User & Groups SyncUser & Groups Sync
Try For Free

Groovy-Connector

Groovy-Connectors allow creating connectors by writing Groovy-code directly in the configuration. This allows

  • Synchronizing users from backends where no Connector is available

  • Implementing business-logic for the user-synchronization

User Sync has two modes of operation: "Sync" and "Single User Sync"

Sync is an asynchronous process updating all users or a limited subset of users from the backend system (e.g. Azure-AD) in a specific directory of the Atlassian-application- similar to LDAP or Crowd-directories.

Single User Sync creates or updates one specific user. This us usually triggered when a user logs in using SAML and "update user from Usersync-connector" is enabled.

Single User Sync

Sync

Examples

Pass SAML-Attributes to Connector and uses Advanced Transformations

Attribute-transformations in UserSync are more powerful as in SAML JIT. They allow taking the existing user into account. 

To allow this with SAML-Attributes, a Groovy-Connector can be used.

Create a Groovy-connector with this code:

  1. class ConnectorCode extends GroovyConnectorCode {
  2. public FindUserResult findUser(SyncSingleUserWrapper syncSingleUserWrapper) {
  3. // This just passes the additionalData (in this case the SAML-attributes) so
  4. // they can be used in the Attribute-transformations
  5. return FindUserResult.found(syncSingleUserWrapper.additionalData);
  6. }
  7. }

In the Provisioning-tab, configure transformations for all required attributes, (similar to what to configure in the SAML-config for JIT). The main-difference is that the attributes are now available under the con-prefix.

So when using a Groovy-Transformation for groups, this may look like this example merging existing groups with the new ones:

  1. def newGroups = existing?.ATTR_GROUPS ?: [] // Existing groups or an empty list if there is no existing user
  2. newGroups.addAll(con.groups) // add all groups from the SAML-Response (passed in here by the Groovy-connector)
  3. return newGroups.toUnique() // toUnique() removes duplicate entries

Set the user-update-method to "Update from UserSync-connector" and select this connector.


Update user via Jira REST-API


  1. class ConnectorCode extends GroovyConnectorCode {
  3. // This is the base url for the Jira REST-API (put in your base-url),
  4. // see https://docs.atlassian.com/software/jira/docs/api/REST/8.18.0/
  5. def restBase = "https://<Base-URL>/rest/api/2"
  7. void init() {
  8. // Add the Authorization-header to all further requests
  9. http.addDefaultHeader("Authorization",Credentials.basic("<username>","<password>"))
  10. }
  12. // Adds a user to a group
  13. void addUserToGroup(username, groupName) {
  14. debug("Adding $username to $groupName")
  16. def jsonToSend = """{ "name": "$username" }"""
  18. ResponseWrapper response = http.postJson(
  19. "$restBase/group/user?groupname=$groupName",
  20. jsonToSend)
  22. if(response.code != 201 && response.code != 400) {
  23. fail("Unexpected response adding $username to group $groupName: ${response.code}: ${response.body}")
  24. }
  25. }
  27. // Checks if a user exists
  28. boolean userExists(username) {
  30. debug("Checking if $username exists already")
  32. def response = http.get("$restBase/user?username=$username")
  34. int responseCode = response.code
  35. if(responseCode == 404) {
  36. return false
  37. } else if(responseCode == 200) {
  38. return true
  39. } else {
  40. fail("REST-call to check user existence returned unexpected result $responseCode: ${response.body}")
  41. }
  42. }
  44. // Creates a new user
  45. void createUser(username, email, displayName) {
  47. debug("Creating $username with email $email and display name $displayName")
  48. def jsonToSend = """{
  49. "name": "$username",
  50. "emailAddress": "$email",
  51. "displayName": "$displayName"
  52. }"""
  54. ResponseWrapper response = http.postJson("$restBase/user",jsonToSend)
  55. if(response.code != 201) {
  56. fail("Unexpected response creating user: ${response.code} ${response.body}")
  57. }
  58. }
  60. // This method is called for a single-user sync
  61. @Override
  62. public SyncSingleUserResult syncSingleUser(SyncSingleUserWrapper wrapper) {
  64. if(!userExists(wrapper.identifier)) {
  65. // In this example, we assume that the SAML-attributes for email and displayname
  66. // are 'email' and 'displayName'
  67. // The SAML-attributes come as lists, os we need to pick the first element
  68. def email = wrapper.additionalData.email?.first()
  69. def displayName = wrapper.additionalData.displayName?.first()
  71. // Just fail if the necessary attributes are not present
  72. if( !email || !displayName) {
  73. fail("email and displayname must be present to create a user")
  74. }
  75. createUser(wrapper.identifier,email,displayName)
  76. }
  78. def groupsToAdd = wrapper.additionalData.groups?.asList() ?: []
  80. groupsToAdd.forEach{
  81. group -> addUserToGroup(wrapper.identifier,group)
  82. }
  84. // Create SingleUSerResult of type OTHER because we don't return a user here
  85. return SyncSingleUserResult.createOther("Update triggered");
  86. }
  87. }

Update/Create user with SAML-Attributes

and some logic

  1. class ConnectorCode extends GroovyConnectorCode {
  3. @Override
  4. public SyncSingleUserResult syncSingleUser(SyncSingleUserWrapper wrapper) {
  6. // Messages from debug() are visible in the log file when enabling
  7. // debug-logging for de.resolution.usersync.builtin.groovyconnector.GroovyConnectorCode
  8. debug("Single User Sync started for $wrapper.identifier")
  11. // Read out the required data from the SAML-response
  12. // The attributes come as lists, so we take the first list-entry using Groovy's safe dereference-operator
  13. def username = wrapper.additionalData.get("ATTR_NAMEID")?.first()
  14. if(!username) {
  15. return SyncSingleUserResult.createFailure("no username in SAML-response")
  16. }
  18. def email = wrapper.additionalData.get("email")?.first()
  19. if(!email) {
  20. return SyncSingleUserResult.createFailure("no email in SAML-response")
  21. }
  23. def fullname = wrapper.additionalData.get("fullname")?.first()
  24. if(!fullname) {
  25. return SyncSingleUserResult.createFailure("no fullname in SAML-response")
  26. }
  28. def groups = wrapper.additionalData.get("groups") // no .first() groups is really a list
  29. if(groups == null) {
  30. return SyncSingleUserResult.createFailure("no groups in SAML-response")
  31. }
  33. // Search for an existing user with the SAML-NameID as username
  34. AtlasUserResult findExistingResult = wrapper.findByUsername(username)
  36. // Fail here if the search-result is unexpected (anything other than successful or not found)
  37. if(!findExistingResult.notFound && !findExistingResult.success) {
  38. return SyncSingleUserResult.createFailure("Unexpected result searching existing user by username $username : ${Utils.asJson(findExistingUserResult)}")
  39. }
  41. // Search the user by the email address (as username) if not found by the userid
  42. if(findExistingResult.notFound) {
  43. debug("User with username username not found, searching user by email $email")
  44. findExistingResult = wrapper.findByUsername(email)
  46. // Fail here if the search-result is unexpected (anything other than successful or not found)
  47. if(!findExistingResult.notFound && !findExistingResult.success) {
  48. return SyncSingleUserResult.createFailure("Unexpected result searching existing user by email address $email : ${Utils.asJson(findExistingUserResult)}")
  49. }
  50. }
  52. // Create a new user if also not found by email address
  53. if(findExistingResult.notFound) {
  54. debug("No user found with username username or email $email, creating a new user.")
  56. // Create new users in the configured directory
  57. long directoryId = connector.configuration.directoryId
  59. AtlasUser userToCreate = AtlasUser.builder()
  60. .findBy(AtlasUserKeys.ATTRIBUTE_USERNAME,username)
  61. .in(directoryId)
  62. .with(AtlasUserKeys.ATTRIBUTE_USERNAME, username)
  63. .with(AtlasUserKeys.ATTRIBUTE_EMAIL,email)
  64. .with(AtlasUserKeys.ATTRIBUTE_FULLNAME,fullname)
  65. .with(AtlasUserKeys.ATTRIBUTE_GROUPS,groups)
  66. .with("CREATED_BY_SAML",true) // Set this attribute so the user is considered as created by SAML SSO
  67. .build()
  69. AtlasUserResult createResult = wrapper.create(userToCreate)
  70. return SyncSingleUserResult.createFound(createResult)
  72. }
  74. AtlasUser existingUser = findExistingResult.resultingUser.get() // resultingUser is a Java-Optional, so we need to call .get()
  76. // If a user is found and the user has the CREATED_BY_SAML-attribute, update the user
  77. // with the data from the SAML-response
  79. if(!existingUser.containsKey("CREATED_BY_SAML")) {
  80. debug("Existing user found has the CREATED_BY_SAML-attribute, updating attributes")
  81. AtlasUser userToUpdate = existingUser.newBuilder()
  82. .with(AtlasUserKeys.ATTRIBUTE_USERNAME,username)
  83. .with(AtlasUserKeys.ATTRIBUTE_EMAIL,email)
  84. .with(AtlasUserKeys.ATTRIBUTE_FULLNAME,fullname)
  85. .with(AtlasUserKeys.ATTRIBUTE_GROUPS,groups)
  86. .build()
  88. AtlasUserResult updateResult = wrapper.update(userToUpdate)
  89. return SyncSingleUserResult.createFound(updateResult)
  91. } else {
  92. // Don't update users without the CREATED_BY_SAML-attribute, just return
  93. // success with the found user
  94. debug("Existing user found has no CREATED_BY_SAML-attribute, NOT updating attributes")
  95. return SyncSingleUserResult.createFound(findExistingResult)
  96. }
  97. }
  98. }

Create from JSON

  1. // The class must extend GroovyConnectorCode
  2. class ConnectorCode extends GroovyConnectorCode {
  4. StructuredData testData
  6. @Override
  7. void init() {
  8. testData = StructuredData.parseJson(dataJson)
  9. }
  11. /*
  12. * This method is run when a sync is started.
  13. * It should call syncFunction.apply() with all users.
  14. * Remove this method if the Connector should not be able to run full syncs.
  15. */
  17. @Override
  18. void sync(SyncWrapper sync) {
  19. testData.forEach {
  20. sync.syncUser(it)
  21. }
  22. }
  25. /*
  26. * This method is run for a single user sync.
  27. * Remove this method if the Connector should not be able to run single user syncs.
  28. */
  29. @Override
  30. FindUserResult findUser(SyncSingleUserWrapper wrapper) {
  32. StructuredData foundData = testData.find { it.USERID == wrapper.identifier}
  33. if(foundData == null) {
  34. return notFound();
  35. } else {
  36. return found(foundData)
  37. }
  38. }
  42. def dataJson = """
  43. [
  44. {
  45. "EMAIL": "devin.bashirian@example.com",
  46. "FULLNAME": "Devin Bashirian",
  47. "GROUPS": [
  48. "Aerosmith",
  49. "Blondie"
  50. ],
  51. "USERID": "devin.bashirian",
  52. "Unique_ID": "83d992e7-d326-4f54-9e07-1980497849f6"
  53. },
  54. {
  55. "EMAIL": "ambrose.nader@example.com",
  56. "FULLNAME": "Ambrose Naderx",
  57. "GROUPS": [
  58. "Aerosmith",
  59. "Blondie",
  60. "U2",
  61. "Genesis"
  62. ],
  63. "USERID": "ambrose.nader",
  64. "Unique_ID": "50930ca4-f7e9-4a57-911c-369fd90ef736"
  65. },
  66. {
  67. "EMAIL": "gabriela.price@example.com",
  68. "FULLNAME": "Gabriela Price",
  69. "GROUPS": [
  70. "Aerosmith",
  71. "Genesis",
  72. "Blondie"
  73. ],
  74. "USERID": "gabriela.price",
  75. "Unique_ID": "ed5698ad-f5ae-414a-a257-3b719cb86322"
  76. },
  77. {
  78. "EMAIL": "joseph.crona@example.com",
  79. "FULLNAME": "Joseph Crona",
  80. "GROUPS": [
  81. "Aerosmith",
  82. "Blondie",
  83. "U2"
  84. ],
  85. "USERID": "joseph.crona",
  86. "Unique_ID": "f717f7d1-5cff-46a0-8b08-ce1a5a11b2b9"
  87. },
  88. {
  89. "EMAIL": "jamee.breitenberg@example.com",
  90. "FULLNAME": "Jamee Breitenberg",
  91. "GROUPS": [
  92. "U2",
  93. "Aerosmith",
  94. "U2",
  95. "Genesis",
  96. "Blondie"
  97. ],
  98. "USERID": "jamee.breitenberg",
  99. "Unique_ID": "5446e3d2-5686-4b9b-a595-82c3ba83378f"
  100. }
  101. ]
  103. """
  104. }

Trigger single user sync on other connector

  1. class ConnectorCode extends GroovyConnectorCode {
  3. //
  4. // After the sync, all users in the directory configured for this connector are disabled
  5. // during the cleanup-phase. So make sure to configure an separate, empty directory
  6. // for this connector!
  8. /*
  9. * This method is called when a sync is started.
  10. */
  11. @Override
  12. void sync(SyncWrapper sync) {
  14. // Unique id of the connector to call
  15. def otherConnectorId = "4264572f-e481-4ee2-914c-7774a4c9b80d"
  17. // This will throw an Exception if the connector is not found and the sync
  18. // will stop as failed
  19. Connector otherConnector = connectorService.getConnectorByUniqueId(otherConnectorId)
  21. // We need to work on the other connector's directory
  22. def directory = otherConnector.configuration.directoryId
  24. SyncStatus syncStatus = sync.getSyncStatus()
  26. // With this method, apply() from CallSyncSingleUserFunction is called for
  27. // each user in the directory, so see below for what's happening there
  28. atlasUserAdapter.applyToAll(
  29. directory,
  30. new CallSyncSingleUserFunction(otherConnector,sync),
  31. syncStatus)
  32. }
  34. class CallSyncSingleUserFunction implements AtlasUserFunction {
  36. private final Connector connectorToCall
  37. private final SyncWrapper syncWrapper
  39. CallSyncSingleUserFunction(Connector con, SyncWrapper wrap) {
  40. connectorToCall = con
  41. syncWrapper = wrap
  42. }
  44. // This is called by atlasUserAdapter.applyToAll() above
  45. Optional<AtlasUserResult> apply(AtlasUser atlasUser, AtlasUserStatusObject status) {
  47. def username = atlasUser.get("ATTR_NAME").get()
  49. // Trigger the single user sync for the user
  50. def syncSingleResult = connectorToCall.syncSingleUser(username,null,null,null)
  52. // If the user was found in the connector's backend, there should be
  53. // an AtlasUserResult indicating the update.result
  54. if(syncSingleResult.status == SyncSingleUserResult.Status.FOUND) {
  55. AtlasUserResult updateResult = syncSingleResult.getUpdateUserResult()
  56. status.add(updateResult)
  57. return Optional.ofNullable(updateResult)
  59. } else if(syncSingleResult.status == SyncSingleUserResult.Status.NOT_FOUND) {
  60. syncWrapper.log("Sync single user for $username returned NOT_FOUND, disabling user")
  61. AtlasUser userToDisable = new AtlasUserBuilder()
  62. .findBy(atlasUser.getReference())
  63. .active(false)
  64. .build()
  65. AtlasUserResult disableResult = atlasUserAdapter.update(userToDisable)
  66. status.add(disableResult)
  67. return Optional.of(disableResult)
  69. } else {
  70. syncWrapper.log("Sync single user for $username returned unexpected result: ${syncSingleResult.status}")
  71. return Optional.empty()
  72. }
  73. }
  74. }
  76. }


Uni 

  1. package groovy
  2. class ConnectorCode extends GroovyConnectorCode {
  4. private static final String KEY_ACCESS_TOKEN = "accessToken";
  5. private static final String KEY_EXPIRE_DATE = "expireDate";
  8. //
  9. // Diese Werte müssen entsprechend angepasst werden
  10. //
  11. private static final String userUrl = "<https://.../api/v1.0/">
  12. private static final String tokenUrl = "<https://...">
  14. private static final String clientId = "removed"
  15. private static final String clientSecret = "removed"
  17. private static final String scope = "uaccount_jira_api"
  18. private static final String audience = null
  20. //
  21. // Hier muss das von Shibboleth gesendete Gruppenattribut eingetragen werden
  22. //
  23. private static final String GROUP_ATTR = "group"
  25. // Identifiers for testing:
  26. // student1@univie.ac.at -> mailForwardingAddress
  27. // test1@univie.ac.at -> primary email
  28. // test3@univie.ac.at -> no email
  30. @Override
  31. public SyncSingleUserResult syncSingleUser( String identifier,
  32. Map<String, Collection<String>> additionalData,
  33. Map<String, Set<String>> attributesToOverride) {
  35. def userFromBackend = findUserInBackend(identifier,false)
  37. // For debugging, user attributes can be specified here instead of loading them from the backend
  38. /*
  39. def userFromBackend = [
  40. uid : "test2",
  41. displayName : "Test User 2 ABC x",
  42. mail : "test2.user@univie.ac.at",
  43. eduPersonPrincipalName : "test2@univie.ac.at",
  44. mailForwardingAddress : ["test2.user@univie.ac.at", "test2.user@gmail.com", "test2.user@web.de"]
  45. ]
  46. */
  49. if(userFromBackend == null) {
  50. return SyncSingleUserResult.createNotFound()
  51. }
  53. // 1. Ein Benutzer mit aktiver primärer e-mail Adresse (Uni Personal oder Studierende) loggt mittels Shibboleth ins Servicedesk ein.
  54. if(userFromBackend.mail) {
  55. // Falls bereits ein Jira Account mit der verwendeten UserID vorhanden ist dann soll nur eine Aktualisierung erfolgen falls diese primäre e-mail Adresse
  56. // von der im Jira Directory vorhandenen e-mail Adresse abweicht, und/oder der Realname ein anderer ist. Die UserID bleibt unverändert.
  57. AtlasUserResult resultByName = findExistingUser(userFromBackend.uid)
  58. if (resultByName.isSuccess()) {
  59. return SyncSingleUserResult.createFound(
  60. updateUser(resultByName.getResultingUser().get(),userFromBackend,additionalData))
  61. // Ist aber kein Jira Account mit der verwendeten UserID vorhanden
  62. // dann soll nach einem Jira Account gesucht werden dessen UserID der primären e-mail Adresse entspricht.
  63. } else if (resultByName.notFound) {
  64. AtlasUserResult resultByEmail = findExistingUser(userFromBackend.mail)
  65. if (resultByEmail.isSuccess()) {
  66. return SyncSingleUserResult.createFound(
  67. updateUser(resultByEmail.getResultingUser().get(),userFromBackend,additionalData))
  68. } else if (resultByEmail.notFound) {
  69. return SyncSingleUserResult.createFound(
  70. createNewUser(userFromBackend,additionalData))
  71. } else {
  72. return SyncSingleUserResult.createFailure("Unexpected result : ${Utils.asJson(resultByEmail)}")
  73. }
  74. }
  75. }
  77. /* 2. Ein Benutzer ohne primäre e-mail Adresse (vorläufiger Account, Rolle PROSPECTIVE) loggt mittels Shibboleth ins Servicedesk ein. */
  78. if(userFromBackend.mailForwardingAddress) {
  79. AtlasUserResult resultByName = findExistingUser(userFromBackend.uid)
  80. // Falls bereits ein Jira Account mit der verwendeten UserID vorhanden ist dann soll nur eine Aktualisierung erfolgen falls diese primäre e-mail Adresse
  81. // von der im Jira Directory vorhandenen e-mail Adresse abweicht, und/oder der Realname ein anderer ist. Die UserID bleibt unverändert.
  82. if (resultByName.isSuccess()) {
  83. return SyncSingleUserResult.createFound(
  84. updateUser(resultByName.getResultingUser().get(),userFromBackend,additionalData))
  86. // Ist aber kein Jira Account mit der verwendeten UserID vorhanden dann soll nach einem Jira Account gesucht werden
  87. // dessen UserID der Weiterleitungsadresse entspricht.
  88. // Ist so ein Jira Account vorhanden so soll dessen UserID aktualisiert werden (und abweichende Daten auch).
  89. } else if (resultByName.notFound) {
  91. if(!userFromBackend.mailForwardingAddress) {
  92. return SyncSingleUserResult.createFailure("No mailForwardingAddress is set for this user")
  93. }
  95. for(forwardingAddress in userFromBackend.mailForwardingAddress) {
  96. AtlasUserResult resultByForwardingAddress = findExistingUser(forwardingAddress)
  98. if(resultByForwardingAddress.isSuccess()) {
  99. return SyncSingleUserResult.createFound(
  100. updateUser(resultByForwardingAddress.getResultingUser().get(),userFromBackend,additionalData))
  102. } else if(!resultByForwardingAddress.notFound) {
  103. return SyncSingleUserResult.createFailure("Unexpected result searching by forwardingAddress : ${Utils.asJson(resultByForwardingAddress)}")
  104. }
  105. }
  107. return SyncSingleUserResult.createFound(
  108. createNewUser(userFromBackend,additionalData))
  109. }
  110. }
  111. return SyncSingleUserResult.createFailure("User has neither a primary email nor a mailForwardingAddress")
  113. }
  115. /*
  116. * Finds a user by the username
  117. */
  118. AtlasUserResult findExistingUser(String username) {
  119. return atlasUserAdapter.readFirstUniqueUser(
  120. AtlasUserReference.create(
  121. AtlasUserKeys.ATTRIBUTE_USERNAME,
  122. username,
  123. AtlasUserKeys.ANY_DIRECTORY));
  124. }
  126. /*
  127. * Updates an existing user with the attributes from the backend
  128. */
  129. AtlasUserResult updateUser(AtlasUser existingUser, attributesFromBackend, additionalData) {
  132. AtlasUserBuilder userToUpdate = existingUser.newBuilder();
  134. if(attributesFromBackend.uid) {
  135. userToUpdate.with(AtlasUserKeys.ATTRIBUTE_USERNAME, attributesFromBackend.uid)
  136. }
  137. if(attributesFromBackend.mail) {
  138. userToUpdate.with(AtlasUserKeys.ATTRIBUTE_EMAIL,attributesFromBackend.mail)
  139. }
  140. if(attributesFromBackend.displayName) {
  141. userToUpdate.with(AtlasUserKeys.ATTRIBUTE_FULLNAME,attributesFromBackend.displayName)
  142. }
  143. if(attributesFromBackend.uid) {
  144. userToUpdate.with("uid",attributesFromBackend.uid)
  145. }
  147. if(additionalData != null && additionalData.get(GROUP_ATTR) != null) {
  149. // use getAttributeValues here, get() will return the first group only
  150. def existingGroups = existingUser.getAttributeValues('ATTR_GROUPS')
  151. def newGroups = additionalData.get(GROUP_ATTR)
  152. def effectiveGroups = existingGroups + newGroups
  154. userToUpdate.with(AtlasUserKeys.ATTRIBUTE_GROUPS,effectiveGroups)
  155. }
  157. return atlasUserAdapter.update(userToUpdate.build())
  158. }
  160. /*
  161. * Creates a new user from the attributeMap
  162. */
  163. AtlasUserResult createNewUser(attributeMap,additionalData) {
  165. logger.warn(attributeMap as String)
  167. ConnectorConfiguration cfg = connector.getConfiguration();
  168. long directory = cfg.getDirectoryId();
  170. AtlasUserBuilder userBuilder = AtlasUser.builder()
  171. .findBy(AtlasUserKeys.ATTRIBUTE_USERNAME,attributeMap.uid)
  172. .in(directory)
  173. .with(AtlasUserKeys.ATTRIBUTE_USERNAME, attributeMap.uid)
  174. .with(AtlasUserKeys.ATTRIBUTE_EMAIL,attributeMap.mail ?: attributeMap.mailForwardingAddress)
  175. .with(AtlasUserKeys.ATTRIBUTE_FULLNAME,attributeMap.displayName)
  176. .with("uid",attributeMap.uid)
  178. if(additionalData != null && additionalData.get(GROUP_ATTR) != null) {
  179. userBuilder.with(AtlasUserKeys.ATTRIBUTE_GROUPS,additionalData.get(GROUP_ATTR))
  180. }
  182. AtlasUser userToCreate = userBuilder.build()
  184. return atlasUserAdapter.create(userToCreate);
  185. }
  188. /*
  189. * Searches the user in the backend
  190. */
  191. def findUserInBackend(String identifier, boolean isRetry) {
  193. if(!read(KEY_ACCESS_TOKEN) || (new Date().getTime() > Long.valueOf(read(KEY_EXPIRE_DATE) ?: "0"))) {
  194. requestAccessToken();
  195. }
  197. def accessToken = read(KEY_ACCESS_TOKEN)
  198. if(!accessToken) {
  199. fail("No Access-Token present")
  200. }
  202. def resp = http.get("${userUrl}${identifier}",["Authorization": "Bearer " + accessToken])
  204. if(resp.code == 401) {
  205. if(isRetry) {
  206. fail("Could not load user, unauthorized after retry")
  207. } else {
  208. return findUserInBackend(identifer,true)
  209. }
  210. }
  212. if(resp.code == 404) {
  213. return null
  214. }
  216. if(!(resp.code in 200..299)) {
  217. fail("Unexpected response ${resp.code}")
  218. }
  220. return resp.parsedJson
  221. }
  224. /*
  225. * Requests a new OAUTH-Token using the client_credentials flow
  226. */
  227. void requestAccessToken() {
  229. def formData = [
  230. "grant_type" : "client_credentials",
  231. "client_id" : clientId,
  232. "client_secret": clientSecret ]
  234. if(scope) {
  235. formData.put("scope",scope)
  236. }
  238. if(audience) {
  239. formData.put("audience",audience)
  240. }
  242. def resp = http.postAsForm(tokenUrl,formData,[:])
  244. if(resp.code in (200..299)) {
  245. def parsed = resp.parsedJson
  247. def accessToken = parsed.access_token
  248. def expires = parsed.expires_in
  249. def expireDate = new Date().getTime() + ((expires - 1) * 1000)
  251. write(KEY_ACCESS_TOKEN,accessToken)
  252. write(KEY_EXPIRE_DATE,expireDate)
  254. } else {
  255. fail("Failed to load access token: $resp.code")
  256. }
  257. }