: [PATCH 4/4] PR #12682 - changes from review Signed-off-by: Lachlan Roberts --- .../security/openid/OpenIdRealmNameTest.java | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java index 3fcc06196c26..453b33d422ff 100644 --- a/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java +++ b/jetty-integrations/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdRealmNameTest.java @@ -44,8 +44,8 @@ public void testSingleConfiguration() throws Exception { // Add some OpenID configurations. OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") - .authorizationEndpoint("") - .tokenEndpoint("") + .authorizationEndpoint("test") + .tokenEndpoint("test") .build(); server.addBean(config1); @@ -77,8 +77,8 @@ public void testSingleConfigurationNoRealmName() throws Exception { // Add some OpenID configurations. OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") - .authorizationEndpoint("") - .tokenEndpoint("") + .authorizationEndpoint("test") + .tokenEndpoint("test") .build(); server.addBean(config1); @@ -110,12 +110,12 @@ public void testMultipleConfiguration() throws Exception { // Add some OpenID configurations. OpenIdConfiguration config1 = new OpenIdConfiguration.Builder("provider1", "", "") - .authorizationEndpoint("") - .tokenEndpoint("") + .authorizationEndpoint("test") + .tokenEndpoint("test") .build(); OpenIdConfiguration config2 = new OpenIdConfiguration.Builder("provider2", "", "") - .authorizationEndpoint("") - .tokenEndpoint("") + .authorizationEndpoint("test") + .tokenEndpoint("test") .build(); server.addBean(config1); server.addBean(config2);