OIDC UserInfo Endpoint

Signed-off-by: Stephen Crawford <[email protected]>
stephen-crawford · Aug 14, 2024 · fd26f1e · fd26f1e
1 parent e0bda71
commit fd26f1e
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 13 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -56,7 +56,7 @@ public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator
     private static final Pattern BASIC = Pattern.compile("^\\s*Basic\\s.*", Pattern.CASE_INSENSITIVE);
 
     private KeyProvider keyProvider;
-    private JwtVerifier jwtVerifier;
+    protected JwtVerifier jwtVerifier;
     private final String jwtHeaderName;
     private final boolean isDefaultAuthHeader;
     private final String jwtUrlParameter;

diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPOpenIdAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPOpenIdAuthenticator.java
@@ -2,6 +2,7 @@
 
 import com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator;
 import com.amazon.dlic.util.SettingsBasedSSLConfigurator;
+import com.google.googlejavaformat.Op;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
@@ -155,22 +156,12 @@ public  AuthCredentials extractCredentials0(SecurityRequest request, ThreadConte
 
                 }
 
-
                 // TODO: Make this return the formed creds from the response
                 return null;
-
-            } catch (ParseException | BadCredentialsException e) {
-                throw new RuntimeException(e);
             }
         } catch (IOException e) {
             throw new AuthenticatorUnavailableException("Error while getting " + this.userinfo_endpoint + ": " + e, e);
         }
-
-        return null;
-    }
-
-    private boolean signatureAlgorithmIsValid(JWK key, SignedJWT jwt) throws BadCredentialsException {
-        return false;
     }
 
     private String responseClaimsIncludeRequiredClaims(JWTClaimsSet claims, boolean isSigned) {
@@ -182,7 +173,7 @@ private String responseClaimsIncludeRequiredClaims(JWTClaimsSet claims, boolean
         }
 
         if (isSigned) {
-            if (claims.getClaim("iss") == null || claims.getClaim("iss").toString().isBlank() || !claims.getClaim("iss").toString().equals(ISSUER_ID_URL)) {
+            if (claims.getClaim("iss") == null || claims.getClaim("iss").toString().isBlank() || !claims.getClaim("iss").toString().equals(settings.get(ISSUER_ID_URL))) {
                 missing = missing.concat("iss");
             }
             if (claims.getClaim("aud") == null || claims.getClaim("aud").toString().isBlank() || !claims.getClaim("aud").toString().equals(settings.get(CLIENT_ID))) {
@@ -199,7 +190,6 @@ public HTTPJwtKeyByOpenIdConnectAuthenticator(Settings settings, Path configPath
             super(settings,configPath);
         }
 
-
         protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws Exception {
             int idpRequestTimeoutMs = settings.getAsInt("idp_request_timeout_ms", 5000);
             int idpQueuedThreadTimeoutMs = settings.getAsInt("idp_queued_thread_timeout_ms", 2500);
@@ -235,6 +225,31 @@ protected KeyProvider initKeyProvider(Settings settings, Path configPath) throws
             return selfRefreshingKeySet;
         }
 
+        @Override
+        public AuthCredentials extractCredentials(SecurityRequest request, ThreadContext context) throws OpenSearchSecurityException {
+            String parsedToken = super.getJwtTokenString(request);
+            SignedJWT jwt;
+            boolean isJwtSigned = false;
+            JWTClaimsSet claimsSet;
+
+            try {
+                jwt = super.jwtVerifier.getVerifiedJwtToken(parsedToken);
+                if (jwt.getSignature() != null) {
+                    isJwtSigned = true;
+                }
+                claimsSet = jwt.getJWTClaimsSet();
+            } catch (OpenSearchSecurityException | ParseException | BadCredentialsException e) {
+                throw new RuntimeException(e);
+            }
+
+            String missing = responseClaimsIncludeRequiredClaims(claimsSet, isJwtSigned);
+            if (!missing.isBlank()) {
+                throw new AuthenticatorUnavailableException("Missing expected claims: " + missing);
+            }
+
+            return super.extractCredentials(request, context);
+        }
+
         @Override
         public String getType() {
             return "jwt-key-by-oidc";