Common holder for authenticated user information

[heruan]

When authenticating against an OIDC provider with Spring, we can find user information using the Authentication.getPrincipal() method.

The method signature returns a generic Object, so each provider might return different types.

Prototyping with the three selected providers turns out:

• Keycloak [Discovering Keycloak #11] returns an instance of KeycloakPrincipal (which implements Java Security Principal);
• Okta [Discovering Okta #12] and Azure [Discovering Azure #13] return an instance of Spring's OidcUser

To provide a consistent API, we should provide a common holder for these informations, such as a VaadinUser object. An instance of said type would then be filled with informations from each provided and available in the Vaadin session or by bean injection.

[heruan]

Update on this: using only Spring to configure OIDC (no provider's libraries) and setting the correct scopes (profile and openid) we get an instance of OidcUser from all the three providers.

We might still want to provide a Vaadin wrapper for user information, to be used for example with other authentication method (e.g. internal form), but it comes easier to build one from the same interface.

The OIDC standard defines the concept of claim (see spec) as a piece of information that is provided about the user. Several claims are already defined by the standards, and they're all mapped to OidcUser properties (via StandardClaimAccessor).

[heruan]

We should investigate if this way of injecting the authentication principal works in Vaadin views and, if not, why:

@Route("/foo")
public class MyView extends VerticalLayout {

    public MyView(@AuthenticatedPrincipal OidcUser user) {
        // ...
    }
}

The other method to get the user instance is statically from the Authentication object:

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
OidcUser user = (OidcUser) auth.getPrincipal();

Spring's OAuth2LoginConfigurer has also a method to set a login success handler that we can use to get the OidcUser instance and set it somewhere later accessible, like:

        oauth2Login.successHandler((req, res, auth) -> {
                            OidcUser user = (OidcUser) auth.getPrincipal();
                            // set the user somewhere, like req.getSession()
                        });

[heruan]

We could provide accessors to the user object via an injectable context bean, something like:

interface VaadinAuthContext {

   Optional<OidcUser> getAuthenticatedUser();
}

And then expose it in the starter as a bean:

@Configuration
public class VaadinAuthSecurityConfiguration extends VaadinWebSecurity {
    // ...
    @Bean
    public VaadinAuthContext getAuthContext() {
        return () -> Optional.of(SecurityContextHolder.getContext())
                             .map(SecurityContext::getAuthentication)
                             .map(Authentication::getPrincipal)
                             .filter(OidcUser.class::isInstance)
                             .map(OidcUser.class::cast);
    }
}

Then the bean would be injectable in Vaadin views and used to get the authenticated user, e.g.

@Route("/foo")
public class FooView extends VerticalLayout {

    public FooView(VaadinAuthContext authContext) {
        authContext.getAuthenticatedUser().ifPresentOrElse(
            user -> add(new Text("Hello " + user.getFullName())),
            () -> add(new Text("You are not authenticated."));
    }
}