Class LoginConlet

All Implemented Interfaces:
Iterable<ComponentType>, Channel, ComponentType, Eligible, Manager

A login conlet for OIDC-based logins with a fallback to password-based logins.

OIDC providers can be configured as property “oidcProviders” of the conlet:

"...":
  "/LoginConlet":
    oidcProviders:
    - name: my-provider
      displayName: My Provider
      configurationEndpoint: https://test.com/.well-known/openid-configuration
      # If no configurationEndpoint is available, the authorizationEndpoint 
      # and the tokenEndpoint can be configured instead
      # authorizationEndpoint: ...
      # tokenEndpoint: ...
      clientId: "WebConsoleTest"
      secret: "(unknown)"
      # The size of the popup window for the provider's login dialog
      popup:
        # Size of the popup windows for authentication. Either
        # relative to the browser window's size or absolute in pixels
        factor: 0.6
        # width: 1600
        # height: 600
      # Only users with one of the roles listed here are allowed to login.
      # The check is performed against the roles reported by the provider
      # before any role mappings are applied (see below).
      # An empty role name in this list allows users without any role 
      # to login.
      authorizedRoles:
      - "admin"
      - "user"
      - ""
      # Mappings to be applied to the preferred user name reported
      # by the provider. The list is evaluated up to the first match.
      userMappings:
      - from: "(.*)"
        to: "$1@oidc"
      # Mappings to be applied to the role names reported by the 
      # provider. The list is evaluated up to the first match.
      roleMappings:
      - from: "(.*)"
        to: "$1@oidc"

The user id of the authenticated user is taken from the ID token’s claim preferred_username and the display name from the claim name. Roles are created from the ID token’s claim roles; emitting this claim usually has to be enabled explicitly in the provider’s configuration. Roles can also be assigned independently, based on the user id, by another component, thus separating authentication by the OIDC provider from role management.
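The following Python example is added here to illustrate the documented login decision; it is not the conlet's own code. It models the order that matters for authorization: authorizedRoles is checked against the roles exactly as the provider reported them, and only then are userMappings and roleMappings applied, each up to the first matching rule. Assumptions: a "from" pattern must match the whole value, "$n" in "to" is a regex group reference as in Java, and the "grp-" rule and the ID token claims are constructed for the example.

```python
import re

# Constructed provider configuration using the documented keys; the "grp-" rule
# is added here to show first-match evaluation and is not from the original page.
PROVIDER_CONFIG = {
    "authorizedRoles": ["admin", "user", ""],
    "userMappings": [{"from": "(.*)", "to": "$1@oidc"}],
    "roleMappings": [
        {"from": "grp-(.*)", "to": "$1"},
        {"from": "(.*)", "to": "$1@oidc"},
    ],
}


def _to_python_template(to: str) -> str:
    """Translate Java-style $1 group references from the YAML into Python's \\g<1>."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", to)


def apply_mappings(value: str, mappings: list) -> str:
    """Apply the first rule whose 'from' pattern matches; unmatched values pass through.

    Assumption: a pattern has to match the whole value (like Java's Matcher.matches()).
    """
    for rule in mappings:
        m = re.fullmatch(rule["from"], value)
        if m:
            return m.expand(_to_python_template(rule["to"]))
    return value


def is_authorized(provider_roles: list, authorized_roles: list) -> bool:
    """Enforce authorizedRoles on the roles as reported by the provider, i.e. before
    roleMappings; an empty role name in the list admits users without any role."""
    if not provider_roles:
        return "" in authorized_roles
    return any(role in authorized_roles for role in provider_roles)


def login_from_id_token(claims: dict, config: dict):
    """Return (user_id, display_name, roles) for an accepted login, None if refused."""
    provider_roles = claims.get("roles", [])  # absent unless the provider emits the claim
    if not is_authorized(provider_roles, config["authorizedRoles"]):
        return None
    user_id = apply_mappings(claims["preferred_username"], config["userMappings"])
    roles = [apply_mappings(r, config["roleMappings"]) for r in provider_roles]
    return user_id, claims.get("name"), roles
```

Note that a user whose only role is "grp-admin" is refused even though the first role mapping would turn it into "admin", because the check runs on the unmapped provider roles.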

The component requires that an instance of OidcClient handles the StartOidcLogin events fired on the component’s channel.

As a fallback, local users can be configured as property “users”:

"...":
  "/LoginConlet":
    users:
    - name: admin
      # Full name is optional
      fullName: Administrator
      password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
    - name: test
      fullName: Test Account
      email: test@test.com
      password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"

Passwords are hashed using bcrypt.

The local login part of the dialog is only shown if at least one user is configured.