-
Notifications
You must be signed in to change notification settings - Fork 280
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ELY-2584] Add the ability to specify that the OIDC Authentication Re…
…quest should include request and request_uri parameters
- Loading branch information
Prarthona Paul
committed
May 22, 2024
1 parent
0dba5eb
commit 776a2fb
Showing
15 changed files
with
1,154 additions
and
88 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKEncPublicKeyLocator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| /* | ||
| * JBoss, Home of Professional Open Source. | ||
| * Copyright 2024 Red Hat, Inc., and individual contributors | ||
| * as indicated by the @author tags. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.wildfly.security.http.oidc; | ||
|
|
||
| import static org.apache.http.HttpHeaders.ACCEPT; | ||
| import static org.wildfly.security.http.oidc.ElytronMessages.log; | ||
| import static org.wildfly.security.http.oidc.Oidc.JSON_CONTENT_TYPE; | ||
|
|
||
| import java.security.PublicKey; | ||
| import java.util.Map; | ||
| import java.util.concurrent.ConcurrentHashMap; | ||
|
|
||
| import org.apache.http.client.methods.HttpGet; | ||
| import org.wildfly.security.jose.jwk.JWK; | ||
| import org.wildfly.security.jose.jwk.JWKParser; | ||
| import org.wildfly.security.jose.jwk.JsonWebKeySet; | ||
|
|
||
| /** | ||
| * A public key locator that dynamically obtains the public key used for encryption | ||
| * from an OpenID provider by sending a request to the provider's {@code jwks_uri} | ||
| * when needed. | ||
| * | ||
| * @author <a href="mailto:[email protected]">Prarthona Paul</a> | ||
| * */ | ||
| class JWKEncPublicKeyLocator implements PublicKeyLocator { | ||
| private Map<String, PublicKey> currentKeys = new ConcurrentHashMap<>(); | ||
|
|
||
| private volatile int lastRequestTime = 0; | ||
|
|
||
| @Override | ||
| public PublicKey getPublicKey(String kid, OidcClientConfiguration config) { | ||
| int minTimeBetweenRequests = config.getMinTimeBetweenJwksRequests(); | ||
| int publicKeyCacheTtl = config.getPublicKeyCacheTtl(); | ||
| int currentTime = getCurrentTime(); | ||
|
|
||
| PublicKey publicKey = lookupCachedKey(publicKeyCacheTtl, currentTime, JWK.Use.ENC.toString()); | ||
| if (publicKey != null) { | ||
| return publicKey; | ||
| } | ||
|
|
||
| synchronized (this) { | ||
| currentTime = getCurrentTime(); | ||
| if (currentTime > lastRequestTime + minTimeBetweenRequests) { | ||
| sendRequest(config); | ||
| lastRequestTime = currentTime; | ||
| } else { | ||
| log.debug("Won't send request to jwks url. Last request time was " + lastRequestTime); | ||
| } | ||
| return lookupCachedKey(publicKeyCacheTtl, currentTime, JWK.Use.ENC.toString()); | ||
| } | ||
|
|
||
| } | ||
|
|
||
| @Override | ||
| public void reset(OidcClientConfiguration config) { | ||
| synchronized (this) { | ||
| sendRequest(config); | ||
| lastRequestTime = getCurrentTime(); | ||
| } | ||
| } | ||
|
|
||
| private PublicKey lookupCachedKey(int publicKeyCacheTtl, int currentTime, String kid) { | ||
| if (lastRequestTime + publicKeyCacheTtl > currentTime && kid != null) { | ||
| return currentKeys.get(kid); | ||
| } else { | ||
| return null; | ||
| } | ||
| } | ||
|
|
||
| private static int getCurrentTime() { | ||
| return (int) (System.currentTimeMillis() / 1000); | ||
| } | ||
|
|
||
| private void sendRequest(OidcClientConfiguration config) { | ||
| if (log.isTraceEnabled()) { | ||
| log.trace("Going to send request to retrieve new set of public keys to encrypt a JWT request for client " + config.getResourceName()); | ||
| } | ||
|
|
||
| HttpGet request = new HttpGet(config.getJwksUrl()); | ||
| request.addHeader(ACCEPT, JSON_CONTENT_TYPE); | ||
| try { | ||
| JWK[] jwkList = Oidc.sendJsonHttpRequest(config, request, JsonWebKeySet.class).getKeys(); | ||
| for (JWK jwk : jwkList) { | ||
| if (jwk.getPublicKeyUse().toUpperCase().equals(JWK.Use.ENC.toString())) { //JWTs are to be encrypted with public keys shared by the OpenID provider and decrypted by the private key they hold | ||
| currentKeys.clear(); | ||
| currentKeys.put(JWK.Use.ENC.toString(), new JWKParser(jwk).toPublicKey()); | ||
| } | ||
| } | ||
| } catch (OidcException e) { | ||
| log.error("Error when sending request to retrieve public keys", e); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
78 changes: 78 additions & 0 deletions
78
http/oidc/src/main/java/org/wildfly/security/http/oidc/JWTSigningUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| /* | ||
| * JBoss, Home of Professional Open Source. | ||
| * Copyright 2024 Red Hat, Inc., and individual contributors | ||
| * as indicated by the @author tags. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.wildfly.security.http.oidc; | ||
|
|
||
| import java.io.FileInputStream; | ||
| import java.io.FileNotFoundException; | ||
| import java.io.InputStream; | ||
| import java.security.KeyPair; | ||
| import java.security.KeyStore; | ||
| import java.security.PrivateKey; | ||
| import java.security.PublicKey; | ||
|
|
||
| import static org.wildfly.security.http.oidc.ElytronMessages.log; | ||
| import static org.wildfly.security.http.oidc.Oidc.PROTOCOL_CLASSPATH; | ||
|
|
||
| /** | ||
| * An interface to obtain the KeyPair from a keystore file. | ||
| * | ||
| * @author <a href="mailto:[email protected]">Prarthona Paul</a> | ||
| */ | ||
|
|
||
| class JWTSigningUtils { | ||
|
|
||
| public static KeyPair loadKeyPairFromKeyStore(String keyStoreFile, String storePassword, String keyPassword, String keyAlias, String keyStoreType) { | ||
| InputStream stream = findFile(keyStoreFile); | ||
| try { | ||
| KeyStore keyStore = KeyStore.getInstance(keyStoreType); | ||
| keyStore.load(stream, storePassword.toCharArray()); | ||
| PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray()); | ||
| if (privateKey == null) { | ||
| throw log.unableToLoadKeyWithAlias(keyAlias); | ||
| } | ||
| PublicKey publicKey = keyStore.getCertificate(keyAlias).getPublicKey(); | ||
| return new KeyPair(publicKey, privateKey); | ||
| } catch (Exception e) { | ||
| throw log.unableToLoadPrivateKey(e); | ||
| } | ||
| } | ||
|
|
||
| public static InputStream findFile(String keystoreFile) { | ||
| if (keystoreFile.startsWith(PROTOCOL_CLASSPATH)) { | ||
| String classPathLocation = keystoreFile.replace(PROTOCOL_CLASSPATH, ""); | ||
| // try current class classloader first | ||
| InputStream is = JWTClientCredentialsProvider.class.getClassLoader().getResourceAsStream(classPathLocation); | ||
| if (is == null) { | ||
| is = Thread.currentThread().getContextClassLoader().getResourceAsStream(classPathLocation); | ||
| } | ||
| if (is != null) { | ||
| return is; | ||
| } else { | ||
| throw log.unableToFindKeystoreFile(keystoreFile); | ||
| } | ||
| } else { | ||
| try { | ||
| // fallback to file | ||
| return new FileInputStream(keystoreFile); | ||
| } catch (FileNotFoundException e) { | ||
| throw new RuntimeException(e); | ||
| } | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.