Package org.mockserver.authentication.oidc

Class OidcAuthenticationHandler

java.lang.Object

org.mockserver.authentication.oidc.OidcAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

public class OidcAuthenticationHandler
extends Object
implements AuthenticationHandler

Control-plane authentication handler for an external OIDC IdP: verifies an Authorization: Bearer <jwt> access token's signature against the IdP's JWK set, asserts issuer, audience, exp/nbf and required scopes, and surfaces the VERIFIED sub as the principal (source verified-oidc) along with a redaction-safe subset of claims and the normalised scope set.

The JWK set is resolved either directly from controlPlaneOidcJwksUri, or by fetching {issuer}/.well-known/openid-configuration and reading its jwks_uri. Off by default — only constructed when controlPlaneOidcAuthenticationRequired is enabled.

The raw token is NEVER stored or logged; only the redacted claim subset is exposed.

Constructor Summary

Constructors

Constructor	Description
OidcAuthenticationHandler(MockServerLogger mockServerLogger, String jwksUri, String issuer, String audience, String scopeClaim, Set<String> requiredScopes)

Method Summary

Modifier and Type	Method	Description
AuthenticationResult	authenticate(HttpRequest request)	Richer authentication that additionally surfaces the VERIFIED principal, the source of verification, and a redaction-safe subset of claims/scopes for audit.
boolean	controlPlaneRequestAuthenticated(HttpRequest request)	Legacy boolean SPI: returns true if the control-plane request is authenticated.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OidcAuthenticationHandler

public OidcAuthenticationHandler(MockServerLogger mockServerLogger,
 String jwksUri,
 String issuer,
 String audience,
 String scopeClaim,
 Set<String> requiredScopes)

Method Details

authenticate

public AuthenticationResult authenticate(HttpRequest request)

Description copied from interface: AuthenticationHandler

Richer authentication that additionally surfaces the VERIFIED principal, the source of verification, and a redaction-safe subset of claims/scopes for audit.

Default-adapts the legacy AuthenticationHandler.controlPlaneRequestAuthenticated(org.mockserver.model.HttpRequest) so existing handlers need ZERO changes: a true outcome becomes an authenticated-but-anonymous result (principal null, source "none"), preserving byte-for-byte behaviour. May throw AuthenticationException (401) exactly as the boolean method does.

Specified by:

authenticate in interface AuthenticationHandler

controlPlaneRequestAuthenticated

public boolean controlPlaneRequestAuthenticated(HttpRequest request)

Description copied from interface: AuthenticationHandler

Legacy boolean SPI: returns true if the control-plane request is authenticated. Implementations may throw AuthenticationException to signal a 401 with a specific reason. Existing and third-party handlers implement only this method.

Specified by:

controlPlaneRequestAuthenticated in interface AuthenticationHandler