refactored code, improved oidc / jwks handling (use='sig', min RSA)

Author: hhund

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/client/oidc/OidcClientJersey.java

@@ -169,22 +169,6 @@ public DecodedJWT getAccessTokenDecoded(OidcConfiguration configuration, Jwks jw
 		}
 	}
 
-	/**
-	 * Does not verify if the access token is expired. Supported algorithms: RS256, RS384, RS512, ES256, ES384 and
-	 * ES512.
-	 *
-	 * @param accessToken
-	 *            not <code>null</code>
-	 * @param jwks
-	 *            not <code>null</code>
-	 * @return decoded access token
-	 * @throws OidcClientException
-	 *             if verification fails, the public key to verify is unknown or a unsupported signature algorithm was
-	 *             used.
-	 *
-	 * @see DecodedJWT#getExpiresAt()
-	 * @see DecodedJWT#getExpiresAtAsInstant()
-	 */
 	private DecodedJWT verifyAndDecodeAccessToken(String accessToken, Jwks jwks) throws OidcClientException
 	{
 		try
@@ -196,14 +180,15 @@ private DecodedJWT verifyAndDecodeAccessToken(String accessToken, Jwks jwks) thr
 				throw new OidcClientException("Access token has no kid property");
 
 			Optional<JwksKey> key = jwks.getKey(keyId);
-			if (key.isEmpty())
-				throw new OidcClientException("Access token key with kid '" + keyId + "' not in JWKS");
+			if (key.isEmpty() || !key.get().use().equals("sig"))
+				throw new OidcClientException("Access token key with kid '" + keyId + "'  and use 'sig' not in JWKS");
 
-			Optional<Algorithm> algorithm = key.map(JwksKey::toAlgorithm);
+			Optional<Algorithm> algorithm = key.flatMap(JwksKey::toAlgorithm);
 			if (key.isEmpty())
+			{
 				throw new OidcClientException("Access token key with kid '" + keyId
-						+ "' has unsupported type (kty) / algorithm (alg) in JWKS '" + key.get().kty() + "' / '"
-						+ key.get().alg() + "'");
+						+ "' has unsupported type (kty) / algorithm (alg) / key-size in JWKS");
+			}
 
 			try
 			{
@@ -231,7 +216,7 @@ else if (requiredAudiences.size() > 1)
 			}
 			catch (TokenExpiredException e)
 			{
-				throw new OidcClientException("JWT verification failed: claim missing", e);
+				throw new OidcClientException("JWT verification failed: token expired", e);
 			}
 			catch (IncorrectClaimException e)
 			{

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/client/oidc/OidcClientWithCache.java

@@ -32,7 +32,7 @@ private static final record CacheEntry<T>(ZonedDateTime timeout, T resource)
 	{
 	}
 
-	private final Duration cacheTimeoutconfigurationResource;
+	private final Duration cacheTimeoutConfigurationResource;
 	private final Duration cacheTimeoutJwksResource;
 	private final Duration cacheTimeoutAccessTokenBeforeExpiration;
 	private final OidcClientWithDecodedJwt delegate;
@@ -42,7 +42,7 @@ private static final record CacheEntry<T>(ZonedDateTime timeout, T resource)
 	private CacheEntry<DecodedJWT> accessTokenCache;
 
 	/**
-	 * @param cacheTimeoutconfigurationResource
+	 * @param cacheTimeoutConfigurationResource
 	 *            not <code>null</code>, not negative
 	 * @param cacheTimeoutJwksResource
 	 *            not <code>null</code>, not negative
@@ -51,13 +51,13 @@ private static final record CacheEntry<T>(ZonedDateTime timeout, T resource)
 	 * @param delegate
 	 *            not <code>null</code>
 	 */
-	public OidcClientWithCache(Duration cacheTimeoutconfigurationResource, Duration cacheTimeoutJwksResource,
+	public OidcClientWithCache(Duration cacheTimeoutConfigurationResource, Duration cacheTimeoutJwksResource,
 			Duration cacheTimeoutAccessTokenBeforeExpiration, OidcClientWithDecodedJwt delegate)
 	{
-		this.cacheTimeoutconfigurationResource = Objects.requireNonNull(cacheTimeoutconfigurationResource,
-				"cacheTimeoutconfigurationResource");
-		if (cacheTimeoutconfigurationResource.isNegative())
-			throw new IllegalArgumentException("cacheTimeoutconfigurationResource negative");
+		this.cacheTimeoutConfigurationResource = Objects.requireNonNull(cacheTimeoutConfigurationResource,
+				"cacheTimeoutConfigurationResource");
+		if (cacheTimeoutConfigurationResource.isNegative())
+			throw new IllegalArgumentException("cacheTimeoutConfigurationResource negative");
 
 		this.cacheTimeoutJwksResource = Objects.requireNonNull(cacheTimeoutJwksResource, "cacheTimeoutJwksResource");
 		if (cacheTimeoutJwksResource.isNegative())
@@ -73,13 +73,13 @@ public OidcClientWithCache(Duration cacheTimeoutconfigurationResource, Duration
 	@Override
 	public Configuration getConfiguration() throws OidcClientException
 	{
-		if (configurationCache != null && configurationCache.timeout.isBefore(ZonedDateTime.now()))
+		if (configurationCache != null && configurationCache.timeout.isAfter(ZonedDateTime.now()))
 			return configurationCache.resource;
 		else
 		{
 			Configuration configuration = delegate.getConfiguration();
 			configurationCache = new CacheEntry<Configuration>(
-					ZonedDateTime.now().plus(cacheTimeoutconfigurationResource), configuration);
+					ZonedDateTime.now().plus(cacheTimeoutConfigurationResource), configuration);
 			return configuration;
 		}
 	}
@@ -89,7 +89,7 @@ public Jwks getJwks() throws OidcClientException
 	{
 		Configuration configuration = getConfiguration();
 
-		if (jwksCache != null && jwksCache.timeout.isBefore(ZonedDateTime.now()))
+		if (jwksCache != null && jwksCache.timeout.isAfter(ZonedDateTime.now()))
 			return jwksCache.resource;
 		else
 		{

dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/DsfOpenIdLoginService.java

@@ -33,14 +33,12 @@ public class DsfOpenIdLoginService extends OpenIdLoginService
 {
 	private static final Logger logger = LoggerFactory.getLogger(DsfOpenIdLoginService.class);
 
-	private final OpenIdConfiguration configuration;
 	private final LoginService loginService;
 
 	public DsfOpenIdLoginService(OpenIdConfiguration configuration, LoginService loginService)
 	{
 		super(configuration, loginService);
 
-		this.configuration = configuration;
 		this.loginService = loginService;
 	}
 
@@ -49,17 +47,6 @@ public UserIdentity login(String identifier, Object credentials, Request request
 			Function<Boolean, Session> getOrCreateSession)
 	{
 		OpenIdCredentials openIdCredentials = (OpenIdCredentials) credentials;
-		try
-		{
-			openIdCredentials.redeemAuthCode(configuration);
-		}
-		catch (Exception e)
-		{
-			logger.debug("Unable to redeem auth code", e);
-			logger.warn("Unable to redeem auth code: {} - {}", e.getClass().getName(), e.getMessage());
-
-			return null;
-		}
 
 		return loginService.login(openIdCredentials.getUserId(), credentials, request, getOrCreateSession);
 	}

dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/config/AbstractJettyConfig.java

@@ -162,6 +162,14 @@ public abstract class AbstractJettyConfig extends AbstractCertificateConfig
 	@Value("${dev.dsf.server.auth.oidc.provider.discovery.path:/.well-known/openid-configuration}")
 	private String oidcProviderDiscoveryPath;
 
+	@Documentation(description = "OIDC provider client cache timeout of the 'openid-configuration' discovery resource")
+	@Value("${dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource:PT1H}")
+	private String oidcProviderClientCacheConfigurationResourceTimeout;
+
+	@Documentation(description = "OIDC provider client cache timeout of the jwks resource")
+	@Value("${dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource:PT1H}")
+	private String oidcProviderClientCacheJwksResourceTimeout;
+
 	@Documentation(description = "OIDC provider client connect timeout")
 	@Value("${dev.dsf.server.auth.oidc.provider.client.timeout.connect:PT5S}")
 	private String oidcProviderClientTimeoutConnect;
@@ -407,24 +415,44 @@ public BaseOidcClient baseOidcClient()
 		char[] keyStorePassword = UUID.randomUUID().toString().toCharArray();
 		KeyStore keyStore = oidcProviderClientKeyStore(keyStorePassword);
 
-		return new BaseOidcClientWithCache(new BaseOidcClientJersey(oidcProviderRealmBaseUrl, oidcProviderDiscoveryPath,
-				trustStore, keyStore, keyStore == null ? null : keyStorePassword, proxyUrl, proxyUsername,
-				proxyPassword, buildInfoReader().getUserAgentValue(), oidcProviderClientTimeoutConnect(),
-				oidcProviderClientTimeoutRead(), false));
+		return new BaseOidcClientWithCache(getOidcProviderClientCacheConfigurationResourceTimeout(),
+				getOidcProviderClientCacheJwksResourceTimeout(),
+				new BaseOidcClientJersey(oidcProviderRealmBaseUrl, oidcProviderDiscoveryPath, trustStore, keyStore,
+						keyStore == null ? null : keyStorePassword, proxyUrl, proxyUsername, proxyPassword,
+						buildInfoReader().getUserAgentValue(), oidcProviderClientTimeoutConnect(),
+						oidcProviderClientTimeoutRead(), false));
+	}
+
+	private Duration getOidcProviderClientCacheConfigurationResourceTimeout()
+	{
+		return assertPositive(Duration.parse(oidcProviderClientCacheConfigurationResourceTimeout));
+	}
+
+	private Duration getOidcProviderClientCacheJwksResourceTimeout()
+	{
+		return assertPositive(Duration.parse(oidcProviderClientCacheJwksResourceTimeout));
 	}
 
 	@Bean
 	@Lazy
 	public Duration oidcProviderClientTimeoutRead()
 	{
-		return Duration.parse(oidcProviderClientTimeoutRead);
+		return assertPositive(Duration.parse(oidcProviderClientTimeoutRead));
 	}
 
 	@Bean
 	@Lazy
 	public Duration oidcProviderClientTimeoutConnect()
 	{
-		return Duration.parse(oidcProviderClientTimeoutConnect);
+		return assertPositive(Duration.parse(oidcProviderClientTimeoutConnect));
+	}
+
+	private Duration assertPositive(Duration duration)
+	{
+		if (duration != null && duration.isNegative())
+			throw new IllegalArgumentException("configured duration is negative");
+		else
+			return duration;
 	}
 
 	private Proxy oidcClientProxy()

dsf-common/dsf-common-oidc/src/main/java/dev/dsf/common/oidc/BaseOidcClientWithCache.java

@@ -15,51 +15,65 @@
  */
 package dev.dsf.common.oidc;
 
+import java.time.Duration;
+import java.time.ZonedDateTime;
 import java.util.Objects;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
 
 public class BaseOidcClientWithCache implements BaseOidcClient
 {
-	private final BaseOidcClient delegate;
+	private static final record CacheEntry<T>(ZonedDateTime timeout, T resource)
+	{
+	}
+
+	private final Duration cacheTimeoutConfigurationResource;
+	private final Duration cacheTimeoutJwksResource;
+
+	private final AtomicReference<CacheEntry<OidcConfiguration>> configurationCache = new AtomicReference<>();
+	private final AtomicReference<CacheEntry<Jwks>> jwksCache = new AtomicReference<>();
 
-	private final AtomicReference<OidcConfiguration> oidcConfiguration = new AtomicReference<>();
-	private final AtomicReference<Jwks> jwks = new AtomicReference<>();
+	private final BaseOidcClient delegate;
 
 	/**
+	 * @param cacheTimeoutconfigurationResource
+	 *            not <code>null</code>
+	 * @param cacheTimeoutJwksResource
+	 *            not <code>null</code>
 	 * @param delegate
 	 *            not <code>null</code>
 	 */
-	public BaseOidcClientWithCache(BaseOidcClient delegate)
+	public BaseOidcClientWithCache(Duration cacheTimeoutconfigurationResource, Duration cacheTimeoutJwksResource,
+			BaseOidcClient delegate)
 	{
+		this.cacheTimeoutConfigurationResource = Objects.requireNonNull(cacheTimeoutconfigurationResource,
+				"cacheTimeoutconfigurationResource");
+		this.cacheTimeoutJwksResource = Objects.requireNonNull(cacheTimeoutJwksResource, "cacheTimeoutJwksResource");
 		this.delegate = Objects.requireNonNull(delegate, "delegate");
 	}
 
 	@Override
 	public OidcConfiguration getConfiguration() throws OidcClientException
 	{
-		return getOrSet(oidcConfiguration, delegate::getConfiguration);
+		return getOrSet(configurationCache, cacheTimeoutConfigurationResource, delegate::getConfiguration);
 	}
 
-	private <T> T getOrSet(AtomicReference<T> cache, Supplier<T> supplier)
+	private <T> T getOrSet(AtomicReference<CacheEntry<T>> cache, Duration timeout, Supplier<T> supplier)
 	{
-		T cached = cache.get();
-		if (cached == null)
+		CacheEntry<T> cached = cache.get();
+		if (cached != null && cached.timeout.isAfter(ZonedDateTime.now()))
+			return cached.resource;
+		else
 		{
-			T value = supplier.get();
-			if (cache.compareAndSet(cached, value))
-				return value;
-			else
-				return cache.get();
+			cache.compareAndSet(cached, new CacheEntry<>(ZonedDateTime.now().plus(timeout), supplier.get()));
+			return cache.get().resource;
 		}
-		else
-			return cached;
 	}
 
 	@Override
 	public Jwks getJwks() throws OidcClientException
 	{
-		return getOrSet(jwks, () -> delegate.getJwks(getConfiguration()));
+		return getOrSet(jwksCache, cacheTimeoutJwksResource, () -> delegate.getJwks(getConfiguration()));
 	}
 
 	@Override