JWT WIP

doc/audit/builtin_maps.rst

@@ -381,6 +381,15 @@ JWT signing key to Issuer mapping.
 
 **Value** JWT issuer URL, represented as a string.
 
+``jwt.public_signing_key_issuers``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JWT signing key to CHANGE-ME mapping.
+
+**Key** JWT Key ID, represented as a string.
+
+**Value** CHANGE-ME.
+
 ``constitution``
 ~~~~~~~~~~~~~~~~
 

doc/schemas/gov_openapi.json

@@ -394,6 +394,26 @@
         ],
         "type": "object"
       },
+      "JwtIssuerWithConstraint": {
+        "properties": {
+          "constraint": {
+            "$ref": "#/components/schemas/string"
+          },
+          "issuer": {
+            "$ref": "#/components/schemas/string"
+          }
+        },
+        "required": [
+          "issuer"
+        ],
+        "type": "object"
+      },
+      "JwtIssuerWithConstraint_array": {
+        "items": {
+          "$ref": "#/components/schemas/JwtIssuerWithConstraint"
+        },
+        "type": "array"
+      },
       "KeyIdInfo": {
         "properties": {
           "cert": {
@@ -1262,6 +1282,12 @@
         },
         "type": "object"
       },
+      "string_to_JwtIssuerWithConstraint_array": {
+        "additionalProperties": {
+          "$ref": "#/components/schemas/JwtIssuerWithConstraint_array"
+        },
+        "type": "object"
+      },
       "string_to_KeyIdInfo": {
         "additionalProperties": {
           "$ref": "#/components/schemas/KeyIdInfo"
@@ -1335,7 +1361,7 @@
   "info": {
     "description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
     "title": "CCF Governance API",
-    "version": "4.1.6"
+    "version": "4.1.7"
   },
   "openapi": "3.0.0",
   "paths": {
@@ -1766,6 +1792,28 @@
         }
       }
     },
+    "/gov/kv/jwt/public_signing_key_issuers": {
+      "get": {
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/string_to_JwtIssuerWithConstraint_array"
+                }
+              }
+            },
+            "description": "Default response description"
+          },
+          "default": {
+            "$ref": "#/components/responses/default"
+          }
+        },
+        "x-ccf-forwarding": {
+          "$ref": "#/components/x-ccf-forwarding/sometimes"
+        }
+      }
+    },
     "/gov/kv/jwt/public_signing_keys": {
       "get": {
         "responses": {

include/ccf/crypto/jwk.h

@@ -27,12 +27,13 @@ namespace crypto
     JsonWebKeyType kty;
     std::optional<std::string> kid = std::nullopt;
     std::optional<std::vector<std::string>> x5c = std::nullopt;
+    std::optional<std::string> issuer = std::nullopt;
 
     bool operator==(const JsonWebKey&) const = default;
   };
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(JsonWebKey);
   DECLARE_JSON_REQUIRED_FIELDS(JsonWebKey, kty);
-  DECLARE_JSON_OPTIONAL_FIELDS(JsonWebKey, kid, x5c);
+  DECLARE_JSON_OPTIONAL_FIELDS(JsonWebKey, kid, x5c, issuer);
 
   enum class JsonWebKeyECCurve
   {

include/ccf/service/tables/jwt.h

@@ -58,10 +58,21 @@ namespace ccf
   using JwtKeyId = std::string;
   using Cert = std::vector<uint8_t>;
 
+  struct JwtIssuerWithConstraint
+  {
+    JwtIssuer issuer;
+    std::optional<JwtIssuer> constraint;
+  };
+  DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(JwtIssuerWithConstraint);
+  DECLARE_JSON_REQUIRED_FIELDS(JwtIssuerWithConstraint, issuer);
+  DECLARE_JSON_OPTIONAL_FIELDS(JwtIssuerWithConstraint, constraint);
+
   using JwtIssuers = ServiceMap<JwtIssuer, JwtIssuerMetadata>;
   using JwtPublicSigningKeys = kv::RawCopySerialisedMap<JwtKeyId, Cert>;
   using JwtPublicSigningKeyIssuer =
     kv::RawCopySerialisedMap<JwtKeyId, JwtIssuer>;
+  using JwtPublicSigningKeyIssuers =
+    ServiceMap<JwtKeyId, std::vector<JwtIssuerWithConstraint>>;
 
   namespace Tables
   {
@@ -70,6 +81,9 @@ namespace ccf
       "public:ccf.gov.jwt.public_signing_keys";
     static constexpr auto JWT_PUBLIC_SIGNING_KEY_ISSUER =
       "public:ccf.gov.jwt.public_signing_key_issuer";
+    static constexpr auto JWT_PUBLIC_SIGNING_KEY_ISSUERS =
+      "public:ccf.gov.jwt.public_signing_key_issuers";
+
   }
 
   struct JsonWebKeySet

src/endpoints/authentication/jwt_auth.cpp

@@ -3,13 +3,87 @@
 
 #include "ccf/endpoints/authentication/jwt_auth.h"
 
+#include "ccf/ds/nonstd.h"
 #include "ccf/pal/locking.h"
 #include "ccf/rpc_context.h"
 #include "ccf/service/tables/jwt.h"
 #include "ds/lru.h"
 #include "enclave/enclave_time.h"
 #include "http/http_jwt.h"
 
+namespace
+{
+  static const std::string multitenancy_indicator{"{tenantid}"};
+  static const std::string microsoft_entra_domain{"login.microsoftonline.com"};
+
+  std::optional<std::string_view> first_non_empty_chunk(
+    const std::vector<std::string_view>& chunks)
+  {
+    for (auto chunk : chunks)
+    {
+      if (!chunk.empty())
+      {
+        return chunk;
+      }
+    }
+    return std::nullopt;
+  }
+
+  bool validate_issuer(
+    const http::JwtVerifier::Token& token, std::string issuer)
+  {
+    LOG_INFO_FMT(
+      "Verify token.iss {} and token.tid {} against published key issuer {}",
+      token.payload_typed.iss,
+      token.payload_typed.tid,
+      issuer);
+
+    const bool is_microsoft_entra =
+      issuer.find(microsoft_entra_domain) != std::string::npos;
+    if (!is_microsoft_entra)
+    {
+      return token.payload_typed.iss == issuer;
+    }
+
+    // Specify tenant if working with multi-tenant endpoint.
+    const auto pos = issuer.find(multitenancy_indicator);
+    if (pos != std::string::npos)
+    {
+      issuer.replace(
+        pos, multitenancy_indicator.size(), token.payload_typed.tid);
+    }
+
+    // Step 1. Verify the token issuer against the key issuer.
+    if (token.payload_typed.iss != issuer)
+    {
+      return false;
+    }
+
+    // Step 2. Verify that token.tid is served as a part of token.iss. According
+    // to the documentation, we only accept this format:
+    //
+    // https://domain.com/tenant_id/something_else
+    //
+    // Here url.path == "/tenant_id/something_else".
+
+    const auto url = http::parse_url_full(token.payload_typed.iss);
+    const auto tenant_id = first_non_empty_chunk(nonstd::split(url.path, "/"));
+
+    return (tenant_id && token.payload_typed.tid == tenant_id.value());
+  }
+
+  bool validate_issuers(
+    const http::JwtVerifier::Token& token,
+    const std::vector<ccf::JwtIssuerWithConstraint>& issuers)
+  {
+    return std::any_of(issuers.begin(), issuers.end(), [&](const auto& issuer) {
+      return issuer.constraint.has_value() &&
+        validate_issuer(token, issuer.constraint.value());
+    });
+  }
+
+}
+
 namespace ccf
 {
   struct VerifiersCache
@@ -59,10 +133,11 @@ namespace ccf
       auto& token = token_opt.value();
       auto keys =
         tx.ro<JwtPublicSigningKeys>(ccf::Tables::JWT_PUBLIC_SIGNING_KEYS);
-      auto key_issuers = tx.ro<JwtPublicSigningKeyIssuer>(
-        ccf::Tables::JWT_PUBLIC_SIGNING_KEY_ISSUER);
+      auto key_issuers = tx.ro<JwtPublicSigningKeyIssuers>(
+        ccf::Tables::JWT_PUBLIC_SIGNING_KEY_ISSUERS);
       const auto key_id = token.header_typed.kid;
       const auto token_key = keys->get(key_id);
+      const auto issuers = key_issuers->get(key_id);
 
       if (!token_key.has_value())
       {
@@ -96,10 +171,24 @@ namespace ccf
               time_now,
               token.payload_typed.exp);
           }
+          else if (issuers->empty())
+          {
+            error_reason = fmt::format(
+              "Issuer validation failure for kid {} - issuer not found",
+              key_id);
+          }
+          else if (!validate_issuers(token, issuers.value()))
+          {
+            error_reason = fmt::format(
+              "Token issuer for kid {} failed validation agains the key issuer",
+              key_id);
+          }
           else
           {
             auto identity = std::make_unique<JwtAuthnIdentity>();
-            identity->key_issuer = key_issuers->get(key_id).value();
+            // TODO(#same-kid-different-issuer) back-propagate the proper issuer
+            // we checked against in case there are many.
+            identity->key_issuer = issuers->front().issuer;
             identity->header = std::move(token.header);
             identity->payload = std::move(token.payload);
             return identity;

src/http/http_jwt.h

@@ -32,9 +32,11 @@ namespace http
   {
     size_t nbf;
     size_t exp;
+    std::string iss;
+    std::string tid;
   };
   DECLARE_JSON_TYPE(JwtPayload)
-  DECLARE_JSON_REQUIRED_FIELDS(JwtPayload, nbf, exp)
+  DECLARE_JSON_REQUIRED_FIELDS(JwtPayload, nbf, exp, iss, tid)
 
   class JwtVerifier
   {

src/node/gov/handlers/service_state.h

@@ -468,8 +468,8 @@ namespace ccf::gov::endpoints
               ctx.tx.template ro<ccf::JwtPublicSigningKeys>(
                 ccf::Tables::JWT_PUBLIC_SIGNING_KEYS);
             auto jwt_key_issuers_handle =
-              ctx.tx.template ro<ccf::JwtPublicSigningKeyIssuer>(
-                ccf::Tables::JWT_PUBLIC_SIGNING_KEY_ISSUER);
+              ctx.tx.template ro<ccf::JwtPublicSigningKeyIssuers>(
+                ccf::Tables::JWT_PUBLIC_SIGNING_KEY_ISSUERS);
 
             jwt_keys_handle->foreach(
               [&keys, jwt_key_issuers_handle](
@@ -480,10 +480,12 @@ namespace ccf::gov::endpoints
                 const auto cert_pem = crypto::cert_der_to_pem(cert);
                 key_info["certificate"] = cert_pem.str();
 
-                const auto issuer = jwt_key_issuers_handle->get(kid);
-                if (issuer.has_value())
+                // TODO(#same-kid-different-issuer) we must either populate all
+                // issuers or choose one. To be discussed later on.
+                const auto issuers = jwt_key_issuers_handle->get(kid);
+                if (issuers.has_value() && !issuers->empty())
                 {
-                  key_info["issuer"] = issuer.value();
+                  key_info["issuer"] = issuers->front().issuer;
                 }
                 else
                 {

src/node/jwt_key_auto_refresh.h

@@ -137,6 +137,7 @@ namespace ccf
 
     void handle_jwt_jwks_response(
       const std::string& issuer,
+      const std::optional<std::string>& issuer_constraint,
       http_status status,
       std::vector<uint8_t>&& data)
     {
@@ -173,6 +174,20 @@ namespace ccf
 
       // call internal endpoint to update keys
       auto msg = SetJwtPublicSigningKeys{issuer, jwks};
+
+      // For each key we leave the specified issuer constraint or set a common
+      // one otherwise (if present).
+      if (issuer_constraint.has_value())
+      {
+        for (auto& key : jwks.keys)
+        {
+          if (!key.issuer.has_value())
+          {
+            key.issuer = issuer_constraint;
+          }
+        }
+      }
+
       send_refresh_jwt_keys(msg);
     }
 
@@ -201,9 +216,10 @@ namespace ccf
         issuer);
 
       std::string jwks_url_str;
+      nlohmann::json metadata;
       try
       {
-        auto metadata = nlohmann::json::parse(data);
+        metadata = nlohmann::json::parse(data);
         jwks_url_str = metadata.at("jwks_uri").get<std::string>();
       }
       catch (const std::exception& e)
@@ -235,6 +251,13 @@ namespace ccf
       auto ca_cert = std::make_shared<tls::Cert>(
         ca, std::nullopt, std::nullopt, jwks_url.host);
 
+      std::optional<std::string> issuer_constraint{std::nullopt};
+      const auto constraint = metadata.find("issuer");
+      if (constraint != metadata.end())
+      {
+        issuer_constraint = *constraint;
+      }
+
       LOG_DEBUG_FMT(
         "JWT key auto-refresh: Requesting JWKS at https://{}:{}{}",
         jwks_url.host,
@@ -246,9 +269,10 @@ namespace ccf
       http_client->connect(
         std::string(jwks_url.host),
         std::string(jwks_url_port),
-        [this, issuer](
+        [this, issuer, issuer_constraint](
           http_status status, http::HeaderMap&&, std::vector<uint8_t>&& data) {
-          handle_jwt_jwks_response(issuer, status, std::move(data));
+          handle_jwt_jwks_response(
+            issuer, issuer_constraint, status, std::move(data));
           return true;
         });
       http::Request r(jwks_url.path, HTTP_GET);