This is a document of Personium Authentication Plugin Developer Manual.
It describes the information necessary for developing Personium's Authentication plugin.
Please refer to Setup Authentication Plugins for details of Authentication Plugin.
This document explains the procedure for creating Authentication plugin.
Method of development
Specifically, the plugin defines the following three points.
- What kind of AccountType value should be handled
- What kind of grant_type value should be handled
- How to evaluate the input parameter values other than grant_type of the token endpoint and what kind of entity should be recognized as a result
In other words, the plugin author implements the above three pieces of information as concrete Java code. Personium further evaluates the authenticated identification subject information (AuthenticatedIdentity object) returned by the Authentication Plugin as the response 3 above from the following point of view, We decide whether or not to issue a token, determine the content of issue token, and issue token.
- Is there an Account with a Name attribute in the string that can be obtained with getAccountName()
- If it exists, whether the type value of 1 above is included in the type value of the hit account
Naturally, the plug-in author should generally implement the "parameter value evaluation" above in 2 so that the access agent goes through the appropriate authentication process. For example, a specific subject (such as a real person who is not a guest etc.) to be originally protected without checking any input value, Creating such a plug-in as to recognize it and placing it in the unit causes serious security problems. Therefore, it is necessary for the plug-in author to implement a secure implementation, and the plug-in user (unit administrator) to use only plug-ins that are believed to be secure.
The following is an example using the google version Authentication Plugin.
Class structure of Plugin
The border part of the creation plug-in is created.
The class structure diagram of Authentication Plugin is shown below.
Note: Return value of authentication processing
- If authentication succeeds, AuthenticatedIdentity is returned.
- If authentication fails, PluginException is thrown or null is returned.
The operation of Authentication Plugin is shown below.
1. Plugin initialization processing PluginManager is called in the PersoniumCoreApplication class and reads all plugins.
2. Call authentication process In the TokenEndPointResouce class, select the target GrantType Plugin. Execute the authenticate method of the selected plugin.
- Personium Plugin can be executed simply by placing it in the Plugins folder.
- The Authenticate Plugin specifies each provider for "auth" and GrantType as Type, and by writing the authenticate method, the target plugin is selected and the authenticate method is executed.
1.Plugin initialization processing
pm = new PluginManager();
Generate the PluginManager class.
2.Call authentication process
Calling authentication process with callAuthPlugins() method.
The method to be implemented is as follows.
- Returns the type of Plugin. Currently only "auth".
- Returns the corresponding grant_type value.
- Returns the Type value of the corresponding account.
- Authentication processing.
Procedure for creating plugin
Please refer to Setup Authentication Plugins.