Implementation UserProfileHandler (issue #8)

imixs-oidc/README.md

@@ -4,6 +4,7 @@ This project provides a generic library to setup an OpenID Connect security mech
 
 More information:
 
+- [Imixs Office Workflow OIDC](https://doc.office-workflow.com/auth/oidc/keycloak.html)
 - [Jakarte EE Specification details](https://jakarta.ee/specifications/security/3.0/jakarta-security-spec-3.0.html#openid-connect-annotation)
 - [Keycloak integration](https://docs.payara.fish/enterprise/docs/Technical%20Documentation/Public%20API/OpenID%20Connect%20Support.html)
 - [Securing WildFly Apps](https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/)
@@ -34,11 +35,13 @@ The OpenID Client configuration attributes can be configured via Microprofile Co
 
 | Environment Param       | Description                                           |
 | ----------------------- | ----------------------------------------------------- |
-| OIDCCONFIG_ISSUERURI    | endpoint for indentity provider                       |
+| OIDCCONFIG_ISSUERURI    | endpoint for identity provider                        |
 | OIDCCONFIG_CLIENTID     | OIDC Client ID                                        |
 | OIDCCONFIG_CLIENTSECRET | Client secret                                         |
 | OIDCCONFIG_REDIRECTURI  | Redirect URI - application address with /callback uri |
 
+Note that the module provides a redirect servlet with the endpoint `/callback` this is the endpoint typically used by the identity provider as the callback uri. You will find more information about how to setup your identity provider in the [Imixs Office Workflow OIDC documentation pages](https://doc.office-workflow.com/auth/oidc/keycloak.html).
+
 ### Wildfly
 
 To Enable the OpenIdAuthenticationMechanismDefinition in Wildfly Server you need to disable the integrated jaspi module.
@@ -60,6 +63,11 @@ or by changing the standalone.xml file:
 
 Find also other options for Wildfly here: https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/
 
+### User Profile Update
+
+When using the [Imixs-Marty library](https://github.com/imixs/imixs-marty) the module automatically
+updates the user profile with the attributes provided by the OpenID provider. The class `UserProfileHandler` is a CDI Observer bean listening to the Marty Profile event (`org.imixs.marty.profile.ProfileEvent`). A project may implement an alternative mechanism to this bean.
+
 ### Debug
 
 After you have configured the library and deployed your application you can request details about the authenticated user by the Rest API endpoint /oidc:

imixs-oidc/pom.xml

@@ -1,4 +1,6 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<parent>
 		<artifactId>imixs-security</artifactId>
 		<groupId>org.imixs.security</groupId>
@@ -69,5 +71,22 @@
 			<type>pom</type>
 			<scope>provided</scope>
 		</dependency>
+
+		<!-- Imixs Workflow -->
+		<dependency>
+			<groupId>org.imixs.workflow</groupId>
+			<artifactId>imixs-workflow-core</artifactId>
+			<version>${org.imixs.workflow.version}</version>
+		</dependency>
+
+
+		<!-- Marty (optional) -->
+		<dependency>
+			<groupId>org.imixs.workflow</groupId>
+			<artifactId>imixs-marty</artifactId>
+			<version>${org.imixs.marty.version}</version>
+			<type>jar</type>
+			<scope>provided</scope>
+		</dependency>
 	</dependencies>
 </project> 

imixs-oidc/src/main/java/org/imixs/oidc/UserProfileHandler.java

@@ -0,0 +1,71 @@
+package org.imixs.oidc;
+
+import java.io.Serializable;
+import java.nio.file.AccessDeniedException;
+import java.security.Principal;
+import java.util.logging.Logger;
+
+import org.imixs.marty.profile.ProfileEvent;
+import org.imixs.workflow.ItemCollection;
+
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.enterprise.event.Observes;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.identitystore.openid.AccessToken;
+import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
+
+/**
+ * This class UserProfileHandler is a CDI Observer bean listening to updates of
+ * a Imixs-Marty profile during the login process.
+ * It automatically updates the user profile with the attributes provided by the
+ * OpenID provider.
+ * 
+ */
+@RequestScoped
+public class UserProfileHandler implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private static Logger logger = Logger.getLogger(OidcAuthenticationHandler.class.getName());
+
+    @Inject
+    Principal principal;
+
+    @Inject
+    private OpenIdContext context;
+
+    /**
+     * ProfileEvent listener to update a new profile with the user attributes
+     * provided by the OpenID provider.
+     * 
+     * @param workflowEvent
+     * @throws AccessDeniedException
+     */
+    public void onProfileEvent(@Observes ProfileEvent profileEvent) throws AccessDeniedException {
+
+        int eventType = profileEvent.getEventType();
+
+        ItemCollection profile = profileEvent.getProfile();
+        if (profile == null) {
+            return;
+        }
+
+        // reset orderItems if workItem has changed
+        if (context != null
+                && (ProfileEvent.ON_PROFILE_CREATE == eventType || ProfileEvent.ON_PROFILE_LOGIN == eventType)) {
+
+            AccessToken accessToken = context.getAccessToken();
+            String userName = "" + accessToken.getClaim("name");
+            String email = "" + accessToken.getClaim("email");
+
+            if (!email.equals(profile.getItemValueString("txtemail"))
+                    || !userName.equals(profile.getItemValueString("txtusername"))) {
+                logger.info("...update profile data...");
+                profile.setItemValue("txtemail", email);
+                profile.setItemValue("txtusername", userName);
+            }
+
+        }
+
+    }
+
+}

pom.xml

@@ -1,4 +1,6 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.imixs.security</groupId>
 	<artifactId>imixs-security</artifactId>
@@ -79,6 +81,8 @@
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<jakarta.version>10.0.0</jakarta.version>
+		<org.imixs.workflow.version>6.1.0</org.imixs.workflow.version>
+		<org.imixs.marty.version>5.0.2</org.imixs.marty.version>
 		<microprofile.version>3.0</microprofile.version>
 	</properties>