Package org.apache.pulsar.broker.authentication.oidc

Class AuthenticationProviderOpenID

java.lang.Object

org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID

All Implemented Interfaces:

Closeable, AutoCloseable, AuthenticationProvider

public class AuthenticationProviderOpenID
extends Object
implements AuthenticationProvider

An AuthenticationProvider implementation that supports the usage of a JSON Web Token (JWT) for client authentication. This implementation retrieves the PublicKey from the JWT issuer (assuming the issuer is in the configured allowed list) and then uses that Public Key to verify the validity of the JWT's signature. The Public Keys for a given provider are cached based on certain configured parameters to improve performance. The tradeoff here is that the longer Public Keys are cached, the longer an invalidated token could be used. One way to ensure caches are cleared is to restart all brokers. Class is called from multiple threads. The implementation must be thread safe. This class expects to be loaded once and then called concurrently for each new connection. The cache is backed by a GuavaCachedJwkProvider, which is thread-safe. Supported algorithms are: RS256, RS384, RS512, ES256, ES384, ES512 where the naming conventions follow this RFC: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1.

Constructor Summary

Constructors

Constructor	Description
AuthenticationProviderOpenID()

Method Summary

Modifier and Type	Method	Description
CompletableFuture<String>	authenticateAsync(AuthenticationDataSource authData)	Authenticate the parameterized AuthenticationDataSource by verifying the issuer is an allowed issuer, then retrieving the JWKS URI from the issuer, then retrieving the Public key from the JWKS URI, and finally verifying the JWT signature and claims.
void	close()
String	getAuthMethodName()
void	initialize(ServiceConfiguration config)
AuthenticationState	newAuthState(org.apache.pulsar.common.api.AuthData authData, SocketAddress remoteAddress, SSLSession sslSession)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.pulsar.broker.authentication.AuthenticationProvider

authenticate, authenticateHttpRequest, authenticateHttpRequestAsync, incrementFailureMetric, newHttpAuthState

Constructor Details

AuthenticationProviderOpenID

public AuthenticationProviderOpenID()

Method Details

initialize

public void initialize(ServiceConfiguration config)
                throws IOException

Specified by:

initialize in interface AuthenticationProvider

Throws:

IOException

getAuthMethodName

public String getAuthMethodName()

Specified by:

getAuthMethodName in interface AuthenticationProvider

authenticateAsync

public CompletableFuture<String> authenticateAsync(AuthenticationDataSource authData)

Authenticate the parameterized AuthenticationDataSource by verifying the issuer is an allowed issuer, then retrieving the JWKS URI from the issuer, then retrieving the Public key from the JWKS URI, and finally verifying the JWT signature and claims.

Specified by:

authenticateAsync in interface AuthenticationProvider

Parameters:

authData - - the authData passed by the Pulsar Broker containing the token.

Returns:

the role, if the JWT is authenticated, otherwise a failed future.

newAuthState

public AuthenticationState newAuthState(org.apache.pulsar.common.api.AuthData authData,
 SocketAddress remoteAddress,
 SSLSession sslSession)
                                 throws AuthenticationException

Specified by:

newAuthState in interface AuthenticationProvider

Throws:

AuthenticationException

close

public void close()
           throws IOException

Specified by:

close in interface AutoCloseable

Specified by:

close in interface Closeable

Throws:

IOException