Update documentation for JWT bearer grant

[#145414125] https://www.pivotaltracker.com/story/show/145414125
cloudfoundry · Jun 3, 2017 · fa70612 · fa70612
1 parent 4b0baf2
commit fa70612
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 4 deletions.
diff --git a/uaa/slateCustomizations/source/index.html.md.erb b/uaa/slateCustomizations/source/index.html.md.erb
@@ -302,6 +302,35 @@ _Response Fields_
 
 <%= ERB.new(File.read("../../build/generated-snippets/TokenEndpointDocs/getTokenUsingSaml2BearerGrant/response-fields.md")).result(binding) %>
 
+## JWT Bearer Token Grant
+
+<aside class="notice">
+  From 4.4.x
+</aside>
+
+The _JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants_
+allows to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in 
+[RFC 7523](https://tools.ietf.org/html/rfc7523). The requesting client, must have `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`.
+In addition the requesting client must either allow the IDP in `allowedproviders` or omit the property so that any trusted IDP is allowed.
+The trust to the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the 
+UAA database. If multiple providers exists that have the same issuer, the grant will fail.
+
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/curl-request.md")).result(binding) %>
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/http-request.md")).result(binding) %>
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/http-response.md")).result(binding) %>
+
+_Request Headers_
+
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/request-headers.md")).result(binding) %>
+
+_Request Parameters_
+
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/request-parameters.md")).result(binding) %>
+
+_Response Fields_
+
+<%= ERB.new(File.read("../../build/generated-snippets/JwtBearerGrantDocs/document_jwt_bearer_grant/response-fields.md")).result(binding) %>
+
 ## Refresh Token
 
 <%= ERB.new(File.read("../../build/generated-snippets/TokenEndpointDocs/refreshToken/curl-request.md")).result(binding) %>

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantDocs.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantDocs.java
@@ -0,0 +1,76 @@
+/*
+ * ****************************************************************************
+ *     Cloud Foundry
+ *     Copyright (c) [2009-2017] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ * ****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.mock.token;
+
+
+import org.junit.Test;
+import org.springframework.restdocs.headers.RequestHeadersSnippet;
+import org.springframework.restdocs.snippet.Snippet;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_JWT_BEARER;
+import static org.cloudfoundry.identity.uaa.test.SnippetUtils.fieldWithPath;
+import static org.cloudfoundry.identity.uaa.test.SnippetUtils.headerWithName;
+import static org.cloudfoundry.identity.uaa.test.SnippetUtils.parameterWithName;
+import static org.springframework.restdocs.headers.HeaderDocumentation.requestHeaders;
+import static org.springframework.restdocs.mockmvc.MockMvcRestDocumentation.document;
+import static org.springframework.restdocs.operation.preprocess.Preprocessors.preprocessResponse;
+import static org.springframework.restdocs.operation.preprocess.Preprocessors.prettyPrint;
+import static org.springframework.restdocs.payload.JsonFieldType.NUMBER;
+import static org.springframework.restdocs.payload.JsonFieldType.STRING;
+import static org.springframework.restdocs.payload.PayloadDocumentation.responseFields;
+import static org.springframework.restdocs.request.RequestDocumentation.requestParameters;
+
+public class JwtBearerGrantDocs extends JwtBearerGrantMockMvcTests {
+
+    @Test
+    public void document_jwt_bearer_grant() throws Exception {
+        Snippet responseFields = responseFields(
+            fieldWithPath("access_token").type(STRING).description("Access token generated by this grant"),
+            fieldWithPath("token_type").type(STRING).description("Will always be `bearer`"),
+            fieldWithPath("id_token").type(STRING).optional().description("If requested in `response_type`, the id_token for the shadow user"),
+            fieldWithPath("scope").type(STRING).description("List of scopes present in the `scope` claim in the access token"),
+            fieldWithPath("expires_in").type(NUMBER).description("Number of seconds before this token expires from the time of issuance"),
+            fieldWithPath("jti").type(STRING).description("The unique token ID")
+        );
+
+        Snippet requestParameters = requestParameters(
+            parameterWithName("assertion").type(STRING).required().description("JWT token identifying representing the user to be authenticated"),
+            parameterWithName("client_id").type(STRING).required().description("Required, client with "),
+            parameterWithName("client_secret").type(STRING).required().description("Required unless a basic authorization header is used"),
+            parameterWithName("grant_type").type(STRING).required().description("Must be set to `"+ GRANT_TYPE_JWT_BEARER+"`"),
+            parameterWithName("scope").type(STRING).optional(null).description("Optional parameter to limit the number of scopes in the `scope` claim of the access token"),
+            parameterWithName("response_type").type(STRING).optional(null).description("May be set to `token` or `token id_token` or `id_token`"),
+            parameterWithName("token_format").type(STRING).optional(null).description("May be set to `opaque` to retrieve revocable and non identifiable access token")
+        );
+
+        RequestHeadersSnippet headers = requestHeaders(
+            headerWithName("Authorization")
+                .description("Uses basic authorization with `base64(resource_server:shared_secret)` assuming the caller (a resource server) is actually also a registered client and has `uaa.resource` authority")
+                .optional()
+        );
+
+        setup_auth0_jwt_bearer_grant()
+            .andDo(
+                document(
+                    "{ClassName}/{methodName}",
+                    preprocessResponse(prettyPrint()),
+                    headers,
+                    requestParameters,
+                    responseFields
+                )
+            );
+    }
+}
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/JwtBearerGrantMockMvcTests.java
@@ -19,6 +19,7 @@
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.oauth.KeyInfo;
+import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
@@ -150,6 +151,10 @@ public ResultActions perform_grant_in_zone(IdentityZone theZone, String assertio
 
     @Test
     public void auth0_jwt_bearer_grant() throws Exception {
+        setup_auth0_jwt_bearer_grant();
+    }
+
+    public ResultActions setup_auth0_jwt_bearer_grant() throws Exception {
         IdentityZone theZone = IdentityZone.getUaa();
         String idToken = getAuth0IdToken();
         createAuth0Provider(IdentityZone.getUaa(),
@@ -164,17 +169,19 @@ public void auth0_jwt_bearer_grant() throws Exception {
             .param("client_id", client.getClientId())
             .param("client_secret", client.getClientSecret())
             .param(GRANT_TYPE, GRANT_TYPE_JWT_BEARER)
+            .param("response_type", "token id_token")
+            .param("scope", "openid")
+            .param(TokenConstants.REQUEST_TOKEN_FORMAT, TokenConstants.OPAQUE)
             .param("assertion", idToken);
 
         if (hasText(theZone.getSubdomain())) {
             jwtBearerGrant = jwtBearerGrant.header("Host", theZone.getSubdomain()+".localhost");
         }
-
-        getMockMvc().perform(jwtBearerGrant)
+        return getMockMvc().perform(jwtBearerGrant)
             .andDo(print())
             .andExpect(status().isOk())
-            .andExpect(jsonPath("$.access_token").isNotEmpty());
-
+            .andExpect(jsonPath("$.access_token").isNotEmpty())
+            .andExpect(jsonPath("$.id_token").isNotEmpty());
     }
 
     public String getAuth0IdToken() throws Exception {