All Classes and Interfaces
Class
Description
Builds an absolute URL for the current server.
Base class for cookie configuration properties classes.
A base class for authorization responses to extend from.
Abstract class to create a Client for client credentials grant.
Base class for
SecureGrant
implementations.Base class for condition implementations.
Base configuration for
CookieConfiguration
implementations.Abstract encryption configuration.
A base class to extend from to log out of an OpenID provider.
Base implementation class for
OutgoingRequestProcessorMatcher
.Binds the authentication object to a route argument.
A base
SecurityRule
class to extend from that provides
helper methods to get the roles from the claims and compare them
to the roles allowed by the rule.Abstract implementation of
TokenAuthenticationFactory
which creates an authentication for a set of claims.A base class that provides getters for common context properties.
Stores the combination of access and refresh tokens.
Contract to generate
AccessRefreshToken
for a particular user.Implementation of
LoginHandler
for Token Based Authentication.Configuration for access tokens.
Access token configuration.
Configuration for the access token cookie.
Triggered when a JWT access token is generated.
Representation of an Address Claim which represents a physical mailing address.
Utility to retrieve beans from the Application Context associated to the AOT Context.
A contract for a class convertible to a map.
A
ConvertibleValues
implementation that uses Attributes
as
the backing data source.ID Token Audience validator.
Validates JWT audience claim contains a configured value.
Provides specific configuration to logout from Auth0.
Represents the state of an authentication.
Binds the authentication object to a route argument.
A runtime exception thrown when authentication fails.
Handles the server response when an
AuthenticationException
is thrown.Signalises an authentication failure and stores the failure reason.
Enums describes the different authentication failures.
Describes a bean which attempts to read an
Authentication
from an HTTP Request being executed.Adapter from
JWTClaimsSet
to Authentication
.Deprecated, for removal: This API element is subject to removal in a future version.
Client Authentication methods constants that are used by Clients to authenticate to the Authorization Server when using the Token Endpoint.
Different authentication strategies shipped with Micronaut Security.
A condition that matches a supplied list of authentication modes.
Defines the Authentication mode being used.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
AuthenticationProvider
for an imperative API or ReactiveAuthenticationProvider
for a reactive API instead.Defines an API to authenticate a user with the given request.
Represents a request to authenticate.
The response of an authentication attempt.
Options for how to handle multiple authentication providers.
An Authenticator operates on several
ReactiveAuthenticationProvider
instances returning the first
authenticated AuthenticationResponse
.Authorization Code Grant Request.
OAuth 2.0 authorization endpoint configuration.
Error codes for an Authentication Error Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP.
Open ID Connect Authentication Error Response.
A runtime exception thrown when a Oauth 2.
An exception handler for
AuthorizationErrorResponseException
.Exception thrown when access to a protected resource is denied.
Responsible for redirecting to an OAuth 2.0 provider
for authentication.
OAuth 2.0 Authorization Request.
OAuth 2.0 Authentication Response.
Authorization Servers.
Authorized party claim validation.
Provides specific configuration to logout from AWS Cognito.
Configuration for basic authentication.
An implementation of
AuthenticationFetcher
that decodes a username
and password from the Authorization header and authenticates the credentials
against any ReactiveAuthenticationProvider
s available.Utility class for Basic Auth.
Encapsulates an Access Token response as described in RFC 6749.
Configuration for the
BearerTokenReader
.Default implementation of
BearerTokenConfiguration
.Reads JWT token from
HttpHeaders.AUTHORIZATION
header.Authentication claims.
Identifies the recipients that the JWT is intended for.
An implementation of the Authentication interface intended to be used
by clients that deserialize token information into an authentication.
Client credentials configuration.
Condition to determine if the client credentials grant is enabled
for a given OAuth 2.0 client.
Factory to create
ClientCredentialsClient
beans.Client Credentials Grant.
Propagates a token obtained via client credentials based off of a header.
HTTP header client credentials token propagation configuration.
An
HttpClientFilter
to add an access token to outgoing request thanks to a Client Credentials request.Responsible for retrieving and writing tokens obtained via a client credentials request.
A token request context for sending a client credentials request to an OAuth 2.0 provider.
Generates a Code Verifier for PKCE.
A security rule implementation backed by the
SecurityConfiguration.getInterceptUrlMap()
.Responsible for mapping the result of LDAP authentication to an
AuthenticationResponse
.Contract for building and closing LDAP contexts.
Implementation of
ContextSettings
that derives its values from
an instance of LdapConfiguration
.Contract to hold settings for creating an LDAP context.
Base configuration for all controllers.
It evaluates to true if micronaut.security.authentication is set to idtoken or cookie.
Abstract class which defines an implementation of
RedirectingLoginHandler
where a redirect response is issued.Nonce persistence with a cookie.
Utility Abstract class for Cookie Persistence.
Persists the Proof of Key Exchange (PKCE) code_verifier value in a cookie.
Stores the last unauthorized URL in a cookie to redirect back to after
logging in.
Persists the state value in a cookie.
Reads the token from the configured io.micronaut.security.token.jwt.cookie.
An annotation for use with Micronaut Data entities that will cause the annotated field to be automatically
populated on save with the identity of the currently authenticated user.
Generates http responses with access and refresh token.
Default implementation of
AuthorizationErrorResponse
.Provides the default behavior for responding to an
AuthorizationException
.Builds an authorization redirect url.
ClientCredentialsClient
for OAuth 2.0 clients which configures the token endpoint information directly.Client for Client Credentials for OAuth 2.0 clients which user open id configuration.
The default token propagator that uses the default header configuration.
DefaultImplementation
of CodeVerifierGenerator
which generates a random code verifier using PkceConfiguration.getEntropy()
.The default implementation to create an
AuthenticationResponse
from a successful
ldap authentication result.Default implementation of
ContextBuilder
.Default implementation of
EndpointConfiguration
.The default implementation of
EndSessionCallbackUrlBuilder
.A controller for the end session endpoint.
Decorates a InterceptUrlPattern}.
Validates the
IntrospectionRequest.getToken()
with the available TokenValidator
.Default implementation of
JwkSetFetcher
for JWKSet
.AOT Optimizations.
Default implementation of
JwkValidator
which uses a JSON Web Signature (JWS) verifier.Extracts the JWT claims and uses the
AuthenticationJWTClaimsSetAdapter
to construction an Authentication
object.Default implementation of
LdapGroupProcessor
.Default implementation of
LdapSearchService
.Configuration properties implementation of nonce validation configuration.
Generates a random UUID nonce.
The default implementation of
AuthorizationResponse
for
OAuth 2.0 provider authorization responses.Default implementation of
OauthAuthorizationResponseHandler
.The default implementation of
OauthClient
.Default implementation of
OauthController
.Default implementation of
OauthRouteUrlBuilder
.The default implementation of
OpenIdAuthenticationMapper
that uses
the subject claim for the username and populates the attributes with the
non JWT standard claims.Default implementation of
OpenIdAuthorizationResponseHandler
.The default implementation of
OpenIdClient
.Builder.
Default implementation of
OpenIdProviderMetadataFetcher
.AOT Optimizations.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
DefaultReactiveOpenIdTokenResponseValidator
insteadGenerates a Proof Key for Code Exchange and persists.
Default implementation of
ProviderResolver
.Get redirection URLs combining context path and redirect configuration.
Default implementation of
RolesFinder
.The default implementation of
SecureEndpoint
.Default implementation of
SecureEndpointConfiguration
.Default implementation of
SecurityService
.Default state implementation.
Configuration properties implementation of state validation configuration.
A default state provider that stores the original
request URI to redirect back to after authentication.
State validator implementation.
The default implementation of
TokenEndpointClient
.Default implementation of
TokenResolver
.OpenID connect Display parameter.
Elliptic curve encryption configuration.
Creates
EncryptionConfiguration
for each ECEncryptionConfiguration
bean.Elliptic curve signature.
Elliptic curve signature configuration.
Creates
SignatureConfiguration
for each ECSignatureConfiguration
bean.Elliptic curve signature generator.
Elliptic curve signature generation configuration.
Creates
SignatureGeneratorConfiguration
for each ECSignatureGeneratorConfiguration
bean.Encryption configuration.
Converts a string to an
EncryptionMethod
.An OAuth 2.0 provider endpoint.
Endpoint configuration contract.
A contract for generating the URL used by OpenID
providers to redirect back to after logging the user out.
OpenID end session configuration.
Handles a log out request that redirects to an OpenID provider.
Represents the end session endpoint of an OpenID provider.
End session endpoint configuration.
Responsible for resolving which end session request to use for a given OpenID client configuration.
OAuth 2.0.
OAuth 2.0 Error Response.
An
AuthenticationProvider
which forces you to define the executor to be used.Validate JWT is not expired.
Failed Authentication Scenario.
Configuration about where to redirect if forbidden.
A generated file.
Any
JwtTokenValidator
which should be verified for any JWT should implement this interface.The OAuth 2.0 grant types.
Implementation of
SearchSettings
that derives values from an
instance of LdapConfiguration.GroupConfiguration
.Implementation of
JwksClient
that uses the Micronaut HttpClient
.Propagates a token based off of a header.
HTTP header token propagation configuration.
Http header token propagation configuration.
Reads a token from an HTTP request and removes prefix from HTTP Header Value.
AuthenticationProvider
for HttpRequest
.ExecutorAuthenticationProvider
for HttpRequest
.ReactiveAuthenticationProvider
for HttpRequest
.For
AuthenticationMode.IDTOKEN
authentication mode performs the following verification as described in the OpenID Connect Spec.Resolves a Id Token Hint.
Sets
CookieLoginHandler
`s cookie value to the idtoken received from an authentication provider.Decorates a
InterceptUrlMapPattern
.Encapsulates the configuration of
IntrospectionController
.Introspection endpoint configuration.
Given a
IntrospectionRequest
generates a IntrospectionResponse
.A parameter representing the token along with optional parameters representing
additional context that is known by the protected resource to aid the authorization server in its response.
Exception thrown if authorization response state parameter validation fails.
A security rule implementation backed by the
SecurityConfigurationProperties.getIpPatterns()
()}.The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
Validates JWT issuer claim matches a configured value.
A single ASCII error code as described in Issuing an Access Token - Error Response section of OAuth 2.0 spec.
Jackson based implementation for state serdes.
Allows using the
DenyAll
annotation in Micronaut.Allows using the
PermitAll
annotation in Micronaut.Allows using the
RolesAllowed
annotation in Micronaut.Decrypts an encrypted token.
JSON Web Token (JWT) parser.
API to validate the signature of a JSON Web Token with beans of type
SignatureConfiguration
.JSON Web Token (JWT) validator.
Generates the "jti" (Token ID) claim, which provides a unique identifier for the token.
Converts a string to a
JWEAlgorithm
.Defines an interface for JSON Web Key (JKW) providers.
Designates a class which caches a Json Web Key Set which may typically be fetched from a remote authorization server.
Client for loading Json Web Key Set content over http.
Fetch a Json Web Key Set by a given url.
SignatureConfiguration
backed by a JWKSet
.Optimization to fetch Json Web Key Set at build time.
Deprecated, for removal: This API element is subject to removal in a future version.
Not used.
JSON Web Key Set Configuration.
JSON Web Key Set (JWKS) Signature Configuration properties holder.
Utility class to verify signatures with a
JWKSet
.Factory to create
ReactiveJwksSignature
beans for the OpenIdProviderMetadata.getJwksUri()
of OpenID clients.Validates a JWT signature with a JSON Web Key (JWK).
Converts a string to a
JWSAlgorithm
.Creates an
Authentication
object from a JWT token.JWT bearer assertion grant.
Adapts from
JWTClaimsSet
to Claims
.Utils class to instantiate a JWClaimsSet give a map of claims.
Provides a contract to create custom JWT claims validations.
Configuration to enable or disable beans of type
JwtClaimsValidator
.ConfigurationProperties
implementation of JwtClaimsValidatorConfiguration
.Represents configuration of the JWT token.
JwtConfiguration
implementation.An implementation of
OpenIdClaims
backed by an JWTClaimsSet
.JWT Token Generation.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
ReactiveJsonWebTokenValidator
instead.Deprecated, for removal: This API element is subject to removal in a future version.
Use
JsonWebTokenValidator
or ReactiveJsonWebTokenValidator
instead.A builder for
JwtValidator
.Provides specific configuration to logout from Keycloak.
Endpoint which exposes a JSON Web Key Set built with the JWK provided by
JwkProvider
beans.Encapsulates the configuration of
KeysController
.Configures the
KeysController
.Converts a string to a
KeyType
.Authenticates against an LDAP server using the configuration provided through
LdapConfiguration
.Factory to create an LDAP authentication provider if the configuration is enabled.
Configuration for LDAP authentication.
The context configuration.
The group configuration.
The user search configuration.
Condition to enable the LDAP authentication provider.
Contract to allow the list of groups returned from LDAP to be transformed
and appended to from other sources.
Contains the data returned from an LDAP search.
Contract for searching LDAP using an existing context.
Utility methods to avoid verbosity of logging statements.
Handles login requests.
Encapsulates the configuration of
LoginController
.Event triggered when an unsuccessful login takes place.
Defines how to respond to a successful or failed login attempt.
Resolves a LoginHint.
Event triggered when a successful login takes place.
Encapsulates the configuration of
LogoutController
.Implementation of
LogoutControllerConfiguration
used to configure the LogoutController
.Event triggered when the user logs out.
Responsible for logging the user out and returning
an appropriate response.
Utility class to mock authentication scenarios.
Represents a mutable state object.
Adapts from
SignatureConfiguration
to ReactiveSignatureConfiguration
.Responsible for validating the nonce claim.
Configuration options for nonce validation.
Generates a nonce.
Persists the nonce for later retrieval necessary for validation.
Validate current time is not before the not-before claim of a JWT token.
A contract for mapping an OAuth 2.0 token endpoint response to a
AuthenticationResponse
object.Configuration for Authorization Endpoint Configuration.
A marker contract to denote a given authorization request is
not part of the OpenID standard.
A marker interface for normal OAuth 2.0 authorization responses.
Responsible for handling the authorization callback response
from an OAuth 2.0 provider.
A contract for an OAuth 2.0 client.
Condition to create an
OauthClient
.OAuth 2.0 client configuration.
Stores configuration of each configured OAuth 2.0 client.
OAuth 2.0 authorization endpoint configuration.
Client credentials configuration.
Client credentials http header token propagation configuration.
Introspection endpoint configuration.
OpenID client configuration.
Authorization endpoint configuration.
End session endpoint configuration.
Registration endpoint configuration.
Token endpoint configuration.
User info endpoint configuration.
Revocation endpoint configuration.
OAuth 2.0 token endpoint configuration.
A token request context for sending an authorization
code grant request to an OAuth 2.0 provider.
OAuth 2.0 Configuration.
ConfigurationProperties
implementation of OauthClientConfiguration
.OpenID configuration.
Claims configuration.
Claims Validator configuration.
End session configuration.
A controller that handles token refresh.
Responsible for OAuth 2.0 authorization redirect, authorization
callback, and end session redirects.
Encapsulates the configuration of
OauthController
.Configures the provided
OauthController
.An Runtime exception which implements
ErrorResponse
.Returns an application/json response for a
OauthErrorResponseException
with status 400.Deprecated, for removal: This API element is subject to removal in a future version.
Use
ReactiveOauthPasswordAuthenticationProvider
instead.A token request context for sending a password grant
request to an OAuth 2.0 provider.
Responsible for building URLs to routes the client will receive.
A single ASCII error code as described in Obtaining Authorization - Error Response seciton of OAuth 2.0 spec.
Provides specific configuration to logout from Okta.
Configuration for additional claims to be added to the
resulting JWT created from an OpenID authentication.
Responsible for converting an OpenID token response to
a
Authentication
representing the authenticated user.The OpenID extensions to the standard OAuth 2.0 authorization request.
An extension of
AuthorizationResponse
that allows for
retrieval of the persisted nonce value.Responsible for handling the authorization callback response
from an OpenID provider.
ID Token.
Configuration to determine if a claim validation is enabled.
JWT Claims Validator for ID Token.
Extends the
OauthClient
with OpenID specific functionality.Condition to create an
OpenIdClient
.Configuration for an OpenID client.
A token request context for sending an authorization
code grant request to an OpenID provider.
Configuration for OpenID not specific to a client.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
ReactiveOpenIdPasswordAuthenticationProvider
instead.A token request context for sending a password grant
request to an OpenID provider.
Metadata describing the configuration of OpenID Providers.
Fetches OpenIdProviderMetadata for a
OpenIdClientConfiguration
.Optimization to fetch OpenID Configuration at build time.
OpenID Connect scope values.
Id Token Access Token Response.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
ReactiveOpenIdTokenResponseValidator
instead.Resource Owner Password Credentials Grant.
Condition to enable the password grant authentication flow for an OAuth provider.
Base configuration for persistable endpoints.
Proof Key for Code Exchange.
Proof Key for Code Exchange Challenge.
Configuration for PKCE.
Configuration properties implementation of PKCE.
API to Build/Persist a PKCE (Proof Key for Code Exchange).
Persists the Proof of Key Exchange (PKCE) for later retrieval.
Pkce generator for plain challenge method.
Responsible for binding a
Principal
to a route argument.Keep track of state before login.
OpenID connect prompt parameter.
Resolves the OAuth 2.0 provider that authenticated the logged in user.
Utility class to get the name qualifier value.
Defines a reactive authentication provider.
Deprecated, for removal: This API element is subject to removal in a future version.
Reactive API to validate the signature of a JSON Web Token with beans of type
ReactiveSignatureConfiguration
and SignatureConfiguration
.Reactive JSON Web Token (JWT) validator.
Signature configuration which enables verification of remote JSON Web Key Set.
An
ReactiveAuthenticationProvider
that delegates to an OAuth 2.0 provider using the
password grant flow.An
ReactiveAuthenticationProvider
that delegates to an OpenID provider using the
password grant flow.Validates an OpenID token response.
Reactive Signature Configuration.
ConfigurationProperties
implementation of RedirectConfiguration
.Forbidden redirect configuration.
Forbidden redirect configuration.
Unauthorized redirect configuration.
A marker contract to indicate the login handler
returns redirecting responses.
Get redirection URLs combining context path and redirect configuration.
Configuration about where to redirect after a successful refresh request.
Configuration for the
SignedRefreshTokenGenerator
.ConfigurationProperties
implementation of RefreshTokenConfiguration
to configure SignedRefreshTokenGenerator
.Configuration for the refresh token cookie.
Triggered when a JWT refresh token is generated.
Responsible for generating refresh tokens.
Refresh Token Grant.
Responsible for persisting refresh tokens and retrieving
user details by a refresh token.
Responsible for validating a refresh token
is in a valid format.
Implementation of
JwksClient
that uses the Nimbus library's built-in com.nimbusds.jose.util.ResourceRetriever
interface.Authentication Flows response types.
Revocation endpoint configuration.
Retrieves roles from token claims.
RSA encryption configuration.
Creates
EncryptionConfiguration
for each RSAEncryptionConfiguration
bean.RSA signature.
Encapsulates RSA Signature Configuration.
Creates
SignatureConfiguration
for each RSASignatureConfiguration
bean.RSA signature Generator.
Encapsulates RSA Signature Generation Configuration.
Creates
SignatureGeneratorConfiguration
for each RSASignatureGeneratorConfiguration
bean.SHA-256 based PKCE Generator.
SAML 2.0 bearer assertion grant.
Implementation of
SearchSettings
that derives values from an
instance of LdapConfiguration.SearchConfiguration
.Generic functional interface that returns a list of search
results from LDAP.
Contract to provide settings to search LDAP.
Secret encryption configuration.
Encapsulates Secret Encryption Configuration.
Creates
EncryptionConfiguration
for each SecretEncryptionConfiguration
bean.Create a
ConfigurationProperties
bean for each sub-property of micronaut.security.token.jwt.signatures.secret.*.Used to mark a route as requiring authorization before execution.
Security rule implementation for the
Secured
annotation.Context for supporting
Secured
annotation expressions with object references.Registers Security Evaluation Context.
A contract for an endpoint that requires authentication.
Configuration extension of
EndpointConfiguration
for endpoints which require authentication.A contract for a grant that requires authentication.
An implementation of
HashMap
that also implements SecureGrant
.Defines security configuration properties.
Stores configuration for JWT.
Base class for security events.
Security Filter.
Configuration for
SecurityFilter
.ConfigurationProperties
implementation of SecurityFilterConfiguration
.Informs the
SecurityFilter
filter what to do with the given request.The result of a security rule check.
Provides a set of convenient methods related to authentication and authorization.
Session-based Authentication configuration.
Registers security
TypeConverter
s.Finds any sensitive endpoints and processes requests that match their
id.
An implementation of the
Authentication
interfaced intended to
be used on the server side to create authentication objects from
user data found through any means.Utility methods to prepend a URL with the context path provided via
ServerContextPathProvider
.Attempts to retrieve an instance of
Authentication
from Session
.A condition to check for session authentication mode.
A
RedirectingLoginHandler
implementation for session based authentication.LogoutHandler
implementation for Session-Based Authentication.Persists the state in the session.
Persists the Proof of Key Exchange (PKCE) code_verifier in the session.
Persists the state in the session.
Condition
which evaluates to true if SHA-256 algorithm is supported.Signature configuration.
Signature Generator configuration.
The default implementation of
RefreshTokenGenerator
and RefreshTokenValidator
.Represents the state sent in the authorization request and returned in the authorization response.
State retrieval.
Base class to extend from that handles state retrieval and caching.
Generates a state parameter.
Persists the state for later retrieval necessary for validation.
Responsible for serialization and de-serialization of the state.
Configuration options for state validation.
Validates a state parameter.
Creates a
SignatureConfiguration
per bean of type StaticJwksSignatureConfiguration
.Configuration JSON Web Key Sets defined as static resources.
Creates a bean of type
StaticJwksSignatureConfiguration
per `micronaut.security.token.jwt.signatures.jwks-static.*`.Validate JWT subject claim is not null.
Successful authentication scenario.
Creates an
Authentication
object from a token.Attempts to retrieve a token form the
HttpRequest
and if existing validated.Defines Security Token Configuration.
Defines Security Token Configuration.
Clears the cookie configured via
CookieLoginHandler
.Represents configuration for a cookie that will store a token.
Deprecated, for removal: This API element is subject to removal in a future version.
Use
CookieTokenReader
instead.Responsible for sending requests to a token endpoint.
TokenEndpoint Configuration.
Represent the response of an authorization server to an invalid access token request.
Responsible for generating token strings.
Token propagation Configuration.
Token Propagation Configuration Properties.
HttpClientFilter
to enable Token propagation.Responsible for retrieving and writing tokens for the purpose
of propagation between services.
Responsible for reading the token data from a request.
Encapsulate the request to get a new access token.
Responsible for converting token information to an
AccessRefreshToken
.Represents the context of a token endpoint request.
Returns the token from the provided request.
Represent the response of an authorization server to a valid access token request.
Triggered when a token is validated.
Responsible for token validation and claims retrieval.
Configuration about where to redirect if unauthorized.
An annotation for use with Micronaut Data entities that will cause the annotated field to be automatically
populated on both save and update with the identity of the currently authenticated user.
An Authentication derived from an X509Certificate.
Binds the authentication if it's an
X509Authentication
to a route argument.Creates an Authentication if an X.509 client certificate is present and a
name (CN) can be extracted.
X.509 authentication configuration.
Configuration for X.509 authentication.
AuthenticationMethods
constants instead.