ORCID OpenID Connect login (#258)

* Extracted abstract `AuthorizeBase` base class

* Google-specific `IDTokenFilter`

* ORCID-specific `IDTokenFilter`

* Extracted common OAuth `LoginBase` class

* JWT verification call

* OAuth refactoring

Proper JWT token verification

* Fixed HTML reloading after OAuth login

* Extracted `JWTVerifier` class

It's reused by `IDTokenFilterBase` as well as `LoginBase`

* Fixed signup?

* Replaced relative URL check with `isSameSite`

* Cleaned up unused imports

* Ban agent and user account query requests

Author: namedgraph

src/main/java/com/atomgraph/linkeddatahub/Application.java

@@ -100,9 +100,7 @@
 import com.atomgraph.linkeddatahub.server.factory.ServiceFactory;
 import com.atomgraph.linkeddatahub.server.filter.request.OntologyFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.AuthorizationFilter;
-import com.atomgraph.linkeddatahub.server.filter.request.auth.IDTokenFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.ContentLengthLimitFilter;
-import com.atomgraph.linkeddatahub.server.filter.request.auth.ORCIDTokenFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.auth.ProxiedWebIDFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.CORSFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.ResponseHeadersFilter;
@@ -286,6 +284,7 @@ public class Application extends ResourceConfig
     private final List<Locale> supportedLanguages;
     private final ExpiringMap<URI, Model> webIDmodelCache = ExpiringMap.builder().expiration(1, TimeUnit.DAYS).build(); // TO-DO: config for the expiration period?
     private final ExpiringMap<String, Model> oidcModelCache = ExpiringMap.builder().variableExpiration().build();
+    private final ExpiringMap<String, jakarta.json.JsonObject> jwksCache = ExpiringMap.builder().expiration(1, TimeUnit.DAYS).build(); // Cache JWKS responses
     private final Map<URI, XsltExecutable> xsltExecutableCache = new ConcurrentHashMap<>();
     private final MessageDigest messageDigest;
     private final boolean enableWebIDSignUp;
@@ -1002,11 +1001,24 @@ protected void configure()
     protected void registerResourceClasses()
     {
         register(Dispatcher.class);
-        // OAuth endpoints - system-level resources not tied to dataspaces
-        register(com.atomgraph.linkeddatahub.resource.oauth2.google.Authorize.class);
-        register(com.atomgraph.linkeddatahub.resource.oauth2.google.Login.class);
-//        register(com.atomgraph.linkeddatahub.resource.admin.oauth2.orcid.Authorize.class);
-//        register(com.atomgraph.linkeddatahub.resource.admin.oauth2.orcid.Login.class);
+
+        // Conditionally register Google OAuth endpoints if configured
+        if (getProperty(com.atomgraph.linkeddatahub.vocabulary.Google.clientID.getURI()) != null &&
+            getProperty(com.atomgraph.linkeddatahub.vocabulary.Google.clientSecret.getURI()) != null)
+        {
+            register(com.atomgraph.linkeddatahub.resource.oauth2.google.Authorize.class);
+            register(com.atomgraph.linkeddatahub.resource.oauth2.google.Login.class);
+            if (log.isDebugEnabled()) log.debug("Google OAuth endpoints registered");
+        }
+
+        // Conditionally register ORCID OAuth endpoints if configured
+        if (getProperty(com.atomgraph.linkeddatahub.vocabulary.ORCID.clientID.getURI()) != null &&
+            getProperty(com.atomgraph.linkeddatahub.vocabulary.ORCID.clientSecret.getURI()) != null)
+        {
+            register(com.atomgraph.linkeddatahub.resource.oauth2.orcid.Authorize.class);
+            register(com.atomgraph.linkeddatahub.resource.oauth2.orcid.Login.class);
+            if (log.isDebugEnabled()) log.debug("ORCID OAuth endpoints registered");
+        }
     }
 
     /**
@@ -1018,11 +1030,25 @@ protected void registerContainerRequestFilters()
         register(ApplicationFilter.class);
         register(OntologyFilter.class);
         register(ProxiedWebIDFilter.class);
-        register(IDTokenFilter.class);
-        register(ORCIDTokenFilter.class);
         register(AuthorizationFilter.class);
         if (getMaxContentLength() != null) register(new ContentLengthLimitFilter(getMaxContentLength()));
         register(new RDFPostMediaTypeInterceptor()); // for application/x-www-form-urlencoded
+        
+        // Conditionally register Google OAuth filter if configured
+        if (getProperty(com.atomgraph.linkeddatahub.vocabulary.Google.clientID.getURI()) != null &&
+            getProperty(com.atomgraph.linkeddatahub.vocabulary.Google.clientSecret.getURI()) != null)
+        {
+            register(com.atomgraph.linkeddatahub.server.filter.request.auth.google.IDTokenFilter.class);
+            if (log.isDebugEnabled()) log.debug("Google OAuth filter registered");
+        }
+
+        // Conditionally register ORCID OAuth filter if configured
+        if (getProperty(com.atomgraph.linkeddatahub.vocabulary.ORCID.clientID.getURI()) != null &&
+            getProperty(com.atomgraph.linkeddatahub.vocabulary.ORCID.clientSecret.getURI()) != null)
+        {
+            register(com.atomgraph.linkeddatahub.server.filter.request.auth.orcid.IDTokenFilter.class);
+            if (log.isDebugEnabled()) log.debug("ORCID OAuth filter registered");
+        }
     }
 
     /**
@@ -2050,18 +2076,29 @@ public ExpiringMap<URI, Model> getWebIDModelCache()
     /**
      * A map of cached OpenID connect agent graphs.
      * User ID (ID token subject) is the cache key. Entries expire after the configured period of time.
-     * 
+     *
      * @return URI to model map
      */
     public ExpiringMap<String, Model> getOIDCModelCache()
     {
         return oidcModelCache;
     }
-    
+
+    /**
+     * A map of cached JWKS (JSON Web Key Set) responses for JWT verification.
+     * JWKS endpoint URI is the cache key. Entries expire after 1 day.
+     *
+     * @return JWKS endpoint to JsonObject map
+     */
+    public ExpiringMap<String, jakarta.json.JsonObject> getJWKSCache()
+    {
+        return jwksCache;
+    }
+
     /**
      * A map of cached (compiled) XSLT stylesheets.
      * Stylesheet URI is the cache key.
-     * 
+     *
      * @return URI to stylesheet map
      */
     public Map<URI, XsltExecutable> getXsltExecutableCache()

src/main/java/com/atomgraph/linkeddatahub/client/filter/auth/IDTokenDelegationFilter.java

@@ -21,7 +21,7 @@
 import jakarta.ws.rs.client.ClientRequestFilter;
 import jakarta.ws.rs.core.Cookie;
 import jakarta.ws.rs.core.HttpHeaders;
-import com.atomgraph.linkeddatahub.server.filter.request.auth.IDTokenFilter;
+import com.atomgraph.linkeddatahub.server.filter.request.auth.google.IDTokenFilter;
 import com.atomgraph.linkeddatahub.server.filter.request.auth.WebIDFilter;
 import org.apache.jena.rdf.model.Resource;
 

src/main/java/com/atomgraph/linkeddatahub/resource/admin/SignUp.java

@@ -25,6 +25,7 @@
 import com.atomgraph.linkeddatahub.apps.model.EndUserApplication;
 import com.atomgraph.linkeddatahub.model.Service;
 import com.atomgraph.linkeddatahub.listener.EMailListener;
+import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.model.impl.GraphStoreImpl;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
 import com.atomgraph.linkeddatahub.server.util.MessageBuilder;
@@ -77,6 +78,7 @@
 import org.apache.jena.ontology.Ontology;
 import org.apache.jena.query.ParameterizedSparqlString;
 import org.apache.jena.query.Query;
+import org.apache.jena.query.ResultSet;
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
 import org.apache.jena.rdf.model.Property;
@@ -89,6 +91,7 @@
 import org.apache.jena.vocabulary.DCTerms;
 import org.apache.jena.vocabulary.RDF;
 import org.glassfish.jersey.server.internal.process.MappableException;
+import org.glassfish.jersey.uri.UriComponent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -198,10 +201,12 @@ public Response post(Model agentModel, @QueryParam("default") @DefaultValue("fal
             String password = validateAndRemovePassword(agent);
             // TO-DO: trim values
             Resource mbox = agent.getRequiredProperty(FOAF.mbox).getResource();
-            
+
             ParameterizedSparqlString pss = new ParameterizedSparqlString(getAgentQuery().toString());
             pss.setParam(FOAF.mbox.getLocalName(), mbox);
-            boolean agentExists = !getAgentService().getSPARQLClient().loadModel(pss.asQuery()).isEmpty();
+            ResultSet rs = getAgentService().getSPARQLClient().select(pss.asQuery());
+            boolean agentExists = rs.hasNext();
+            rs.close();
             if (agentExists) throw createSPINConstraintViolationException(agent, FOAF.mbox, "Agent with this mailbox already exists");
 
             String givenName = agent.getRequiredProperty(FOAF.givenName).getString();
@@ -282,6 +287,9 @@ public Response post(Model agentModel, @QueryParam("default") @DefaultValue("fal
                     throw new InternalServerErrorException("Cannot create Authorization");
                 }
 
+                // purge agent lookup from proxy cache
+                if (getAgentService().getBackendProxy() != null) ban(getAgentService().getBackendProxy(), mbox.getURI());
+
                 // remove secretary WebID from cache
                 getSystem().getEventBus().post(new com.atomgraph.linkeddatahub.server.event.SignUp(getSystem().getSecretaryWebIDURI()));
 
@@ -565,5 +573,21 @@ public Query getAgentQuery()
     {
         return getSystem().getAgentQuery();
     }
-    
+
+    /**
+     * Bans URL from the backend proxy cache.
+     *
+     * @param proxy proxy server URL
+     * @param url banned URL
+     * @return proxy server response
+     */
+    public Response ban(Resource proxy, String url)
+    {
+        if (url == null) throw new IllegalArgumentException("Resource cannot be null");
+
+        return getSystem().getClient().target(proxy.getURI()).request().
+            header(CacheInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
+            method("BAN", Response.class);
+    }
+
 }