Annotation Interface OpenIdAuthenticationMechanismDefinition


@Target({TYPE,METHOD}) @Retention(RUNTIME) @Repeatable(OpenIdAuthenticationMechanismDefinition.List.class) public @interface OpenIdAuthenticationMechanismDefinition
Annotation used to define a container authentication mechanism that implements the Authorization Code flow and Refresh Tokens as defined by the OpenId Connect specification, and makes that implementation available as an enabled CDI bean.

Attributes on this annotation make up the OpenID Connect client configuration. Expression Language expressions in attributes of type String are evaluated, so values such as the client identifier and client secret can be resolved at runtime (for example from a CDI bean or configuration) instead of being hard-coded in the annotation.

The mechanism can make use of the UserInfo endpoint (step 6 in the diagram below) for retrieving additional claims about the user.
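The following is an added example of how the annotation is applied to a protected servlet; it is not code from the Jakarta Security Javadoc. The attribute names (providerURI, clientId, clientSecret, redirectURI, scope, useNonce, claimsDefinition) and the ClaimsDefinition/OpenIdContext types are assumed from Jakarta Security 3.0 and should be checked against this annotation's attribute list; the provider URL, the oidcConfig bean and the environment variable names are hypothetical.

```java
// Added example, not part of the Javadoc. Attribute names are assumed from
// Jakarta Security 3.0; the provider URL and the oidcConfig bean are hypothetical.
package example;

import jakarta.annotation.security.DeclareRoles;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.openid.ClaimsDefinition;
import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@OpenIdAuthenticationMechanismDefinition(
    // Hypothetical OP; the mechanism reads <providerURI>/.well-known/openid-configuration
    providerURI = "https://login.example.org",
    // EL expressions: evaluated at runtime, so the secret never lives in the class file
    clientId = "${oidcConfig.clientId}",
    clientSecret = "${oidcConfig.clientSecret}",
    // ${baseURL} is resolved by the container; the full URI must match what is registered at the OP
    redirectURI = "${baseURL}/Callback",
    scope = {"openid", "profile", "email"},
    // Bind the ID token to this login attempt (replay protection)
    useNonce = true,
    // Which claims become the caller name and the caller's groups
    claimsDefinition = @ClaimsDefinition(
        callerNameClaim = "preferred_username",
        callerGroupsClaim = "groups"))
@WebServlet("/protected")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
@DeclareRoles({"user", "admin"})
public class ProtectedServlet extends HttpServlet {

    @Inject
    private SecurityContext securityContext;

    // RP-side view of the tokens obtained in steps (4) to (6) of the flow
    @Inject
    private OpenIdContext openIdContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("caller: " + securityContext.getCallerPrincipal().getName());
        resp.getWriter().println("subject: " + openIdContext.getSubject());
        // Never echo the raw access or ID token back to the browser; only report presence.
        resp.getWriter().println("has access token: " + (openIdContext.getAccessToken() != null));
    }
}

// Hypothetical bean referenced by the EL expressions above. Reading the values
// from the environment keeps the client secret out of source control.
@Named("oidcConfig")
@ApplicationScoped
class OidcConfig {
    public String getClientId() {
        return System.getenv("OIDC_CLIENT_ID");
    }

    public String getClientSecret() {
        return System.getenv("OIDC_CLIENT_SECRET");
    }
}
```

Because the redirect URI is compared exactly by the provider, register the resolved value of `${baseURL}/Callback` (scheme, host, port and path) at the OP; a mismatch shows up as an error at step (3) rather than as a configuration error in the application.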

Note that in the OpenID terminology the authentication mechanism becomes a "Relying Party" (RP) that redirects the "End-User" (caller) to an "OpenId Connect Provider" (Identity Provider). Authentication takes place between the user and the Identity Provider, where the result of this authentication is communicated back to the authentication mechanism.

This is depicted in the following non-normative diagram:

  +--------+                                                       +--------+
  |        |                                                       |        |
  |        |---------------(1) Authentication Request------------->|        |
  |        |                                                       |        |
  |        |       +--------+                                      |        |
  |        |       |  End-  |<--(2) Authenticates the End-User---->|        |
  |   RP   |       |  User  |                                      |   OP   |
  |        |       +--------+                                      |        |
  |        |                                                       |        |
  |        |<---------(3) Returns Authorization code---------------|        |
  |        |                                                       |        |
  |        |---------(3b)                                          |        |
  |        |           | Redirect to original resource (if any)    |        |
  |        |<----------+                                           |        |
  |        |                                                       |        |
  |        |------------------------------------------------------>|        |
  |        |   (4) Request to TokenEndpoint for Access / Id Token  |        |
  | OpenId |<------------------------------------------------------| OpenId |
  | Connect|                                                       | Connect|
  | Client | ----------------------------------------------------->|Provider|
  |        |   (5) Fetch JWKS to validate ID Token                 |        |
  |        |<------------------------------------------------------|        |
  |        |                                                       |        |
  |        |------------------------------------------------------>|        |
  |        |   (6) Request to UserInfoEndpoint for End-User Claims |        |
  |        |<------------------------------------------------------|        |
  |        |                                                       |        |
  +--------+                                                       +--------+
 

Because of the way this authentication mechanism and protocol work, there is no requirement to explicitly define an identity store. However, the authentication mechanism MUST still validate the token received from the "TokenEndpoint" by calling the IdentityStoreHandler, rather than validating it in isolation. This is what allows extra identity stores and/or a custom IdentityStoreHandler to participate in the final authentication result (e.g. adding extra groups to the caller on top of those taken from the token).
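As an added example of the extra-identity-store participation described above (not code from the Javadoc): an application-scoped IdentityStore that only declares ValidationType.PROVIDE_GROUPS, so it never validates credentials itself but contributes groups once the token has been validated through the IdentityStoreHandler. The sample group table is constructed for the example; the merging of its groups with those from the validating store relies on the default IdentityStoreHandler behaviour defined by Jakarta Security.

```java
// Added example, not part of the Javadoc. The EXTRA_GROUPS table is constructed
// sample data; a deployment would read it from a database or directory.
package example;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import java.util.Map;
import java.util.Set;

@ApplicationScoped
public class LocalGroupsIdentityStore implements IdentityStore {

    // Constructed sample mapping from caller name to locally managed groups.
    private static final Map<String, Set<String>> EXTRA_GROUPS = Map.of(
        "alice", Set.of("admin"),
        "bob", Set.of("auditor"));

    @Override
    public Set<ValidationType> validationTypes() {
        // PROVIDE_GROUPS only: this store cannot authenticate anyone by itself, so it
        // cannot be used to bypass the OpenID Provider; it is consulted only after a
        // validating store (here the OpenID mechanism's) has returned VALID.
        return Set.of(ValidationType.PROVIDE_GROUPS);
    }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        // Defensive: never add groups to a result that is not VALID.
        if (validationResult.getStatus() != CredentialValidationResult.Status.VALID) {
            return Set.of();
        }
        String caller = validationResult.getCallerPrincipal().getName();
        // Return only the additional groups; the default IdentityStoreHandler merges
        // them with the groups the validating store took from the token's groups claim.
        return EXTRA_GROUPS.getOrDefault(caller, Set.of());
    }

    @Override
    public int priority() {
        // Higher number = consulted later, after the token-validating store.
        return 200;
    }
}
```

If the deployment replaces the default handler with a custom IdentityStoreHandler, that handler decides whether and how PROVIDE_GROUPS stores are consulted, so the merge described in the comment must be re-checked against its implementation.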