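/*
 * Copyright 2015 Red Hat, Inc.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * and Apache License v2.0 which accompanies this distribution.
 *
 * The Eclipse Public License is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * The Apache License v2.0 is available at
 * http://www.opensource.org/licenses/apache2.0.php
 *
 * You may elect to redistribute this code under either of these licenses.
 */
package io.vertx.ext.auth.jwt.authorization.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.authorization.Authorization;
import io.vertx.ext.auth.authorization.RoleBasedAuthorization;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.jwt.authorization.MicroProfileAuthorization;

import java.util.HashSet;
import java.util.Set;

/**
 * Default implementation for Micro Profile JWT 1.1.
 * <p>
 * Maps the MP-JWT {@code "groups"} claim of an already decoded token into
 * {@link RoleBasedAuthorization} instances and stores them on the user under
 * the provider id {@link #getId()}. This class is stateless.
 */
public class MicroProfileAuthorizationImpl implements MicroProfileAuthorization {

  /** Claim id under which the computed authorizations are stored on the user. */
  private static final String PROVIDER_ID = "mp-jwt";

  /** User attribute naming the attribute that holds the decoded token, if not the principal. */
  private static final String ROOT_CLAIM_ATTR = "rootClaim";

  /** The MP-JWT 1.1 custom claim carrying the group names assigned to the principal. */
  private static final String GROUPS_CLAIM = "groups";

  @Override
  public String getId() {
    return PROVIDER_ID;
  }

  /**
   * Extracts the {@code "groups"} claim from the user's decoded token and adds one
   * {@link RoleBasedAuthorization} per group name to {@code user.authorizations()}.
   * <p>
   * The decoded token is taken from {@code user.principal()} unless the user attribute
   * {@code "rootClaim"} names another attribute holding it. Every element of the
   * {@code "groups"} array must be a string; any other element type fails the whole
   * call and no authorizations are added.
   *
   * @param user    the user whose token is inspected; its authorizations are updated in place
   * @param handler called with a succeeded future once the authorizations were added, or a
   *                failed future when no decoded token is present or a group entry is not a string
   */
  @Override
  public void getAuthorizations(User user, Handler<AsyncResult<Void>> handler) {
    final JsonObject accessToken = resolveAccessToken(user);

    if (accessToken == null) {
      handler.handle(Future.failedFuture("User doesn't contain a decoded Token"));
      return;
    }

    final Set<Authorization> authorizations = new HashSet<>();

    // The MP-JWT 1.1 spec defines a custom claim called "groups": the list of group names that
    // have been assigned to the principal of the MP-JWT. This typically requires a mapping at
    // the application container level to application deployment roles, but a one-to-one
    // mapping between group names and application role names is required to be performed in
    // addition to any other mapping.
    final JsonArray groups = accessToken.getJsonArray(GROUPS_CLAIM);

    // A missing claim simply yields an empty authorization set; an empty array does the same,
    // so no explicit size check is needed here.
    if (groups != null) {
      for (Object el : groups) {
        if (el instanceof String) {
          // convert to the authorization type
          authorizations.add(RoleBasedAuthorization.create((String) el));
        } else {
          // Abort the parsing: the claim is token-supplied data, so only string entries are
          // accepted as role names. Nothing is added to the user when any entry is rejected.
          handler.handle(Future.failedFuture("Cannot parse role: " + el));
          return;
        }
      }
    }

    user.authorizations().add(getId(), authorizations);
    handler.handle(Future.succeededFuture());
  }

  /**
   * Locates the decoded token on the user.
   *
   * @param user the user to inspect
   * @return the principal when no {@code "rootClaim"} attribute is set, otherwise the JSON
   *         object stored under the attribute named by {@code "rootClaim"}; may be {@code null}
   */
  private static JsonObject resolveAccessToken(User user) {
    final String rootClaim = user.attributes().getString(ROOT_CLAIM_ATTR);
    return rootClaim == null
      ? user.principal()
      : user.attributes().getJsonObject(rootClaim);
  }
}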