Fapi conformance

.circleci/config.yml

@@ -163,7 +163,7 @@ jobs:
       os_name: "ubuntu"
       os_version: "2004"
       os_patch: "202101-01"
-      machine_size: "large"
+      machine_size: "xlarge"
 
     steps:
       - attach_workspace:

gravitee-am-common/src/main/java/io/gravitee/am/common/exception/oauth2/InvalidRequestUriException.java

@@ -36,7 +36,7 @@ public InvalidRequestUriException(String message) {
 
     @Override
     public String getOAuth2ErrorCode() {
-        return "invalid_request_uris";
+        return "invalid_request_uri";
     }
 
 }

gravitee-am-common/src/main/java/io/gravitee/am/common/jwt/Claims.java

@@ -97,10 +97,14 @@ public interface Claims {
      * The oauth 2.0 "scopes"
      */
     String scope = "scope";
+    /**
+     * The oauth 2.0 confirmation method
+     */
+    String cnf = "cnf";
 
     static List<String> claims() {
         return Arrays.asList(iss, sub, aud, exp, nbf, iat,
-                jti, domain, claims, ip_address, user_agent, scope);
+                jti, domain, claims, ip_address, user_agent, scope, cnf);
     }
 
 }

gravitee-am-common/src/main/java/io/gravitee/am/common/jwt/JWT.java

@@ -27,6 +27,8 @@
  */
 public class JWT extends HashMap<String, Object> {
 
+    public static final String CONFIRMATION_METHOD_X509_THUMBPRINT = "x5t#S256";
+
     public JWT() { }
 
     public JWT(Map<? extends String, ?> claims) {
@@ -116,4 +118,12 @@ public void setClaimsRequestParameter(Object claims) {
     public boolean hasScope(String scope) {
         return getScope() != null && Arrays.asList(getScope().split("\\s+")).contains(scope);
     }
+
+    public void setConfirmationMethod(Map<String, Object> confirmation) {
+        put(Claims.cnf, confirmation);
+    }
+
+    public Object getConfirmationMethod() {
+        return get(Claims.cnf);
+    }
 }

gravitee-am-common/src/main/java/io/gravitee/am/common/oidc/ClientAuthenticationMethod.java

@@ -68,6 +68,11 @@ public interface ClientAuthenticationMethod {
      */
     String SELF_SIGNED_TLS_CLIENT_AUTH = "self_signed_tls_client_auth";
 
+    /**
+     * URN to identify the ClientAssertion using JWT token
+     */
+    String JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+
     static List<String> supportedValues() {
         return Arrays.asList(
                 CLIENT_SECRET_BASIC,

gravitee-am-fapi-resource-api/pom.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+            http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>io.gravitee.am</groupId>
+        <artifactId>gravitee-am-parent</artifactId>
+        <version>3.10.0-SNAPSHOT</version>
+    </parent>
+
+    <groupId>io.gravitee.am.fapi</groupId>
+    <artifactId>gravitee-fapi-resource-api</artifactId>
+    <version>3.10.0-SNAPSHOT</version>
+    <name> Gravitee.io - OIDC FAPI - Resource API</name>
+
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-web</artifactId>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/commons-cli/commons-cli -->
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.4</version>
+        </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>8.17</version>
+        </dependency>
+    </dependencies>
+</project>

gravitee-am-fapi-resource-api/src/main/java/io/gravitee/sample/fapi/api/FapiApi.java

@@ -0,0 +1,128 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.sample.fapi.api;
+
+import io.vertx.core.Vertx;
+import io.vertx.core.http.*;
+import io.vertx.core.net.JksOptions;
+import io.vertx.core.net.PfxOptions;
+import io.vertx.ext.web.Router;
+import io.vertx.ext.web.handler.StaticHandler;
+import org.apache.commons.cli.*;
+
+import java.util.Set;
+
+import static io.vertx.core.http.HttpMethod.GET;
+
+/**
+ * @author Eric LELEU (eric.leleu at graviteesource.com)
+ */
+public class FapiApi {
+
+    public static final String CONF_HOST = "host";
+    public static final String CONF_PORT = "port";
+    public static final String CONF_TRUST_STORE_PATH = "trustStorePath";
+    public static final String CONF_TRUST_STORE_TYPE = "trustStoreType";
+    public static final String CONF_TRUST_STORE_PASSWORD = "trustStorePassword";
+    public static final String CONF_KEY_STORE_PATH = "keyStorePath";
+    public static final String CONF_KEY_STORE_TYPE = "keyStoreType";
+    public static final String CONF_KEY_STORE_PASSWORD = "keyStorePassword";
+
+    public static void main(String[] args) throws Exception {
+        CommandLine cmd = parseArgs(args);
+        HttpServerOptions options = buildHttpOptions(cmd);
+
+        Vertx vertx = Vertx.vertx();
+        HttpServer server = vertx.createHttpServer(options);
+
+        Router router = Router.router(vertx);
+        router.route().handler(StaticHandler.create());
+
+        router.route("/fapi/api")
+                .method(GET)
+                .produces("application/json")
+                .handler(new FapiResourceApiHandler());
+
+        server.requestHandler(router)
+
+                .listen();
+        System.out.println("Server listening on port " + cmd.getOptionValue(CONF_PORT, "9443"));
+    }
+
+    private static HttpServerOptions buildHttpOptions(CommandLine cmd) {
+        HttpServerOptions options = new HttpServerOptions();
+        options.setPort(Integer.parseInt(cmd.getOptionValue(CONF_PORT, "9443")));
+        options.setHost(cmd.getOptionValue(CONF_HOST, "0.0.0.0"));
+        options.setSsl(true);
+        options.setUseAlpn(false);
+        options.setEnabledSecureTransportProtocols(Set.of("TLSv1.2", "TLSv1.3"));
+        options.addEnabledCipherSuite("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")
+                .addEnabledCipherSuite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
+                .addEnabledCipherSuite("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
+                .addEnabledCipherSuite("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
+        options.setClientAuth(ClientAuth.REQUEST);
+
+        if (cmd.getOptionValue(CONF_TRUST_STORE_TYPE, "pkcs12").equalsIgnoreCase("pkcs12")) {
+            options.setPfxTrustOptions(new PfxOptions()
+                        .setPath(cmd.getOptionValue(CONF_TRUST_STORE_PATH))
+                        .setPassword(cmd.getOptionValue(CONF_TRUST_STORE_PASSWORD)));
+        } else{
+            options.setTrustStoreOptions(new JksOptions()
+                        .setPath(cmd.getOptionValue(CONF_TRUST_STORE_PATH))
+                        .setPassword(cmd.getOptionValue(CONF_TRUST_STORE_PASSWORD)));
+        }
+
+        if (cmd.getOptionValue(CONF_KEY_STORE_TYPE, "pkcs12").equalsIgnoreCase("pkcs12")) {
+            options.setPfxKeyCertOptions(new PfxOptions()
+                        .setPath(cmd.getOptionValue(CONF_KEY_STORE_PATH))
+                        .setPassword(cmd.getOptionValue(CONF_KEY_STORE_PASSWORD)));
+        } else{
+            options.setKeyStoreOptions(new JksOptions()
+                        .setPath(cmd.getOptionValue(CONF_KEY_STORE_PATH))
+                        .setPassword(cmd.getOptionValue(CONF_KEY_STORE_PASSWORD)));
+        }
+        return options;
+    }
+
+    private static CommandLine parseArgs(String[] args) throws ParseException {
+        Options options = new Options();
+        Option host = new Option(CONF_HOST, true, "binding interface");
+        host.setRequired(false);
+        options.addOption(host);
+
+        Option port = new Option(CONF_PORT, true, "listening port");
+        port.setRequired(false);
+        options.addOption(port);
+        // TODO create each options with required true
+        options.addOption(CONF_TRUST_STORE_PATH, true, "truststore path");
+        options.addOption(CONF_TRUST_STORE_TYPE, true, "truststore type");
+        options.addOption(CONF_TRUST_STORE_PASSWORD, true, "truststore password");
+        options.addOption(CONF_KEY_STORE_PATH, true, "keystore path");
+        options.addOption(CONF_KEY_STORE_TYPE, true, "keystore type");
+        options.addOption(CONF_KEY_STORE_PASSWORD, true, "keystore password");
+
+        CommandLineParser parser = new DefaultParser();
+        CommandLine cmd = parser.parse( options, args);
+
+        if (!(cmd.hasOption(CONF_KEY_STORE_PATH) && cmd.hasOption(CONF_KEY_STORE_PATH))) {
+            HelpFormatter formatter = new HelpFormatter();
+            formatter.printHelp( "java io.gravitee.sample.fapi.api.FapiApi ", options );
+            System.exit(1);
+        }
+
+        return cmd;
+    }
+}

gravitee-am-fapi-resource-api/src/main/java/io/gravitee/sample/fapi/api/FapiResourceApiHandler.java

@@ -0,0 +1,88 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.sample.fapi.api;
+
+import com.nimbusds.jose.util.Base64URL;
+import io.vertx.core.Handler;
+import io.vertx.core.http.HttpHeaders;
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.impl.jose.JWT;
+import io.vertx.ext.web.RoutingContext;
+
+import javax.net.ssl.SSLSession;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.*;
+
+
+public class FapiResourceApiHandler implements Handler<RoutingContext> {
+
+    @Override
+    public void handle(RoutingContext routingContext) {
+        try {
+            final SSLSession sslSession = routingContext.request().sslSession();
+            Certificate[] peerCertificates = sslSession.getPeerCertificates();
+            X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];
+
+            String thumbprint256 = getThumbprint(peerCertificate, "SHA-256");
+
+            final String auth = routingContext.request().getHeader(HttpHeaders.AUTHORIZATION);
+            if (auth != null && auth.startsWith("Bearer ")) {
+
+                String jwtString = auth.replaceFirst("Bearer ", "");
+                final JsonObject jwt = JWT.parse(jwtString).getJsonObject("payload");
+
+                if (jwt.containsKey("cnf") && thumbprint256.equals(jwt.getJsonObject("cnf").getString("x5t#S256"))) {
+                    //response ok
+                    final int statusCode = 200;
+                    routingContext.response()
+                            .putHeader("content-type", "application/json")
+                            .putHeader("Date", DateTimeFormatter.RFC_1123_DATE_TIME.format(ZonedDateTime.now()))
+                            .putHeader("x-fapi-auth-date", routingContext.request().getHeader("x-fapi-auth-date"))
+                            .putHeader("x-fapi-customer-ip-address", routingContext.request().getHeader("x-fapi-customer-ip-address"))
+                            .putHeader("x-fapi-interaction-id", Optional.ofNullable(routingContext.request().getHeader("x-fapi-interaction-id")).orElse(UUID.randomUUID().toString()))
+                            .setStatusCode(statusCode)
+                            .end(jwt.encodePrettily()); // return JWT as JSON object
+                }
+            }
+
+            // default response unauthorized
+            routingContext.response()
+                        .putHeader("content-type", "application/json")
+                        .setStatusCode(401).end();
+        } catch (Exception e) {
+            e.printStackTrace();
+            routingContext.fail(500, e);
+        }
+
+    }
+
+    public static String getThumbprint(X509Certificate cert, String algorithm)
+            throws NoSuchAlgorithmException, CertificateEncodingException {
+        MessageDigest md = MessageDigest.getInstance(algorithm);
+        byte[] der = cert.getEncoded();
+        md.update(der);
+        byte[] digest = md.digest();
+        return Base64URL.encode(digest).toString();
+    }
+}

gravitee-am-gateway/gravitee-am-gateway-handler/gravitee-am-gateway-handler-common/src/main/java/io/gravitee/am/gateway/handler/common/utils/ConstantKeys.java

@@ -15,8 +15,6 @@
  */
 package io.gravitee.am.gateway.handler.common.utils;
 
-import io.gravitee.am.service.validators.AccountSettingsValidator;
-
 /**
  * @author Jeoffrey HAEYAERT (jeoffrey.haeyaert at graviteesource.com)
  * @author GraviteeSource Team
@@ -55,6 +53,7 @@ public interface ConstantKeys {
     String SKIP_ACTION_KEY = "skipAction";
     String TRANSACTION_ID_KEY = "tid";
     String OIDC_PROVIDER_ID_TOKEN_KEY = "op_id_token";
+    String PEER_CERTIFICATE_THUMBPRINT = "x509_thumbprint_s256";
 
     // enrich authentication flow keys
     String AUTH_FLOW_CONTEXT_KEY = "authFlowContext";
@@ -95,4 +94,11 @@ public interface ConstantKeys {
     // Forgot Password
     String FORGOT_PASSWORD_FIELDS_KEY = "forgotPwdFormFields";
     String FORGOT_PASSWORD_CONFIRM = "forgot_password_confirm";
+
+    // key used to store & retrieve the request object from the routing context
+    String REQUEST_OBJECT_KEY = "requestObject";
+    // identifier of the Pushed Authorization Parameters
+    String REQUEST_URI_ID_KEY = "requestUriId";
+    String REQUEST_OBJECT_FROM_URI = "request-object-from-uri";
+
 }