[ALS-5514] AIM-AHEAD PIC-SURE AuthN #148

Closed
wants to merge 47 commits into from
Conversation

Gcolon021
Contributor

No description provided.

JamesPeck and others added 28 commits December 14, 2023 13:59
OktaAuthenticationService has been added to handle interactions with Okta's SDK for user authentication. Session status is fetched and checked to verify if a user is authenticated. The necessary Okta SDK dependency is also included in the pic-sure-auth-services module.
This update modifies the HTTP method for the authenticate method in OktaAuthenticationService from POST to GET. This change aligns with our data retrieval patterns, and adapts it to receive parameters from the URL instead of the request body. The import statement was also refactored to use a wildcard import for the javax.ws.rs package.
The commit updates the version of the Okta SDK used in the project to 1.4.0 and introduces a new dependency, okta-sdk-impl. The new dependency and version number are now managed through a property, improving consistency and making version management easier.
This commit adjusts the Okta authentication process to use JNDI lookups instead of environment variables, improving the security and flexibility of the authentication process in `OktaAuthenticationService`. It also includes aesthetic code changes for better readability, like correcting indentation, removing unnecessary imports and refining logger messages for the user.
The error logging code for the Okta provider check has been updated to include the exception message before displaying its custom error. This will facilitate troubleshooting by providing the actual error message alongside potential configuration fixes. Code readability has also been enhanced with minor formatting adjustments.
This commit updates the version of the maven-war-plugin to 3.2.2 in the pom.xml file for the project pic-sure-auth-services. This change is necessary for compatibility with newer versions of Apache Maven.
The Okta authentication service has been restructured. The previous OktaAuthenticationService.java file has been deleted and replaced with a new OktaAuthenticationController.java and a OktaOAuthAuthenticationService.java file. The JAXRSConfiguration.java file also has been updated to reflect the changes in the authentication process with the focus on OAuth authentication rather than sessions.
Added Okta Identity Provider (IDP) setup in JAXRSConfiguration.java, enabling SAML error messages to be logged correctly when fields are missing. Also, irrelevant Okta client secret
A new variable `spClientSecret` is introduced in JAXRSConfiguration.java replacing `clientSecret` for Okta Identity Provider setup. The update also changes the way the fence auth header is formed in OktaOAuthAuthenticationService.java, where the new `spClientSecret` is now used. Efficient error logging is ensured for Okta IDP.
The logging in the OktaAuthenticationController has been updated to more comprehensively record login attempts. It no longer logs just the "code" from the authentication request but builds a loop to log each key-value pair within the request for detailed tracking.
HashMap data structures in the OktaAuthenticationController and OktaOAuthAuthenticationService have been replaced with more generic Map structures. This improves flexibility and maintainability as it's not restrictively tied to the HashMap implementation.
The URLs used for Okta introspect and token requests have been corrected. Previously they erroneously included "/user", which has now been removed to conform with the standard protocol. The token URL has also been amended to include the "https://" protocol, ensuring proper connection handling.
Removed excess log lines in OktaAuthenticationController and added more specific logging in OktaOAuthAuthenticationService. This refines the logging process by reducing verbosity and improving the clarity of the authentication tracking.
Additionally, add logging for redirectURL debugging
@Gcolon021 Gcolon021 changed the base branch from fence-integration-release/0005 to fence-integration January 22, 2024 19:13
Additional logging has been inserted into the OktaOAuthAuthenticationService class. The log records the token introspection response, and a new check is also implemented to ensure user activity, logging a failure if the user is not active.
Gcolon021 and others added 18 commits January 22, 2024 16:08
The Okta introspect endpoint URL in the OktaOAuthAuthenticationService class has been modified. The path "/oauth2/v1/introspect" has been replaced with "/oauth2/default/v1/introspect" to correct the route for token introspection.
Added a new parameter for content type in the doOktaRequest method of the OktaOAuthAuthenticationService class. This allows setting different content types when making requests to Okta API endpoints, improving flexibility and code reuse.
Changes made to the authentication method to rely on the 'access_token'. Previously, the code used our ability to introspect this token; however, the updated format now utilizes the inherent data in "access_token" to properly register the PIC-SURE user in the application.
…uthenticationService. The changes wrap the introspectToken method call in a try/catch block to handle potential IOExceptions and interrupted exceptions. In case of any exceptions, appropriate error messages are logged and returned. The initialization of the user is also moved inside a conditional check to keep it only valid if the introspectResponse exists.
The introspectToken method in OktaOAuthAuthenticationService has been optimized to improve error handling. The HttpClient implementation previously used was replaced by a new method, 'doOktaRequest', to simplify the process. Error messages have been updated for better interpretation in case of exceptions. Code responsible for user initialization has been moved to ensure it only occurs if a valid introspectResponse exists.
Refactored the introspectToken method in the OktaOAuthAuthenticationService to improve the error handling process. Removed the try-catch block for checking the token and replaced it with a simpler implementation. User initialization now only occurs if a valid introspectResponse is present. This leads to cleaner, more readable code and better exception interpretation.
This commit updates the Okta API documentation link in the introspectToken method's comments. It also removes the redundant contentType parameter in the doOktaRequest function calls, favoring a standard content type of "application/x-www-form-urlencoded" for all of these methods. These changes simplify and streamline the functions while updating reference information.
The commit updates the Okta token URL in the OktaOAuthAuthenticationService.java file. The newer URL now points to the 'default' endpoint instead of the 'v1' endpoint in the Okta OAuth2 services.
# Conflicts:
#	pic-sure-auth-services/pom.xml
#	pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/JAXRSConfiguration.java
Load the user by the email and connection. If the user is found but does not have a subject, we should set it using the introspection token claims.
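The commits above describe the same introspection-and-bind flow several times: reject the token unless the introspection response says it is active, then load the user by email and connection and fill in a missing subject from the claims. The following Python is an added illustration of that flow, not PIC-SURE's own Java code; the in-memory user store, the hypothetical `parse_introspection` and `load_or_bind_user` functions, and the assumption that the RFC 7662 `username` field carries the user's email are all constructed for the example.

```python
import json
import time

# Constructed sample introspection responses (RFC 7662 shape, not real Okta output).
ACTIVE_RESPONSE = json.dumps({"active": True, "sub": "00u1abc", "username": "alice@example.org",
                              "exp": int(time.time()) + 3600, "client_id": "pic-sure"})
INACTIVE_RESPONSE = json.dumps({"active": False})

# Hypothetical in-memory user store keyed by (email, connection), standing in for the database.
USERS = {("alice@example.org", "OKTA"): {"email": "alice@example.org", "connection": "OKTA", "subject": None},
         ("bob@example.org", "OKTA"): {"email": "bob@example.org", "connection": "OKTA", "subject": "00u9xyz"}}


def parse_introspection(body, now=None):
    """Return the claims of an active, unexpired token, or raise ValueError.
    RFC 7662 says the response for an inactive token carries only {"active": false},
    so no other field may be trusted until the flag has been checked."""
    claims = json.loads(body)
    if claims.get("active") is not True:
        raise ValueError("token is not active")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    for required in ("sub", "username"):
        if not claims.get(required):
            raise ValueError(f"introspection response missing '{required}'")
    return claims


def load_or_bind_user(claims, connection="OKTA"):
    """Load the user by email and connection; bind the subject only if it is unset.
    A stored subject that differs from the token's 'sub' is rejected rather than
    overwritten, so an existing account cannot be re-pointed at another identity."""
    user = USERS.get((claims["username"], connection))
    if user is None:
        raise LookupError("no user registered for this email and connection")
    if user["subject"] is None:
        user["subject"] = claims["sub"]
    elif user["subject"] != claims["sub"]:
        raise ValueError("subject mismatch for existing user")
    return user
```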
@Gcolon021 Gcolon021 closed this Jan 25, 2024
@Gcolon021 Gcolon021 deleted the ALS-5514 branch January 25, 2024 19:09