This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/master by this push:
new 780c13533b [SYNCOPE-1844] Support Okta authentication and attribute
repository
780c13533b is described below
commit 780c13533b9e604c2f5422f7b4a366889d1a7499
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Fri Nov 15 07:35:44 2024 +0100
[SYNCOPE-1844] Support Okta authentication and attribute repository
---
.../syncope/common/lib/AbstractOktaConf.java | 36 +++++++++++
.../syncope/common/lib/attr/AttrRepoConf.java | 2 +
.../syncope/common/lib/attr/OktaAttrRepoConf.java | 74 ++++++++++++++++++++++
.../syncope/common/lib/auth/AuthModuleConf.java | 2 +
.../common/lib/auth/OktaAuthModuleConf.java | 52 +++++++++++++++
.../concepts/attributerepositories.adoc | 1 +
.../concepts/authenticationmodules.adoc | 1 +
.../mapping/AttrRepoPropertySourceMapper.java | 15 +++++
.../mapping/AuthModulePropertySourceMapper.java | 14 ++++
wa/starter/pom.xml | 8 +++
10 files changed, 205 insertions(+)
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
new file mode 100644
index 0000000000..a19d96df9d
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/AbstractOktaConf.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib;
+
+import java.io.Serializable;
+
+public abstract class AbstractOktaConf implements Serializable {
+
+ private static final long serialVersionUID = -7800528759438661362L;
+
+ private String organizationUrl;
+
+ public String getOrganizationUrl() {
+ return organizationUrl;
+ }
+
+ public void setOrganizationUrl(final String organizationUrl) {
+ this.organizationUrl = organizationUrl;
+ }
+}
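Review bot: `organizationUrl` is the only field introduced by this commit that carries no Javadoc, while every field of the sibling `OktaAttrRepoConf` and `OktaAuthModuleConf` is documented; since both subclasses and both mappers read it as the Okta endpoint, a one-liner such as `/** URL of the Okta organization this configuration connects to; shared by authentication module and attribute repository. */` above the field would help. The class itself could also state that it is the common base for the two Okta configurations, as nothing else in the file explains why it exists.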
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
index 682d875f94..1942b7c424 100644
---
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/AttrRepoConf.java
@@ -37,6 +37,8 @@ public interface AttrRepoConf extends BaseBean {
Map<String, Object> map(AttrRepoTO attrRepo, SyncopeAttrRepoConf conf);
Map<String, Object> map(AttrRepoTO attrRepo,
AzureActiveDirectoryAttrRepoConf conf);
+
+ Map<String, Object> map(AttrRepoTO attrRepo, OktaAttrRepoConf conf);
}
Map<String, Object> map(AttrRepoTO attrRepo, Mapper mapper);
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
new file mode 100644
index 0000000000..2cfa6d6e1a
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/attr/OktaAttrRepoConf.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.attr;
+
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AttrRepoTO;
+
+public class OktaAttrRepoConf extends AbstractOktaConf implements AttrRepoConf
{
+
+ private static final long serialVersionUID = 1019473980380211566L;
+
+ /**
+ * Username attribute to fetch attributes by.
+ */
+ private String usernameAttribute = "username";
+
+ /**
+ * Okta allows you to interact with Okta APIs using scoped OAuth 2.0
access tokens. Each access token
+ * enables the bearer to perform specific actions on specific Okta
endpoints, with that
+ * ability controlled by which scopes the access token contains. Scopes
are only used
+ * when using client id and private-key.
+ */
+ private final List<String> scopes = Stream.of("okta.users.read",
"okta.apps.read").collect(Collectors.toList());
+
+ /**
+ * Okta API token.
+ */
+ private String apiToken;
+
+ public String getUsernameAttribute() {
+ return usernameAttribute;
+ }
+
+ public void setUsernameAttribute(final String usernameAttribute) {
+ this.usernameAttribute = usernameAttribute;
+ }
+
+ public String getApiToken() {
+ return apiToken;
+ }
+
+ public void setApiToken(final String apiToken) {
+ this.apiToken = apiToken;
+ }
+
+ public List<String> getScopes() {
+ return scopes;
+ }
+
+ @Override
+ public Map<String, Object> map(final AttrRepoTO attrRepo, final Mapper
mapper) {
+ return mapper.map(attrRepo, this);
+ }
+}
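Review bot: The Javadoc on `scopes` states that scopes "are only used when using client id and private-key", yet the class exposes neither a client id nor a private key, only `apiToken`; as written, either the scopes cannot take effect through this configuration or the doc is misleading, so either add the corresponding properties (and map them in `AttrRepoPropertySourceMapper`) or reword the Javadoc to describe what the API-token mode actually uses. `apiToken` is a credential but its Javadoc does not say so; suggest `/** Okta API token used to call the Okta API; sensitive, must not be logged or echoed back in responses. */`, in line with how the other fields are documented. `getScopes()` hands out the live internal list, which matches the pattern of the existing conf classes and is presumably required for deserialization, so that is only worth a short comment.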
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
index 265b4b457b..955f13efc7 100644
---
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
@@ -63,6 +63,8 @@ public interface AuthModuleConf extends BaseBean {
Map<String, Object> map(AuthModuleTO authModule,
SimpleMfaAuthModuleConf conf);
Map<String, Object> map(AuthModuleTO authModule, SpnegoAuthModuleConf
conf);
+
+ Map<String, Object> map(AuthModuleTO authModule, OktaAuthModuleConf
conf);
}
Map<String, Object> map(AuthModuleTO authModule, Mapper mapper);
diff --git
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
new file mode 100644
index 0000000000..487d00d840
--- /dev/null
+++
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/OktaAuthModuleConf.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.auth;
+
+import java.util.Map;
+import org.apache.syncope.common.lib.AbstractOktaConf;
+import org.apache.syncope.common.lib.to.AuthModuleTO;
+
+public class OktaAuthModuleConf extends AbstractOktaConf implements
AuthModuleConf {
+
+ private static final long serialVersionUID = -696882546462937138L;
+
+ /**
+ * A number of authentication handlers are allowed to determine whether
they can operate on the provided credential
+ * and as such lend themselves to be tried and tested during the
authentication handler selection phase.
+ * The credential criteria may be one of the following options:<ul>
+ * <li>A regular expression pattern that is tested against the credential
identifier.</li>
+ * <li>A fully qualified class name of your own design that implements
{@code Predicate}.</li>
+ * <li>Path to an external Groovy script that implements the same
interface.</li>
+ * </ul>
+ */
+ private String credentialCriteria;
+
+ public String getCredentialCriteria() {
+ return credentialCriteria;
+ }
+
+ public void setCredentialCriteria(final String credentialCriteria) {
+ this.credentialCriteria = credentialCriteria;
+ }
+
+ @Override
+ public Map<String, Object> map(final AuthModuleTO authModule, final Mapper
mapper) {
+ return mapper.map(authModule, this);
+ }
+}
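Review bot: The Javadoc on `credentialCriteria` already says the value may be a fully qualified class name or the path of a Groovy script, i.e. this admin-supplied string selects code that WA loads and executes when the module is mapped through `AuthModulePropertySourceMapper`; the doc should state that explicitly (for example `This value is interpreted by WA at bootstrap: a class name or script path must refer to code already deployed with WA.`) so that readers of the Syncope side do not treat it as a plain regex. The class has no class-level Javadoc either; one sentence saying it configures the CAS Okta authentication handler for the organization given by `getOrganizationUrl()` would be enough.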
diff --git
a/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
b/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
index 163d017c43..0aad019ae1 100644
--- a/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/attributerepositories.adoc
@@ -28,6 +28,7 @@ Some attribute repositories are provided:
*
https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Stub.html[Stub^]
*
https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Syncope.html[Syncope^]
*
https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-AzureAD.html[Azure
Active Directory^]
+*
https://apereo.github.io/cas/7.1.x/integration/Attribute-Resolution-Okta.html[Okta^]
[TIP]
====
diff --git
a/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
index 692d920c18..1930eb16f6 100644
--- a/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
@@ -30,6 +30,7 @@ Several authentication modules are provided:
**
https://apereo.github.io/cas/7.1.x/authentication/SPNEGO-Authentication.html[SPNEGO^]
**
https://apereo.github.io/cas/7.1.x/authentication/Syncope-Authentication.html[Syncope^]
**
https://apereo.github.io/cas/7.1.x/authentication/Azure-ActiveDirectory-Authentication.html[Azure
Active Directory^]
+ **
https://apereo.github.io/cas/7.1.x/authentication/Okta-Authentication.html[Okta^]
**
https://apereo.github.io/cas/7.1.x/authentication/X509-Authentication.html[X509^]
**
https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication-Generic-OpenID-Connect.html[OpenID
Connect^]
**
https://apereo.github.io/cas/7.1.x/integration/Delegate-Authentication-OAuth20.html[OAuth2^]
diff --git
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
index a42880a42b..8ed21fc83d 100644
---
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
+++
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AttrRepoPropertySourceMapper.java
@@ -26,6 +26,7 @@ import org.apache.syncope.common.lib.attr.AttrRepoConf;
import org.apache.syncope.common.lib.attr.AzureActiveDirectoryAttrRepoConf;
import org.apache.syncope.common.lib.attr.JDBCAttrRepoConf;
import org.apache.syncope.common.lib.attr.LDAPAttrRepoConf;
+import org.apache.syncope.common.lib.attr.OktaAttrRepoConf;
import org.apache.syncope.common.lib.attr.StubAttrRepoConf;
import org.apache.syncope.common.lib.attr.SyncopeAttrRepoConf;
import org.apache.syncope.common.lib.to.AttrRepoTO;
@@ -36,6 +37,7 @@ import
org.apereo.cas.configuration.model.core.authentication.StubPrincipalAttri
import
org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAttributesProperties;
import
org.apereo.cas.configuration.model.support.jdbc.JdbcPrincipalAttributesProperties;
import
org.apereo.cas.configuration.model.support.ldap.LdapPrincipalAttributesProperties;
+import
org.apereo.cas.configuration.model.support.okta.OktaPrincipalAttributesProperties;
import
org.apereo.cas.configuration.model.support.syncope.SyncopePrincipalAttributesProperties;
public class AttrRepoPropertySourceMapper extends PropertySourceMapper
implements AttrRepoConf.Mapper {
@@ -134,4 +136,17 @@ public class AttrRepoPropertySourceMapper extends
PropertySourceMapper implement
return
prefix("cas.authn.attribute-repository.azure-active-directory[].",
WAConfUtils.asMap(props));
}
+
+ @Override
+ public Map<String, Object> map(final AttrRepoTO attrRepoTO, final
OktaAttrRepoConf conf) {
+ OktaPrincipalAttributesProperties props = new
OktaPrincipalAttributesProperties();
+ props.setId(attrRepoTO.getKey());
+ props.setOrder(attrRepoTO.getOrder());
+ props.setOrganizationUrl(conf.getOrganizationUrl());
+ props.setUsernameAttribute(conf.getUsernameAttribute());
+ props.setScopes(conf.getScopes());
+ props.setApiToken(conf.getApiToken());
+
+ return prefix("cas.authn.attribute-repository.okta.",
WAConfUtils.asMap(props));
+ }
}
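Review bot: The new override returns properties under the scalar prefix `cas.authn.attribute-repository.okta.`, while the Azure AD mapping directly above uses the indexed form `cas.authn.attribute-repository.azure-active-directory[].`; if CAS models Okta attribute repositories as a list the way it does for Azure AD, two Okta repositories configured in Syncope would overwrite each other instead of being appended, so the field type in CAS's `PrincipalAttributesProperties` should be confirmed and the prefix changed to `okta[].` if it is a list. `props.setScopes(conf.getScopes())` also passes the conf bean's own list by reference rather than a copy; harmless if the props object is only serialized, but worth a comment since it is the one non-scalar value mapped here. The enclosing class starts outside the hunk.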
diff --git
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
index 36a0f061b7..8baafec87a 100644
---
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
+++
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
@@ -39,6 +39,7 @@ import
org.apache.syncope.common.lib.auth.KeycloakOIDCAuthModuleConf;
import org.apache.syncope.common.lib.auth.LDAPAuthModuleConf;
import org.apache.syncope.common.lib.auth.OAuth20AuthModuleConf;
import org.apache.syncope.common.lib.auth.OIDCAuthModuleConf;
+import org.apache.syncope.common.lib.auth.OktaAuthModuleConf;
import org.apache.syncope.common.lib.auth.SAML2IdPAuthModuleConf;
import org.apache.syncope.common.lib.auth.SimpleMfaAuthModuleConf;
import org.apache.syncope.common.lib.auth.SpnegoAuthModuleConf;
@@ -61,6 +62,7 @@ import
org.apereo.cas.configuration.model.support.mfa.duo.DuoSecurityMultifactor
import
org.apereo.cas.configuration.model.support.mfa.gauth.GoogleAuthenticatorMultifactorProperties;
import
org.apereo.cas.configuration.model.support.mfa.gauth.LdapGoogleAuthenticatorMultifactorProperties;
import
org.apereo.cas.configuration.model.support.mfa.simple.CasSimpleMultifactorAuthenticationProperties;
+import
org.apereo.cas.configuration.model.support.okta.OktaAuthenticationProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oauth.Pac4jOAuth20ClientProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oidc.BasePac4jOidcClientProperties;
import
org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jAppleOidcClientProperties;
@@ -413,6 +415,18 @@ public class AuthModulePropertySourceMapper extends
PropertySourceMapper impleme
return prefix("cas.authn.azure-active-directory.",
WAConfUtils.asMap(props));
}
+ @Override
+ public Map<String, Object> map(AuthModuleTO authModuleTO,
OktaAuthModuleConf conf) {
+ OktaAuthenticationProperties props = new
OktaAuthenticationProperties();
+ props.setName(authModuleTO.getKey());
+ props.setOrder(authModuleTO.getOrder());
+
props.setState(AuthenticationHandlerStates.valueOf(authModuleTO.getState().name()));
+ props.setOrganizationUrl(conf.getOrganizationUrl());
+ props.setCredentialCriteria(conf.getCredentialCriteria());
+
+ return prefix("cas.authn.okta.", WAConfUtils.asMap(props));
+ }
+
@Override
public Map<String, Object> map(final AuthModuleTO authModuleTO, final
GoogleMfaAuthModuleConf conf) {
GoogleAuthenticatorMultifactorProperties props = new
GoogleAuthenticatorMultifactorProperties();
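Review bot: The parameters of the new `map(AuthModuleTO, OktaAuthModuleConf)` override are not declared `final`, unlike every other `map` override in this class (compare the `GoogleMfaAuthModuleConf` signature directly below) and the Okta override added to `AttrRepoPropertySourceMapper` in the same commit; the signature should read `public Map<String, Object> map(final AuthModuleTO authModuleTO, final OktaAuthModuleConf conf) {`. If the project's Checkstyle enforces FinalParameters, as the rest of the file suggests, this would also fail the build. The enclosing class starts and ends outside the hunk.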
diff --git a/wa/starter/pom.xml b/wa/starter/pom.xml
index 6cf95ac0d9..fffce787d3 100644
--- a/wa/starter/pom.xml
+++ b/wa/starter/pom.xml
@@ -165,6 +165,14 @@ under the License.
</exclusion>
</exclusions>
</dependency>
+ <dependency>
+ <groupId>org.apereo.cas</groupId>
+ <artifactId>cas-server-support-azuread-authentication</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apereo.cas</groupId>
+ <artifactId>cas-server-support-okta-authentication</artifactId>
+ </dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-saml</artifactId>
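Review bot: Besides `cas-server-support-okta-authentication`, the hunk also adds `cas-server-support-azuread-authentication`, which neither the commit title nor the description ([SYNCOPE-1844], Okta) mentions and nothing else in the diff uses. If this fixes a dependency the existing Azure AD module was missing, the commit description should say so; otherwise it looks unrelated to this change and should go in its own commit. The Okta dependency is presumably what provides both `OktaAuthenticationProperties` and `OktaPrincipalAttributesProperties` referenced by the mappers; a short XML comment on the dependency stating that would make the coupling visible to whoever later trims the starter's dependency list.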