Rewrite OIDC implementation

core/trino-main/src/main/java/io/trino/server/security/AbstractBearerAuthenticator.java

@@ -13,15 +13,14 @@
  */
 package io.trino.server.security;
 
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtException;
-import io.trino.spi.security.BasicPrincipal;
 import io.trino.spi.security.Identity;
 
 import javax.ws.rs.container.ContainerRequestContext;
 
+import java.security.Principal;
 import java.util.List;
+import java.util.Optional;
 
 import static com.google.common.net.HttpHeaders.AUTHORIZATION;
 import static java.lang.String.format;
@@ -30,12 +29,10 @@
 public abstract class AbstractBearerAuthenticator
         implements Authenticator
 {
-    private final String principalField;
     private final UserMapping userMapping;
 
-    protected AbstractBearerAuthenticator(String principalField, UserMapping userMapping)
+    protected AbstractBearerAuthenticator(UserMapping userMapping)
     {
-        this.principalField = requireNonNull(principalField, "principalField is null");
         this.userMapping = requireNonNull(userMapping, "userMapping is null");
     }
 
@@ -50,14 +47,14 @@ public Identity authenticate(ContainerRequestContext request, String token)
             throws AuthenticationException
     {
         try {
-            Jws<Claims> claimsJws = parseClaimsJws(token);
-            String principal = claimsJws.getBody().get(principalField, String.class);
-            if (principal == null) {
+            Optional<Principal> principal = extractPrincipalFromToken(token);
+            if (principal.isEmpty()) {
                 throw needAuthentication(request, "Invalid credentials");
             }
-            String authenticatedUser = userMapping.mapUser(principal);
+
+            String authenticatedUser = userMapping.mapUser(principal.get().getName());
             return Identity.forUser(authenticatedUser)
-                    .withPrincipal(new BasicPrincipal(principal))
+                    .withPrincipal(principal.get())
                     .build();
         }
         catch (JwtException | UserMappingException e) {
@@ -91,7 +88,7 @@ public String extractToken(ContainerRequestContext request)
         return token;
     }
 
-    protected abstract Jws<Claims> parseClaimsJws(String jws);
+    protected abstract Optional<Principal> extractPrincipalFromToken(String token);
 
     protected abstract AuthenticationException needAuthentication(ContainerRequestContext request, String message);
 }

core/trino-main/src/main/java/io/trino/server/security/jwt/JwtAuthenticator.java

@@ -13,28 +13,32 @@
  */
 package io.trino.server.security.jwt;
 
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SigningKeyResolver;
 import io.trino.server.security.AbstractBearerAuthenticator;
 import io.trino.server.security.AuthenticationException;
+import io.trino.spi.security.BasicPrincipal;
 
 import javax.inject.Inject;
 import javax.ws.rs.container.ContainerRequestContext;
 
+import java.security.Principal;
+import java.util.Optional;
+
 import static io.trino.server.security.UserMapping.createUserMapping;
 
 public class JwtAuthenticator
         extends AbstractBearerAuthenticator
 {
     private final JwtParser jwtParser;
+    private final String principalField;
 
     @Inject
     public JwtAuthenticator(JwtAuthenticatorConfig config, SigningKeyResolver signingKeyResolver)
     {
-        super(config.getPrincipalField(), createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile()));
+        super(createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile()));
+        principalField = config.getPrincipalField();
 
         JwtParser jwtParser = Jwts.parser()
                 .setSigningKeyResolver(signingKeyResolver);
@@ -49,9 +53,12 @@ public JwtAuthenticator(JwtAuthenticatorConfig config, SigningKeyResolver signin
     }
 
     @Override
-    protected Jws<Claims> parseClaimsJws(String jws)
+    protected Optional<Principal> extractPrincipalFromToken(String token)
     {
-        return jwtParser.parseClaimsJws(jws);
+        return Optional.ofNullable(jwtParser.parseClaimsJws(token)
+                .getBody()
+                .get(principalField, String.class))
+                .map(BasicPrincipal::new);
     }
 
     @Override

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2AuthenticationSupportModule.java

@@ -26,6 +26,7 @@ public class OAuth2AuthenticationSupportModule
     protected void setup(Binder binder)
     {
         binder.bind(OAuth2TokenExchange.class).in(Scopes.SINGLETON);
+        binder.bind(OAuth2TokenHandler.class).to(OAuth2TokenExchange.class).in(Scopes.SINGLETON);
         jaxrsBinder(binder).bind(OAuth2TokenExchangeResource.class);
         install(new OAuth2ServiceModule());
     }

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java

@@ -13,19 +13,20 @@
  */
 package io.trino.server.security.oauth2;
 
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jws;
 import io.trino.server.security.AbstractBearerAuthenticator;
 import io.trino.server.security.AuthenticationException;
+import io.trino.spi.security.BasicPrincipal;
 
 import javax.inject.Inject;
 import javax.ws.rs.container.ContainerRequestContext;
 
 import java.net.URI;
+import java.security.Principal;
+import java.util.Optional;
 import java.util.UUID;
 
 import static io.trino.server.security.UserMapping.createUserMapping;
-import static io.trino.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT;
+import static io.trino.server.security.oauth2.OAuth2TokenExchangeResource.getInitiateUri;
 import static io.trino.server.security.oauth2.OAuth2TokenExchangeResource.getTokenUri;
 import static java.lang.String.format;
 import static java.util.Objects.requireNonNull;
@@ -34,26 +35,36 @@ public class OAuth2Authenticator
         extends AbstractBearerAuthenticator
 {
     private final OAuth2Service service;
+    private final String principalField;
 
     @Inject
     public OAuth2Authenticator(OAuth2Service service, OAuth2Config config)
     {
-        super(config.getPrincipalField(), createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile()));
+        super(createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile()));
         this.service = requireNonNull(service, "service is null");
+        this.principalField = config.getPrincipalField();
     }
 
     @Override
-    protected Jws<Claims> parseClaimsJws(String jws)
+    protected Optional<Principal> extractPrincipalFromToken(String token)
     {
-        return service.parseClaimsJws(jws);
+        try {
+            return service.convertTokenToClaims(token)
+                    .map(claims -> claims.get(principalField))
+                    .map(String.class::cast)
+                    .map(BasicPrincipal::new);
+        }
+        catch (ChallengeFailedException e) {
+            return Optional.empty();
+        }
     }
 
     @Override
     protected AuthenticationException needAuthentication(ContainerRequestContext request, String message)
     {
         UUID authId = UUID.randomUUID();
-        URI redirectUri = service.startRestChallenge(request.getUriInfo().getBaseUri().resolve(CALLBACK_ENDPOINT), authId);
+        URI initiateUri = request.getUriInfo().getBaseUri().resolve(getInitiateUri(authId));
         URI tokenUri = request.getUriInfo().getBaseUri().resolve(getTokenUri(authId));
-        return new AuthenticationException(message, format("Bearer x_redirect_server=\"%s\", x_token_server=\"%s\"", redirectUri, tokenUri));
+        return new AuthenticationException(message, format("Bearer x_redirect_server=\"%s\", x_token_server=\"%s\"", initiateUri, tokenUri));
     }
 }

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2CallbackResource.java

@@ -15,9 +15,6 @@
 
 import io.airlift.log.Logger;
 import io.trino.server.security.ResourceSecurity;
-import io.trino.server.security.oauth2.OAuth2Service.OAuthResult;
-import io.trino.server.ui.OAuth2WebUiInstalled;
-import io.trino.server.ui.OAuthWebUiCookie;
 
 import javax.inject.Inject;
 import javax.ws.rs.CookieParam;
@@ -28,20 +25,14 @@
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.UriInfo;
 
-import java.net.URI;
-import java.util.Optional;
-import java.util.UUID;
-
 import static io.trino.server.security.ResourceSecurity.AccessType.PUBLIC;
 import static io.trino.server.security.oauth2.NonceCookie.NONCE_COOKIE;
 import static io.trino.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT;
-import static io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOCATION;
-import static java.lang.String.format;
 import static java.util.Objects.requireNonNull;
 import static javax.ws.rs.core.MediaType.TEXT_HTML;
+import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
 
 @Path(CALLBACK_ENDPOINT)
 public class OAuth2CallbackResource
@@ -51,15 +42,11 @@ public class OAuth2CallbackResource
     public static final String CALLBACK_ENDPOINT = "/oauth2/callback";
 
     private final OAuth2Service service;
-    private final Optional<OAuth2TokenExchange> tokenExchange;
-    private final boolean webUiOAuthEnabled;
 
     @Inject
-    public OAuth2CallbackResource(OAuth2Service service, Optional<OAuth2TokenExchange> tokenExchange, Optional<OAuth2WebUiInstalled> webUiOAuthEnabled)
+    public OAuth2CallbackResource(OAuth2Service service)
     {
         this.service = requireNonNull(service, "service is null");
-        this.tokenExchange = requireNonNull(tokenExchange, "tokenExchange is null");
-        this.webUiOAuthEnabled = requireNonNull(webUiOAuthEnabled, "webUiOAuthEnabled is null").isPresent();
     }
 
     @ResourceSecurity(PUBLIC)
@@ -74,70 +61,21 @@ public Response callback(
             @CookieParam(NONCE_COOKIE) Cookie nonce,
             @Context UriInfo uriInfo)
     {
-        Optional<UUID> authId;
-        try {
-            authId = service.getAuthId(state);
-        }
-        catch (ChallengeFailedException e) {
-            LOG.debug(e, "Authentication response could not be verified: state=%s", state);
-            return Response.ok()
-                    .entity(service.getInternalFailureHtml("Authentication response could not be verified"))
-                    .build();
-        }
-
-        // Note: the Web UI may be disabled, so REST requests can not redirect to a success or error page inside of the Web UI
-
         if (error != null) {
-            LOG.debug("OAuth server returned an error: error=%s, error_description=%s, error_uri=%s, state=%s", error, errorDescription, errorUri, state);
-
-            if (tokenExchange.isPresent() && authId.isPresent()) {
-                tokenExchange.get().setTokenExchangeError(
-                        authId.get(),
-                        format("OAuth server returned an error: error=%s, error_description=%s, error_uri=%s, state=%s", error, errorDescription, errorUri, state));
-            }
-            return Response.ok()
-                    .entity(service.getCallbackErrorHtml(error))
-                    .build();
+            return service.handleOAuth2Error(state, error, errorDescription, errorUri);
         }
 
-        OAuthResult result;
         try {
-            result = service.finishChallenge(
-                    authId,
-                    code,
-                    uriInfo.getBaseUri().resolve(CALLBACK_ENDPOINT),
-                    NonceCookie.read(nonce));
+            requireNonNull(state, "state is null");
+            requireNonNull(code, "code is null");
+            return service.finishOAuth2Challenge(state, code, uriInfo.getBaseUri().resolve(CALLBACK_ENDPOINT), NonceCookie.read(nonce));
         }
-        catch (ChallengeFailedException | RuntimeException e) {
+        catch (RuntimeException e) {
             LOG.debug(e, "Authentication response could not be verified: state=%s", state);
-            if (tokenExchange.isPresent() && authId.isPresent()) {
-                tokenExchange.get().setTokenExchangeError(authId.get(), format("Authentication response could not be verified: state=%s", state));
-            }
-            return Response.ok()
+            return Response.status(BAD_REQUEST)
+                    .cookie(NonceCookie.delete())
                     .entity(service.getInternalFailureHtml("Authentication response could not be verified"))
                     .build();
         }
-
-        if (authId.isEmpty()) {
-            return Response
-                    .seeOther(URI.create(UI_LOCATION))
-                    .cookie(OAuthWebUiCookie.create(result.getAccessToken(), result.getTokenExpiration()), NonceCookie.delete())
-                    .build();
-        }
-
-        if (tokenExchange.isEmpty()) {
-            LOG.debug("Token exchange is not active: state=%s", state);
-            return Response.ok()
-                    .entity(service.getInternalFailureHtml("Client token exchange is not enabled"))
-                    .build();
-        }
-
-        tokenExchange.get().setAccessToken(authId.get(), result.getAccessToken());
-
-        ResponseBuilder builder = Response.ok(service.getSuccessHtml());
-        if (webUiOAuthEnabled) {
-            builder.cookie(OAuthWebUiCookie.create(result.getAccessToken(), result.getTokenExpiration()));
-        }
-        return builder.build();
     }
 }

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Client.java

@@ -23,16 +23,16 @@ public interface OAuth2Client
 {
     URI getAuthorizationUri(String state, URI callbackUri, Optional<String> nonceHash);
 
-    AccessToken getAccessToken(String code, URI callbackUri)
+    OAuth2Response getOAuth2Response(String code, URI callbackUri)
             throws ChallengeFailedException;
 
-    class AccessToken
+    class OAuth2Response
     {
         private final String accessToken;
         private final Optional<Instant> validUntil;
         private final Optional<String> idToken;
 
-        public AccessToken(String accessToken, Optional<Instant> validUntil, Optional<String> idToken)
+        public OAuth2Response(String accessToken, Optional<Instant> validUntil, Optional<String> idToken)
         {
             this.accessToken = requireNonNull(accessToken, "accessToken is null");
             this.validUntil = requireNonNull(validUntil, "validUntil is null");