Class ApplicationOidcFactory

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
com.cloudforgeci.api.core.annotation.BaseFactory
com.cloudforgeci.api.security.ApplicationOidcFactory
All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

public class ApplicationOidcFactory extends BaseFactory
Application-level OIDC Authentication Factory.

This factory configures OIDC authentication WITHIN the application itself (e.g., Jenkins OIDC plugin, GitLab OmniAuth, Grafana OAuth), as opposed to ALB-level authentication which handles auth before requests reach the application.

Authentication Modes Comparison:

  • alb-oidc: Authentication at ALB - users auth before reaching app
    • + Works with any application
    • + No application configuration needed
    • - Requires HTTPS
    • - All requests authenticated (can't have public pages)
  • application-oidc: Authentication within application - app handles auth
    • + Application controls auth (can have public pages)
    • + Works over HTTP or HTTPS
    • + Application-specific features (role mapping, etc.)
    • - Requires application OIDC support
    • - Application-specific configuration

Supported Applications:

Only applications that implement ApplicationSpec.supportsOidcIntegration() and provide an OidcIntegration implementation can use application-level OIDC:

  • Jenkins (via oic-auth plugin)
  • GitLab (via built-in OmniAuth)
  • Grafana (via built-in generic_oauth)
  • More applications coming soon

Configuration:

Option 1: Amazon Cognito (Recommended)

 {
   "authMode": "application-oidc",
   "cognitoAutoProvision": true,
   "cognitoMfaEnabled": true
 }

Option 2: IAM Identity Center

 {
   "authMode": "application-oidc",
   "oidcIssuer": "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/...",
   "oidcAuthorizationEndpoint": "https://...",
   "oidcTokenEndpoint": "https://...",
   "oidcUserInfoEndpoint": "https://...",
   "oidcClientId": "client-id-from-identity-center"
 }

Option 3: External OIDC Provider (Okta, Auth0, etc.)

 {
   "authMode": "application-oidc",
   "oidcIssuer": "https://your-domain.okta.com",
   "oidcAuthorizationEndpoint": "https://your-domain.okta.com/oauth2/v1/authorize",
   "oidcTokenEndpoint": "https://your-domain.okta.com/oauth2/v1/token",
   "oidcUserInfoEndpoint": "https://your-domain.okta.com/oauth2/v1/userinfo",
   "oidcClientId": "client-id-from-provider"
 }

Post-Deployment Steps:

  1. Update the OIDC client secret in AWS Secrets Manager
  2. For Cognito: Secret is auto-populated
  3. For IAM Identity Center / External: Run:
    aws secretsmanager put-secret-value --secret-id STACK_NAME/APP_ID/oidc/client-secret --secret-string "YOUR_SECRET"
  4. Application-specific setup (see application logs for instructions)
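Added example (not part of the library or its documentation): a small Python lint that checks an application-oidc configuration fragment shaped like the options above, enforcing the post-deployment rule that the client secret lives in Secrets Manager rather than in the config, and that a manual (IAM Identity Center / external) setup has every endpoint present and served over https. The key names come from the options above; the checks themselves and the sample configs are this example's assumptions.

```python
import json
from urllib.parse import urlparse

# OIDC URL keys the factory reads (names taken from the configuration options above).
URL_KEYS = ("oidcIssuer", "oidcAuthorizationEndpoint",
            "oidcTokenEndpoint", "oidcUserInfoEndpoint")


def lint_oidc_config(raw: str) -> list[str]:
    """Return the problems found in an application-oidc config (empty list means OK).

    The rules below are this example's assumptions, not checks the factory performs.
    """
    cfg = json.loads(raw)
    problems = []
    if cfg.get("authMode") != "application-oidc":
        problems.append("authMode must be 'application-oidc'")
    if any("secret" in key.lower() for key in cfg):  # secret belongs in Secrets Manager (step 3)
        problems.append("client secret must not be in the config; store it in Secrets Manager")
    if cfg.get("cognitoAutoProvision") is True:  # Cognito mode: endpoints are provisioned for you
        if cfg.get("cognitoMfaEnabled") is not True:
            problems.append("cognitoMfaEnabled should be true in Cognito mode")
        return problems
    missing = [key for key in URL_KEYS + ("oidcClientId",) if not cfg.get(key)]
    if missing:  # manual mode: every endpoint plus the client id is required
        problems.append("manual OIDC mode is missing: " + ", ".join(missing))
        return problems
    for key in URL_KEYS:  # tokens and user info must never travel over plaintext
        url = urlparse(cfg[key])
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{key} must be an https URL, got {cfg[key]!r}")
    return problems


# Constructed samples: the Cognito and external shapes shown above, plus a broken variant.
COGNITO_CFG = '{"authMode": "application-oidc", "cognitoAutoProvision": true, "cognitoMfaEnabled": true}'
EXTERNAL_CFG = json.dumps({
    "authMode": "application-oidc",
    "oidcIssuer": "https://your-domain.okta.com",
    "oidcAuthorizationEndpoint": "https://your-domain.okta.com/oauth2/v1/authorize",
    "oidcTokenEndpoint": "https://your-domain.okta.com/oauth2/v1/token",
    "oidcUserInfoEndpoint": "https://your-domain.okta.com/oauth2/v1/userinfo",
    "oidcClientId": "client-id-from-provider",
})
broken = json.loads(EXTERNAL_CFG)
broken["oidcTokenEndpoint"] = "http://your-domain.okta.com/oauth2/v1/token"  # plaintext token endpoint
broken["oidcClientSecret"] = "hunter2"  # secret inlined instead of stored in Secrets Manager
BROKEN_CFG = json.dumps(broken)
```

Running `lint_oidc_config` over the three samples returns an empty list for the Cognito and external configs and two findings for the broken one (inlined secret, http token endpoint).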
Since:
3.0.0
  • Nested Class Summary

    Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

    software.amazon.jsii.JsiiObject.InitializationMode

    Nested classes/interfaces inherited from interface software.constructs.IConstruct

    software.constructs.IConstruct.Jsii$Default, software.constructs.IConstruct.Jsii$Proxy
  • Field Summary

    Fields inherited from class com.cloudforgeci.api.core.annotation.BaseFactory

    cfc, config, ctx
  • Constructor Summary

    Constructors
    Constructor                                                              Description
    ApplicationOidcFactory(software.constructs.Construct scope, String id)
  • Method Summary

    Modifier and Type   Method     Description
    void                create()   Abstract method that must be implemented by all factory subclasses.

    Methods inherited from class com.cloudforgeci.api.core.annotation.BaseFactory

    getDeploymentContext, getSecurityProfileConfiguration, getSystemContext

    Methods inherited from class software.constructs.Construct

    getNode, isConstruct, toString

    Methods inherited from class software.amazon.jsii.JsiiObject

    jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

    Methods inherited from interface software.amazon.jsii.JsiiSerializable

    $jsii$toJson
  • Constructor Details

    • ApplicationOidcFactory

      public ApplicationOidcFactory(software.constructs.Construct scope, String id)
  • Method Details

    • create

      public void create()
      Description copied from class: BaseFactory
      Abstract method that must be implemented by all factory subclasses. This method should contain the actual infrastructure creation logic.
      Specified by:
      create in class BaseFactory