Enable OIDC authentication with a direct client

Author: RowanErasmus

pom.xml

@@ -951,6 +951,17 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <artifactId>pac4j-http</artifactId>
+      <version>${pac4j.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
     <dependency>
       <groupId>org.pac4j</groupId>
       <artifactId>pac4j-saml-opensamlv3</artifactId>

src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java

@@ -38,11 +38,13 @@
 import org.pac4j.core.http.callback.CallbackUrlResolver;
 import org.pac4j.core.http.callback.PathParameterCallbackUrlResolver;
 import org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver;
+import org.pac4j.http.client.direct.HeaderClient;
 import org.pac4j.oauth.client.FacebookClient;
 import org.pac4j.oauth.client.GitHubClient;
 import org.pac4j.oauth.client.Google2Client;
 import org.pac4j.oidc.client.OidcClient;
 import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator;
 import org.pac4j.saml.client.SAML2Client;
 import org.pac4j.saml.config.SAML2Configuration;
 import org.slf4j.Logger;
@@ -322,11 +324,19 @@ public Map<FilterTemplates, Filter> getFilters() {
 
         if (this.openidAuthEnabled) {
             OidcConfiguration configuration = oidcConfCreator.build();
-            OidcClient oidcClient = new OidcClient(configuration);
-            oidcClient.setCallbackUrl(oauthApiCallback);
-            oidcClient.setCallbackUrlResolver(urlResolver);
             if (StringUtils.isNotBlank(configuration.getClientId())) {
+                // https://www.pac4j.org/4.0.x/docs/clients/openid-connect.html
+                // OidcClient allows indirect login through UI with code flow            
+                OidcClient oidcClient = new OidcClient(configuration);
+                oidcClient.setCallbackUrl(oauthApiCallback);
+                oidcClient.setCallbackUrlResolver(urlResolver);
                 clients.add(oidcClient);
+                // HeaderClient allows api access with a bearer token from the identity provider
+                UserInfoOidcAuthenticator authenticator = new UserInfoOidcAuthenticator(configuration);
+                HeaderClient headerClient = new HeaderClient("Authorization", "Bearer ", authenticator);
+                clients.add(headerClient);
+            } else {
+                logger.warn("openidAuth is enabled but no client id is provided");
             }
         }
 
@@ -366,6 +376,11 @@ public Map<FilterTemplates, Filter> getFilters() {
                 oidcFilter.setConfig(cfg);
                 oidcFilter.setClients("OidcClient");
                 filters.put(OIDC_AUTH, oidcFilter);
+
+                SecurityFilter oidcDirectFilter = new SecurityFilter();
+                oidcDirectFilter.setConfig(cfg);
+                oidcDirectFilter.setClients("HeaderClient");
+                filters.put(OIDC_DIRECT_AUTH, oidcDirectFilter);
             }
 
             CallbackFilter callbackFilter = new CallbackFilter();
@@ -409,7 +424,9 @@ protected FilterChainBuilder getFilterChainBuilder() {
         }
 
         if (this.openidAuthEnabled) {
-            filterChainBuilder.addRestPath("/user/login/openid", FORCE_SESSION_CREATION, OIDC_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
+            filterChainBuilder
+                    .addRestPath("/user/login/openid", FORCE_SESSION_CREATION, OIDC_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+                    .addRestPath("/user/login/openidDirect", FORCE_SESSION_CREATION, OIDC_DIRECT_AUTH, UPDATE_TOKEN, SEND_TOKEN_IN_HEADER);
         }
 
         if (this.googleAuthEnabled) {
@@ -453,11 +470,11 @@ protected FilterChainBuilder getFilterChainBuilder() {
 
         if (this.samlEnabled) {
             filterChainBuilder
-                .addPath("/user/login/saml", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
-                .addPath("/user/login/samlForce", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC_FORCE, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
-                .addPath("/user/saml/callback", SSL, HANDLE_SAML, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
+                    .addPath("/user/login/saml", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+                    .addPath("/user/login/samlForce", SSL, CORS, FORCE_SESSION_CREATION, SAML_AUTHC_FORCE, UPDATE_TOKEN, SEND_TOKEN_IN_URL)
+                    .addPath("/user/saml/callback", SSL, HANDLE_SAML, UPDATE_TOKEN, SEND_TOKEN_IN_URL);
         }
-        
+
         setupProtectedPaths(filterChainBuilder);
 
         return filterChainBuilder.addRestPath("/**");

src/main/java/org/ohdsi/webapi/shiro/management/FilterTemplates.java

@@ -31,6 +31,7 @@ public enum FilterTemplates {
     LDAP_FILTER("ldapFilter"),
     AD_FILTER("adFilter"),
     OIDC_AUTH("oidcAuth"),
+    OIDC_DIRECT_AUTH("oidcDirectAuth"),
     OAUTH_CALLBACK("oauthCallback"),
     HANDLE_UNSUCCESSFUL_OAUTH("handleUnsuccessfullOAuth"),
     HANDLE_CAS("handleCas"),