feat: OIDC - Fetch JWK from providers (#3137)

--------- Signed-off-by: Pablo Hernán Carle <[email protected]> Signed-off-by: sj895092 <[email protected]> Co-authored-by: Pablo Hernán Carle <[email protected]> Co-authored-by: ShobhaJayanna <[email protected]> Co-authored-by: sj895092 <[email protected]>
zowe · Oct 19, 2023 · b23bb8f · b23bb8f
1 parent 9c90457
commit b23bb8f
Show file tree

Hide file tree

Showing 16 changed files with 403 additions and 128 deletions.
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -104,9 +104,9 @@ jobs:
                 env:
                     APIML_SECURITY_OIDC_CLIENTID: ${{ secrets.OKTA_CLIENT_ID }}
                     APIML_SECURITY_OIDC_CLIENTSECRET: ${{ secrets.OKTA_CLIENT_PASSWORD }}
-                    APIML_SECURITY_OIDC_INTROSPECTURL: ${{ secrets.OKTA_INTROSPECT_URL }}
                     APIML_SECURITY_OIDC_ENABLED: true
                     APIML_SECURITY_OIDC_REGISTRY: zowe.okta.com
+                    APIML_SECURITY_OIDC_JWKS_URI: ${{ secrets.OKTA_JWK_URI }}
                     APIML_SECURITY_OIDC_IDENTITYMAPPERUSER: APIMTST
                     APIML_SECURITY_OIDC_IDENTITYMAPPERURL: https://gateway-service:10010/zss/api/v1/certificate/dn
             discovery-service:

diff --git a/config/docker/gateway-service.yml b/config/docker/gateway-service.yml
@@ -11,10 +11,11 @@ apiml:
             enabled: true
             clientId:
             clientSecret:
-            introspectUrl:
             registry:
             identityMapperUrl:
             identityMapperUser:
+            jwks:
+                uri:
         auth:
             zosmf:
                 serviceId: mockzosmf  # Replace me with the correct z/OSMF service id

diff --git a/config/local/gateway-service.yml b/config/local/gateway-service.yml
@@ -18,10 +18,11 @@ apiml:
             enabled: false
             clientId:
             clientSecret:
-            introspectUrl:
             registry:
             identityMapperUrl:
             identityMapperUser:
+            jwks:
+                uri:
         auth:
             jwt:
                 customAuthHeader:

diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh
@@ -49,10 +49,11 @@
 # - ZWE_configs_apiml_security_oidc_enabled
 # - ZWE_configs_apiml_security_oidc_clientId
 # - ZWE_configs_apiml_security_oidc_clientSecret
-# - ZWE_configs_apiml_security_oidc_introspectUrl
 # - ZWE_configs_apiml_security_oidc_registry
 # - ZWE_configs_apiml_security_oidc_identityMapperUrl
 # - ZWE_configs_apiml_security_oidc_identityMapperUser
+# - ZWE_configs_apiml_security_oidc_jwks_uri
+# - ZWE_configs_apiml_security_oidc_jwks_refreshInternalHours
 # - ZWE_configs_apiml_service_allowEncodedSlashes - Allows encoded slashes on on URLs through gateway
 # - ZWE_configs_apiml_service_centralRegistryUrls - List of additional Discovery Services URLs to register with
 # - ZWE_configs_apiml_service_corsEnabled
@@ -269,10 +270,11 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} java \
     -Dapiml.security.oidc.enabled=${ZWE_configs_apiml_security_oidc_enabled:-false} \
     -Dapiml.security.oidc.clientId=${ZWE_configs_apiml_security_oidc_clientId:-} \
     -Dapiml.security.oidc.clientSecret=${ZWE_configs_apiml_security_oidc_clientSecret:-} \
-    -Dapiml.security.oidc.introspectUrl=${ZWE_configs_apiml_security_oidc_introspectUrl:-} \
     -Dapiml.security.oidc.registry=${ZWE_configs_apiml_security_oidc_registry:-} \
     -Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-"https://${ZWE_haInstance_hostname:-localhost}:${ZWE_configs_port:-7554}/zss/api/v1/certificate/dn"} \
     -Dapiml.security.oidc.identityMapperUser=${ZWE_configs_apiml_security_oidc_identityMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}} \
+    -Dapiml.security.oidc.jwks.uri=${ZWE_configs_apiml_security_oidc_jwks_uri} \
+    -Dapiml.security.oidc.jwks.refreshInternalHours=${ZWE_configs_apiml_security_oidc_jwks_refreshInternalHours:-1} \
     -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
     -Dloader.path=${GATEWAY_LOADER_PATH} \
     -Djava.library.path=${LIBPATH} \

diff --git a/gateway-package/src/main/resources/manifest.yaml b/gateway-package/src/main/resources/manifest.yaml
@@ -63,7 +63,6 @@ configs:
         enabled: false
         clientId:
         clientSecret:
-        introspectUrl:
         registry:
         # default value is https://${ZWE_haInstance_hostname:-localhost}:${ZWE_configs_port}/zss/api/v1/certificate/dn
         identityMapperUrl:

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/cache/ServiceCacheEvictor.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/cache/ServiceCacheEvictor.java
@@ -76,7 +76,6 @@ public void evict() {
             serviceCacheEvicts.forEach(x -> x.evictCacheService(serviceId));
         }
 
-
     }
 
 }
diff --git a/...src/main/java/org/zowe/apiml/gateway/security/service/token/ApimlAccessTokenProvider.java b/...src/main/java/org/zowe/apiml/gateway/security/service/token/ApimlAccessTokenProvider.java
@@ -12,9 +12,9 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Service;
 import org.zowe.apiml.gateway.cache.CachingServiceClient;
 import org.zowe.apiml.gateway.cache.CachingServiceClientException;
@@ -40,18 +40,16 @@
 @Slf4j
 public class ApimlAccessTokenProvider implements AccessTokenProvider {
 
-
-    private final CachingServiceClient cachingServiceClient;
-    private final AuthenticationService authenticationService;
-    private static final ObjectMapper objectMapper = new ObjectMapper();
-    private byte[] salt;
     static final String INVALID_TOKENS_KEY = "invalidTokens";
     static final String INVALID_USERS_KEY = "invalidUsers";
     static final String INVALID_SCOPES_KEY = "invalidScopes";
 
-    static {
-        objectMapper.registerModule(new JavaTimeModule());
-    }
+    private final CachingServiceClient cachingServiceClient;
+    private final AuthenticationService authenticationService;
+    @Qualifier("oidcMapper")
+    private final ObjectMapper objectMapper;
+
+    private byte[] salt;
 
     public void invalidateToken(String token) throws CachingServiceClientException, JsonProcessingException {
         String hashedValue = getHash(token);

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/JwkKeys.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/JwkKeys.java
@@ -0,0 +1,60 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.token;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.util.List;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class JwkKeys {
+
+    private List<Key> keys;
+
+    @Data
+    @AllArgsConstructor
+    @NoArgsConstructor
+    public static class Key {
+
+        // Cryptographic algorithm family for the certificate's Key pair. i.e. RSA
+        @JsonProperty("kty")
+        private String kty;
+
+        // The algorithm used with the Key. i.e. RS256
+        @JsonProperty("alg")
+        private String alg;
+
+        // The certificate's Key ID
+        @JsonProperty("kid")
+        private String kid;
+
+        // How the Key is used. i.e. sig
+        @JsonProperty("use")
+        private String use;
+
+        // RSA Key value (exponent) for Key blinding
+        @JsonProperty("e")
+        private String e;
+
+        // RSA modulus value
+        @JsonProperty("n")
+        private String n;
+
+    }
+
+}
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCConfig.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/token/OIDCConfig.java
@@ -0,0 +1,36 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.gateway.security.service.token;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import io.jsonwebtoken.Clock;
+import io.jsonwebtoken.impl.DefaultClock;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class OIDCConfig {
+
+    @Bean
+    public Clock clock() {
+        return new DefaultClock();
+    }
+
+    @Bean
+    @Qualifier("oidcMapper")
+    public ObjectMapper mapper() {
+        return new ObjectMapper()
+            .registerModule(new JavaTimeModule());
+    }
+
+}