• Home
• io.helidon.microprofile.jwt
• helidon-microprofile-jwt-auth
• 4.1.2
• source code
• JwtAuthProvider.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.helidon.microprofile.jwt.auth.JwtAuthProvider Maven / Gradle / Ivy

/*
 * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.helidon.microprofile.jwt.auth;

import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.lang.System.Logger.Level;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.IdentityHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import io.helidon.common.Errors;
import io.helidon.common.LazyValue;
import io.helidon.common.config.Config;
import io.helidon.common.configurable.Resource;
import io.helidon.common.pki.Keys;
import io.helidon.config.metadata.Configured;
import io.helidon.config.metadata.ConfiguredOption;
import io.helidon.config.metadata.ConfiguredValue;
import io.helidon.http.HeaderNames;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Grant;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.Security;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityException;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.jwt.EncryptedJwt;
import io.helidon.security.jwt.Jwt;
import io.helidon.security.jwt.JwtException;
import io.helidon.security.jwt.JwtHeaders;
import io.helidon.security.jwt.JwtValidator;
import io.helidon.security.jwt.SignedJwt;
import io.helidon.security.jwt.Validator;
import io.helidon.security.jwt.jwk.Jwk;
import io.helidon.security.jwt.jwk.JwkEC;
import io.helidon.security.jwt.jwk.JwkKeys;
import io.helidon.security.jwt.jwk.JwkRSA;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.common.TokenCredential;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.util.TokenHandler;

import jakarta.enterprise.inject.spi.DeploymentException;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.json.JsonReaderFactory;
import org.eclipse.microprofile.auth.LoginConfig;
import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
import org.eclipse.microprofile.jwt.JsonWebToken;

import static io.helidon.security.EndpointConfig.PROPERTY_OUTBOUND_ID;
import static java.nio.charset.StandardCharsets.UTF_8;

/**
 * Provider that provides JWT authentication.
 */
public class JwtAuthProvider implements AuthenticationProvider, OutboundSecurityProvider {

    /**
     * Configuration key for expected issuer of incoming tokens. Used for validation of JWT.
     */
    public static final String CONFIG_EXPECTED_ISSUER = "mp.jwt.verify.issuer";
    /**
     * Configuration key for expected audiences of incoming tokens. Used for validation of JWT.
     */
    public static final String CONFIG_EXPECTED_AUDIENCES = "mp.jwt.verify.audiences";

    private static final String CONFIG_EXPECTED_MAX_TOKEN_AGE = "mp.jwt.verify.token.age";
    private static final String CONFIG_CLOCK_SKEW = "mp.jwt.verify.clock.skew";
    /**
     * Configuration of Cookie property name which contains JWT token.
     *
     * This will be ignored unless {@link #CONFIG_JWT_HEADER} is set to {@link io.helidon.http.HeaderNames#COOKIE}.
     */
    private static final String CONFIG_COOKIE_PROPERTY_NAME = "mp.jwt.token.cookie";
    /**
     * Configuration of the header where the JWT token is set.
     *
     * Default value is {@link io.helidon.http.HeaderNames#AUTHORIZATION}.
     */
    private static final String CONFIG_JWT_HEADER = "mp.jwt.token.header";
    private static final System.Logger LOGGER = System.getLogger(JwtAuthProvider.class.getName());
    private static final JsonReaderFactory JSON = Json.createReaderFactory(Collections.emptyMap());

    private final boolean optional;
    private final boolean authenticate;
    private final boolean propagate;
    private final boolean allowImpersonation;
    private final SubjectType subjectType;
    private final TokenHandler atnTokenHandler;
    private final TokenHandler defaultTokenHandler;
    private final LazyValue verifyKeys;
    private final Set expectedAudiences;
    private final JwkKeys signKeys;
    private final LazyValue decryptionKeys;
    private final OutboundConfig outboundConfig;
    private final String issuer;
    private final LazyValue defaultJwk;
    private final LazyValue defaultDecryptionJwk;
    private final Map targetToJwtConfig = new IdentityHashMap<>();
    private final ReentrantLock targetToJwtConfigLock = new ReentrantLock();
    private final String expectedIssuer;
    private final String cookiePrefix;
    private final String decryptionKeyAlgorithm;
    private final boolean useCookie;
    private final Duration expectedMaxTokenAge;
    private final Duration clockSkew;

    private JwtAuthProvider(Builder builder) {
        this.optional = builder.optional;
        this.authenticate = builder.authenticate;
        this.propagate = builder.propagate && builder.outboundConfig.targets().size() > 0;
        this.allowImpersonation = builder.allowImpersonation;
        this.subjectType = builder.subjectType;
        this.atnTokenHandler = builder.atnTokenHandler;
        this.outboundConfig = builder.outboundConfig;
        this.verifyKeys = builder.verifyKeys;
        this.signKeys = builder.signKeys;
        this.issuer = builder.issuer;
        this.expectedAudiences = builder.expectedAudiences;
        this.defaultJwk = builder.defaultJwk;
        this.expectedIssuer = builder.expectedIssuer;
        this.cookiePrefix = builder.cookieProperty + "=";
        this.useCookie = builder.useCookie;
        this.decryptionKeys = builder.decryptionKeys;
        this.defaultDecryptionJwk = builder.defaultDecryptionJwk;
        this.decryptionKeyAlgorithm = builder.decryptionKeyAlgorithm;
        this.expectedMaxTokenAge = builder.expectedMaxTokenAge;
        this.clockSkew = builder.clockSkew;

        if (null == atnTokenHandler) {
            defaultTokenHandler = TokenHandler.builder()
                    .tokenHeader("Authorization")
                    .tokenPrefix("bearer ")
                    .build();
        } else {
            defaultTokenHandler = atnTokenHandler;
        }
    }

    /**
     * A builder for this provider.
     *
     * @return builder to create a new instance
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Create provider instance from configuration.
     *
     * @param config configuration of this provider
     * @return provider instance
     */
    public static JwtAuthProvider create(Config config) {
        return builder().config(config).build();
    }

    @Override
    public Collection> supportedAnnotations() {
        return Set.of(LoginConfig.class);
    }

    @Override
    public AuthenticationResponse authenticate(ProviderRequest providerRequest) {
        if (!authenticate) {
            return AuthenticationResponse.abstain();
        }

        //Obtains Application level of security
        List loginConfigs = providerRequest.endpointConfig().securityLevels().get(0)
                .filterAnnotations(LoginConfig.class, EndpointConfig.AnnotationScope.CLASS);

        try {
            return loginConfigs.stream()
                    .filter(JwtAuthAnnotationAnalyzer::isMpJwt)
                    .findFirst()
                    .map(loginConfig -> authenticate(providerRequest, loginConfig))
                    .orElseGet(AuthenticationResponse::abstain);
        } catch (java.lang.SecurityException e) {
            return AuthenticationResponse.failed("Failed to process authentication header", e);
        }
    }

    AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) {
        Optional maybeToken;
        try {
            Map> headers = providerRequest.env().headers();
            if (useCookie) {
                maybeToken = findCookie(headers);
            } else {
                maybeToken = atnTokenHandler.extractToken(headers);
            }
        } catch (Exception e) {
            if (optional) {
                return AuthenticationResponse.abstain();
            } else {
                return AuthenticationResponse.failed("Header not available or in a wrong format", e);
            }
        }

        return maybeToken
                .map(token -> {
                    JwtHeaders headers;
                    SignedJwt signedJwt;
                    try {
                        headers = JwtHeaders.parseToken(token);
                        if (headers.encryption().isPresent() || decryptionKeys.get() != null) {
                            EncryptedJwt encryptedJwt = EncryptedJwt.parseToken(headers, token);
                            if (!headers.contentType().map("JWT"::equals).orElse(false)) {
                                throw new JwtException("Header \"cty\" (content type) must be set to \"JWT\" "
                                                               + "for encrypted tokens");
                            }
                            List> validators = new LinkedList<>();
                            EncryptedJwt.addKekValidator(validators, decryptionKeyAlgorithm, true);
                            Errors errors = encryptedJwt.validate(validators);
                            if (errors.isValid()) {
                                signedJwt = encryptedJwt.decrypt(decryptionKeys.get(), defaultDecryptionJwk.get());
                            } else {
                                return AuthenticationResponse.failed(errors.toString());
                            }
                        } else {
                            signedJwt = SignedJwt.parseToken(token);
                        }
                    } catch (Exception e) {
                        if (LOGGER.isLoggable(Level.TRACE)) {
                            LOGGER.log(Level.TRACE, "Failed to parse token String into JWT", e);
                        }
                        //invalid token
                        return AuthenticationResponse.failed("Invalid token", e);
                    }
                    Errors errors = signedJwt.verifySignature(verifyKeys.get(), defaultJwk.get());
                    if (errors.isValid()) {
                        Jwt jwt = signedJwt.getJwt();
                        JwtValidator.Builder valBuilder = JwtValidator.builder();
                        if (expectedIssuer != null) {
                            // validate issuer
                            valBuilder.addIssuerValidator(expectedIssuer);
                        }
                        if (!expectedAudiences.isEmpty()) {
                            // validate audience(s)
                            valBuilder.addAudienceValidator(expectedAudiences);
                        }
                        // validate user principal is present
                        valBuilder.addUserPrincipalValidator()
                                .addExpirationValidator(builder -> builder.now(Instant.now())
                                        .allowedTimeSkew(clockSkew)
                                        .mandatory(true));
                        if (expectedMaxTokenAge != null) {
                            valBuilder.addMaxTokenAgeValidator(builder -> builder.expectedMaxTokenAge(expectedMaxTokenAge)
                                    .allowedTimeSkew(clockSkew)
                                    .mandatory(true));
                        }
                        JwtValidator jwtValidator = valBuilder.build();
                        Errors validate = jwtValidator.validate(jwt);

                        if (validate.isValid()) {
                            return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
                        } else {
                            return AuthenticationResponse.failed(errors.toString());
                        }
                    } else {
                        return AuthenticationResponse.failed(errors.toString());
                    }
                }).orElseGet(AuthenticationResponse::abstain);
    }

    private Optional findCookie(Map> headers) {
        List cookies = headers.get(HeaderNames.COOKIE.defaultCase());
        if ((null == cookies) || cookies.isEmpty()) {
            return Optional.empty();
        }

        for (String cookie : cookies) {
            //a=b; c=d; e=f
            String[] cookieValues = cookie.split(";\\s?");
            for (String cookieValue : cookieValues) {
                String trimmed = cookieValue.trim();
                if (trimmed.startsWith(cookiePrefix)) {
                    return Optional.of(trimmed.substring(cookiePrefix.length()));
                }
            }
        }

        return Optional.empty();
    }

    Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
        JsonWebTokenImpl principal = buildPrincipal(signedJwt);

        TokenCredential.Builder builder = TokenCredential.builder();
        jwt.issueTime().ifPresent(builder::issueTime);
        jwt.expirationTime().ifPresent(builder::expTime);
        jwt.issuer().ifPresent(builder::issuer);
        builder.token(signedJwt.tokenContent());
        builder.addToken(JsonWebToken.class, principal);
        builder.addToken(Jwt.class, jwt);
        builder.addToken(SignedJwt.class, signedJwt);

        Subject.Builder subjectBuilder = Subject.builder()
                .principal(principal)
                .addPublicCredential(TokenCredential.class, builder.build());

        Optional> userGroups = jwt.userGroups();
        userGroups.ifPresent(groups -> groups.forEach(group -> subjectBuilder.addGrant(Role.create(group))));

        Optional> scopes = jwt.scopes();
        scopes.ifPresent(scopeList ->
                                 scopeList.forEach(scope -> subjectBuilder.addGrant(Grant.builder()
                                                                                            .name(scope)
                                                                                            .type("scope")
                                                                                            .build())));

        return subjectBuilder.build();
    }

    static JsonWebTokenImpl buildPrincipal(SignedJwt signedJwt) {
        return JsonWebTokenImpl.create(signedJwt);
    }

    @Override
    public boolean isOutboundSupported(ProviderRequest providerRequest,
                                       SecurityEnvironment outboundEnv,
                                       EndpointConfig outboundConfig) {
        // only propagate if we have an actual target configured
        return propagate && this.outboundConfig.findTarget(outboundEnv).isPresent();
    }

    @Override
    public OutboundSecurityResponse outboundSecurity(ProviderRequest providerRequest,
                                                     SecurityEnvironment outboundEnv,
                                                     EndpointConfig outboundEndpointConfig) {

        Optional