[FEATURE] usage of JWKS with JWT (w/o OpenID connect)

sebastianmichalski · sebastianmichalski · commit 052836e1b67c · 2023-05-29T09:46:51.000+02:00
Signed-off-by: Sebastian Michalski &lt;shekerama@gmail.com&gt;
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -55,6 +55,8 @@ public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator
     private final String jwtUrlParameter;
     private final String subjectKey;
     private final String rolesKey;
+    private final String requiredAudience;
+    private final String requiredIssuer;
 
     public static final int DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS = 30;
     private final int clockSkewToleranceSeconds ;
@@ -66,10 +68,12 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
         rolesKey = settings.get("roles_key");
         subjectKey = settings.get("subject_key");
         clockSkewToleranceSeconds = settings.getAsInt("jwt_clock_skew_tolerance_seconds", DEFAULT_CLOCK_SKEW_TOLERANCE_SECONDS);
+        requiredAudience = settings.get("required_audience");
+        requiredIssuer = settings.get("required_issuer");
 
         try {
             this.keyProvider = this.initKeyProvider(settings, configPath);
-            jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds );
+            jwtVerifier = new JwtVerifier(keyProvider, clockSkewToleranceSeconds, requiredIssuer, requiredAudience);
 
         } catch (Exception e) {
             log.error("Error creating JWT authenticator. JWT authentication will not work", e);
@@ -233,4 +237,12 @@ public boolean reRequestAuthentication(RestChannel channel, AuthCredentials auth
         return true;
     }
 
+    public String getRequiredAudience() {
+        return requiredAudience;
+    }
+
+    public String getRequiredIssuer() {
+        return requiredIssuer;
+    }
+
 }
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java
@@ -32,9 +32,15 @@ protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws
 
 		int refreshRateLimitTimeWindowMs = settings.getAsInt("refresh_rate_limit_time_window_ms", 10000);
 		int refreshRateLimitCount = settings.getAsInt("refresh_rate_limit_count", 10);
-
-		KeySetRetriever keySetRetriever = new KeySetRetriever(settings.get("openid_connect_url"),
-				getSSLConfig(settings, configPath), settings.getAsBoolean("cache_jwks_endpoint", false));
+		var jwksUri = settings.get("jwks_uri");
+
+		KeySetRetriever keySetRetriever;
+		if(jwksUri != null && !jwksUri.isBlank()) {
+			keySetRetriever =
+				new KeySetRetriever(getSSLConfig(settings, configPath), settings.getAsBoolean("cache_jwks_endpoint", false), jwksUri);
+		} else {
+			keySetRetriever = new KeySetRetriever(settings.get("openid_connect_url"), getSSLConfig(settings, configPath), settings.getAsBoolean("cache_jwks_endpoint", false));
+		}
 
 		keySetRetriever.setRequestTimeoutMs(idpRequestTimeoutMs);
 
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java
@@ -33,10 +33,14 @@ public class JwtVerifier {
 
 	private final KeyProvider keyProvider;
 	private final int clockSkewToleranceSeconds;
-
-	public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds ) {
+	private final String requiredIssuer;
+	private final String requiredAudience;
+	
+	public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds, String requiredIssuer, String requiredAudience) {
 		this.keyProvider = keyProvider;
 		this.clockSkewToleranceSeconds = clockSkewToleranceSeconds;
+		this.requiredIssuer = requiredIssuer;
+		this.requiredAudience = requiredAudience;
 	}
 
 	public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
@@ -112,6 +116,20 @@ private void validateClaims(JwtToken jwt) throws BadCredentialsException, JwtExc
 		if (claims != null) {
 			JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
 			JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
+			validateRequiredAudienceAndIssuer(claims);
+		}
+	}
+
+	private void validateRequiredAudienceAndIssuer(JwtClaims claims) {
+		String audience = claims.getAudience();
+		String issuer = claims.getIssuer();
+
+		if (!audience.equals(requiredAudience)) {
+			throw new JwtException("Invalid issuer");
+		}
+
+		if (!issuer.equals(requiredIssuer)) {
+			throw new JwtException("Invalid issuer");
 		}
 	}
 }
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java
@@ -54,15 +54,20 @@ public class KeySetRetriever implements KeySetProvider {
 	private int oidcCacheModuleResponses = 0;
 	private long oidcRequests = 0;
 	private long lastCacheStatusLog = 0;
+	private String jwksUri;
 
 	KeySetRetriever(String openIdConnectEndpoint, SSLConfig sslConfig, boolean useCacheForOidConnectEndpoint) {
 		this.openIdConnectEndpoint = openIdConnectEndpoint;
 		this.sslConfig = sslConfig;
 
-		if (useCacheForOidConnectEndpoint) {
-			cacheConfig = CacheConfig.custom().setMaxCacheEntries(10).setMaxObjectSize(1024L * 1024L).build();
-			oidcHttpCacheStorage = new BasicHttpCacheStorage(cacheConfig);
-		}
+		configureCache(useCacheForOidConnectEndpoint);
+	}
+
+	KeySetRetriever(SSLConfig sslConfig, boolean useCacheForOidConnectEndpoint, String jwksUri) {
+		this.jwksUri = jwksUri;
+		this.sslConfig = sslConfig;
+
+		configureCache(useCacheForOidConnectEndpoint);
 	}
 
 	public JsonWebKeys get() throws AuthenticatorUnavailableException {
@@ -101,6 +106,10 @@ public JsonWebKeys get() throws AuthenticatorUnavailableException {
 
 	String getJwksUri() throws AuthenticatorUnavailableException {
 
+		if (jwksUri != null && !jwksUri.isBlank()) {
+			return jwksUri;
+		}
+
 		try (CloseableHttpClient httpClient = createHttpClient(oidcHttpCacheStorage)) {
 
 			HttpGet httpGet = new HttpGet(openIdConnectEndpoint);
@@ -204,6 +213,13 @@ private CloseableHttpClient createHttpClient(HttpCacheStorage httpCacheStorage)
 		return builder.build();
 	}
 
+	private void configureCache(boolean useCacheForOidConnectEndpoint) {
+		if (useCacheForOidConnectEndpoint) {
+			cacheConfig = CacheConfig.custom().setMaxCacheEntries(10).setMaxObjectSize(1024L * 1024L).build();
+			oidcHttpCacheStorage = new BasicHttpCacheStorage(cacheConfig);
+		}
+	}
+
 	public int getOidcCacheHits() {
 		return oidcCacheHits;
 	}
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java
@@ -18,6 +18,7 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
@@ -44,7 +45,11 @@ public static void tearDown() {
 
 	@Test
 	public void basicTest() {
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -55,12 +60,110 @@ public void basicTest() {
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
+	}
+
+
+	@Test
+	public void jwksUriTest() {
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNotNull(creds);
+		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
+		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
+		Assert.assertEquals(0, creds.getBackendRoles().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
+	}
+
+	@Test
+	public void jwksMissingRequiredIssuerInClaimTest() {
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNull(creds);
+	}
+
+	@Test
+	public void jwksNotMatchingRequiredIssuerInClaimTest() {
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_issuer", "Wrong Issuer")
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNull(creds);
+	}
+
+	@Test
+	public void jwksMissingRequiredAudienceInClaimTest() {
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNull(creds);
+	}
+
+	@Test
+	public void jwksNotMatchingRequiredAudienceInClaimTest() {
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_audience", "Wrong Audience")
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNull(creds);
+	}
+
+	@Test
+	public void jwksUriMissingTest() {
+		var exception = Assert.assertThrows(Exception.class, () -> {
+			HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(Settings.builder().build(), null);
+			jwtAuth.extractCredentials(
+				new FakeRestRequest(ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_1), new HashMap<>()),
+				null);
+		});
+
+		Assert.assertEquals("Authentication backend failed", exception.getMessage());
+		Assert.assertEquals(OpenSearchSecurityException.class, exception.getClass());
 	}
 
 	@Test
 	public void testEscapeKid() {
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -71,12 +174,16 @@ public void testEscapeKid() {
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
 	}
 
 	@Test
 	public void bearerTest() {
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -89,13 +196,17 @@ public void bearerTest() {
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
 	}
 
 	@Test
 	public void testRoles() throws Exception {
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri())
-				.put("roles_key", TestJwts.ROLES_CLAIM).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("roles_key", TestJwts.ROLES_CLAIM)
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -126,6 +237,8 @@ public void testExpInSkew() throws Exception {
 		Settings settings = Settings.builder()
 			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
 			.put("jwt_clock_skew_tolerance_seconds", "10")
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
 			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
@@ -149,6 +262,8 @@ public void testNbf() throws Exception {
 		Settings settings = Settings.builder()
 			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
 			.put("jwt_clock_skew_tolerance_seconds", "0")
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
 			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
@@ -172,6 +287,8 @@ public void testNbfInSkew() throws Exception {
 		Settings settings = Settings.builder()
 			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
 			.put("jwt_clock_skew_tolerance_seconds", "10")
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
 			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
@@ -192,7 +309,11 @@ public void testNbfInSkew() throws Exception {
 	@Test
 	public void testRS256() throws Exception {
 
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -203,7 +324,7 @@ public void testRS256() throws Exception {
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
 	}
 
 	@Test
@@ -221,7 +342,11 @@ public void testBadSignature() throws Exception {
 
 	@Test
 	public void testPeculiarJsonEscaping() {
-		Settings settings = Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri()).build();
+		Settings settings = Settings.builder()
+			.put("openid_connect_url", mockIdpServer.getDiscoverUri())
+			.put("required_issuer", TestJwts.TEST_ISSUER)
+			.put("required_audience", TestJwts.TEST_AUDIENCE)
+			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
@@ -233,7 +358,7 @@ public void testPeculiarJsonEscaping() {
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
 	}
 
 }
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/MockIpdServer.java b/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/MockIpdServer.java
@@ -118,6 +118,10 @@ public String getDiscoverUri() {
 		return uri + CTX_DISCOVER;
 	}
 
+	public String getJwksUri() {
+		return uri + CTX_KEYS;
+	}
+
 	public int getPort() {
 		return port;
 	}
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/TestJwts.java b/src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/TestJwts.java

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,10 @@ public String getDiscoverUri() {`
`118`	`118`	`return uri + CTX_DISCOVER;`
`119`	`119`	`}`
`120`	`120`
	`121`	`+ public String getJwksUri() {`
	`122`	`+ return uri + CTX_KEYS;`
	`123`	`+ }`
	`124`	`+`
`121`	`125`	`public int getPort() {`
`122`	`126`	`return port;`
`123`	`127`	`}`