Class OidcUser

java.lang.Object
dev.relism.flash.ext.oidc.OidcUser

public final class OidcUser extends Object
Type-safe view over the JWT claims stored in ClaimsHolder.

Obtainable from any protected context via ClaimsHolder.user(). Class-based handlers that extend the SessionHandler hierarchy already have a provisioned DB user in currentUser; OidcUser complements that by giving access to the raw OIDC claims when needed, and is the primary API for lambda routes.


 // Lambda route (OidcMiddleware injected):
 app.get("/api/whoami", (req, res) -> {
     OidcUser u = ClaimsHolder.user();
     return Map.of("sub", u.sub(), "email", u.email(), "roles", u.roles("realm_access.roles"), "scopes", u.scopes());
 }, oidcMw.protect());

 // Class-based handler (currentUser is the DB entity; oidcUser() for raw claims):
 protected Object handleAuthenticated(Request req, Response res) throws Exception {
     OidcUser u = oidcUser();           // same as ClaimsHolder.user()
     return json(res, currentUser);     // DB entity — provisioned from OIDC sub
 }
 
  • Method Details

    • sub

      public String sub()
      Subject identifier — unique, stable user ID issued by the provider.
    • email

      public String email()
      User's email address (email claim).
    • username

      public String username()
      Human-readable username (preferred_username claim).
    • name

      public String name()
      Full display name (name claim).
    • roles

      public List<String> roles(String claimPath)
      Extracts the roles list by traversing a dot-separated claim path.

      Example paths:

      • "realm_access.roles" — Keycloak realm roles
      • "resource_access.my-client.roles" — Keycloak client roles
      • "groups" — Authelia / generic IdPs
      Returns:
      list of role strings, or an empty list if the path doesn't exist
    • hasRole

      public boolean hasRole(String claimPath, String role)
      Returns true if the user holds role at the given claim path.
    • scopes

      public List<String> scopes()
      Resolves OAuth2 scopes from the standard OIDC/OAuth claims, checking scope first and falling back to scp. Supports both the space-separated string form and the list form.
    • scopes

      public List<String> scopes(String claimPaths)
      Resolves scopes from comma-separated claim paths (example: "scope,scp,permissions.scopes").
    • hasScope

      public boolean hasScope(String scope)
      Returns true if the user has scope, searching the default claim paths scope and scp.
    • hasScope

      public boolean hasScope(String claimPaths, String scope)
      Returns true if the user has scope in any of claimPaths.
    • claim

      public <T> T claim(String key, Class<T> type)
      Returns the value of any claim, cast to T.
      Throws:
      ClassCastException - if the stored value is not assignable to type
    • claim

      public Object claim(String key)
      Returns the raw claim value, or null if absent.
    • claims

      public Map<String,Object> claims()
      Escape hatch — returns the full unmodified claims map.
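
The following standalone Java 17 program is an added illustration, not code from the library: it re-implements the documented dot-path traversal and scope fallback over a constructed claims map so the behaviour of roles, hasRole and scopes can be seen without an identity provider. The rule that the first comma-separated path holding a value wins is an assumption of this example.

```java
import java.util.List;
import java.util.Map;

// Added illustration (not the library's code) of the documented claim-path semantics.
public final class OidcClaimsDemo {

    // Traverses a dot-separated path ("resource_access.my-client.roles") through nested maps.
    // A missing segment yields null, so callers fall back to an empty result (fail closed).
    static Object traverse(Map<String, Object> claims, String path) {
        Object current = claims;
        for (String segment : path.split("\\.")) {
            if (!(current instanceof Map<?, ?> map)) return null;
            current = map.get(segment);
            if (current == null) return null;
        }
        return current;
    }

    // roles(claimPath): the list at the path, or an empty list if absent or not a list.
    static List<String> roles(Map<String, Object> claims, String claimPath) {
        Object value = traverse(claims, claimPath);
        if (value instanceof List<?> list) return list.stream().map(String::valueOf).toList();
        return List.of();
    }

    // scopes(claimPaths): first comma-separated path holding a value wins (assumed order);
    // both a space-separated string ("openid profile") and a JSON list are accepted.
    static List<String> scopes(Map<String, Object> claims, String claimPaths) {
        for (String path : claimPaths.split(",")) {
            Object value = traverse(claims, path.trim());
            if (value instanceof String s && !s.isBlank()) return List.of(s.trim().split("\\s+"));
            if (value instanceof List<?> list) return list.stream().map(String::valueOf).toList();
        }
        return List.of();
    }

    public static void main(String[] args) {
        // Constructed claims resembling a Keycloak token; the "scope" claim is deliberately absent.
        Map<String, Object> claims = Map.of(
                "sub", "example-subject",
                "realm_access", Map.of("roles", List.of("user")),
                "resource_access", Map.of("my-client", Map.of("roles", List.of("admin"))),
                "scp", List.of("openid", "profile"));

        System.out.println(roles(claims, "realm_access.roles"));              // realm roles only
        System.out.println(roles(claims, "resource_access.my-client.roles")); // client roles only
        System.out.println(roles(claims, "groups"));                          // absent path: empty
        // A client role named "admin" does not satisfy a realm-role check; the paths differ.
        System.out.println(roles(claims, "realm_access.roles").contains("admin"));
        System.out.println(scopes(claims, "scope,scp"));                      // falls back to scp
    }
}
```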