feat(bundle-saas): support m2m authentication in SaaS
1 parent
ed10c6c
commit 0d7d245
Showing
3 changed files
with
84 additions
and
0 deletions.
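--- a/...da-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
+++ b/...da-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
@@ -0,0 +1,23 @@
+package io.camunda.connector.runtime.security;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+private final String audience;
+
+AudienceValidator(String audience) {
+this.audience = audience;
+}
+
+public OAuth2TokenValidatorResult validate(Jwt jwt) {
+OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+if (jwt.getAudience().contains(audience)) {
+return OAuth2TokenValidatorResult.success();
+}
+return OAuth2TokenValidatorResult.failure(error);
+}
+}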
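Review bot: `validate` calls `jwt.getAudience().contains(audience)` without guarding the claim; as far as I recall Spring's `JwtClaimAccessor.getAudience()` returns null when the token has no `aud` claim, so such a token would surface as a NullPointerException thrown from inside the decoder rather than as the intended `invalid_token` failure. A two-line guard keeps the validator's contract honest: `List<String> aud = jwt.getAudience();` followed by `if (aud != null && aud.contains(audience)) {`, which needs `import java.util.List;`. The method should also carry `@Override`, and the `OAuth2Error` can be built inside the failure branch rather than on every call. A one-line Javadoc on the class, stating that the token is accepted only when its `aud` claim lists the configured audience, would document the check.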
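--- a/...aas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
+++ b/...aas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
@@ -0,0 +1,57 @@
+package io.camunda.connector.runtime.security;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration {
+
+@Value("${camunda.connector.auth.audience}")
+private String audience;
+
+@Value("${camunda.connector.auth.issuer}")
+private String issuer;
+
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+http.csrf()
+.disable()
+.authorizeRequests()
+.antMatchers(HttpMethod.POST, "/inbound/**")
+.permitAll()
+.antMatchers("/inbound")
+.hasAuthority("SCOPE_inbound:read")
+.anyRequest()
+.authenticated()
+.and()
+.oauth2ResourceServer()
+.jwt();
+return http.build();
+}
+
+@Bean
+JwtDecoder jwtDecoder() {
+NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
+OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+OAuth2TokenValidator<Jwt> withAudience =
+new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+jwtDecoder.setJwtValidator(withAudience);
+return jwtDecoder;
+}
+}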
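Review bot: The `permitAll()` rule on `POST /inbound/**` in `filterChain` leaves those endpoints reachable with no token at all, while `/inbound` itself demands `SCOPE_inbound:read`, and nothing in the hunk records why the two differ; presumably external webhook senders cannot present a platform-issued token, but that reasoning belongs next to the matcher so a later reader does not "tighten" it by mistake. A comment such as `// POST /inbound/** is left unauthenticated on purpose: webhook senders hold no platform token — confirm with the inbound connector design` above the `antMatchers` line would capture it. Separately, `csrf()`, `authorizeRequests()` and `antMatchers` are the pre-5.8 DSL; if the bundle is on Spring Security 5.8 or later they are deprecated in favour of `http.csrf(AbstractHttpConfigurer::disable).authorizeHttpRequests(auth -> auth.requestMatchers(...))`, though the version is not visible from this commit. The class would also benefit from a short Javadoc stating that every request outside the webhook path must carry a JWT issued by `camunda.connector.auth.issuer` and addressed to `camunda.connector.auth.audience`, which is what `jwtDecoder()` enforces.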