jenkinsci · jtnord · Sep 9, 2025 · May 28, 2025 · Aug 22, 2025 · Aug 22, 2025
@@ -1,5 +1,6 @@
 package org.jenkinsci.plugins.oic;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.util.FormValidation;
@@ -10,7 +11,10 @@
 public abstract class AbstractKeyValueDescribable<T extends AbstractKeyValueDescribable<T>>
         extends AbstractDescribableImpl<T> {
 
+    @NonNull
     private final String key;
+
+    @NonNull
     private final String value;
 
     /**
@@ -52,10 +56,12 @@ public AbstractKeyValueDescribable(String key, String value, boolean allowBlankV
         this.value = value == null ? "" : value.trim();
     }
 
+    @NonNull
     public String getKey() {
         return key;
     }
 
+    @NonNull
     public String getValue() {
         return value;
     }

@@ -1,5 +1,6 @@
 package org.jenkinsci.plugins.oic;
 
+import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.model.Descriptor;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
@@ -25,6 +26,7 @@ public String getURLEncodedKey() {
     /**
      * Return {@link #getValue()} encoded with {@code application/x-www-form-urlencoded} in {@code UTF-8}
      */
+    @NonNull
     public String getURLEncodedValue() {
         return URLEncoder.encode(getValue(), StandardCharsets.UTF_8);
     }

diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicProperty.java b/src/main/java/org/jenkinsci/plugins/oic/OicProperty.java
@@ -0,0 +1,38 @@
+package org.jenkinsci.plugins.oic;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.AbstractDescribableImpl;
+import java.util.List;
+import java.util.Optional;
+import org.springframework.security.core.Authentication;
+
+/**
+ * Represents a property that can be configured for OIDC authentication.
+ */
+public abstract class OicProperty extends AbstractDescribableImpl<OicProperty> {
+    /**
+     * @return a new execution for this property, holding any required state.
+     */
+    @NonNull
+    public OicPropertyExecution newExecution(@NonNull OicServerConfiguration serverConfiguration) {
+        return new EmptyExecution();
+    }
+
+    private record EmptyExecution() implements OicPropertyExecution {}
+
+    /**
+     * Allows a property to authenticate the user.
+     * @see org.jenkinsci.plugins.oic.properties.EscapeHatch
+     */
+    public Optional<Authentication> authenticate(Authentication authentication) {
+        return Optional.empty();
+    }
+
+    /**
+     * Allows a property to contribute additional query parameters to the logout request.
+     */
+    @NonNull
+    public List<LogoutQueryParameter> contributeLogoutQueryParameters() {
+        return List.of();
+    }
+}
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicPropertyDescriptor.java b/src/main/java/org/jenkinsci/plugins/oic/OicPropertyDescriptor.java
@@ -0,0 +1,28 @@
+package org.jenkinsci.plugins.oic;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.ExtensionList;
+import hudson.ExtensionPoint;
+import hudson.model.Descriptor;
+import org.pac4j.oidc.config.OidcConfiguration;
+
+public abstract class OicPropertyDescriptor extends Descriptor<OicProperty> implements ExtensionPoint {
+    public static ExtensionList<OicPropertyDescriptor> all() {
+        return ExtensionList.lookup(OicPropertyDescriptor.class);
+    }
+
+    /**
+     * Allows the property to restrict its applicability depending on the context (for example, FIPS)
-     * Allows the property to restrict its applicability depending on the context (for example, FIPS)
+     * Allows the property to restrict its applicability depending on the context (for example, FIPS).
+     * This is different to not registering the {@code Descriptor} in Jenkins so that default (fallback) configuration can be used.
+     * @see #getFallbackConfiguration
-     * Allows the property to restrict its applicability depending on the context (for example, FIPS)
+     * Allows the property to restrict its applicability depending on the context (for example, FIPS).
+     * This is different to not registering the {@code Descriptor} in Jenkins so that default (fallback) configuration can be used.
+     * @see #getFallbackConfiguration
+     */
+    public boolean isApplicable() {
+        return true;
+    }
+
+    /**
+     * This method gets called if the property is not configured explicitly. For example, providing a default value.
+     */
+    public void getFallbackConfiguration(
+            @NonNull OicServerConfiguration serverConfiguration, @NonNull OidcConfiguration configuration) {
+        // no-op
+    }
+}
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicPropertyExecution.java b/src/main/java/org/jenkinsci/plugins/oic/OicPropertyExecution.java
@@ -0,0 +1,23 @@
+package org.jenkinsci.plugins.oic;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import org.pac4j.oidc.client.OidcClient;
+import org.pac4j.oidc.config.OidcConfiguration;
+
+public interface OicPropertyExecution {
+    /**
+     * Customize the OIDC configuration.
+     *
+     * @param configuration the OIDC configuration to customize
+     */
+    default void customizeConfiguration(@NonNull OidcConfiguration configuration) {}
+
+    /**
+     * Customize the OIDC client.
+     * <br/>
+     * Always called after {@link #customizeConfiguration(OidcConfiguration)}.
+     *
+     * @param client the OIDC client to customize
+     */
+    default void customizeClient(@NonNull OidcClient client) {}
+}