From adbf06fcd6841a4093c481fb27c0bfb252102428 Mon Sep 17 00:00:00 2001
From: dushani
Date: Tue, 13 Feb 2024 09:54:26 +0530
Subject: [PATCH] Fix DCR to support JWT tokens by default. Fix JWT Authenticator to remove audience.
---
 .../dcr/web/impl/RegistrationServiceImpl.java | 2 +-
 .../util/impl/OAuthJwtAuthenticatorImpl.java | 97 ++++++++-----------
 2 files changed, 39 insertions(+), 60 deletions(-)
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.dcr/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.dcr/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java
index ebc5ec0d3eb2..f28bfeef89ea 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.rest.api.dcr/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.rest.api.dcr/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web/impl/RegistrationServiceImpl.java
@@ -144,7 +144,7 @@ public Response register(RegistrationProfile profile) {
 }
 }
- String tokenType = APIConstants.DEFAULT_TOKEN_TYPE;
+ String tokenType = APIConstants.TOKEN_TYPE_JWT;
 String profileTokenType = profile.getTokenType();
 if (StringUtils.isNotEmpty(profileTokenType)) {
 tokenType = profileTokenType;
diff --git a/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java b/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java
index f3f27be20f27..de1e13ba8fcb 100644
--- a/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java
+++ b/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java 
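Review bot: The new `+` line silently flips every DCR registration that omits `tokenType` from the previous default to JWT, and nothing in the hunk says why, so a one-line comment would help the next reader: `// Default to JWT access tokens; an explicit profile.tokenType still wins below.` The profile-supplied value is then copied straight through on the following context lines without being compared against the known token-type constants, so a client can still register with any string here; if the downstream key manager does not reject unknown types (not visible in this hunk), a check against the accepted values belongs next to this default. `register` starts and ends outside the hunk.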
@@ -69,11 +69,9 @@ public class OAuthJwtAuthenticatorImpl extends AbstractOAuthAuthenticator {
 APIConstants.EMAIL_DOMAIN_SEPARATOR + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
 private boolean isRESTApiTokenCacheEnabled;
 private Map tokenIssuers;
- private java.util.Map> audiencesMap;
 public OAuthJwtAuthenticatorImpl() {
 tokenIssuers = getTokenIssuers();
- audiencesMap = getRestApiJWTAuthAudiences();
 }
 /** 
@@ -228,71 +226,52 @@ private JWTValidationInfo validateJWTToken(SignedJWTInfo signedJWTInfo, String j
 if (StringUtils.isNotEmpty(issuer)) {
 //validate Issuer
- List tokenAudiences = signedJWTInfo.getJwtClaimsSet().getAudience();
 if (tokenIssuers != null && tokenIssuers.containsKey(issuer)) {
- //validate audience
- if (audiencesMap != null && audiencesMap.get(basePath.getPath()) != null &&
- tokenAudiences.stream().anyMatch(audiencesMap.get(basePath.getPath())::contains)) {
- if (isRESTApiTokenCacheEnabled) {
- JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo) getRESTAPITokenCache().get(jti);
- if (tempJWTValidationInfo != null) {
- Boolean isExpired = checkTokenExpiration(new Date(tempJWTValidationInfo.getExpiryTime()));
- if (isExpired) {
- tempJWTValidationInfo.setValid(false);
- getRESTAPITokenCache().remove(jti);
- getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
- log.error("JWT token validation failed. Reason: Expired Token. " + maskedToken);
- return tempJWTValidationInfo;
- }
- //check accessToken
- if (!tempJWTValidationInfo.getRawPayload().equals(accessToken)) {
- tempJWTValidationInfo.setValid(false);
- getRESTAPITokenCache().remove(jti);
- getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
- log.error("JWT token validation failed. Reason: Invalid Token. " + maskedToken);
- return tempJWTValidationInfo;
- }
+ if (isRESTApiTokenCacheEnabled) {
+ JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo) getRESTAPITokenCache().get(jti);
+ if (tempJWTValidationInfo != null) {
+ boolean isExpired = checkTokenExpiration(new Date(tempJWTValidationInfo.getExpiryTime()));
+ if (isExpired) {
+ tempJWTValidationInfo.setValid(false);
+ getRESTAPITokenCache().remove(jti);
+ getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
+ log.error("JWT token validation failed. Reason: Expired Token. 
" + maskedToken);
 return tempJWTValidationInfo;
-
- } else if (getRESTAPIInvalidTokenCache().get(jti) != null) {
- if (log.isDebugEnabled()) {
- log.debug("Token retrieved from the invalid token cache. Token: " + maskedToken);
- }
- return (JWTValidationInfo) getRESTAPIInvalidTokenCache().get(jti);
 }
- }
- //info not in cache. validate signature and exp
- JWTValidator jwtValidator = APIMConfigUtil.getJWTValidatorMap().get(issuer);
- jwtValidationInfo = jwtValidator.validateToken(signedJWTInfo);
- if (jwtValidationInfo.isValid()) {
- //valid token
- if (isRESTApiTokenCacheEnabled) {
- getRESTAPITokenCache().put(jti, jwtValidationInfo);
+ //check accessToken
+ if (!tempJWTValidationInfo.getRawPayload().equals(accessToken)) {
+ tempJWTValidationInfo.setValid(false);
+ getRESTAPITokenCache().remove(jti);
+ getRESTAPIInvalidTokenCache().put(jti, tempJWTValidationInfo);
+ log.error("JWT token validation failed. Reason: Invalid Token. " + maskedToken);
+ return tempJWTValidationInfo;
 }
- } else {
- //put in invalid cache
- if (isRESTApiTokenCacheEnabled) {
- getRESTAPIInvalidTokenCache().put(jti, jwtValidationInfo);
+ return tempJWTValidationInfo;
+
+ } else if (getRESTAPIInvalidTokenCache().get(jti) != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Token retrieved from the invalid token cache. Token: " + maskedToken);
- }
- //invalid credentials : 900901 error code
- log.error("JWT token validation failed. Reason: Invalid Credentials. " +
- "Make sure you have provided the correct security credentials in the token :"
- + maskedToken);
+ return (JWTValidationInfo) getRESTAPIInvalidTokenCache().get(jti);
+ }
+ }
+ //info not in cache. 
validate signature and exp
+ JWTValidator jwtValidator = APIMConfigUtil.getJWTValidatorMap().get(issuer);
+ jwtValidationInfo = jwtValidator.validateToken(signedJWTInfo);
+ if (jwtValidationInfo.isValid()) {
+ //valid token
+ if (isRESTApiTokenCacheEnabled) {
+ getRESTAPITokenCache().put(jti, jwtValidationInfo);
 }
 } else {
- if (audiencesMap == null) {
- log.error("JWT token audience validation failed. Reason: No audiences registered " +
- "in the server");
- } else if (audiencesMap.get(basePath.getPath()) == null) {
- log.error("JWT token audience validation failed. Reason: No audiences registered " +
- "in the server for the base path (" + basePath.getPath() + ")");
- } else {
- log.error("JWT token audience validation failed. Reason: None of the aud present "
- + "in the JWT (" + tokenAudiences.toString() +
- ") matches the intended audience (" + audiencesMap.get(basePath.getPath())
- .toString() + ") for base path ( " + basePath.getPath() + " ).");
+ //put in invalid cache
+ if (isRESTApiTokenCacheEnabled) {
+ getRESTAPIInvalidTokenCache().put(jti, jwtValidationInfo);
 }
- return null;
+ //invalid credentials : 900901 error code
+ log.error("JWT token validation failed. Reason: Invalid Credentials. " +
+ "Make sure you have provided the correct security credentials in the token :"
+ + maskedToken);
 }
 } else {
 //invalid issuer. invalid token
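Review bot: Deleting the `tokenAudiences` lookup and the `audiencesMap` match at the top of the hunk leaves the new side trusting any correctly signed, unexpired JWT whose `iss` is in `tokenIssuers`, whatever resource the token was minted for, so a token the same issuer issued for an unrelated audience now passes this authenticator unless something after the hunk rejects it. If the goal is only to stop deployments with no configured audiences from failing (the removed branch logged "No audiences registered" and returned null), a narrower change keeps the check when an audience is configured for `basePath` and skips it otherwise, as sketched below; that sketch needs the `audiencesMap` field the earlier hunk removes. Separately, the re-added `JWTValidator jwtValidator = APIMConfigUtil.getJWTValidatorMap().get(issuer);` is dereferenced on the next line with no null check, which appears to assume the validator map and `tokenIssuers` are always populated together — worth a guard or a comment stating that invariant. `validateJWTToken` begins before the hunk and, judging by the trailing `} else {`, continues after it.
```java
if (tokenIssuers != null && tokenIssuers.containsKey(issuer)) {
    // Enforce aud only when this base path has audiences configured; without this, a
    // trusted issuer's token minted for another resource would be accepted here.
    List<String> expectedAudiences = audiencesMap == null ? null : audiencesMap.get(basePath.getPath());
    if (expectedAudiences != null) {
        List<String> tokenAudiences = signedJWTInfo.getJwtClaimsSet().getAudience();
        if (tokenAudiences == null || tokenAudiences.stream().noneMatch(expectedAudiences::contains)) {
            log.error("JWT token validation failed. Reason: aud " + tokenAudiences + " does not match "
                    + expectedAudiences + " for base path (" + basePath.getPath() + ").");
            return null;
        }
    }
    // … unchanged: cache lookup, signature/exp validation, cache population …
```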