JWT claim definition for OIDC Id Token moved to JwtProcessor

Signed-off-by: Gianluca Barbon <gianluca.barbon@eurotech.com>
eclipse · Mar 15, 2021 · f75b9bf · f75b9bf
1 parent 783fd43
commit f75b9bf
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/...so/openid-connect/api/src/main/java/org/eclipse/kapua/plugin/sso/openid/JwtProcessor.java b/...so/openid-connect/api/src/main/java/org/eclipse/kapua/plugin/sso/openid/JwtProcessor.java
@@ -35,4 +35,11 @@ public interface JwtProcessor extends AutoCloseable {
      * @throws OpenIDJwtException if JWT processing fails.
      */
     JwtContext process(final String jwt) throws OpenIDException;
+
+    /**
+     * Return the claim to be extracted form the JWT as user identifier.
+     *
+     * @return the claim in the form of a String
+     */
+    String getExternalIdClaimName();
 }
diff --git a/.../src/main/java/org/eclipse/kapua/plugin/sso/openid/provider/internal/DisabledLocator.java b/.../src/main/java/org/eclipse/kapua/plugin/sso/openid/provider/internal/DisabledLocator.java
@@ -70,6 +70,11 @@ public boolean validate(String jwt) {
         public JwtContext process(String jwt) {
             return null;
         }
+
+        @Override
+        public String getExternalIdClaimName() {
+            return null;
+        }
     };
 
     private DisabledLocator() {

diff --git a/.../src/main/java/org/eclipse/kapua/plugin/sso/openid/provider/jwt/AbstractJwtProcessor.java b/.../src/main/java/org/eclipse/kapua/plugin/sso/openid/provider/jwt/AbstractJwtProcessor.java
@@ -23,6 +23,7 @@
 import org.eclipse.kapua.plugin.sso.openid.exception.jwt.OpenIDJwtProcessException;
 import org.jose4j.jwk.HttpsJwks;
 import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.ReservedClaimNames;
 import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
@@ -116,6 +117,14 @@ public JwtContext process(final String jwt) throws OpenIDException {
                 .process(jwt);
     }
 
+    /**
+     * @return 'sub' (according to the official OpenID Connect 1.0 specification)
+     */
+    @Override
+    public String getExternalIdClaimName() {
+        return ReservedClaimNames.SUBJECT;
+    }
+
     @Override
     public void close() throws Exception {
     }

diff --git a/...ain/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java b/...ain/java/org/eclipse/kapua/service/authentication/shiro/realm/JwtAuthenticatingRealm.java
@@ -192,7 +192,7 @@ private String extractExternalId(String jwt) {
         final String id;
         try {
             final JwtContext ctx = jwtProcessor.process(jwt);
-            id = ctx.getJwtClaims().getSubject();
+            id = ctx.getJwtClaims().getClaimValueAsString(jwtProcessor.getExternalIdClaimName());
         } catch (final Exception e) {
             throw new ShiroException("Failed to parse JWT", e);
         }