[ELY-2201] Add the ability to configure the expected token signature …

…algorithm
wildfly-security · Sep 10, 2021 · 76b78a1 · 76b78a1
1 parent 98450ce
commit 76b78a1
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 8 deletions.
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java
@@ -96,6 +96,7 @@ public class Oidc {
     static final String OIDC_STATE_COOKIE = "OIDC_STATE";
     static final String KEYCLOAK_CLIENT_CLUSTER_HOST = "client_cluster_host";
     static final String KEYCLOAK_QUERY_BEARER_TOKEN = "k_query_bearer_token";
+    static final String DEFAULT_TOKEN_SIGNATURE_ALGORITHM = "RS256";
 
 
     // keycloak-specific request parameter used to specify the identifier of the identity provider that should be used to authenticate a user

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfiguration.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfiguration.java
@@ -23,6 +23,7 @@
 import static org.wildfly.security.http.oidc.Oidc.ACCOUNT_PATH;
 import static org.wildfly.security.http.oidc.Oidc.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH;
 import static org.wildfly.security.http.oidc.Oidc.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH;
+import static org.wildfly.security.http.oidc.Oidc.DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
 import static org.wildfly.security.http.oidc.Oidc.DISCOVERY_PATH;
 import static org.wildfly.security.http.oidc.Oidc.JSON_CONTENT_TYPE;
 import static org.wildfly.security.http.oidc.Oidc.KEYCLOAK_REALMS_PATH;
@@ -122,7 +123,7 @@ public enum RelativeUrlsUsed {
     protected boolean delegateBearerErrorResponseSending = false;
     protected boolean verifyTokenAudience = false;
 
-    protected String jwsSignatureAlgorithm = "RS256";
+    protected String tokenSignatureAlgorithm = DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
 
     public OidcClientConfiguration() {
     }
@@ -616,12 +617,12 @@ public void setClient(Callable<HttpClient> callable) {
         client = callable;
     }
 
-    public void setJwsSignatureAlgorithm(String jwsSignatureAlgorithm) {
-        this.jwsSignatureAlgorithm = jwsSignatureAlgorithm;
+    public void setTokenSignatureAlgorithm(String tokenSignatureAlgorithm) {
+        this.tokenSignatureAlgorithm = tokenSignatureAlgorithm;
     }
 
-    public String getJwsSignatureAlgorithm() {
-        return jwsSignatureAlgorithm;
+    public String getTokenSignatureAlgorithm() {
+        return tokenSignatureAlgorithm;
     }
 
 }
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java
@@ -151,6 +151,8 @@ protected OidcClientConfiguration internalBuild(final OidcJsonConfiguration oidc
             oidcClientConfiguration.setTurnOffChangeSessionIdOnLogin(oidcJsonConfiguration.getTurnOffChangeSessionIdOnLogin());
         }
 
+        oidcClientConfiguration.setTokenSignatureAlgorithm(oidcJsonConfiguration.getTokenSignatureAlgorithm());
+
         return oidcClientConfiguration;
     }
 

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientContext.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientContext.java
@@ -500,6 +500,16 @@ public boolean isVerifyTokenAudience() {
         public void setVerifyTokenAudience(boolean verifyTokenAudience) {
             delegate.setVerifyTokenAudience(verifyTokenAudience);
         }
+
+        @Override
+        public String getTokenSignatureAlgorithm() {
+            return delegate.getTokenSignatureAlgorithm();
+        }
+
+        @Override
+        public void setTokenSignatureAlgorithm(String tokenSignatureAlgorithm) {
+            delegate.setTokenSignatureAlgorithm(tokenSignatureAlgorithm);
+        }
     }
 
     protected String getAuthServerBaseUrl(OidcHttpFacade facade, String base) {

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java
@@ -18,6 +18,8 @@
 
 package org.wildfly.security.http.oidc;
 
+import static org.wildfly.security.http.oidc.Oidc.DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
+
 import java.util.Map;
 import java.util.TreeMap;
 
@@ -44,7 +46,7 @@
         "register-node-at-startup", "register-node-period", "token-store", "adapter-state-cookie-path", "principal-attribute",
         "proxy-url", "turn-off-change-session-id-on-login", "token-minimum-time-to-live",
         "min-time-between-jwks-requests", "public-key-cache-ttl",
-        "ignore-oauth-query-parameter", "verify-token-audience"
+        "ignore-oauth-query-parameter", "verify-token-audience", "token-signature-algorithm"
 })
 public class OidcJsonConfiguration {
 
@@ -133,6 +135,8 @@ public class OidcJsonConfiguration {
     protected String providerUrl;
     @JsonProperty("client-id")
     protected String clientId;
+    @JsonProperty("token-signature-algorithm")
+    protected String tokenSignatureAlgorithm = DEFAULT_TOKEN_SIGNATURE_ALGORITHM;
 
     /**
      * The Proxy url to use for requests to the auth-server, configurable via the adapter config property {@code proxy-url}.
@@ -488,5 +492,14 @@ public Map<String, String> getRedirectRewriteRules() {
     public void setRedirectRewriteRules(Map<String, String> redirectRewriteRules) {
         this.redirectRewriteRules = redirectRewriteRules;
     }
+
+    public String getTokenSignatureAlgorithm() {
+        return tokenSignatureAlgorithm;
+    }
+
+    public void setTokenSignatureAlgorithm(String tokenSignatureAlgorithm) {
+        this.tokenSignatureAlgorithm = tokenSignatureAlgorithm;
+    }
+
 }
 
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/TokenValidator.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/TokenValidator.java
@@ -83,7 +83,7 @@ public VerifiedTokens parseAndVerifyToken(final String idToken, final String acc
                 ClientSecretCredentialsProvider clientSecretCredentialsProvider = (ClientSecretCredentialsProvider) clientConfiguration.getClientAuthenticator();
                 jwtConsumerBuilder.setVerificationKey(clientSecretCredentialsProvider.getClientSecret());
             }
-            jwtConsumerBuilder.registerValidator(new AtHashValidator(accessToken, clientConfiguration.getJwsSignatureAlgorithm()));
+            jwtConsumerBuilder.registerValidator(new AtHashValidator(accessToken, clientConfiguration.getTokenSignatureAlgorithm()));
             // second pass to validate
             jwtConsumerBuilder.build().processContext(idJwtContext);
             JwtClaims idJwtClaims = idJwtContext.getJwtClaims();
@@ -141,7 +141,7 @@ public TokenValidator build() throws IllegalArgumentException {
             if (clientId == null || clientId.length() == 0) {
                 throw log.noClientIDGiven();
             }
-            expectedJwsAlgorithm = clientConfiguration.getJwsSignatureAlgorithm();
+            expectedJwsAlgorithm = clientConfiguration.getTokenSignatureAlgorithm();
             if (expectedJwsAlgorithm == null || expectedJwsAlgorithm.length() == 0) {
                 throw log.noExpectedJwsAlgorithmGiven();
             }

diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/OidcTest.java
@@ -204,6 +204,13 @@ public void testSucessfulAuthenticationWithProviderUrl() throws Exception {
                 true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
     }
 
+    @Test
+    public void testTokenSignatureAlgorithm() throws Exception {
+        // keycloak uses RS256
+        performAuthentication(getOidcConfigurationInputStreamWithTokenSignatureAlgorithm(), KeycloakConfiguration.ALICE, KeycloakConfiguration.ALICE_PASSWORD,
+                true, HttpStatus.SC_MOVED_TEMPORARILY, getClientUrl(), CLIENT_PAGE_TEXT);
+    }
+
     private void performAuthentication(InputStream oidcConfig, String username, String password, boolean loginToKeycloak,
                                        int expectedDispatcherStatusCode, String expectedLocation, String clientPageText) throws Exception {
         try {
@@ -299,6 +306,20 @@ private InputStream getOidcConfigurationMissingRequiredOption() {
         return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));
     }
 
+    private InputStream getOidcConfigurationInputStreamWithTokenSignatureAlgorithm() {
+        String oidcConfig = "{\n" +
+                "    \"token-signature-algorithm\" : \"RS256\",\n" +
+                "    \"resource\" : \"" + CLIENT_ID + "\",\n" +
+                "    \"public-client\" : \"false\",\n" +
+                "    \"provider-url\" : \"" + KEYCLOAK_CONTAINER.getAuthServerUrl() + "/realms/" + TEST_REALM + "\",\n" +
+                "    \"ssl-required\" : \"EXTERNAL\",\n" +
+                "    \"credentials\" : {\n" +
+                "        \"secret\" : \"" + CLIENT_SECRET + "\"\n" +
+                "    }\n" +
+                "}";
+        return new ByteArrayInputStream(oidcConfig.getBytes(StandardCharsets.UTF_8));
+    }
+
     private CallbackHandler getCallbackHandler() {
         return callbacks -> {
             for(Callback callback : callbacks) {
-Original file line number
+Diff line change
@@ Expand Up @@
                 oidcClientConfiguration.setTurnOffChangeSessionIdOnLogin(oidcJsonConfiguration.getTurnOffChangeSessionIdOnLogin());
             }
+            oidcClientConfiguration.setTokenSignatureAlgorithm(oidcJsonConfiguration.getTokenSignatureAlgorithm());
             return oidcClientConfiguration;
         }
@@ Expand Down @@