Fix DCR to support JWT tokens by default.

Fix JWT Authenticator to remove audience.
dushaniw · Feb 13, 2024 · adbf06f · adbf06f
1 parent 68ca131
commit adbf06f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 60 deletions.
diff --git a/...r/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java b/...r/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java
@@ -144,7 +144,7 @@ public Response register(RegistrationProfile profile) {
                     }
                 }
 
-                String tokenType = APIConstants.DEFAULT_TOKEN_TYPE;
+                String tokenType = APIConstants.TOKEN_TYPE_JWT;
                 String profileTokenType = profile.getTokenType();
                 if (StringUtils.isNotEmpty(profileTokenType)) {
                     tokenType = profileTokenType;

diff --git a/...il/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java b/...il/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java
@@ -69,11 +69,9 @@ public class OAuthJwtAuthenticatorImpl extends AbstractOAuthAuthenticator {
             APIConstants.EMAIL_DOMAIN_SEPARATOR + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
     private boolean isRESTApiTokenCacheEnabled;
     private Map<String, TokenIssuerDto> tokenIssuers;
-    private java.util.Map<String, List<String>> audiencesMap;
 
     public OAuthJwtAuthenticatorImpl() {
         tokenIssuers = getTokenIssuers();
-        audiencesMap = getRestApiJWTAuthAudiences();
     }
 
     /**
@@ -228,71 +226,52 @@ private JWTValidationInfo validateJWTToken(SignedJWTInfo signedJWTInfo, String j
 
         if (StringUtils.isNotEmpty(issuer)) {
             //validate Issuer
-            List<String> tokenAudiences = signedJWTInfo.getJwtClaimsSet().getAudience();
             if (tokenIssuers != null && tokenIssuers.containsKey(issuer)) {
-                //validate audience
-                if (audiencesMap != null && audiencesMap.get(basePath.getPath()) != null &&
-                        tokenAudiences.stream().anyMatch(audiencesMap.get(basePath.getPath())::contains)) {
-                    if (isRESTApiTokenCacheEnabled) {
-                        JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo) getRESTAPITokenCache().get(jti);
-                        if (tempJWTValidationInfo != null) {
-                            Boolean isExpired = checkTokenExpiration(new Date(tempJWTValidationInfo.getExpiryTime()));
-                            if (isExpired) {
-                                tempJWTValidationInfo.setValid(false);
-                                getRESTAPITokenCache().remove(jti);
-                                getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
-                                log.error("JWT token validation failed. Reason: Expired Token. " + maskedToken);
-                                return tempJWTValidationInfo;
-                            }
-                            //check accessToken
-                            if (!tempJWTValidationInfo.getRawPayload().equals(accessToken)) {
-                                tempJWTValidationInfo.setValid(false);
-                                getRESTAPITokenCache().remove(jti);
-                                getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
-                                log.error("JWT token validation failed. Reason: Invalid Token. " + maskedToken);
-                                return tempJWTValidationInfo;
-                            }
+                if (isRESTApiTokenCacheEnabled) {
+                    JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo) getRESTAPITokenCache().get(jti);
+                    if (tempJWTValidationInfo != null) {
+                        boolean isExpired = checkTokenExpiration(new Date(tempJWTValidationInfo.getExpiryTime()));
+                        if (isExpired) {
+                            tempJWTValidationInfo.setValid(false);
+                            getRESTAPITokenCache().remove(jti);
+                            getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
+                            log.error("JWT token validation failed. Reason: Expired Token. " + maskedToken);
                             return tempJWTValidationInfo;
-
-                        } else if (getRESTAPIInvalidTokenCache().get(jti) != null) {
-                            if (log.isDebugEnabled()) {
-                                log.debug("Token retrieved from the invalid token cache. Token: " + maskedToken);
-                            }
-                            return (JWTValidationInfo) getRESTAPIInvalidTokenCache().get(jti);
                         }
-                    }
-                    //info not in cache. validate signature and exp
-                    JWTValidator jwtValidator = APIMConfigUtil.getJWTValidatorMap().get(issuer);
-                    jwtValidationInfo = jwtValidator.validateToken(signedJWTInfo);
-                    if (jwtValidationInfo.isValid()) {
-                        //valid token
-                        if (isRESTApiTokenCacheEnabled) {
-                            getRESTAPITokenCache().put(jti, jwtValidationInfo);
+                        //check accessToken
+                        if (!tempJWTValidationInfo.getRawPayload().equals(accessToken)) {
+                            tempJWTValidationInfo.setValid(false);
+                            getRESTAPITokenCache().remove(jti);
+                            getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
+                            log.error("JWT token validation failed. Reason: Invalid Token. " + maskedToken);
+                            return tempJWTValidationInfo;
                         }
-                    } else {
-                        //put in invalid cache
-                        if (isRESTApiTokenCacheEnabled) {
-                            getRESTAPIInvalidTokenCache().put(jti, jwtValidationInfo);
+                        return tempJWTValidationInfo;
+
+                    } else if (getRESTAPIInvalidTokenCache().get(jti) != null) {
+                        if (log.isDebugEnabled()) {
+                            log.debug("Token retrieved from the invalid token cache. Token: " + maskedToken);
                         }
-                        //invalid credentials : 900901 error code
-                        log.error("JWT token validation failed. Reason: Invalid Credentials. " +
-                                "Make sure you have provided the correct security credentials in the token :"
-                                + maskedToken);
+                        return (JWTValidationInfo) getRESTAPIInvalidTokenCache().get(jti);
+                    }
+                }
+                //info not in cache. validate signature and exp
+                JWTValidator jwtValidator = APIMConfigUtil.getJWTValidatorMap().get(issuer);
+                jwtValidationInfo = jwtValidator.validateToken(signedJWTInfo);
+                if (jwtValidationInfo.isValid()) {
+                    //valid token
+                    if (isRESTApiTokenCacheEnabled) {
+                        getRESTAPITokenCache().put(jti, jwtValidationInfo);
                     }
                 } else {
-                    if (audiencesMap == null) {
-                        log.error("JWT token audience validation failed. Reason: No audiences registered " +
-                                "in the server");
-                    } else if (audiencesMap.get(basePath.getPath()) == null) {
-                        log.error("JWT token audience validation failed. Reason: No audiences registered " +
-                                "in the server for the base path (" + basePath.getPath() + ")");
-                    } else {
-                        log.error("JWT token audience validation failed. Reason: None of the aud present "
-                                + "in the JWT (" + tokenAudiences.toString() +
-                                ") matches the intended audience (" + audiencesMap.get(basePath.getPath())
-                                .toString() + ") for base path ( " + basePath.getPath() +  " ).");
+                    //put in invalid cache
+                    if (isRESTApiTokenCacheEnabled) {
+                        getRESTAPIInvalidTokenCache().put(jti, jwtValidationInfo);
                     }
-                    return null;
+                    //invalid credentials : 900901 error code
+                    log.error("JWT token validation failed. Reason: Invalid Credentials. " +
+                            "Make sure you have provided the correct security credentials in the token :"
+                            + maskedToken);
                 }
             } else {
                 //invalid issuer. invalid token