io.confluent.security.authentication.oauthbearer

Class JwtAuthenticationConfig

java.lang.Object

io.confluent.security.authentication.AuthenticationConfig<BearerCredential,JwtPrincipal>

io.confluent.security.authentication.oauthbearer.JwtAuthenticationConfig

public final class JwtAuthenticationConfig
extends AuthenticationConfig<BearerCredential,JwtPrincipal>

Configure JwtAuthenticator instance. JwtAuthenticator instances have two primary responsibilities: 1. Manage Issuer public key material. 2. Decode JsonWebSignature tokens and validate their claims. Key material handling is performed by the JwtAuthenticator VerificationKeyResolver. Each JwtIssuer must be provided a name which should be the URL of the JWT issuing authority. There are exceptions to this rule so any string value will do as long as it matches the incoming JWT iss claim value. There may be certain scenarios where JwtAuthenticator may want to take some action in an Issuer agnostic manner. One such use cases would be to forward the token to another trusted service for validation. In order to support this use case register a JwtIssuer with the name '*'. This will act as a catchall for any unrecognized issuer. Token verification may be restricted to a specific set of keys by setting the AlgorithmWhitelist parameter. SignatureAlgorithm.RS256 and SignatureAlgorithm.ES256 are whitelisted by default.

See Also:

JwtIssuer} for additional configuration property documentation. Stand alone configuration example:

    {@code
      kind: {@link AuthenticationConfig.Kind#JWT}
      issuers:
        - name: https://example.com/v1/identity/oidc
          verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJwks
          jwksUri: https://example.com/v1/identity/oidc/.well-known/keys
          audience:
            - C82RLLokthIFn4v4sDYKpJbksC
            - z2OPfk0pavN7Xj0UElTUaR1Xqt
        - name: Confluent
          verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJku
          domainWhitelist:
            - devel.cpdev.cloud
            - stag.cpdev.cloud
            - .gcp.priv.cpdev.cloud
        - name: pemFactory
          verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerStatic
          pems:
            - |-
              -----BEGIN PUBLIC KEY-----
              MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
              Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
              3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
              73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
              szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
              /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
              WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
              J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
              YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
              rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
              egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
              QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
              -----END PUBLIC KEY-----
            - |-
              -----BEGIN PUBLIC KEY-----
              MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
              Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
              3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
              73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
              szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
              /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
              WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
              J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
              YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
              rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
              egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
              QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
              -----END PUBLIC KEY-----
            # * must be escaped or quoted!
              - name: '*'
              verificationType: customForwardingVerifier
    }
  

Embedded configuration example:

    {@code
      ...
        authentication:
          kind: {@link AuthenticationConfig.Kind#JWT}
          issuers:
            - name: https://example.com/v1/identity/oidc
              verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJwks
              jwksUri: https://example.com/v1/identity/oidc/.well-known/keys
              audience:
                - C82RLLokthIFn4v4sDYKpJbksC
                - z2OPfk0pavN7Xj0UElTUaR1Xqt
            - name: Confluent
              verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerJku
              domainWhitelist:
                - devel.cpdev.cloud
                - stag.cpdev.cloud
                - .gcp.priv.cpdev.cloud
            - name: pemFactory
              verificationType: static
              pems:
                - |-
                  -----BEGIN PUBLIC KEY-----
                  MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
                  Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
                  3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
                  73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
                  szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
                  /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
                  WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
                  J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
                  YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
                  rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
                  egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
                  QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
                  -----END PUBLIC KEY-----
              - |-
                -----BEGIN PUBLIC KEY-----
                MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuI4GHxaqm3JhiWY1y+7d
                Cr/WyYqg7cABHWuw9TawYU24BlfTyfwJiAOZwJszikTv92dfCG0rbOdrKkAaqHxd
                3M5csla5/b3XKwCDoqzhL0odhFDnPvUlhRhtyw/19kNSuntsiQFOnhaaURqT4M18
                73T4SMzJVq4N4CtQNKTjCSBoFvBpMZHR25+ERT0Y91IfuEFJSPzZLL9vz2sWltHj
                szyJ0jSxmunv32K6/nEUHLc1iLKo5IIXaYWwqjUbeD39JDt6HCoyJsh5ohuiqChH
                /ws5AYoupbKX3uohf+/DHbALLmd48TfAPN9+3WzeVKFB7pBLHt2hSLkKd2UUxXNi
                WuPBuonEJ48JlFvZCg9/KbgcxDRkyXrKRDMJP3vu5z6nJbRe7tQpxS2pbdLysNr3
                J/TorJf9oW9Mlx8L0693GYjOSUtckni3BL3LWHukXia4/blik0JdvMsdCpEaE0IB
                YzlMmVut/8v7yav+flTYLcqgZm8RjQk5M+nMaj+UR60CRmxgARX9Plg0yH3aUX1u
                rS8G/tU8P/mF2RIPiyPrP6RRpoJrDgzaS4AfjuYjnLYZiWhXxl/Nq1yvkNVUmgjq
                egCaDOQYgEYeLgULmnfiYbwhpMlW4ZPdDoY/d2ExCPVSM/iNxiiE26i4ZzFWsK3W
                QQYdbfhQjDABjEfpYiDTZ4UCAwEAAQ==
                -----END PUBLIC KEY-----
      ...
    }
  

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	JwtAuthenticationConfig.Builder

Nested classes/interfaces inherited from class io.confluent.security.authentication.AuthenticationConfig

AuthenticationConfig.Kind

Field Summary

Fields

Modifier and Type	Field and Description
static String	CONFIG_PREFIX
static String	CONFLUENT_ISSUER
static String	CONFLUENT_SPIRE_ISSUER_SUFFIX
static String	CONFLUENT_SPIRE_ISSUER_SUFFIX_PROP

Method Summary

Modifier and Type	Method and Description
Set<SignatureAlgorithm>	algorithmWhitelist()
static JwtAuthenticationConfig.Builder	builder()
Authenticator<BearerCredential,JwtPrincipal>	createAuthenticator() Creates a new Authenticator instance.
List<JwtIssuer>	issuers() List of JwtIssuers registered with this JwtAuthenticator.
AuthenticationConfig.Kind	kind() Describes the AuthenticationConfig implementation.
String	spireAgentSocketEndpoint()

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONFLUENT_ISSUER

public static final String CONFLUENT_ISSUER

See Also:

Constant Field Values

CONFIG_PREFIX

public static final String CONFIG_PREFIX

See Also:

Constant Field Values

CONFLUENT_SPIRE_ISSUER_SUFFIX_PROP

public static final String CONFLUENT_SPIRE_ISSUER_SUFFIX_PROP

See Also:

Constant Field Values

CONFLUENT_SPIRE_ISSUER_SUFFIX

public static final String CONFLUENT_SPIRE_ISSUER_SUFFIX

See Also:

Constant Field Values

Method Detail

kind

public AuthenticationConfig.Kind kind()

Describes the AuthenticationConfig implementation.

Specified by:

kind in class AuthenticationConfig<BearerCredential,JwtPrincipal>

Returns:

AuthenticationConfig.Kind

algorithmWhitelist

public Set<SignatureAlgorithm> algorithmWhitelist()

issuers

public List<JwtIssuer> issuers()

List of JwtIssuers registered with this JwtAuthenticator.

Returns:

List

spireAgentSocketEndpoint

public String spireAgentSocketEndpoint()

Returns:

String Spire Agent Socket Endpoint

createAuthenticator

public Authenticator<BearerCredential,JwtPrincipal> createAuthenticator()

Creates a new Authenticator instance.

Specified by:

createAuthenticator in class AuthenticationConfig<BearerCredential,JwtPrincipal>

Returns:

Authenticator

builder

public static JwtAuthenticationConfig.Builder builder()