[FEATURE] usage of JWKS with JWT (w/o OpenID connect)

Signed-off-by: Sebastian Michalski <shekerama@gmail.com>

Author: sebastianmichalski

src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.java

@@ -85,23 +85,45 @@ public void jwksUriTest() {
 	}
 
 	@Test
-	public void jwksMissingRequiredAudienceAndIssuerTest() {
+	public void jwksMatchingRequiredIssuerInClaimTest() {
+		String requiredIssuer = "requiredIssuer";
 		Settings settings = Settings.builder()
 			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_issuer", requiredIssuer)
 			.build();
 
 		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
 
 		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
-			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_1), new HashMap<>()), null);
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
 
 		Assert.assertNotNull(creds);
 		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
 		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
 		Assert.assertEquals(0, creds.getBackendRoles().size());
-		Assert.assertEquals(3, creds.getAttributes().size());
-		Assert.assertNull(jwtAuth.getRequiredAudience());
-		Assert.assertNull(jwtAuth.getRequiredIssuer());
+		Assert.assertEquals(4, creds.getAttributes().size());
+		Assert.assertFalse(creds.getAttributes().get("attr.jwt.iss").contains(jwtAuth.getRequiredIssuer()));
+	}
+
+	@Test
+	public void jwksNotMatchingRequiredAudienceInClaimTest() {
+		String requiredAudience = "requiredAudience";
+		Settings settings = Settings.builder()
+			.put("jwks_uri", mockIdpServer.getJwksUri())
+			.put("required_audience", requiredAudience)
+			.build();
+
+		HTTPJwtKeyByOpenIdConnectAuthenticator jwtAuth = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, null);
+
+		AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(
+			ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_2), new HashMap<>()), null);
+
+		Assert.assertNotNull(creds);
+		Assert.assertEquals(TestJwts.MCCOY_SUBJECT, creds.getUsername());
+		Assert.assertEquals(TestJwts.TEST_AUDIENCE, creds.getAttributes().get("attr.jwt.aud"));
+		Assert.assertEquals(0, creds.getBackendRoles().size());
+		Assert.assertEquals(4, creds.getAttributes().size());
+		Assert.assertFalse(creds.getAttributes().get("attr.jwt.aud").contains(jwtAuth.getRequiredAudience()));
 	}
 
 	@Test

src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/TestJwts.java

@@ -33,12 +33,18 @@ class TestJwts {
 
 	static final String MCCOY_SUBJECT = "Leonard McCoy";
 
-	static final JwtToken MC_COY = create(MCCOY_SUBJECT, TEST_AUDIENCE, ROLES_CLAIM, TEST_ROLES_STRING);
+	static final String ISS = "ISSUER";
 
-    static final JwtToken MC_COY_EXPIRED = create(MCCOY_SUBJECT, TEST_AUDIENCE, ROLES_CLAIM, TEST_ROLES_STRING, JwtConstants.CLAIM_EXPIRY, 10);
+	static final JwtToken MC_COY = create(MCCOY_SUBJECT, TEST_AUDIENCE, null, ROLES_CLAIM, TEST_ROLES_STRING);
+
+	static final JwtToken MC_COY_2 = create(MCCOY_SUBJECT, TEST_AUDIENCE, ISS, ROLES_CLAIM, TEST_ROLES_STRING);
+
+    static final JwtToken MC_COY_EXPIRED = create(MCCOY_SUBJECT, TEST_AUDIENCE, null, ROLES_CLAIM, TEST_ROLES_STRING, JwtConstants.CLAIM_EXPIRY, 10);
 
 	static final String MC_COY_SIGNED_OCT_1 = createSigned(MC_COY, TestJwk.OCT_1);
 
+	static final String MC_COY_SIGNED_OCT_2 = createSigned(MC_COY_2, TestJwk.OCT_1);
+
 	static final String MC_COY_SIGNED_OCT_1_INVALID_KID = createSigned(MC_COY, TestJwk.FORWARD_SLASH_KID_OCT_1);
 
 	static final String MC_COY_SIGNED_RSA_1 = createSigned(MC_COY, TestJwk.RSA_1);
@@ -57,11 +63,12 @@ static class PeculiarEscaping {
 		static final String MC_COY_SIGNED_RSA_1 = createSignedWithPeculiarEscaping(MC_COY, TestJwk.RSA_1);
 	}
 
-	static JwtToken create(String subject, String audience, Object... moreClaims) {
+	static JwtToken create(String subject, String audience, String issuer, Object... moreClaims) {
 		JwtClaims claims = new JwtClaims();
 
 		claims.setSubject(subject);
 		claims.setAudience(audience);
+		claims.setIssuer(issuer);
 
 		if (moreClaims != null) {
 			for (int i = 0; i < moreClaims.length; i += 2) {
@@ -108,8 +115,8 @@ static String createSignedWithPeculiarEscaping(JwtToken baseJwt, JsonWebKey jwk)
 	static String createMcCoySignedOct1(long nbf, long exp)
 	{
 		JwtToken jwt_token = create(
-			MCCOY_SUBJECT, TEST_AUDIENCE, 
-			ROLES_CLAIM, TEST_ROLES_STRING, 
+			MCCOY_SUBJECT, TEST_AUDIENCE,
+			null, ROLES_CLAIM, TEST_ROLES_STRING,
 			JwtConstants.CLAIM_NOT_BEFORE, nbf, 
 			JwtConstants.CLAIM_EXPIRY, exp);