Class OidcMiddleware

java.lang.Object
dev.relism.flash.ext.oidc.OidcMiddleware

public class OidcMiddleware extends Object
Request-level OIDC middleware. Exposed in the FlashContext for manual use on lambda routes; injected automatically for handlers annotated with Authenticated, RolesAllowed or ScopesAllowed.

Resolution order on each request:

  1. Authorization: Bearer ... header — validated via JWKS (JwtValidator).
  2. oidc_session cookie — looked up in OidcSessionStore; transparently refreshed if the access token is expired.
  3. Browser clients (no Accept: application/json) → redirect to {routePrefix}/login?redirect={path}.
  4. API clients → 401.

 // Manual use on a lambda route:
 OidcMiddleware oidc = app.ctx().require(OidcMiddleware.class);
 app.get("/api/me", (req, res) -> ClaimsHolder.claim("sub"), oidc.protect());
 app.delete("/admin/users/{id}", handler, oidc.requireRole("admin"));
 
  • Method Details

    • protect

      public Middleware protect()
      Validates the bearer token or session cookie. Browser clients are redirected to the login page on failure; API clients receive 401.
    • optional

      public Middleware optional()
      Silently populates ClaimsHolder if a valid bearer token or session cookie is present, but never rejects or redirects unauthenticated requests. Use this on public routes that want to personalise the response when the user happens to be logged in (e.g. showing a username on a landing page).
      
       app.get("/", handler, oidc.optional());
       // Inside handler: ClaimsHolder.user() is non-null iff the user is logged in.
       
    • authorize

      public Middleware authorize(dev.relism.flash.ext.oidc.OidcAuthPolicy policy)
      Compiled authorization policy path used by annotation-driven mounting. The policy is immutable and built once at boot.
    • requireRole

      public Middleware requireRole(String... roles)
      Like protect() but also enforces that the caller holds at least one of the given roles (OR semantics). Roles are extracted via OidcConfig.rolesClaimPath().
    • requireScopes

      public Middleware requireScopes(String... scopes)
      Requires all listed scopes to be present in the token. Scopes are resolved from configured claim paths (default: scope,scp).
    • requireAnyScope

      public Middleware requireAnyScope(String... scopes)
      Requires at least one of the listed scopes to be present in the token. Scopes are resolved from configured claim paths (default: scope,scp).
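An added example (not from the Flash project's own documentation) showing how the role and scope variants compose on lambda routes, so that the OR semantics of requireRole/requireAnyScope and the AND semantics of requireScopes sit side by side; the route paths, handler variables and role/scope strings are assumed for illustration, and only the app.get/app.delete and ClaimsHolder calls shown above are used.

```java
// Added example; route paths, handler variables and role/scope names are assumed.
OidcMiddleware oidc = app.ctx().require(OidcMiddleware.class);

// Public landing page: never rejects; ClaimsHolder.user() is null for anonymous callers.
app.get("/",
        (req, res) -> ClaimsHolder.user() == null ? "Welcome, guest" : "Welcome back",
        oidc.optional());

// Any authenticated caller (bearer token or oidc_session cookie); browsers are
// redirected to the login page on failure, API clients receive 401.
app.get("/api/me", (req, res) -> ClaimsHolder.claim("sub"), oidc.protect());

// OR semantics: a caller holding either role may delete a user.
app.delete("/admin/users/{id}", deleteUserHandler, oidc.requireRole("admin", "support"));

// AND semantics: a token carrying only "orders:read" is rejected here ...
app.delete("/api/orders/{id}", cancelOrderHandler,
           oidc.requireScopes("orders:read", "orders:write"));

// ... but accepted here, where any one of the listed scopes suffices.
app.get("/api/orders/{id}", readOrderHandler,
        oidc.requireAnyScope("orders:read", "orders:admin"));
```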