Interface OidcConfiguration

All Known Implementing Classes:
CognitoOidcConfiguration, IdentityCenterOidcConfiguration

public interface OidcConfiguration
OIDC configuration for application-level authentication.

This interface provides OIDC endpoints and credentials for integrating CloudForge-managed authentication (Cognito, IAM Identity Center) with application-level authentication systems.

Supported Applications:

  • Jenkins (via OIDC plugin)
  • GitLab (built-in OIDC)
  • Grafana (built-in OIDC)
  • SonarQube (OIDC plugin)
  • Nexus (OIDC support)

CloudForge 3.0.0: Universal Authentication Integration

Method Details

    • getProviderType

      String getProviderType()
      Returns the OIDC provider type.
      Returns:
      provider type (cognito, identity-center, external)
    • getIssuerUrl

      String getIssuerUrl()
      Returns the OIDC issuer URL. This is the base URL for the OIDC provider.

      Examples:

      • Cognito: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
      • Identity Center: https://{tenant}.awsapps.com/start
      Returns:
      issuer URL
    • getAuthorizationEndpoint

      String getAuthorizationEndpoint()
      Returns the OIDC authorization endpoint.

      This is where users are redirected to authenticate.

      Returns:
      authorization endpoint URL
    • getTokenEndpoint

      String getTokenEndpoint()
      Returns the OIDC token endpoint.

      This is where applications exchange authorization codes for tokens.

      Returns:
      token endpoint URL
    • getUserInfoEndpoint

      String getUserInfoEndpoint()
      Returns the OIDC userinfo endpoint.

      This is where applications retrieve user profile information.

      Returns:
      userinfo endpoint URL
    • getJwksUri

      String getJwksUri()
      Returns the OIDC JWKS (JSON Web Key Set) endpoint.

      This is where applications retrieve public keys to verify JWT signatures.

      Returns:
      JWKS endpoint URL
    • getLogoutEndpoint

      default String getLogoutEndpoint()
      Returns the OIDC logout endpoint.

      For Cognito, this is: https://{domain}.auth.{region}.amazoncognito.com/logout

      The full logout URL requires client_id and logout_uri parameters.

      Returns:
      logout endpoint URL (may be null if not supported)
    • getClientId

      String getClientId()
      Returns the OAuth 2.0 client ID.

      This is the application identifier registered with the OIDC provider.

      Returns:
      client ID
    • getClientSecretArn

      String getClientSecretArn()
      Returns the AWS Secrets Manager ARN for the client secret.

      The client secret is stored securely in AWS Secrets Manager. Applications retrieve it at runtime using IAM permissions.

      Returns:
      Secrets Manager ARN for client secret
    • getRedirectUrl

      String getRedirectUrl()
      Returns the redirect URL for this application.

      This is the callback URL where the OIDC provider redirects after authentication. Typically: https://{application-domain}/oauth2/callback or similar.

      Returns:
      redirect URL
    • getScopes

      String getScopes()
      Returns the OAuth 2.0 scopes requested by this application.

      Common scopes: openid, profile, email, groups

      Returns:
      space-separated list of scopes
    • getUsernameClaim

      String getUsernameClaim()
      Returns the claim name for username mapping.

      This JWT claim is used as the application username.

      Common values: preferred_username, email, sub

      Returns:
      username claim name
    • getFullNameClaim

      default String getFullNameClaim()
      Returns the claim name for the user's full name.

      Common values: name, full_name

      Returns:
      full name claim name (optional)
    • getEmailClaim

      default String getEmailClaim()
      Returns the claim name for the user's email address.

      Common values: email

      Returns:
      email claim name (optional)
    • getGroupsClaim

      default String getGroupsClaim()
      Returns the claim name for group membership.

      This is used for role-based access control in applications.

      Common values: cognito:groups, groups

      Returns:
      groups claim name (optional)
    • isAutoCreateUsers

      default boolean isAutoCreateUsers()
      Returns whether to automatically create users on first login.

      Most applications support auto-provisioning via OIDC.

      Returns:
      true if users should be auto-created
    • getAdminGroupName

      default String getAdminGroupName()
      Returns the admin group name for role mapping.

      Users in this group receive admin privileges in the application.

      Returns:
      admin group name (optional)
    • getDeveloperGroupName

      default String getDeveloperGroupName()
      Returns the developer group name for role mapping.

      Users in this group receive build and configure permissions in the application.

      Returns:
      developer group name (optional)
    • getViewerGroupName

      default String getViewerGroupName()
      Returns the viewer group name for role mapping.

      Users in this group receive read-only permissions in the application.

      Returns:
      viewer group name (optional)
    • usePkce

      default boolean usePkce()
      Returns whether to use PKCE (Proof Key for Code Exchange).

      PKCE is recommended for enhanced security, especially for public clients.

      Returns:
      true if PKCE should be used
    • getAdditionalProperties

      default Map<String,String> getAdditionalProperties()
      Returns additional OIDC configuration properties.

      Application-specific OIDC settings can be passed here.

      Returns:
      map of additional properties
    • getApplicationUrl

      default String getApplicationUrl()
      Returns the application root URL.

      This is the base URL where the application is accessible (e.g., https://jenkins.example.com). Used by applications to configure their root URL for features like email notifications, PR status updates, and environment variables like BUILD_URL.

      Returns:
      application root URL (may be null if not configured)
    • isGroupBasedAccessEnabled

      default boolean isGroupBasedAccessEnabled()
      Returns whether group-based access control is enabled.

      When false, applications should grant full access to all authenticated users rather than using group-based permissions. This is useful when Cognito groups are not created (cognitoCreateGroups = false).

      Returns:
      true if group-based access control is enabled, false for open access
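The following Java class is an added example, not CloudForge's own code, of how an application consumes getAuthorizationEndpoint(), getClientId(), getRedirectUrl(), getScopes() and usePkce() to start a login, and then getTokenEndpoint() plus the saved state and PKCE verifier to exchange the returned code. It assumes the OidcConfiguration interface documented above is on the classpath; the class name AuthorizationRequestBuilder, the record PendingLogin and every endpoint, ARN and client-id value in main are placeholders invented for the demo.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Builds the authorization-code request from an OidcConfiguration, adding a PKCE S256
 * challenge (RFC 7636) when usePkce() is true, and the token request body for the callback.
 * Added example, not CloudForge code; assumes OidcConfiguration is on the classpath.
 */
public final class AuthorizationRequestBuilder {

    /** Kept in the server-side session until the provider redirects back. */
    public record PendingLogin(String authorizeUrl, String state, String codeVerifier) {}

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    public static PendingLogin begin(OidcConfiguration config) {
        String state = B64URL.encodeToString(randomBytes(32));   // binds the callback to this session
        StringBuilder url = new StringBuilder(config.getAuthorizationEndpoint())
                .append(config.getAuthorizationEndpoint().contains("?") ? '&' : '?')
                .append("response_type=code")
                .append("&client_id=").append(enc(config.getClientId()))
                .append("&redirect_uri=").append(enc(config.getRedirectUrl()))
                .append("&scope=").append(enc(config.getScopes()))
                .append("&state=").append(enc(state));
        String verifier = null;
        if (config.usePkce()) {
            // 32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range.
            verifier = B64URL.encodeToString(randomBytes(32));
            url.append("&code_challenge=").append(enc(s256(verifier)))
               .append("&code_challenge_method=S256");
        }
        return new PendingLogin(url.toString(), state, verifier);
    }

    /**
     * Form body for the POST to getTokenEndpoint() after the callback delivers code and state.
     * The client secret (read from getClientSecretArn()) belongs in the HTTP Basic
     * Authorization header, not in this body, so it never lands in URLs or access logs.
     */
    public static String tokenRequestBody(OidcConfiguration config, PendingLogin pending,
                                          String callbackCode, String callbackState) {
        if (callbackState == null || !MessageDigest.isEqual(
                pending.state().getBytes(StandardCharsets.UTF_8),
                callbackState.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("state mismatch: callback not started by this session");
        }
        StringBuilder body = new StringBuilder("grant_type=authorization_code")
                .append("&code=").append(enc(callbackCode))
                .append("&redirect_uri=").append(enc(config.getRedirectUrl()))
                .append("&client_id=").append(enc(config.getClientId()));
        if (pending.codeVerifier() != null) {
            body.append("&code_verifier=").append(enc(pending.codeVerifier()));
        }
        return body.toString();
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding. */
    static String s256(String verifier) {
        try {
            return B64URL.encodeToString(MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    private static byte[] randomBytes(int n) { byte[] b = new byte[n]; RANDOM.nextBytes(b); return b; }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Stand-alone demo; every value in this hand-written configuration is a placeholder. */
    public static void main(String[] args) {
        String hostedUi = "https://example-domain.auth.us-east-1.amazoncognito.com";
        OidcConfiguration demo = new OidcConfiguration() {
            public String getProviderType() { return "cognito"; }
            public String getIssuerUrl() { return "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_PLACEHOLDER"; }
            public String getAuthorizationEndpoint() { return hostedUi + "/oauth2/authorize"; }
            public String getTokenEndpoint() { return hostedUi + "/oauth2/token"; }
            public String getUserInfoEndpoint() { return hostedUi + "/oauth2/userInfo"; }
            public String getJwksUri() { return getIssuerUrl() + "/.well-known/jwks.json"; }
            public String getClientId() { return "placeholder-client-id"; }
            public String getClientSecretArn() { return "arn:aws:secretsmanager:us-east-1:111111111111:secret:placeholder"; }
            public String getRedirectUrl() { return "https://jenkins.example.com/oauth2/callback"; }
            public String getScopes() { return "openid profile email"; }
            public String getUsernameClaim() { return "preferred_username"; }
            @Override public boolean usePkce() { return true; }
        };
        PendingLogin login = begin(demo);
        System.out.println(login.authorizeUrl());
        System.out.println(tokenRequestBody(demo, login, "code-from-callback", login.state()));
    }
}
```

The state value is compared with MessageDigest.isEqual rather than String.equals so that the check runs in constant time, and the PKCE verifier is returned to the caller only so it can be stored in the session; it must never be sent to the browser or written to logs, since anyone holding both the verifier and an intercepted code could complete the exchange.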
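As an added example (not CloudForge's code) of the consuming side of getUsernameClaim(), getFullNameClaim(), getEmailClaim(), getGroupsClaim(), the three group-name getters and isGroupBasedAccessEnabled(), the Java class below copies those settings out of a configuration once at startup and then maps the claims of an already-validated ID token to an application role. It assumes OidcConfiguration is on the classpath; the class name ClaimRoleMapper, the Settings and MappedUser records and the claim values in main are constructed for the demo, and reading "full access" as the ADMIN role when group-based access is disabled is this example's interpretation of that contract.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

/**
 * Maps verified ID-token claims to an application user and role using the claim and
 * group settings of an OidcConfiguration. Added example, not CloudForge code.
 */
public final class ClaimRoleMapper {

    public enum Role { ADMIN, DEVELOPER, VIEWER, DENIED }

    /** The subset of the configuration the mapper needs, read once at startup. */
    public record Settings(String usernameClaim, String fullNameClaim, String emailClaim,
                           String groupsClaim, String adminGroup, String developerGroup,
                           String viewerGroup, boolean groupBasedAccess) {
        public static Settings from(OidcConfiguration c) {
            return new Settings(c.getUsernameClaim(), c.getFullNameClaim(), c.getEmailClaim(),
                    c.getGroupsClaim(), c.getAdminGroupName(), c.getDeveloperGroupName(),
                    c.getViewerGroupName(), c.isGroupBasedAccessEnabled());
        }
    }

    public record MappedUser(String username, String fullName, String email, Role role) {}

    /**
     * The claims must come from an ID token whose signature (keys from getJwksUri()),
     * iss (getIssuerUrl()), aud (getClientId()) and exp have already been checked.
     */
    public static MappedUser map(Settings s, Map<String, Object> claims) {
        Object username = claims.get(s.usernameClaim());
        if (!(username instanceof String u) || u.isBlank()) {
            throw new IllegalArgumentException("token lacks username claim " + s.usernameClaim());
        }
        String fullName = s.fullNameClaim() == null ? null : asString(claims.get(s.fullNameClaim()));
        String email = s.emailClaim() == null ? null : asString(claims.get(s.emailClaim()));
        return new MappedUser(u, fullName, email, resolveRole(s, claims));
    }

    static Role resolveRole(Settings s, Map<String, Object> claims) {
        if (!s.groupBasedAccess()) {
            // isGroupBasedAccessEnabled() == false: full access for every authenticated user,
            // modelled here as ADMIN (this example's reading of the contract).
            return Role.ADMIN;
        }
        Collection<String> groups = groupsOf(s.groupsClaim() == null ? null : claims.get(s.groupsClaim()));
        // Highest privilege wins; an optional (null) group name never matches anything.
        if (s.adminGroup() != null && groups.contains(s.adminGroup())) return Role.ADMIN;
        if (s.developerGroup() != null && groups.contains(s.developerGroup())) return Role.DEVELOPER;
        if (s.viewerGroup() != null && groups.contains(s.viewerGroup())) return Role.VIEWER;
        return Role.DENIED;  // group-based access on but no recognised group: deny by default
    }

    /** Cognito emits cognito:groups as a JSON array; tolerate a single string as well. */
    private static Collection<String> groupsOf(Object claim) {
        if (claim instanceof Collection<?> c) {
            return c.stream().filter(String.class::isInstance).map(String.class::cast).toList();
        }
        if (claim instanceof String str && !str.isBlank()) return List.of(str);
        return List.of();
    }

    private static String asString(Object v) { return v instanceof String str ? str : null; }

    /** Stand-alone demo with constructed settings and claims (placeholder values). */
    public static void main(String[] args) {
        Settings s = new Settings("preferred_username", "name", "email", "cognito:groups",
                "cloudforge-admins", "cloudforge-developers", "cloudforge-viewers", true);
        // Member of the developer group only.
        Map<String, Object> dev = Map.of("sub", "11111111-2222-3333-4444-555555555555",
                "preferred_username", "alice", "name", "Alice Example", "email", "alice@example.com",
                "cognito:groups", List.of("cloudforge-developers"));
        System.out.println(map(s, dev));
        // Authenticated but carries no groups claim at all.
        Map<String, Object> noGroups = Map.of("preferred_username", "bob");
        System.out.println(map(s, noGroups));
        // Same user under a configuration with group-based access disabled.
        Settings open = new Settings("preferred_username", "name", "email", "cognito:groups",
                null, null, null, false);
        System.out.println(map(open, noGroups));
    }
}
```

The mapper is deliberately deny-by-default: with group-based access enabled, a token that carries no groups claim, or only groups the configuration does not name, yields DENIED rather than VIEWER. Keying the username on the configured claim rather than always on sub means the application must make sure the chosen claim (email, preferred_username) is unique and immutable in the provider, otherwise two accounts can collide on one application user.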