Add Backend Auth Handler Implementation #7
Conversation
isuruh15
changed the title
| enable = true | ||
| token_endpoint = "https://localhost:9443/oauth2/token" | ||
| client_id = "client_id" | ||
| keystore_password = "wso2carbon" |
There was a problem hiding this comment.
take from CarbonUtils
isuruh15
force-pushed
the
pkjwt-be-auth
branch
from
9ea5cae to
fc5b878
Compare
isuruh15
changed the title
| echo -e "[WARN] healthcare.backend.auth configuration already exist" | ||
| else | ||
| # code if not found | ||
| echo -e "\n[healthcare.backend.auth]\ntoken_endpoint = \"https://localhost:9443/oauth2/token\"\nclient_id = \"client_id\"\nclient_secret = \"client_secret\"\nprivate_key_alias = \"wso2carbon\"\nis_ssl_enabled = true" | tee -a "${WSO2_OH_APIM_HOME}"/repository/conf/deployment.toml >/dev/null |
There was a problem hiding this comment.
cannot use default key alias (wso2carbon) right>?
There was a problem hiding this comment.
what's the use of is_ssl_enabled?
There was a problem hiding this comment.
default alias changed in daa4bf5.
The external token request can be made with or without ssl_context, the config is to toggle that
| echo -e "[WARN] healthcare.backend.auth configuration already exist" | ||
| else | ||
| # code if not found | ||
| echo -e "\n[healthcare.backend.auth]\ntoken_endpoint = \"https://localhost:9443/oauth2/token\"\nclient_id = \"client_id\"\nclient_secret = \"client_secret\"\nprivate_key_alias = \"wso2carbon\"\nis_ssl_enabled = true" | tee -a "${WSO2_OH_APIM_HOME}"/repository/conf/deployment.toml >/dev/null |
There was a problem hiding this comment.
Add comments for these deployment toml entries
| @@ -418,6 +418,13 @@ policy.limit.time_unit = "min" | |||
| patient_id_uri = "http://wso2.org/claims/patientId" | |||
| patient_id_key = "patientId" | |||
|
|
|||
| [healthcare.backend.auth] | |||
There was a problem hiding this comment.
this should be a toml array right? in order to support multiple backends
| } | ||
| PrivateKeyJWTBackendAuthenticator privateKeyJWTBackendAuthenticator; | ||
| try { | ||
| privateKeyJWTBackendAuthenticator = new PrivateKeyJWTBackendAuthenticator(); |
There was a problem hiding this comment.
This should be initialized at the deployment time and use, you can implement managedlifecycle in the mediator class.
Also since there can be multiple backend authenticator registrations, all should be initialized and the correct one should be picked up by the policy?
There was a problem hiding this comment.
Moved the initialization to the constructor in b8da50d
| public class BackendAuthenticator extends AbstractMediator { | ||
|
|
||
| private static final Log log = LogFactory.getLog(BackendAuthenticator.class); | ||
| private String authType; |
There was a problem hiding this comment.
Can't we define the authType in the deployment toml config?
| String tokenEndpoint = backendAuthConfig.getAuthEndpoint(); | ||
| String keyAlias = backendAuthConfig.getPrivateKeyAlias(); | ||
| char[] keyStorePass = CarbonUtils.getServerConfiguration().getFirstProperty( | ||
| "Security.KeyStore.Password").toCharArray(); |
| } | ||
| accessToken = token.getAccessToken(); | ||
|
|
||
| messageContext.setProperty(Constants.PROPERTY_ACCESS_TOKEN, accessToken); |
There was a problem hiding this comment.
Why setting as a property?
| } | ||
| headersMap.put(Constants.HEADER_NAME_AUTHORIZATION, Constants.HEADER_VALUE_BEARER + accessToken); | ||
| axisMsgCtx.setProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS, headersMap); | ||
| }else { |
There was a problem hiding this comment.
Formatting issues
| echo -e "[WARN] healthcare.backend.auth configuration already exist" | ||
| else | ||
| # code if not found | ||
| echo -e "\n[[healthcare.backend.auth]]\n# Name of the authentication method. This name must be matched with the Config Name policy attribute in the -\n# - Replace Backend Auth Token policy.\nname = \"epic_pkjwt\"\n# Authentication type. Only pkjwt is supported atm.\n\nauth_type = \"pkjwt\"\n# External Auth server's Token endpoint URL.\ntoken_endpoint = \"https://localhost:9443/oauth2/token\"\nclient_id = \"client_id\"\nprivate_key_alias = \"key_alias\"\nis_ssl_enabled = true |
There was a problem hiding this comment.
We can support client credentials as well easily right? let's add that capability too with this effort.
| @@ -418,6 +418,26 @@ policy.limit.time_unit = "min" | |||
| patient_id_uri = "http://wso2.org/claims/patientId" | |||
| patient_id_key = "patientId" | |||
|
|
|||
| [[healthcare.backend.auth]] | |||
There was a problem hiding this comment.
Shall we comment these by default as well, since it should be configured to the actual values by the customer
| token_endpoint = "https://localhost:9443/oauth2/token" | ||
| client_id = "client_id" | ||
| private_key_alias = "key_alias" | ||
| is_ssl_enabled = true |
There was a problem hiding this comment.
what's the use of this "is_ssl_enabled" ?
| "policyAttributes": [ | ||
| { | ||
| "name": "configName", | ||
| "displayName": "Config Name", |
There was a problem hiding this comment.
Something like -> "Backend Auth Config" ?
| ], | ||
| "policyAttributes": [ | ||
| { | ||
| "name": "configName", |
There was a problem hiding this comment.
Something like -> "backendAuthConfig" ?
| <dependency> | ||
| <groupId>commons-logging</groupId> | ||
| <artifactId>commons-logging</artifactId> | ||
| <version>1.3.3</version> |
There was a problem hiding this comment.
versions should be handled at the root pom
There was a problem hiding this comment.
there was a build error in the tests of org.wso2.healthcare.apim.clientauth.jwt module once we specify the version of commons-logging in the root level.
Hence used the latest version
| <groupId>org.apache.felix</groupId> | ||
| <artifactId>maven-bundle-plugin</artifactId> | ||
| <extensions>true</extensions> | ||
| <version>5.1.1</version> |
There was a problem hiding this comment.
let's use the versions from the root pom
| ## Configuration Model | ||
|
|
||
| ```toml | ||
| [healthcare.backend.auth] |
There was a problem hiding this comment.
Readme should have a table to describe the config
| */ | ||
| public interface BackendAuthHandler { | ||
|
|
||
| String fetchValidAccessToken(MessageContext messageContext, BackendAuthConfig config); |
There was a problem hiding this comment.
Add java docs to interface methode
| log.error("Auth type is not defined in the message context."); | ||
| return false; | ||
| } | ||
| if (config.getAuthType().equals(Constants.POLICY_ATTR_AUTH_TYPE_PKJWT)) { |
There was a problem hiding this comment.
let's use switch cases
| if (headersMap.get(Constants.HEADER_NAME_AUTHORIZATION) != null) { | ||
| headersMap.remove(Constants.HEADER_NAME_AUTHORIZATION); | ||
| } | ||
| headersMap.put(Constants.HEADER_NAME_AUTHORIZATION, Constants.HEADER_VALUE_BEARER + accessToken); |
There was a problem hiding this comment.
Let's get the authentication scheme(i.e 'Basic', 'Bearer') from the authenticator itself. This way someone can write a backend basic authenticator or any other scheme as well.
|
|
||
| package org.wso2.healthcare.apim.backendauth.tokenmgt; | ||
|
|
||
| public class Token { |
There was a problem hiding this comment.
Let's add class comments
| import org.apache.commons.logging.LogFactory; | ||
| import org.wso2.healthcare.apim.backendauth.Constants; | ||
|
|
||
| public class TokenManager { |
There was a problem hiding this comment.
Let's add class comments
| @@ -572,6 +579,58 @@ private ScopeMgtConfig buildScopeMgtConfig() { | |||
|
|
|||
| } | |||
|
|
|||
| private Map<String, BackendAuthConfig> buildBackendAuthConfig() throws OpenHealthcareException { | |||
| // BackendAuthConfig backendAuthConfig = new BackendAuthConfig(); | |||
There was a problem hiding this comment.
Let's remove commented codes
| ```toml | ||
| [[healthcare.backend.auth]] | ||
| name = "backend-auth" | ||
| auth_type = "pkjwt" or "client-credentials" |
There was a problem hiding this comment.
Add the possible values in the comment.
|
|
||
| TOKEN_MAP.clear(); | ||
| } | ||
| } |
| /** | ||
| * Get the auth header scheme. i.e. Bearer, Basic etc. | ||
| */ | ||
| String getAuthHeaderScheme(); |
There was a problem hiding this comment.
Let's have default method maybe? with value "Bearer"
isuruh15
force-pushed
the
pkjwt-be-auth
branch
from
0551197 to
60cde3c
Compare
| @@ -0,0 +1,102 @@ | |||
| package org.wso2.healthcare.apim.backendauth.impl; | |||
Purpose
Goals
Approach