Package com.cloudforge.core.oidc

Class MattermostOidcIntegration

java.lang.Object
com.cloudforge.core.oidc.MattermostOidcIntegration
All Implemented Interfaces:
OidcIntegration
public class MattermostOidcIntegration extends Object implements OidcIntegration
OIDC integration for Mattermost using native OpenID Connect.

Why Use Native OIDC (vs GitLab OAuth):

  • Uses discovery endpoint for automatic configuration
  • Proper single logout support via end_session_endpoint
  • Standard OpenID Connect 1.0 compliance
  • Works directly with AWS Cognito User Pools

Limitations vs SAML:

  • No automatic group synchronization from IdP
  • No AD/LDAP sync integration
  • Manual team/channel membership management required

License Requirement:

Native OpenID Connect requires Mattermost Enterprise or Professional. For Team Edition (free), use GitLab OAuth instead.

Supported Providers:

  • Amazon Cognito User Pools (oidcProvider: "cognito")
  • Any OIDC-compliant provider with discovery endpoint
See Also:

  • Constructor Details

    • MattermostOidcIntegration

      public MattermostOidcIntegration()

  • Method Details

    • isSupported

      public boolean isSupported()
      Description copied from interface: OidcIntegration
      Returns whether this application supports OIDC integration.
      Specified by:
      isSupported in interface OidcIntegration
      Returns:
      true if application has OIDC support

    • getIntegrationMethod

      public String getIntegrationMethod()
      Description copied from interface: OidcIntegration
      Returns the OIDC integration method for this application.

      Examples:

      • jenkins: OIDC Plugin
      • gitlab: Built-in OmniAuth
      • grafana: Built-in generic_oauth
      • sonarqube: OIDC Plugin
      Specified by:
      getIntegrationMethod in interface OidcIntegration
      Returns:
      integration method description

    • getEnvironmentVariables

      public Map<String,String> getEnvironmentVariables(OidcConfiguration config)
      Description copied from interface: OidcIntegration
      Returns environment variables needed for OIDC configuration.

      These are passed to the container or EC2 userdata script.

      Example for Grafana:

       GF_AUTH_GENERIC_OAUTH_ENABLED=true
 GF_AUTH_GENERIC_OAUTH_NAME=Cognito
 GF_AUTH_GENERIC_OAUTH_CLIENT_ID=${clientId}
 GF_AUTH_GENERIC_OAUTH_AUTH_URL=${authUrl}
      Specified by:
      getEnvironmentVariables in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      Returns:
      map of environment variable name to value

    • getConfigurationFile

      public String getConfigurationFile(OidcConfiguration config)
      Description copied from interface: OidcIntegration
      Returns configuration file content for OIDC setup.

      Some applications require configuration files instead of environment variables.

      Example for GitLab gitlab.rb:

       gitlab_rails['omniauth_enabled'] = true
 gitlab_rails['omniauth_providers'] = [
   {
     name: 'openid_connect',
     args: { ... }
   }
 ]
      Specified by:
      getConfigurationFile in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      Returns:
      configuration file content (optional)

    • getConfigurationFilePath

      public String getConfigurationFilePath()
      Description copied from interface: OidcIntegration
      Returns the file path where configuration should be written.

      Only used if getConfigurationFile() returns non-null.

      Specified by:
      getConfigurationFilePath in interface OidcIntegration
      Returns:
      configuration file path (optional)

    • getUserDataCommands

      public List<String> getUserDataCommands(OidcConfiguration config, Ec2Context context)
      Description copied from interface: OidcIntegration
      Returns UserData commands for setting up OIDC integration.

      These commands are added to the EC2 userdata script to configure OIDC integration during instance initialization.

      Specified by:
      getUserDataCommands in interface OidcIntegration
      Parameters:
      config - OIDC configuration from provider
      context - EC2 context with stack information
      Returns:
      list of shell commands

    • getContainerStartupCommand

      public String getContainerStartupCommand()
      Description copied from interface: OidcIntegration
      Returns the application startup command for Fargate containers.

      This command is used to start the application after the OIDC configuration file has been created. Each application has a different startup script.

      Examples:

      • Jenkins: /usr/local/bin/jenkins.sh
      • GitLab: /assets/wrapper
      • Grafana: /run.sh
      • Mattermost: /mattermost/bin/mattermost (distroless - Go binary)
      Specified by:
      getContainerStartupCommand in interface OidcIntegration
      Returns:
      startup command path

    • getOidcCallbackPath

      public String getOidcCallbackPath()
      Description copied from interface: OidcIntegration
      Returns the OIDC callback path for this application.

      This is the path where the OIDC provider redirects after authentication. Each application has a different callback path based on its OIDC implementation.

      Examples:

      • Jenkins: /securityRealm/finishLogin
      • Mattermost: /signup/gitlab/complete (uses GitLab OAuth provider for OIDC)
      • GitLab: /users/auth/openid_connect/callback
      • Grafana: /login/generic_oauth
      Specified by:
      getOidcCallbackPath in interface OidcIntegration
      Returns:
      callback path (e.g., "/securityRealm/finishLogin")

    • supportsCognito

      public boolean supportsCognito()
      Description copied from interface: OidcIntegration
      Returns whether this application supports Cognito as an identity provider.

      Cognito provides:

      • User pool with email/password authentication
      • MFA support (TOTP, SMS)
      • OAuth 2.0 / OIDC endpoints
      • Hosted UI for login
      Specified by:
      supportsCognito in interface OidcIntegration
      Returns:
      true if Cognito OIDC is supported (default: true)

    • supportsIdentityCenterSaml

      public boolean supportsIdentityCenterSaml()
      Description copied from interface: OidcIntegration
      Returns whether this application supports IAM Identity Center SAML.

      IAM Identity Center (formerly AWS SSO) provides:

      • SAML 2.0 authentication
      • Enterprise directory integration
      • Group-based access control
      • Centralized user management

      Applications that use SAML (Mattermost, Metabase) support this. Applications that only use OIDC may not.

      Specified by:
      supportsIdentityCenterSaml in interface OidcIntegration
      Returns:
      true if IAM Identity Center SAML is supported (default: false)

    • getAuthenticationType

      public String getAuthenticationType()
      Description copied from interface: OidcIntegration
      Returns the authentication type this integration uses.
      Specified by:
      getAuthenticationType in interface OidcIntegration
      Returns:
      "OIDC" or "SAML"

    • getPostDeploymentInstructions

      public String getPostDeploymentInstructions()
      Description copied from interface: OidcIntegration
      Returns post-deployment instructions for completing OIDC setup.

      Some applications require manual steps after deployment (e.g., installing plugins).

      Specified by:
      getPostDeploymentInstructions in interface OidcIntegration
      Returns:
      human-readable instructions (optional)