Package google.registry.request.auth

Class OidcTokenAuthenticationMechanism

java.lang.Object

google.registry.request.auth.OidcTokenAuthenticationMechanism

All Implemented Interfaces:

AuthenticationMechanism

public abstract class OidcTokenAuthenticationMechanism
extends Object
implements AuthenticationMechanism

An authenticam mechanism that verifies the OIDC token.

Currently, two flavors are supported: one that checkes for the OIDC token as a regular bearer token, and another that checks for the OIDC token passed by IAP. In both cases, the AuthResult with the highest AuthSettings.AuthLevel possible is returned. So, if the email address for which the token is minted exists both as a User and as a service account, the returned AuthResult is at AuthSettings.AuthLevel.USER.

See Also:

• OpenID Connect

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static interface	OidcTokenAuthenticationMechanism.TokenExtractor

Field Summary

Fields

Modifier and Type	Field	Description
protected final Optional<com.google.auth.oauth2.TokenVerifier>	fallbackTokenVerifier
static final com.google.common.flogger.FluentLogger	logger
protected final OidcTokenAuthenticationMechanism.TokenExtractor	tokenExtractor
protected final com.google.auth.oauth2.TokenVerifier	tokenVerifier

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	OidcTokenAuthenticationMechanism(com.google.common.collect.ImmutableSet<String> serviceAccountEmails, com.google.auth.oauth2.TokenVerifier tokenVerifier, com.google.auth.oauth2.TokenVerifier fallbackTokenVerifier, OidcTokenAuthenticationMechanism.TokenExtractor tokenExtractor)

Method Summary

Modifier and Type	Method	Description
AuthResult	authenticate(jakarta.servlet.http.HttpServletRequest request)	Attempt to authenticate an incoming request.
static void	setAuthResultForTesting(AuthResult authResult)
static void	unsetAuthResultForTesting()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

logger

public static final com.google.common.flogger.FluentLogger logger

tokenVerifier

protected final com.google.auth.oauth2.TokenVerifier tokenVerifier

fallbackTokenVerifier

protected final Optional<com.google.auth.oauth2.TokenVerifier> fallbackTokenVerifier

tokenExtractor

protected final OidcTokenAuthenticationMechanism.TokenExtractor tokenExtractor

Constructor Details

OidcTokenAuthenticationMechanism

protected OidcTokenAuthenticationMechanism(com.google.common.collect.ImmutableSet<String> serviceAccountEmails,
 com.google.auth.oauth2.TokenVerifier tokenVerifier,
 @Nullable
 com.google.auth.oauth2.TokenVerifier fallbackTokenVerifier,
 OidcTokenAuthenticationMechanism.TokenExtractor tokenExtractor)

Method Details

authenticate

public AuthResult authenticate(jakarta.servlet.http.HttpServletRequest request)

Description copied from interface: AuthenticationMechanism

Attempt to authenticate an incoming request.

Specified by:

authenticate in interface AuthenticationMechanism

Parameters:

request - the request to be authenticated

Returns:

the results of the authentication check; if the request could not be authenticated, the mechanism should return AuthResult.NOT_AUTHENTICATED

setAuthResultForTesting

public static void setAuthResultForTesting(@Nullable
 AuthResult authResult)

unsetAuthResultForTesting

public static void unsetAuthResultForTesting()