Implemented new Oauth2Test for JWTs (#1246)

* Working on new OAuth2Test

* OAuth2Test for JWTs

* fixed typo

* Add OAuth2Test to the list of unit tests in OAuth2UnitTests.java

---------

Co-authored-by: t-burch <119930761+t-burch@users.noreply.github.com>

core/src/main/java/com/predic8/membrane/core/interceptor/authentication/session/StaticUserDataProvider.java

@@ -13,18 +13,13 @@
    limitations under the License. */
 package com.predic8.membrane.core.interceptor.authentication.session;
 
-import com.google.api.client.util.Base64;
 import com.predic8.membrane.annot.MCAttribute;
 import com.predic8.membrane.annot.MCChildElement;
 import com.predic8.membrane.annot.MCElement;
 import com.predic8.membrane.annot.MCOtherAttributes;
 import com.predic8.membrane.core.Router;
 import org.apache.commons.codec.digest.Crypt;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.*;
 import java.util.regex.Pattern;
@@ -72,11 +67,12 @@ public Map<String, String> verify(Map<String, String> postData) {
 			String salt = userHashSplit[2];
 			try {
 				pw = createPasswdCompatibleHash(algo,postDataPassword,salt);
-			} catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
+			} catch (Exception e) {
 				throw new RuntimeException(e.getMessage());
 			}
-        }else
+		} else {
 			pw = postDataPassword;
+		}
 		String pw2;
 		pw2 = userAttributes.getPassword();
 		if (pw2 == null || !pw2.equals(pw))
@@ -85,18 +81,18 @@ public Map<String, String> verify(Map<String, String> postData) {
 	}
 
 	private boolean isHashedPassword(String postDataPassword) {
-		// TODO do a better check here
 		String[] split = postDataPassword.split(Pattern.quote("$"));
-		if(split.length != 4)
+		if (split.length != 4)
 			return false;
-		if(!split[0].isEmpty())
+		if (!split[0].isEmpty())
 			return false;
-		if(split[3].length() < 20)
+		if (split[3].length() < 20)
 			return false;
-		return true;
+		// Check if second part is a valid hex
+		return Pattern.matches("[a-fA-F0-9]{40}", split[2]);
 	}
 
-	private String createPasswdCompatibleHash(String algo, String password, String salt) throws UnsupportedEncodingException, NoSuchAlgorithmException {
+	private String createPasswdCompatibleHash(String algo, String password, String salt) {
 		return Crypt.crypt(password, "$" + algo + "$" + salt);
 	}
 

core/src/main/java/com/predic8/membrane/core/interceptor/jwt/Jwks.java

@@ -26,13 +26,14 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
 @MCElement(name="jwks")
 public class Jwks {
 
-    List<Jwk> jwks;
+    List<Jwk> jwks = new ArrayList<>();
     String jwksUris;
     AuthorizationService authorizationService;
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/WellknownFile.java

@@ -19,7 +19,6 @@
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Collectors;
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/processors/AuthEndpointProcessor.java

@@ -17,12 +17,8 @@
 import com.predic8.membrane.core.interceptor.Outcome;
 import com.predic8.membrane.core.interceptor.authentication.session.SessionManager;
 import com.predic8.membrane.core.interceptor.oauth2.OAuth2AuthorizationServerInterceptor;
-import com.predic8.membrane.core.interceptor.oauth2.ParamNames;
 import com.predic8.membrane.core.interceptor.oauth2.request.AuthWithSessionRequest;
 import com.predic8.membrane.core.interceptor.oauth2.request.AuthWithoutSessionRequest;
-import com.predic8.membrane.core.util.URLParamUtil;
-
-import static com.predic8.membrane.core.util.URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR;
 
 public class AuthEndpointProcessor extends EndpointProcessor {
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/processors/CertsEndpointProcessor.java

@@ -15,14 +15,15 @@
 
 import com.predic8.membrane.core.beautifier.JSONBeautifier;
 import com.predic8.membrane.core.exchange.Exchange;
-import com.predic8.membrane.core.http.MimeType;
 import com.predic8.membrane.core.http.Response;
 import com.predic8.membrane.core.interceptor.Outcome;
 import com.predic8.membrane.core.interceptor.oauth2.OAuth2AuthorizationServerInterceptor;
 
+import static com.predic8.membrane.core.http.MimeType.APPLICATION_JSON_UTF8;
+
 public class CertsEndpointProcessor extends EndpointProcessor {
 
-    private JSONBeautifier jsonBeautifier = new JSONBeautifier();
+    private final JSONBeautifier jsonBeautifier = new JSONBeautifier();
 
     public CertsEndpointProcessor(OAuth2AuthorizationServerInterceptor authServer) {
         super(authServer);
@@ -35,7 +36,14 @@ public boolean isResponsible(Exchange exc) {
 
     @Override
     public Outcome process(Exchange exc) throws Exception {
-        exc.setResponse(Response.ok().contentType(MimeType.APPLICATION_JSON_UTF8).body(jsonBeautifier.beautify(authServer.getJwtGenerator().getJwk())).build());
+        String accessTokenJWKIfAvailable = authServer.getTokenGenerator().getJwkIfAvailable();
+        String idTokenJWK = authServer.getJwtGenerator().getJwk();
+
+        String jwks = "{\"keys\": [ " + idTokenJWK +
+                (accessTokenJWKIfAvailable != null ? "," + accessTokenJWKIfAvailable : "") +
+                "]}";
+
+        exc.setResponse(Response.ok().contentType(APPLICATION_JSON_UTF8).body(jsonBeautifier.beautify(jwks)).build());
         return Outcome.RETURN;
     }
-}
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/request/UserinfoRequest.java

@@ -13,7 +13,6 @@
 
 package com.predic8.membrane.core.interceptor.oauth2.request;
 
-import com.fasterxml.jackson.core.JsonGenerator;
 import com.predic8.membrane.core.exchange.Exchange;
 import com.predic8.membrane.core.http.MimeType;
 import com.predic8.membrane.core.http.Response;

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/request/tokenrequest/CredentialsFlow.java

@@ -27,7 +27,6 @@
 import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;
 
 import java.io.IOException;
-import java.lang.reflect.Executable;
 import java.util.ArrayList;
 
 import org.jose4j.lang.JoseException;

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/request/tokenrequest/PasswordFlow.java

@@ -17,11 +17,8 @@
 import com.predic8.membrane.core.http.MimeType;
 import com.predic8.membrane.core.http.Response;
 import com.predic8.membrane.core.interceptor.authentication.session.SessionManager;
-import com.predic8.membrane.core.interceptor.oauth2.ClaimRenamer;
-import com.predic8.membrane.core.interceptor.oauth2.Client;
+import com.predic8.membrane.core.interceptor.oauth2.*;
 import com.predic8.membrane.core.interceptor.oauth2.OAuth2AuthorizationServerInterceptor;
-import com.predic8.membrane.core.interceptor.oauth2.OAuth2Util;
-import com.predic8.membrane.core.interceptor.oauth2.ParamNames;
 import com.predic8.membrane.core.interceptor.oauth2.parameter.ClaimsParameter;
 import com.predic8.membrane.core.interceptor.oauth2.request.NoResponse;
 import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/request/tokenrequest/RefreshTokenFlow.java

@@ -17,11 +17,8 @@
 import com.predic8.membrane.core.http.MimeType;
 import com.predic8.membrane.core.http.Response;
 import com.predic8.membrane.core.interceptor.authentication.session.SessionManager;
-import com.predic8.membrane.core.interceptor.oauth2.ClaimRenamer;
-import com.predic8.membrane.core.interceptor.oauth2.Client;
+import com.predic8.membrane.core.interceptor.oauth2.*;
 import com.predic8.membrane.core.interceptor.oauth2.OAuth2AuthorizationServerInterceptor;
-import com.predic8.membrane.core.interceptor.oauth2.OAuth2Util;
-import com.predic8.membrane.core.interceptor.oauth2.ParamNames;
 import com.predic8.membrane.core.interceptor.oauth2.parameter.ClaimsParameter;
 import com.predic8.membrane.core.interceptor.oauth2.request.NoResponse;
 import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/tokengenerators/BearerJwtTokenGenerator.java

@@ -54,8 +54,8 @@ public void init(Router router) throws Exception {
             rsaJsonWebKey = generateKey();
             if (warningGeneratedKey)
                 LOG.warn("bearerJwtToken uses a generated key ('{}'). Sessions of this instance will not be compatible " +
-                        "with sessions of other (e.g. restarted)instances. To solve this, write the JWK into a file and " +
-                        "reference it using <bearerJwtToken><jwk location=\"...\">.",
+                                "with sessions of other (e.g. restarted) instances. To solve this, write the JWK into a file and " +
+                                "reference it using <bearerJwtToken><jwk location=\"...\">.",
                         rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE));
         } else {
             rsaJsonWebKey = new RsaJsonWebKey(JsonUtil.parseJson(jwk.get(router.getResolverMap(), router.getBaseLocation())));
@@ -86,6 +86,7 @@ public String getToken(String username, String clientId, String clientSecret) {
         jws.setPayload(claims.toJson());
         jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
         jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
+        jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
         try {
             return jws.getCompactSerialization();
         } catch (JoseException e) {
@@ -165,4 +166,9 @@ public boolean isWarningGeneratedKey() {
     public void setWarningGeneratedKey(boolean warningGeneratedKey) {
         this.warningGeneratedKey = warningGeneratedKey;
     }
-}
+
+    @Override
+    public String getJwkIfAvailable() {
+        return rsaJsonWebKey.toJson();
+    }
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/tokengenerators/BearerTokenGenerator.java

@@ -117,4 +117,9 @@ public boolean supportsRevocation() {
     public long getExpiration() {
         return 0;
     }
-}
+
+    @Override
+    public String getJwkIfAvailable() {
+        return null;
+    }
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/tokengenerators/JwtGenerator.java

@@ -41,7 +41,7 @@
 public class JwtGenerator {
 
     public String getJwk() {
-        return "{\"keys\": [ " + rsaJsonWebKey.toJson() + "]}";
+        return rsaJsonWebKey.toJson();
     }
 
     public static class Claim{
@@ -193,4 +193,4 @@ private static JwtClaims processIdTokenToClaims(String idToken, String iss, Stri
 
         return jwtConsumer.processToClaims(idToken);
     }
-}
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/tokengenerators/TokenGenerator.java

@@ -60,4 +60,10 @@ public interface TokenGenerator {
      * @return token expiration in seconds, or 0 if there is no expiration
      */
     long getExpiration();
-}
+
+    /**
+     * @return the JWK representation of the key used to sign the tokens or null, if there is no such key (e.g. because
+     * the tokens are randomly generated strings)
+     */
+    String getJwkIfAvailable();
+}

core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/OAuth2AuthorizationServerInterceptorBase.java

@@ -18,7 +18,6 @@
 import com.predic8.membrane.core.http.*;
 import com.predic8.membrane.core.interceptor.authentication.session.*;
 import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.*;
-import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.BearerJwtTokenGenerator;
 import com.predic8.membrane.core.util.*;
 import com.predic8.membrane.core.util.functionalInterfaces.*;
 import org.junit.jupiter.api.*;