Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC id token validation and token refresh #8153

Merged
merged 5 commits into from
Jan 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
///////////////////////////////////////////////////////////////////////////////

Copyright (c) 2023 Oracle and/or its affiliates.
Copyright (c) 2023, 2024 Oracle and/or its affiliates.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -71,13 +71,35 @@ This type provides the following service implementations:
|`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
|`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
Not used by default.
|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
Defaults to `false`.
|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
Security#decrypt(String, String).
If configured and encryption is enabled for any cookie,
Security MUST be configured in global or current `io.helidon.common.context.Context` (this
is done automatically in Helidon MP).
|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
using the cookie.
|`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
|`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
the cookie is valid.
Not used by default.
|`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
Defaults to `DEFAULT_COOKIE_NAME`.
|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
Defaults to `DEFAULT_COOKIE_NAME`_2.

This cookie is only used when logout is enabled, as otherwise it is not needed.
Content of this cookie is encrypted.
|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
|`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
|`cookie-path` |string |`/` |Path the cookie is valid for.
Expand All @@ -97,6 +119,9 @@ This type provides the following service implementations:
process header containing a JWT.
Default is "Authorization" header with a prefix "bearer ".
|`header-use` |boolean |`true` |Whether to expect JWT in a header field.
|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
Signature check is enabled by default, and it is highly recommended to not change that.
Change this setting only when you really know what you are doing, otherwise it could case security issues.
|`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
|`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
Expand All @@ -123,7 +148,8 @@ This type provides the following service implementations:
Defaults to `DEFAULT_PROXY_PORT`
|`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
Defaults to `DEFAULT_PROXY_PROTOCOL`.
|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
|`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
Defaults to #DEFAULT_TENANT_PARAM_NAME.
|`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
Expand Down Expand Up @@ -167,6 +193,9 @@ This type provides the following service implementations:
code.
If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
an attempt is made to use #identityUri(URI)/oauth2/v1/token.
|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
Signature check is enabled by default, and it is highly recommended to not change that.
Change this setting only when you really know what you are doing, otherwise it could case security issues.
|`use-jwt-groups` |boolean |`true` |Claim `groups` from JWT will be used to automatically add
groups to current subject (may be used with jakarta.annotation.security.RolesAllowed annotation).
|`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
///////////////////////////////////////////////////////////////////////////////

Copyright (c) 2023 Oracle and/or its affiliates.
Copyright (c) 2023, 2024 Oracle and/or its affiliates.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -60,13 +60,35 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
|`client-timeout-millis` |Duration |`30000` |Timeout of calls using web client.
|`cookie-domain` |string |{nbsp} |Domain the cookie is valid for.
Not used by default.
|`cookie-encryption-enabled` |boolean |`false` |Whether to encrypt token cookie created by this microservice.
Defaults to `false`.
|`cookie-encryption-enabled-id-token` |boolean |`true` |Whether to encrypt id token cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-enabled-refresh-token` |boolean |`true` |Whether to encrypt refresh token cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-enabled-tenant-name` |boolean |`true` |Whether to encrypt tenant name cookie created by this microservice.
Defaults to `true`.
|`cookie-encryption-name` |string |{nbsp} |Name of the encryption configuration available through Security#encrypt(String, byte[]) and
Security#decrypt(String, String).
If configured and encryption is enabled for any cookie,
Security MUST be configured in global or current `io.helidon.common.context.Context` (this
is done automatically in Helidon MP).
|`cookie-encryption-password` |char[] |{nbsp} |Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice
using the cookie.
|`cookie-http-only` |boolean |`true` |When using cookie, if set to true, the HttpOnly attribute will be configured.
Defaults to `OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY`.
|`cookie-max-age-seconds` |long |{nbsp} |When using cookie, used to set MaxAge attribute of the cookie, defining how long
the cookie is valid.
Not used by default.
|`cookie-name` |string |`JSESSIONID` |Name of the cookie to use.
Defaults to `DEFAULT_COOKIE_NAME`.
|`cookie-name-id-token` |string |`JSESSIONID_2` |Name of the cookie to use for id token.
Defaults to `DEFAULT_COOKIE_NAME`_2.

This cookie is only used when logout is enabled, as otherwise it is not needed.
Content of this cookie is encrypted.
|`cookie-name-refresh-token` |string |`JSESSIONID_3` |The name of the cookie to use for the refresh token.
Defaults to `DEFAULT_REFRESH_COOKIE_NAME`.
|`cookie-name-tenant` |string |`HELIDON_TENANT` |The name of the cookie to use for the tenant name.
Defaults to `DEFAULT_TENANT_COOKIE_NAME`.
|`cookie-path` |string |`/` |Path the cookie is valid for.
Expand All @@ -86,6 +108,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
process header containing a JWT.
Default is "Authorization" header with a prefix "bearer ".
|`header-use` |boolean |`true` |Whether to expect JWT in a header field.
|`id-token-signature-validation` |boolean |`true` |Whether id token signature check should be enabled.
Signature check is enabled by default, and it is highly recommended to not change that.
Change this setting only when you really know what you are doing, otherwise it could case security issues.
|`identity-uri` |URI |{nbsp} |URI of the identity server, base used to retrieve OIDC metadata.
|`introspect-endpoint-uri` |URI |{nbsp} |Endpoint to use to validate JWT.
Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).
Expand All @@ -107,7 +132,8 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
Defaults to `DEFAULT_PROXY_PORT`
|`proxy-protocol` |string |`http` |Proxy protocol to use when proxy is used.
Defaults to `DEFAULT_PROXY_PROTOCOL`.
|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT token when parameter is used.
|`query-id-token-param-name` |string |`id_token` |Name of a query parameter that contains the JWT id token when parameter is used.
|`query-param-name` |string |`accessToken` |Name of a query parameter that contains the JWT access token when parameter is used.
|`query-param-tenant-name` |string |`h_tenant` |Name of a query parameter that contains the tenant name when the parameter is used.
Defaults to #DEFAULT_TENANT_PARAM_NAME.
|`query-param-use` |boolean |`false` |Whether to use a query parameter to send JWT token from application to this
Expand Down Expand Up @@ -151,6 +177,9 @@ Type: link:{javadoc-base-url}/io.helidon.security.providers.oidc.common/io/helid
code.
If not defined, it is obtained from #oidcMetadata(Resource), if that is not defined
an attempt is made to use #identityUri(URI)/oauth2/v1/token.
|`token-signature-validation` |boolean |`true` |Whether access token signature check should be enabled.
Signature check is enabled by default, and it is highly recommended to not change that.
Change this setting only when you really know what you are doing, otherwise it could case security issues.
|`validate-jwt-with-jwk` |boolean |`true` |Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
Use this method when you want to use default values for JWK or introspection endpoint URI.

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2023 Oracle and/or its affiliates.
* Copyright (c) 2018, 2024 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -43,6 +43,7 @@
import io.helidon.security.integration.common.SecurityTracing;
import io.helidon.security.internal.SecurityAuditEvent;
import io.helidon.security.providers.common.spi.AnnotationAnalyzer;
import io.helidon.webserver.security.SecurityHttpFeature;

import jakarta.annotation.PostConstruct;
import jakarta.annotation.Priority;
Expand All @@ -56,6 +57,7 @@
import jakarta.ws.rs.container.ContainerResponseFilter;
import jakarta.ws.rs.core.Application;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.glassfish.jersey.server.ExtendedUriInfo;
import org.glassfish.jersey.server.model.AbstractResourceModelVisitor;
Expand Down Expand Up @@ -182,6 +184,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
} else {
return;
}
io.helidon.common.context.Context helidonContext = Contexts.context()
.orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
helidonContext.get(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, Map.class)
.map(it -> (Map<String, List<String>>) it)
.ifPresent(it -> {
MultivaluedMap<String, Object> headers = responseContext.getHeaders();
for (Map.Entry<String, List<String>> entry : it.entrySet()) {
entry.getValue().forEach(value -> headers.add(entry.getKey(), value));
}
});

SecurityFilterContext fc = (SecurityFilterContext) requestContext.getProperty(PROP_FILTER_CONTEXT);
SecurityDefinition methodSecurity = jerseySecurityContext.methodSecurity();
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2023 Oracle and/or its affiliates.
* Copyright (c) 2018, 2024 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -24,6 +24,7 @@

import io.helidon.common.HelidonServiceLoader;
import io.helidon.common.config.Config;
import io.helidon.common.context.Contexts;
import io.helidon.common.uri.UriQuery;
import io.helidon.microprofile.security.spi.SecurityResponseMapper;
import io.helidon.security.AuthenticationResponse;
Expand All @@ -37,6 +38,7 @@
import io.helidon.security.integration.common.AtnTracing;
import io.helidon.security.integration.common.AtzTracing;
import io.helidon.security.integration.common.SecurityTracing;
import io.helidon.webserver.security.SecurityHttpFeature;

import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.container.ContainerRequestContext;
Expand Down Expand Up @@ -198,6 +200,9 @@ protected void processAuthentication(SecurityFilterContext context,
switch (responseStatus) {
case SUCCESS -> {
//everything is fine, we can continue with processing
io.helidon.common.context.Context helidonContext = Contexts.context()
.orElseThrow(() -> new IllegalStateException("Context must be available in Jersey"));
helidonContext.register(SecurityHttpFeature.CONTEXT_RESPONSE_HEADERS, response.responseHeaders());
}
case FAILURE_FINISH -> {
if (methodSecurity.authenticationOptional()) {
Expand Down