com.aspc.cms.rest.plugin.oidc

Class OidcConfig

java.lang.Object

com.aspc.cms.rest.plugin.oidc.OidcConfig

public final class OidcConfig
extends java.lang.Object

Centralised OIDC configuration for Cognito settings. Provides a single source of truth for all Cognito OIDC configuration required by the OIDC REST endpoints. Configuration values are loaded from system properties via CProperties.findProperty(String), falling back to AWS Secrets Manager via AWSSecretUtil.findCommonSecret(String) when not set in system properties.

Environment-aware configuration (dev/uat/prod) is supported through property naming conventions — each environment sets its own property values.

Only PROP_OIDC_COGNITO_DOMAIN and PROP_OIDC_CLIENT_ID are required to load the singleton. Other properties are optional until an endpoint that needs them runs: ensureConfiguredForExchange(), ensureConfiguredForCallback(), or ensureConfiguredForLogout().

Omit PROP_OIDC_CLIENT_SECRET for public app clients using PKCE; OidcTokenExchange omits client_secret when it is blank.

Author:

Claude

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	PROP_OIDC_ALLOWED_REDIRECT_ORIGINS Property name for the comma-separated whitelist of allowed frontend origins.
static java.lang.String	PROP_OIDC_CLIENT_ID Property name for the Cognito app client ID.
static java.lang.String	PROP_OIDC_CLIENT_SECRET Property name for the Cognito app client secret (optional for public clients).
static java.lang.String	PROP_OIDC_COGNITO_DOMAIN Property name for the Cognito hosted UI domain.
static java.lang.String	PROP_OIDC_FRONTEND_REDIRECT_URL Property name for the browser redirect target after GET /oidc/callback only (HTTP 302 success and error).
static java.lang.String	PROP_OIDC_JWKS_URL Property name for the JSON Web Key Set URL (optional at load; for JWT validators outside this flow).
static java.lang.String	PROP_OIDC_POST_LOGOUT_REDIRECT_URI Property name for the URL passed to Cognito as logout_uri after local logout.
static java.lang.String	PROP_OIDC_REDIRECT_URI Property name for the backend callback URL.

Method Summary

Modifier and Type	Method and Description
static void	clearInstance() Clears the cached instance.
void	ensureConfiguredForCallback() Ensures properties required by GET /oidc/callback are set (confidential client flow).
void	ensureConfiguredForExchange() Ensures properties required by POST /oidc/exchange are set.
void	ensureConfiguredForLogout() Ensures properties required by POST /oidc/logout are set.
java.lang.String	getAllowedRedirectOrigins() Returns the comma-separated whitelist of allowed frontend origins for redirect validation.
java.lang.String	getClientId() Returns the Cognito app client ID.
java.lang.String	getClientSecret() Returns the Cognito app client secret, or an empty string if unset (public app client).
java.lang.String	getCognitoDomain() Returns the Cognito hosted UI domain.
java.lang.String	getFrontendRedirectUrl() Returns the URL for HTTP redirects from GET /oidc/callback (success and Cognito error query params).
static OidcConfig	getInstance() Returns the singleton OidcConfig instance.
java.lang.String	getJwksUrl() Returns the JSON Web Key Set URL used for token verification.
java.lang.String	getLogoutEndpoint() Returns Cognito's /logout endpoint URL, derived from the Cognito domain.
java.lang.String	getPostLogoutRedirectUri() Returns the URL used as Cognito logout_uri when building the hosted logout link.
java.lang.String	getRedirectUri() Returns the backend callback URL for the OIDC authorisation code flow.
java.lang.String	getTokenEndpoint() Returns Cognito's /oauth2/token endpoint URL, derived from the Cognito domain.
boolean	isRedirectOriginAllowed(java.lang.String origin) Checks whether the given origin is in the allowed redirect origins whitelist.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROP_OIDC_COGNITO_DOMAIN

public static final java.lang.String PROP_OIDC_COGNITO_DOMAIN

Property name for the Cognito hosted UI domain.

See Also:

Constant Field Values

PROP_OIDC_CLIENT_ID

public static final java.lang.String PROP_OIDC_CLIENT_ID

Property name for the Cognito app client ID.

See Also:

Constant Field Values

PROP_OIDC_CLIENT_SECRET

public static final java.lang.String PROP_OIDC_CLIENT_SECRET

Property name for the Cognito app client secret (optional for public clients).

See Also:

Constant Field Values

PROP_OIDC_REDIRECT_URI

public static final java.lang.String PROP_OIDC_REDIRECT_URI

Property name for the backend callback URL.

See Also:

Constant Field Values

PROP_OIDC_JWKS_URL

public static final java.lang.String PROP_OIDC_JWKS_URL

Property name for the JSON Web Key Set URL (optional at load; for JWT validators outside this flow).

See Also:

Constant Field Values

PROP_OIDC_POST_LOGOUT_REDIRECT_URI

public static final java.lang.String PROP_OIDC_POST_LOGOUT_REDIRECT_URI

Property name for the URL passed to Cognito as logout_uri after local logout.

See Also:

Constant Field Values

PROP_OIDC_FRONTEND_REDIRECT_URL

public static final java.lang.String PROP_OIDC_FRONTEND_REDIRECT_URL

Property name for the browser redirect target after GET /oidc/callback only (HTTP 302 success and error). Not used by POST /oidc/exchange.

See Also:

Constant Field Values

PROP_OIDC_ALLOWED_REDIRECT_ORIGINS

public static final java.lang.String PROP_OIDC_ALLOWED_REDIRECT_ORIGINS

Property name for the comma-separated whitelist of allowed frontend origins.

See Also:

Constant Field Values

Method Detail

getInstance

@CheckReturnValue
 @Nonnull
public static OidcConfig getInstance()

Returns the singleton OidcConfig instance.

An IllegalStateException is thrown only if PROP_OIDC_COGNITO_DOMAIN or PROP_OIDC_CLIENT_ID is missing.

Returns:

the OidcConfig instance

Throws:

java.lang.IllegalStateException - if Cognito domain or client ID is missing

clearInstance

public static void clearInstance()

Clears the cached instance. Intended for testing only.

getCognitoDomain

@CheckReturnValue
 @Nonnull
public java.lang.String getCognitoDomain()

Returns the Cognito hosted UI domain.

Returns:

the Cognito domain (e.g. https://your-domain.auth.ap-southeast-2.amazoncognito.com)

getClientId

@CheckReturnValue
 @Nonnull
public java.lang.String getClientId()

Returns the Cognito app client ID.

Returns:

the client ID

getClientSecret

@CheckReturnValue
 @Nonnull
public java.lang.String getClientSecret()

Returns the Cognito app client secret, or an empty string if unset (public app client).

Returns:

the client secret, or empty when not configured

getRedirectUri

@CheckReturnValue
 @Nonnull
public java.lang.String getRedirectUri()

Returns the backend callback URL for the OIDC authorisation code flow.

Returns:

the redirect URI (e.g. https://your-app.com/api/oidc/callback)

getJwksUrl

@CheckReturnValue
 @Nonnull
public java.lang.String getJwksUrl()

Returns the JSON Web Key Set URL used for token verification.

Returns:

the JWKS URL, or empty if not configured

ensureConfiguredForExchange

public void ensureConfiguredForExchange()
                                 throws RestExceptionResponse

Ensures properties required by POST /oidc/exchange are set.

Throws:

RestExceptionResponse - HTTP 500 if PROP_OIDC_ALLOWED_REDIRECT_ORIGINS is missing or has no valid entries

ensureConfiguredForCallback

public void ensureConfiguredForCallback()
                                 throws RestExceptionResponse

Ensures properties required by GET /oidc/callback are set (confidential client flow).

Throws:

RestExceptionResponse - HTTP 500 if any of client secret, backend redirect URI, frontend redirect URL, or allowed origins is missing or invalid

ensureConfiguredForLogout

public void ensureConfiguredForLogout()
                               throws RestExceptionResponse

Ensures properties required by POST /oidc/logout are set.

Throws:

RestExceptionResponse - HTTP 500 if PROP_OIDC_POST_LOGOUT_REDIRECT_URI is missing

getPostLogoutRedirectUri

@CheckReturnValue
 @Nonnull
public java.lang.String getPostLogoutRedirectUri()

Returns the URL used as Cognito logout_uri when building the hosted logout link.

Returns:

post-logout redirect URI (typically your SPA entry or sign-in page)

getFrontendRedirectUrl

@CheckReturnValue
 @Nonnull
public java.lang.String getFrontendRedirectUrl()

Returns the URL for HTTP redirects from GET /oidc/callback (success and Cognito error query params). Used only by OidcCallbackV1; not used by POST /oidc/exchange.

Returns:

frontend redirect URL (origin must be in getAllowedRedirectOrigins())

getAllowedRedirectOrigins

@CheckReturnValue
 @Nonnull
public java.lang.String getAllowedRedirectOrigins()

Returns the comma-separated whitelist of allowed frontend origins for redirect validation.

Returns:

the allowed redirect origins string

getTokenEndpoint

@CheckReturnValue
 @Nonnull
public java.lang.String getTokenEndpoint()

Returns Cognito's /oauth2/token endpoint URL, derived from the Cognito domain.

Returns:

the token endpoint URL

getLogoutEndpoint

@CheckReturnValue
 @Nonnull
public java.lang.String getLogoutEndpoint()

Returns Cognito's /logout endpoint URL, derived from the Cognito domain.

Returns:

the logout endpoint URL

isRedirectOriginAllowed

@CheckReturnValue
public boolean isRedirectOriginAllowed(@Nullable
                                                         java.lang.String origin)

Checks whether the given origin is in the allowed redirect origins whitelist.

Parameters:

origin - the origin to check

Returns:

true if the origin is allowed, false otherwise