AGDROID-686 Token integrity check

[aidenkeating]

Motivation

JIRA: https://issues.jboss.org/browse/AGDROID-686

Description

Function to Verify JWT Tokens (Access, Identity, Refresh) using a Keycloak Realm Public Key before they are used as part of client side access control decisions.

Provide the configuration from the JSON mobile configuration to the OIDCCredentials.

Tested successfully with both valid & tampered Access/Identity tokens. Identity Brokering originated tokens can also be validated.

Progress

• Get the Public Key from the Mobile Core Config (when available)
• Get the Audience from the Mobile Core Config (when available)
• Construct the integrity parameters (build issuer etc.) from the core config.
• Add Unit tests - Test Wrong issues, audiences, tampered signature, payload, algorithm info sections etc

[aidenkeating]

@ziccardi @secondsun Would you mind taking a look?

This adds IntegrityCheckParameters that are part of the OIDCCredentials containing the issuer, audience and publicKey from the mobile JSON config.

At the moment it looks like the SDK user would provide the credential at login. In this case I'm kind of confused as at the moment Credential seems to be used as a container for the tokens when a user has already authenticated. I don't understand why/how a user would provide that information at login.

Something tells me OIDCCredential has become more like AuthState and OIDCCredentials should be refactored to OIDCAuthState. Something that is created once a user is logged in instead of something the SDK user provides.

A call may be better to explain this.

[ziccardi]

@aidenkeating The authentication is performed through the usage of an authentication chain that can be configured at runtime.
Some of the rings of the authentication chain require a credential to be supplied (for example, to check that the token is still valid), some of them do not require the credentials (for example the browser authentication).
In both cases, after the user has been authenticated, an UserPrincipal object is returned containing the UserCredentials (in case of OIDC, it will contain the auth tokens).

[ziccardi]

Make the parameter final

[ziccardi]

Make the params final

[ziccardi]

Make the param final

[ziccardi]

Make the params final

[ziccardi]

Make the param final

[ziccardi]

See previous comments

[ziccardi]

Don't use System.out

[ziccardi]

See previous comment

[ziccardi]

Make parameter final

[ziccardi]

integrityCheckParameters could be null

[secondsun]

@aidenkeating Do you have a demo project that shows the code being used somewhere?

[aidenkeating]

@secondsun Not yet. I can implement it in https://github.com/feedhenry/mobile-security-android-template

[secondsun]

@aidenkeating Mostly looks good, added a few changes. The most important one I think is changing the JSON exception to a more descriptive run time exception.

The general argument is that we aren't working on JSON at a conceptual level. We are using OIDC tokens and configurations instead. This means that JSONException is leaking internal information that is not relevant to the user's tasks. Because this information isn't relevant we end up with exceptions that aren't solvable by the user (see here throws JSONException being leaked everywhere)

[secondsun]

Remove these two lines, they are already set above to 1.8

[secondsun]

packages need to be renamed to conform to https://github.com/aerogear/proposals/blob/master/sdks/SDK-naming.md

[ziccardi]

@secondsun : just to be sure, should we rename it to org.aerogear.android.ags.auth?

[secondsun]

@ziccardi Yes

[secondsun]

these should be private static final constant fields instead of local variables.

[secondsun]

For now use Android's Log object instead of printing the stack trace.

[secondsun]

How is serialize used?

[secondsun]

Personally I would remove the JSONException from the method declaration and rethrow it as a runtime exception and add that clue to the documentation.

[aidenkeating]

@secondsun serialize is used when persisting the auth state in the AuthStateManager.

[secondsun]

See above comments about JSONException.

[secondsun]

I don't like the name "write". I think save is more descriptive. Also if we wrap the JSONExceptions above we aren't "leaking" it here.

[secondsun]

Could the repeated "OIDCCredentials oidcCredentials = new OIDCCredentials();" be in the setup block?

[ziccardi]

When is the bootstrap called?
If we don't initialise the object inside the constructor, we should than throw an IllegalStateException if other methods are called before the bootstrap one.

[aidenkeating]

@secondsun Am I correct in saying the core will initialize and then call bootstrap on a ServiceModule?

[secondsun]

@aidenkeating Yes. https://github.com/aerogear/proposals/blob/master/android-sdk/README.md#starting-up-mobile-core

[ziccardi]

Add some documentation here. What is the issuer?

[ziccardi]

What is this public key? What is the format it is returned? It is a DSA? RSA? or what?

[ziccardi]

Is this object supposed to be constructed only through this method? If yes, the constructor should be private

[aidenkeating]

No this will need to be constructed through the constructor when initially created at authentication time.

[ziccardi]

A null check should be added here

[ziccardi]

is it ok to have a null jwtPublicKey here? If it is not, make it final and do not assign null to it.

final PublicKey jwtPublicKey;
try {
    jwtPublicKey = utils.fromPemEncoded(constructedPublicKey);
} catch (JoseException e) {

[ziccardi]

If we can safely return false here, it would be better to use logger to log exceptions.

[ziccardi]

Every time a variable is not supposed to be assigned again, it should be declared as final.

[ziccardi]

If this object is supposed to be created only through this method, the constructor should be private.

[ziccardi]

Is it correct to throw an unchecked exception here?

[secondsun]

@ziccardi Yes.

[secondsun]

However, we should add @throws to the javadocs

[secondsun]

compile is deprecated. replace with implementation and move above the test dependencies. Also can you include the dependency in the android bom https://github.com/aerogear/aerogear-parent/blob/master/aerogear-android-sdk-bom/pom.xml, passos is working on moving this to use a more managed system.

[secondsun]

@ziccardi Yes

[secondsun]

nix the exception

[secondsun]

This code will never throw a JSON exception, best not to declare it.

[secondsun]

Kill the exception.

If you have to throw a checked exception (pro tip, you don't), make it more specific to the task at hand. For instance if there is no "issuer" property on the object then throwing as JSON exception is less useful than throwing a new IllegalArgumentException with a useful message.

Also, add that the object needs to be a json object with those parameters in the header.

Also also, if all we are doing is storing this in shared preferences can we make it a parcelable instead?

[aidenkeating]

@secondsun I'm not sure I understand how parcelable would help here?

[secondsun]

Kill the JSONException. Add javadocs.

[secondsun]

However, we should add @throws to the javadocs

[aidenkeating]

@ziccardi @secondsun Mind taking another look?

[ziccardi]

Is ServiceConfiguration an immutable object?
If it is not, different threads could change the content of the ServiceConfiguration object, thus changing the internal state of the Authenticator without any control by the latter, making it crash prone.

[aidenkeating]

Not too familiar with any core stuff. @secondsun would you have an answer to this?

[secondsun]

ServiceConfiguration is meant to be immutable. If it isn't then feel free to make it so.

[aidenkeating]

Have made this change in a separate PR. Don't want this one to bloat much more. https://github.com/aerogear/aerogear-android-sdk/pull/24/files

[ziccardi]

Make these final

[ziccardi]

There is no added value in using variables to store the values here.

[ziccardi]

Please use a more specific exception. In this case, if the parameters are not correct, an IllegalArgumentException could be the right one.

[ziccardi]

See previous comment

[ziccardi]

See previous comment

[secondsun]

Looking better, I found a stub method and most of my comments are minor doc and annotation tweaks.

[secondsun]

You'll need to rebase on master and add these dependencies to the aerogear-android-sdk-bom. @danielpassos Can show you how.

[secondsun]

ServiceConfiguration is meant to be immutable. If it isn't then feel free to make it so.

[secondsun]

Do you think JavaDocs are needed? The properties and things look self explanatory to me, but if there are any weirdnesses or edge cases to be aware of (like what does isValid check to validate) then I would want them added.

[aidenkeating]

I think you're right about isValid requiring some docs here. For the others I don't think so, they're self explanatory I think.

[secondsun]

For the methods you implement you need to add the @Override annotation.

[secondsun]

Add @throws to describe why the runtime exception may be thrown.

[secondsun]

Add @Override where appropriate.

[aidenkeating]

ICredential is just empty at the moment.

[secondsun]

Add @throws to describe the runtime exception to the javadoc

[secondsun]

javadocs.

[secondsun]

Need implementation :)

[aidenkeating]

Not sure why this is showing up as changed, but the renew was there before this PR and I think it's outside the scope of this PR. I think its implementation is kind of dependent on knowing how login will work.

[secondsun]

Shouldn't this be illegal state exception?

[aidenkeating]

@secondsun Dependencies were added in this PR, waiting on a new release now. Have made a temporary commit that will fail so I don't forget

[rachael-oregan]

I'm not sure if Singleton's are suppose to have parameters? This way couldn't the singleton be instantiated multiple times which defeats the purpose?

[secondsun]

Private constructor and prefs is a final variable. IN this case it isn't bad because the references set up aren't mutable. However I am generally -1 to static singletons because they have annoying behaviors when you are testing that you have to code around.

[aidenkeating]

@rachael-oregan To respond to this comment 260a5b3#r166298337 yeah I'm not sure the best way to approach this. I don't think providing a 'setter' of any kind is a good idea as then context could change if the setter is called multiple times. This can't be initialized multiple times but I can see the awkwardness of it.

This way context is bound to whatever is provided first, instead of being able to be set multiple times.

There's also the option of providing context on each function call I guess.

Perhaps @ziccardi or @secondsun have a more informed view on how to approach this.

[ziccardi]

@aidenkeating Just a proposal: we could add a bootstrap method with package level visibility. It could then be called from the bootstrap method of the AuthService. This way other classes will see only a getInstance with no parameters. WDYT?

[secondsun]

We should NOT be using singletons. References to services should be fetch through the mobile core and not plucked from the ether.

See https://github.com/aerogear/proposals/blob/master/android-sdk/README.md#referencing-a-service

[aidenkeating]

Yeah I don't think this is used anyway, doesn't seem to be referenced anywhere. Must have been left over. Will remove

[aidenkeating]

@secondsun @ziccardi Removed unused singleton stuff and updated the android sdk bom stuff. Tests have started to pass again.

[aidenkeating]

@secondsun Would you mind taking a look? One question, we currently have the auth module typed as keycloak because it matches up with the actual keycloak service. We also have a keycloak module in this SDK. I'm guessing them both being typed as keycloak is a bad thing? Should we modify the keycloak module to something else or remove it altogether as it will be replaced with the auth service?

[danielpassos]

@aidenkeating Keycloak Service is a temporary one, It was to help us in the core PoC and going to be removed

[aidenkeating]

@danielpassos @ziccardi @secondsun Would you mind taking a look? I think this is ready to merge

[ziccardi]

Just a couple of comments

[ziccardi]

Shouldn't be return isAuthorized() && !getNeedsRenewal(); ?

[ziccardi]

@aidenkeating Just a proposal: we could add a bootstrap method with package level visibility. It could then be called from the bootstrap method of the AuthService. This way other classes will see only a getInstance with no parameters. WDYT?

[aidenkeating]

@ziccardi @danielpassos Mind taking a look? Have move the AuthStateManager out to the auth package. Have also included an init(Context) function in the AuthService to allow the user to provide the context. This is following the example used in this PR https://github.com/aerogear/aerogear-android-sdk/pull/27/files#diff-7037942ee1f06907ac7d09f6d65ccd6dR88

[rachael-oregan]

I presume this won't compile because its not implementing the methods from ServiceModule right?

Also how is the AuthService object got now?

[aidenkeating]

It is. Well CircleCI tests are passing. Jenkins is failing because the gradle daemon decided to go ahead and stop.

The ServiceModule interface has changed in this PR #22

[rachael-oregan]

Ah right cool, thanks for explaining

[aidenkeating]

@wtrocki Would you mind taking a look? I think this is ready to merge. Don't want this PR to bloat too much more. Jenkins appears to be failing because of an internal issue

Changes were applied

[wtrocki]

LGTM. Adjustments can be done later stage

[wtrocki]

I have spent some time checking changes on local machine.
PR recieved pretty good feedback. Considering that this changes cannot be properly tested until we get login implementation I think it's best to get that into master and follow up with other PR's.

Really good job @aidenkeating

[danielpassos]

I didn't have time to review it, I was about to start now but it's already merged. I didn't test it but I have 2 comments about this PR:

1. Correct or not all other modules are using org.aerogear.mobile.[module-name] as the package
2. I think all method who going to throw the exception needs to have that explicit in the method not only in the Javadoc.

[aidenkeating]

@danielpassos The package name was to address this comment #21 (comment) and this proposal https://github.com/aerogear/proposals/blob/master/sdks/SDK-naming.md#proposed-solution