From 07e1b0ce0e4e73337a09121b5f49e10c4afb4901 Mon Sep 17 00:00:00 2001
From: Ralph Soika
Date: Sat, 25 Jan 2025 10:46:01 +0100
Subject: [PATCH] Implementation UserProfileHandler (issue #8)
---
 imixs-oidc/README.md | 10 ++-
 imixs-oidc/pom.xml | 21 +++++-
 .../org/imixs/oidc/UserProfileHandler.java | 71 +++++++++++++++++++
 pom.xml | 6 +-
 4 files changed, 105 insertions(+), 3 deletions(-)
 create mode 100644 imixs-oidc/src/main/java/org/imixs/oidc/UserProfileHandler.java
diff --git a/imixs-oidc/README.md b/imixs-oidc/README.md
index 82fdca7..855397b 100644
--- a/imixs-oidc/README.md
+++ b/imixs-oidc/README.md
@@ -4,6 +4,7 @@ This project provides a generic library to setup an OpenID Connect security mech
 More information:
+- [Imixs Office Workflow OIDC](https://doc.office-workflow.com/auth/oidc/keycloak.html)
 - [Jakarte EE Specification details](https://jakarta.ee/specifications/security/3.0/jakarta-security-spec-3.0.html#openid-connect-annotation)
 - [Keycloak integration](https://docs.payara.fish/enterprise/docs/Technical%20Documentation/Public%20API/OpenID%20Connect%20Support.html)
 - [Securing WildFly Apps](https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/)
@@ -34,11 +35,13 @@ The OpenID Client configuration attributes can be configured via Microprofile Co
 | Environment Param | Description |
 | ----------------------- | ----------------------------------------------------- |
-| OIDCCONFIG_ISSUERURI | endpoint for indentity provider |
+| OIDCCONFIG_ISSUERURI | endpoint for identity provider |
 | OIDCCONFIG_CLIENTID | OIDC Client ID |
 | OIDCCONFIG_CLIENTSECRET | Client secret |
 | OIDCCONFIG_REDIRECTURI | Redirect URI - application address with /callback uri |
+Note that the module provides a redirect servlet with the endpoint `/callback` this is the endpoint typically used by the identity provider as the callback uri. You will find more information about how to setup your identity provider in the [Imixs Office Workflow OIDC documentation pages](https://doc.office-workflow.com/auth/oidc/keycloak.html).
+
 ### Wildfly
 To Enable the OpenIdAuthenticationMechanismDefinition in Wildfly Server you need to disable the integrated jaspi module.
@@ -60,6 +63,11 @@ or by changing the standalone.xml file:
 Find also other options for Wildfly here: https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/
+### User Profile Update
+
+When using the [Imixs-Marty library](https://github.com/imixs/imixs-marty) the module automatically
+updates the user profile with the attributes provided by the OpenID provider. The class `UserProfileHandler` is a CDI Observer bean listening to the Marty Profile event (`org.imixs.marty.profile.ProfileEvent`). A project may implement an alternative mechanism to this bean.
+
 ### Debug
 After you have configured the library and deployed your application you can request details about the authenticated user by the Rest API endpoint /oidc:
diff --git a/imixs-oidc/pom.xml b/imixs-oidc/pom.xml
index 46aff00..677dd90 100644
--- a/imixs-oidc/pom.xml
+++ b/imixs-oidc/pom.xml
@@ -1,4 +1,6 @@ - + imixs-security org.imixs.security
@@ -69,5 +71,22 @@ pom provided + + + + org.imixs.workflow + imixs-workflow-core + ${org.imixs.workflow.version} + + + + + + org.imixs.workflow + imixs-marty + ${org.imixs.marty.version} + jar + provided +
\ No newline at end of file
diff --git a/imixs-oidc/src/main/java/org/imixs/oidc/UserProfileHandler.java b/imixs-oidc/src/main/java/org/imixs/oidc/UserProfileHandler.java
new file mode 100644
index 0000000..5ba08d2
--- /dev/null
+++ b/imixs-oidc/src/main/java/org/imixs/oidc/UserProfileHandler.java
@@ -0,0 +1,71 @@
+package org.imixs.oidc;
+
+import java.io.Serializable;
+import java.nio.file.AccessDeniedException;
+import java.security.Principal;
+import java.util.logging.Logger;
+
+import org.imixs.marty.profile.ProfileEvent;
+import org.imixs.workflow.ItemCollection;
+
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.enterprise.event.Observes;
+import jakarta.inject.Inject;
+import jakarta.security.enterprise.identitystore.openid.AccessToken;
+import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
+
+/**
+ * This class UserProfileHandler is a CDI Observer bean listening to updates of
+ * a Imixs-Marty profile during the login process.
+ * It automatically updates the user profile with the attributes provided by the
+ * OpenID provider.
+ *
+ */
+@RequestScoped
+public class UserProfileHandler implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private static Logger logger = Logger.getLogger(OidcAuthenticationHandler.class.getName());
+
+    @Inject
+    Principal principal;
+
+    @Inject
+    private OpenIdContext context;
+
+    /**
+     * ProfileEvent listener to update a new profile with the user attributes
+     * provided by the OpenID provider.
+     *
+     * @param workflowEvent
+     * @throws AccessDeniedException
+     */
+    public void onProfileEvent(@Observes ProfileEvent profileEvent) throws AccessDeniedException {
+
+        int eventType = profileEvent.getEventType();
+
+        ItemCollection profile = profileEvent.getProfile();
+        if (profile == null) {
+            return;
+        }
+
+        // reset orderItems if workItem has changed
+        if (context != null
+                && (ProfileEvent.ON_PROFILE_CREATE == eventType || ProfileEvent.ON_PROFILE_LOGIN == eventType)) {
+
+            AccessToken accessToken = context.getAccessToken();
+            String userName = "" + accessToken.getClaim("name");
+            String email = "" + accessToken.getClaim("email");
+
+            if (!email.equals(profile.getItemValueString("txtemail"))
+                    || !userName.equals(profile.getItemValueString("txtusername"))) {
+                logger.info("...update profile data...");
+                profile.setItemValue("txtemail", email);
+                profile.setItemValue("txtusername", userName);
+            }
+
+        }
+
+    }
+
+}
diff --git a/pom.xml b/pom.xml
index 5f3a2ef..99d1d9f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,4 +1,6 @@ - + 4.0.0 org.imixs.security imixs-security
@@ -79,6 +81,8 @@ UTF-8 10.0.0 + 6.1.0 + 5.0.2 3.0
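Review bot: In onProfileEvent, `context.getAccessToken()` is dereferenced without a null check, and `"" + accessToken.getClaim("name")` turns a missing claim into the literal string "null", which the comparison below then writes into `txtusername`/`txtemail`, replacing whatever the profile held. Skipping the update when no token is present and keeping the current profile value for an absent claim avoids that; a sketch follows. The logger line `private static Logger logger = Logger.getLogger(OidcAuthenticationHandler.class.getName());` names a different class and should be `private static final Logger logger = Logger.getLogger(UserProfileHandler.class.getName());`. The comment `// reset orderItems if workItem has changed` and the Javadoc `@param workflowEvent` look copied from elsewhere; the parameter is `profileEvent`, and the comment should say what the branch does, e.g. `// sync name and email from the OpenID claims on profile create or login`. Whether `name` and `email` are present in the access token at all is provider-specific; the ID-token claims exposed through `context.getClaims()` are the more usual source and may be worth checking here.
```java
            AccessToken accessToken = context.getAccessToken();
            if (accessToken == null) {
                // no OpenID token available for this request; leave the profile untouched
                return;
            }
            Object nameClaim = accessToken.getClaim("name");
            Object emailClaim = accessToken.getClaim("email");
            // an absent claim keeps the stored value instead of writing the string "null"
            String userName = nameClaim == null ? profile.getItemValueString("txtusername") : nameClaim.toString();
            String email = emailClaim == null ? profile.getItemValueString("txtemail") : emailClaim.toString();
            // … unchanged: compare with the stored values and update txtemail/txtusername …
```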