This library provides client functionality for the login-service.
Include the library in your project:
Maven:

```xml
<dependency>
    <groupId>za.co.absa</groupId>
    <artifactId>login-service-client-library_2.12</artifactId>
    <version>1.0.0</version>
</dependency>
```

sbt:

```scala
libraryDependencies += "za.co.absa" % "login-service-client-library_2.12" % "1.0.0"
```
See the examples for a more detailed view of how to use the library.
The library provides a PublicKeyRetrievalClient class that retrieves the public key used to verify token signatures.
The public key is available without authorization, so only the relevant host needs to be provided. It is available both as a String and as a JWKS.
The library provides a TokenRetrievalClient class that retrieves access and refresh tokens.
Retrieving access and refresh tokens requires authorization.
Two authentication methods are available:
- Basic Auth is used for the initial retrieval, so a valid username and password are required. Please see the login-service documentation for more information on what constitutes a valid username and password.
- SPNEGO authentication. Please ensure that Kerberos is enabled and configured correctly in your environment.
To support Kerberos, both keytab and ticket-cache authentication are allowed.
If required, you may specify a JAAS configuration file and a custom krb5 location programmatically using the setKerberosProperties function.
The refresh token obtained during the initial retrieval is used to refresh the access token.
The user can create and use org.springframework.security.oauth2.jwt.NimbusJwtDecoder via the JwtDecoderProvider object.
This allows the user to build the decoder from a PublicKey object, a String or a URL.
The AccessTokenClaimsParser object parses the claims of a decoded access token.
The RefreshTokenClaimsParser object parses the claims of a decoded refresh token.
Both extract the claims from the respective decoded JWT so that the token claims can be checked and verified.
For example, one may inspect an access token's groups claim to determine what a user may or may not do.
The TokenVerifiers are used to verify that a token is valid.
The AccessTokenVerifier verifies an access token.
The RefreshTokenVerifier verifies a refresh token.
These verifiers check that the token has:
- A valid signature
- An expiry that has not passed
- The correct type (access or refresh)
If the token is valid, the verifier returns a JWT object whose claims can be read.
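The three checks above, written out as an added example in Go rather than the library's own Scala code. It assumes RS256 tokens and a claim named "type" that carries "access" or "refresh" (the real claim name is not documented here); signToken stands in for the login-service so the example runs offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct {
	Type string `json:"type"` // assumed claim name; not documented on this page
	Exp  int64  `json:"exp"`  // seconds since the Unix epoch
}
// signToken stands in for the login-service issuing an RS256 token; the client library never signs.
func signToken(c Claims, priv *rsa.PrivateKey) string {
	b64 := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}
// verifyToken runs the verifier's checks in order (signature, expiry, type); RS256 is pinned, so the header's "alg" is never trusted.
func verifyToken(token, wantType string, pub *rsa.PublicKey, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims // claims are only decoded after the signature has been checked
	dec := base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(parts[1]))
	if err := json.NewDecoder(dec).Decode(&c); err != nil {
		return nil, errors.New("unreadable claims")
	}
	if nowUnix >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Type != wantType {
		return nil, errors.New("wrong token type: " + c.Type)
	}
	return &c, nil
}
```

Presenting an access token where a refresh token is expected fails the type check even though its signature and expiry are fine, which is why the two verifiers are kept separate.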
An example of how to use the library can be found in the examples folder. The example uses a configuration file to provide the necessary configuration to the library.
The required configuration values are:
host - the URL of the login-service (including the port if required)