[FEATURE] usage of JWKS with JWT (w/o OpenID connect)

[cwperks]

Re-creating #2708 with the jar hell fix merged into main and addressing 2 minor comments from the PR.

Description

Extending auth with jwks_uri parameter to omit passing openid_connect_url with openid-configuration

• Category: feature
• Why these changes are required? To add possibility to define a JWKS endpoint for JWT-based authentication
• What is the old behavior before changes and new behavior after changes? Old behavior remains the same, new one omits the part with calling openid-configuration endpoint of IdP

Issues Resolved

#1858

Check List

• New functionality includes testing
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[stephen-crawford]

I think we want strongly typed where possible.

[cwperks]

Switched this to String

[stephen-crawford]

Is there a reason you make a second identical token? It does not look it is every compared to MC_COY so it seems like any tests using MC_COY_SIGNED_OCT_2 could just use MC_COY_SIGNED_OCT_1? Perhaps I am misreading things?

[cwperks]

Looks like the intention was that it was signed with a larger octet key, but it was not being configured correctly down below. I updated it now to ensure its using TestJwk.OCT_2 as expected.

[cwperks]

These Jwks are originally used for SelfRefreshingKeySetTest and are being re-purposed for these tests.

[DarshitChanpura]

Should we close the other PR then?

[cwperks]

@DarshitChanpura Yes, the other PR should be closed unless there are any substantial changes requested in the review.

[cwperks]

Looking at the test failures

[cwperks]

I just pushed a fix for the tests. There were 2 issues:

1. JWTVerifier was not doing a null/empty check before checking if required issuer or required audience settings matches. It would always try to compare against an unset value instead of checking if the setting was set before performing the validation.
2. A new claim was added to MCCOY_SUBJECT so the count of attributes needed to be incremented in most tests of SingleKeyHTTPJwtKeyByOpenIdConnectAuthenticatorTest.

[DarshitChanpura]

Looks like the tests are still failing😥.

[cwperks]

@DarshitChanpura I pushed another commit to fix tests. I created more TestJwts to make it more obvious what the usage of each TestJwt was by giving them a clearer name which resembles the test case they are used for.

[codecov]

Codecov Report

Merging #2808 (8ca5c52) into main (9be79bd) will increase coverage by 0.12%.
The diff coverage is 91.42%.

@@             Coverage Diff              @@
##               main    #2808      +/-   ##
============================================
+ Coverage     61.48%   61.61%   +0.12%     
- Complexity     3401     3413      +12     
============================================
  Files           266      266              
  Lines         18865    18893      +28     
  Branches       3302     3305       +3     
============================================
+ Hits          11599    11640      +41     
+ Misses         5669     5656      -13     
  Partials       1597     1597              

Impacted Files	Coverage Δ
...ic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	58.42% <60.00%> (+3.13%)	⬆️
...byoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.java	90.00% <80.00%> (-4.12%)	⬇️
...azon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java	88.67% <100.00%> (+2.63%)	⬆️
.../dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java	78.94% <100.00%> (+2.75%)	⬆️

... and 2 files with indirect coverage changes