EndpointInsights/endpoint-insights-api/src/main/java/com/vsp/endpointinsightsapi/config/AuthenticationProperties.java at develop · git-stuff-done/EndpointInsights · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package com.vsp.endpointinsightsapi.config;

import lombok.Data;
import lombok.Getter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.NestedConfigurationProperty;
import org.springframework.stereotype.Component;

import java.util.List;

/**
 * Configuration properties for authentication and authorization settings.
 *
 * <p>Loads values from application.yaml under the {@code app.authentication} prefix.
 * Provides configuration for JWT claim names, role group mappings, and public endpoints.
 *
 * <h2>Example Configuration:</h2>
 * <pre>{@code
 * app:
 *   authentication:
 *     groups:
 *       read: "ei:read"
 *       write: "ei:write"
 *     claims:
 *       username: "preferred_username"
 *       email: "email"
 *       groups: "groups"
 * }</pre>
 *
 * @see com.vsp.endpointinsightsapi.authentication.AuthorizationInterceptor
 */
@Data
@Component
@ConfigurationProperties(prefix = "app.authentication")
public class AuthenticationProperties {

    @NestedConfigurationProperty
    private Groups groups = new Groups();

    @NestedConfigurationProperty
    private Claims claims = new Claims();

    @Getter
    private String callbackUri;

    /**
     * List of additional allowed audiences for JWT validation.
     * The OIDC client ID is always implicitly allowed.
     */
    @Getter
    private List<String> allowedAudiences = List.of();

    /**
     * Group name mappings for role-based access control.
     */
    @Data
    public static class Groups {
        /** Group name for read access */
        private String read = "ei:read";
        /** Group name for write access (includes read) */
        private String write = "ei:write";
    }

    /**
     * JWT claim name mappings.
     */
    @Data
    public static class Claims {
        /** Claim name for username (default: preferred_username) */
        private String username = "preferred_username";
        /** Claim name for email (default: email) */
        private String email = "email";
        /** Claim name for groups list (default: groups) */
        private String groups = "groups";
    }
}