Package com.cloudforgeci.api.security
Class OidcAuthenticationFactory
java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
com.cloudforgeci.api.core.annotation.BaseFactory
com.cloudforgeci.api.security.OidcAuthenticationFactory
- All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
OIDC Authentication Factory for ALB-based authentication with AWS IAM Identity Center.
This factory handles OIDC authentication ONLY for AWS IAM Identity Center (formerly AWS SSO).
For Cognito User Pool authentication, use CognitoAuthenticationFactory instead.
Provides:
- Infrastructure-level authentication before requests reach Jenkins
- Integration with AWS IAM Identity Center for enterprise SSO
- Compliance with security requirements (PCI-DSS Req 8, HIPAA §164.312(d), SOC 2 CC6.2, GDPR Art. 32)
Configuration (MANUAL OIDC ENDPOINTS - Recommended):
- authMode: "alb-oidc" to enable this factory
- oidcIssuer: OIDC issuer URL from IAM Identity Center application
- oidcAuthorizationEndpoint: Authorization endpoint URL
- oidcTokenEndpoint: Token endpoint URL
- oidcUserInfoEndpoint: UserInfo endpoint URL
- oidcClientId: Client ID from IAM Identity Center application
- oidcClientSecretName: Secrets Manager secret name (default: jenkins/oidc/client-secret)
Setup steps for IAM Identity Center:
1. Go to AWS IAM Identity Center console
2. Navigate to "Applications" > "Add application"
3. Choose "I have an application I want to set up" > "OAuth 2.0" or "OIDC"
4. Configure the application:
- Redirect URLs: https://your-domain.com/oauth2/idpresponse
- Grant types: Authorization code
- Scopes: openid
5. Copy the OIDC endpoints and client ID
6. Add them to your deployment-context.json
7. After deployment, update the client secret in AWS Secrets Manager
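The following is an added example, not CloudForgeCI's own factory code, of how the manual-endpoint settings from steps 4 to 7 end up on an ALB listener using the AWS CDK v2 Java API. The package, class and method names (AlbOidcExample, oidcAction, attach, redirectUrl) are hypothetical; the context map stands in for the keys read from deployment-context.json; the 8-hour session timeout is an assumed value; and the Secrets Manager secret is assumed to hold the client secret as a plain string rather than a JSON document.

```java
// Added example (not CloudForgeCI code): wire the manual-endpoint configuration
// into an ALB listener OIDC action with AWS CDK v2 for Java. Names are hypothetical.
package com.example.jenkins;

import java.util.List;
import java.util.Map;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.elasticloadbalancingv2.AddApplicationActionProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationListener;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationTargetGroup;
import software.amazon.awscdk.services.elasticloadbalancingv2.AuthenticateOidcOptions;
import software.amazon.awscdk.services.elasticloadbalancingv2.ListenerAction;
import software.amazon.awscdk.services.elasticloadbalancingv2.UnauthenticatedAction;
import software.amazon.awscdk.services.secretsmanager.ISecret;
import software.amazon.awscdk.services.secretsmanager.Secret;

public final class AlbOidcExample {

    // Default documented for oidcClientSecretName
    private static final String DEFAULT_SECRET_NAME = "jenkins/oidc/client-secret";

    /** The redirect URL to register in the Identity Center application (setup step 4). */
    static String redirectUrl(String domain) {
        return "https://" + domain + "/oauth2/idpresponse";
    }

    /** Reads a required context key; endpoint values must be https:// because the ALB
     *  only calls IdP endpoints over HTTPS. Failing here surfaces the mistake at synth
     *  time instead of at the first login attempt. */
    static String require(Map<String, String> ctx, String key, boolean mustBeHttps) {
        String v = ctx.get(key);
        if (v == null || v.isBlank()) {
            throw new IllegalArgumentException("deployment-context.json is missing " + key);
        }
        if (mustBeHttps && !v.startsWith("https://")) {
            throw new IllegalArgumentException(key + " must be an https:// URL: " + v);
        }
        return v;
    }

    /** Builds the authenticate-oidc action; requests reach Jenkins only after it succeeds. */
    static ListenerAction oidcAction(Stack stack, Map<String, String> ctx,
                                     ApplicationTargetGroup jenkins) {
        if (!"alb-oidc".equals(ctx.get("authMode"))) {
            throw new IllegalStateException("authMode must be \"alb-oidc\" for ALB OIDC authentication");
        }
        // Step 7: the secret is only referenced by name here; its value is set in
        // Secrets Manager after deployment and resolved by CloudFormation at deploy time.
        // Assumption: the secret stores the client secret as a plain string.
        String secretName = ctx.getOrDefault("oidcClientSecretName", DEFAULT_SECRET_NAME);
        ISecret clientSecret = Secret.fromSecretNameV2(stack, "JenkinsOidcClientSecret", secretName);

        return ListenerAction.authenticateOidc(AuthenticateOidcOptions.builder()
            .issuer(require(ctx, "oidcIssuer", true))
            .authorizationEndpoint(require(ctx, "oidcAuthorizationEndpoint", true))
            .tokenEndpoint(require(ctx, "oidcTokenEndpoint", true))
            .userInfoEndpoint(require(ctx, "oidcUserInfoEndpoint", true))
            .clientId(require(ctx, "oidcClientId", false))
            .clientSecret(clientSecret.getSecretValue())
            .scope("openid")                                               // step 4
            .onUnauthenticatedRequest(UnauthenticatedAction.AUTHENTICATE)  // redirect, never pass through
            .sessionTimeout(Duration.hours(8))                             // assumed value; tune to policy
            .next(ListenerAction.forward(List.of(jenkins)))
            .build());
    }

    /** Installs the action as the default action of the HTTPS listener. */
    static void attach(Stack stack, ApplicationListener httpsListener,
                       Map<String, String> ctx, ApplicationTargetGroup jenkins) {
        httpsListener.addAction("JenkinsOidc", AddApplicationActionProps.builder()
            .action(oidcAction(stack, ctx, jenkins))
            .build());
    }
}
```

Two points worth checking on any deployment built this way: the redirect URL registered in Identity Center must match redirectUrl(domain) exactly, including the /oauth2/idpresponse path the ALB uses for the callback, and the Jenkins target's security group must accept traffic only from the ALB, since authentication enforced at the listener is bypassed entirely if Jenkins is reachable directly.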
Legacy Configuration (AUTO-CONSTRUCTED ENDPOINTS - Not recommended):
- authMode: "alb-oidc"
- ssoInstanceArn: AWS IAM Identity Center instance ARN
Note: This auto-constructs endpoints but may not work with all IAM Identity Center configurations
Note: For Cognito User Pool authentication, use CognitoAuthenticationFactory which provides
native ALB Cognito integration without requiring Secrets Manager.
Nested Class Summary
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default, software.constructs.IConstruct.Jsii$Proxy
Field Summary
Fields inherited from class com.cloudforgeci.api.core.annotation.BaseFactory
cfc, config, ctx
Constructor Summary
Constructors
Method Summary
Modifier and Type | Method | Description
void | create() | Abstract method that must be implemented by all factory subclasses.
Methods inherited from class com.cloudforgeci.api.core.annotation.BaseFactory
getDeploymentContext, getSecurityProfileConfiguration, getSystemContext
Methods inherited from class software.constructs.Construct
getNode, isConstruct, toString
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
Constructor Details
OidcAuthenticationFactory
Method Details
create
public void create()
Description copied from class: BaseFactory
Abstract method that must be implemented by all factory subclasses. This method should contain the actual infrastructure creation logic.
Specified by:
create in class BaseFactory