PUBLIC - Liferay Portal Community Edition / LPS-116678

com.liferay.portal.security.sso.openid.connect.api - APIsation of org.nimbusds.openid.connect.* data

    Details

      Description

      tl;dr The OpenIdConnectProviderRegistry API exposes classes that belong to private packages.

      While I can get the OpenIdConnectProviderRegistry API from this dependency:

      <dependency>
          <groupId>com.liferay</groupId>
          <artifactId>com.liferay.portal.security.sso.openid.connect.api</artifactId>
          <scope>provided</scope>
      </dependency>

      ... OIDCClientMetadata and OIDCProviderMetadata belong to a third-party library that is a private package of the OpenIdConnectProviderRegistry implementation from Liferay.
      We should change something in the Liferay core design here: a Liferay API should not expose a model consisting of private packages; they cannot be used by the consumer of the API.
      In the meantime, it's possible to do a workaround through the creation of an OSGi fragment:

      Fragment-Host: com.liferay.portal.security.sso.openid.connect.impl
      Export-Package:\
          com.nimbusds.openid.connect.sdk.op;version=6.16.2,\
          com.nimbusds.openid.connect.sdk.rp;version=6.16.2

      Same issue with https://github.com/liferay/liferay-portal/blob/master/modules/apps/portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectSessionImpl.java#L98: com.nimbusds.openid.connect.sdk.claims.UserInfo is a useful object when one wants to write a post-login LifeCycleAction. And for the moment, the same Fragment hack would be necessary to access it.
      We'd better have a class in our API model that holds the information from UserInfo without a dependency on the nimbus implementation that could potentially be replaced and should not be made visible.

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            fabian.bouche Fabian Bouché