OIDC id token authentication and access token refreshing

Signed-off-by: David Kral <david.k.kral@oracle.com>

docs/config/io_helidon_security_providers_oidc_OidcProvider.adoc

@@ -71,13 +71,35 @@ This type provides the following service implementations:
 |`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
 |`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
  Not used by default.
+|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
+ Defaults to `false`.
+|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
+ Security#decrypt(String, String).
+ If configured and encryption is enabled for any cookie,
+ Security MUST be configured in global or current `io.helidon.common.context.Context` (this
+ is done automatically in Helidon MP).
+|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
+ using the cookie.
 |`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
  Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
 |`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
  the cookie is valid.
  Not used by default.
 |`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
  Defaults to `DEFAULT_COOKIE_NAME`.
+|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
+ Defaults to `DEFAULT_COOKIE_NAME`_2.
+
+ This cookie is only used when logout is enabled, as otherwise it is not needed.
+ Content of this cookie is encrypted.
+|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
+ Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
 |`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
  Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
 |`cookie-path` |string |`/` |Path the cookie is valid for.
@@ -97,6 +119,9 @@ This type provides the following service implementations:
  process header containing a JWT.
  Default is "Authorization" header with a prefix "bearer ".
 |`header-use` |boolean |`true` |Whether to expect JWT in a header field.
+|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
 |`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
  Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
@@ -123,7 +148,8 @@ This type provides the following service implementations:
  Defaults to `DEFAULT_PROXY_PORT`
 |`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
  Defaults to `DEFAULT_PROXY_PROTOCOL`.
-|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
+|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
+|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
 |`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
  Defaults to #DEFAULT_TENANT_PARAM_NAME.
 |`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
@@ -167,6 +193,9 @@ This type provides the following service implementations:
  code.
  If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
  an attempt is made to use #identityUri(URI)/oauth2/v1/token.
+|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`use-jwt-groups` |boolean |`true` |Claim `groups` from JWT will be used to automatically add
   groups to current subject (may be used with jakarta.annotation.security.RolesAllowed annotation).
 |`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.

docs/config/io_helidon_security_providers_oidc_common_OidcConfig.adoc

@@ -60,13 +60,35 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
 |`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
 |`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
  Not used by default.
+|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
+ Defaults to `false`.
+|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
+ Defaults to `true`.
+|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
+ Security#decrypt(String, String).
+ If configured and encryption is enabled for any cookie,
+ Security MUST be configured in global or current `io.helidon.common.context.Context` (this
+ is done automatically in Helidon MP).
+|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
+ using the cookie.
 |`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
  Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
 |`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
  the cookie is valid.
  Not used by default.
 |`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
  Defaults to `DEFAULT_COOKIE_NAME`.
+|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
+ Defaults to `DEFAULT_COOKIE_NAME`_2.
+
+ This cookie is only used when logout is enabled, as otherwise it is not needed.
+ Content of this cookie is encrypted.
+|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
+ Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
 |`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
  Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
 |`cookie-path` |string |`/` |Path the cookie is valid for.
@@ -86,6 +108,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  process header containing a JWT.
  Default is "Authorization" header with a prefix "bearer ".
 |`header-use` |boolean |`true` |Whether to expect JWT in a header field.
+|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
 |`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
  Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
@@ -107,7 +132,8 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  Defaults to `DEFAULT_PROXY_PORT`
 |`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
  Defaults to `DEFAULT_PROXY_PROTOCOL`.
-|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
+|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
+|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
 |`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
  Defaults to #DEFAULT_TENANT_PARAM_NAME.
 |`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
@@ -151,6 +177,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
  code.
  If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
  an attempt is made to use #identityUri(URI)/oauth2/v1/token.
+|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
+ Signature check is enabled by default, and it is highly recommended to not change that.
+ Change this setting only when you really know what you are doing, otherwise it could case security issues.
 |`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
  Use this method when you want to use default values for JWK or introspection endpoint URI.
 

microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilter.java

@@ -43,6 +43,7 @@
 import io.helidon.security.integration.common.SecurityTracing;
 import io.helidon.security.internal.SecurityAuditEvent;
 import io.helidon.security.providers.common.spi.AnnotationAnalyzer;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 import jakarta.annotation.PostConstruct;
 import jakarta.annotation.Priority;
@@ -56,6 +57,7 @@
 import jakarta.ws.rs.container.ContainerResponseFilter;
 import jakarta.ws.rs.core.Application;
 import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MultivaluedMap;
 import jakarta.ws.rs.core.Response;
 import org.glassfish.jersey.server.ExtendedUriInfo;
 import org.glassfish.jersey.server.model.AbstractResourceModelVisitor;
@@ -182,6 +184,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
         } else {
             return;
         }
+        io.helidon.common.context.Context helidonContext = Contexts.context()
+                .orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
+        helidonContext.get(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, Map.class)
+                .map(it -> (Map<String, List<String>>) it)
+                .ifPresent(it -> {
+                    MultivaluedMap<String, Object> headers = responseContext.getHeaders();
+                    for (Map.Entry<String, List<String>> entry : it.entrySet()) {
+                        entry.getValue().forEach(value -> headers.add(entry.getKey(), value));
+                    }
+                });
 
         SecurityFilterContext fc = (SecurityFilterContext) requestContext.getProperty(PROP_FILTER_CONTEXT);
         SecurityDefinition methodSecurity = jerseySecurityContext.methodSecurity();

microprofile/security/src/main/java/io/helidon/microprofile/security/SecurityFilterCommon.java

@@ -24,6 +24,7 @@
 
 import io.helidon.common.HelidonServiceLoader;
 import io.helidon.common.config.Config;
+import io.helidon.common.context.Contexts;
 import io.helidon.common.uri.UriQuery;
 import io.helidon.microprofile.security.spi.SecurityResponseMapper;
 import io.helidon.security.AuthenticationResponse;
@@ -37,6 +38,7 @@
 import io.helidon.security.integration.common.AtnTracing;
 import io.helidon.security.integration.common.AtzTracing;
 import io.helidon.security.integration.common.SecurityTracing;
+import io.helidon.webserver.security.SecurityHttpFeature;
 
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.container.ContainerRequestContext;
@@ -198,6 +200,9 @@ protected void processAuthentication(SecurityFilterContext context,
         switch (responseStatus) {
             case SUCCESS -> {
                 //everything is fine, we can continue with processing
+                io.helidon.common.context.Context helidonContext = Contexts.context()
+                        .orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
+                helidonContext.register(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, response.responseHeaders());
             }
             case FAILURE_FINISH -> {
                 if (methodSecurity.authenticationOptional()) {