AWS ALB authentication and micronaut user details

[rferreira]

Hello folks, I'm trying to integrate Micronaut with AWS' ALB authentication and I've gotten the access token to work well by simply setting the correct header like this:

security:
    token:
      jwt:
        enabled: true
        bearer:
          header-name: "X-Amzn-Oidc-Accesstoken"
          enabled: true
          prefix: ""
        signatures:
          jwks:
            cognito:
              url: "https://cognito-idp.us-east-1.amazonaws.com/*******/.well-known/jwks.json"

But, according to the AWS documentation, claims are coming from a separate header x-amzn-oidc-data and I could user some pointers on how to wire that into the JWT claim flow to hydrate the UserDetails with the correct information. Has anyone successfully integrated Micronaut behind AWS ALB's user authentication logic?

Big thanks

[rferreira]

For posterity, here's a custom TokenValidator that handles AWS's EC256 keys:

@Singleton
public class AwsAlbOidcTokenValidator implements TokenValidator {
  private static final Logger LOG = Loggers.build();
  private final HttpClient httpClient;
  private final SecurityConfig securityConfig;

  @Inject
  public AwsAlbOidcTokenValidator(HttpClient httpClient, SecurityConfig securityConfig) {
    this.httpClient = httpClient;
    this.securityConfig = securityConfig;
  }

  @Override
  public Publisher<Authentication> validateToken(String token) {
    throw new IllegalStateException("deprecated");
  }

  @Override
  public Publisher<Authentication> validateToken(String token, @Nullable HttpRequest<?> request) {
    try {
      LOG.debug("validating token {}", token);
      final var jwt = SignedJWT.parse(token);
      final var keyId = jwt.getHeader().getKeyID();

      if (keyId == null) {
        LOG.warn("kid not found in token header");
      } else {
        var jwk = getPublicKey(keyId);

        if (jwt.verify(new ECDSAVerifier(jwk.toECKey()))) {
          return Publishers.just(new Authentication() {
            @NonNull
            @Override
            public Map<String, Object> getAttributes() {
              return jwt.getPayload().toJSONObject();
            }

            @Override
            public String getName() {
              return (String) jwt.getPayload().toJSONObject().get("username");
            }
          });
        } else {
          LOG.warn("unable to verify token using kid: {}", jwt.getHeader().getKeyID());
        }
      }

    } catch (JOSEException | ParseException | HttpClientResponseException e) {
      LOG.error("error handling token {}", token, e);
    }
    return Publishers.empty();
  }

  @Cacheable(value = "1h")
  @Retryable
  JWK getPublicKey(String keyId) throws JOSEException {
    final var location = UriBuilder.of(securityConfig.getOidcDataKeyURL()).expand(Map.of("kid", keyId))
      .toString();
    LOG.info("loading private key from {} for kid: {}", location, keyId);
    var keyAsText = httpClient.toBlocking().retrieve(location);
    return JWK.parseFromPEMEncodedObjects(keyAsText);
  }
}

A couple things of note:

• I'm using Micronaut's built in token handler to pull the token from the header header-name: "X-Amzn-Oidc-Data"
• SecurityConfig is just a bean holding the ALB's EC key url like: https://public-keys.auth.elb.us-east-1.amazonaws.com/{kid}
• I had to pull in bouncy castle for the JWT PEM parsing to work
• This is only lightly tested

[sdelamo]

thanks for sharing this @rferreira !