From f582401a09e4c91793aecc39a57647f546d69b1d Mon Sep 17 00:00:00 2001
From: ndr_brt
Date: Thu, 22 Sep 2022 14:01:10 +0200
Subject: [PATCH] Introduce oauth2 default providers
---
 .../common/iam/oauth2/oauth2-core/README.md | 21 +++++-----
 .../core/Oauth2DefaultServicesExtension.java | 38 +++++++++++++++++++
 .../iam/oauth2/core/Oauth2Extension.java | 13 +------
 ...spaceconnector.spi.system.ServiceExtension | 3 +-
 .../Oauth2AudienceValidationRuleTest.java | 1 -
 ...2ExpirationIssuedAtValidationRuleTest.java | 4 --
 ...lsRequestAdditionalParametersProvider.java | 19 ++++++++++
 7 files changed, 72 insertions(+), 27 deletions(-)
 create mode 100644 extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java
 create mode 100644 spi/common/oauth2-spi/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/spi/NoopCredentialsRequestAdditionalParametersProvider.java
diff --git a/extensions/common/iam/oauth2/oauth2-core/README.md b/extensions/common/iam/oauth2/oauth2-core/README.md
index a9371406bc1..4d079ee8d8b 100644
--- a/extensions/common/iam/oauth2/oauth2-core/README.md
+++ b/extensions/common/iam/oauth2/oauth2-core/README.md
@@ -4,16 +4,17 @@ This extension provides an `IdentityService` implementation based on the OAuth2
 
 ## Configuration
 
-| Parameter name                    | Description                                                                                | Mandatory | Default value                   |
-|:----------------------------------|:-------------------------------------------------------------------------------------------|:----------|:--------------------------------|
-| `edc.oauth.token.url`             | URL of the authorization server                                                            | true      | null                            |
-| `edc.oauth.provider.audience`     | Provider audience                                                                          | false     | id of the connector             |
-| `edc.oauth.provider.jwks.url`     | URL from which well-known public keys of Authorization server can be fetched               | false     | http://localhost/empty_jwks_url |
-| `edc.oauth.public.key.alias`      | Alias of public associated with client certificate                                         | true      | null                            |
-| `edc.oauth.private.key.alias`     | Alias of private key (used to sign the token)                                              | true      | null                            |
-| `edc.oauth.provider.jwks.refresh` | Interval at which public keys are refreshed from Authorization server (in minutes)         | false     | 5                               |
-| `edc.oauth.client.id`             | Public identifier of the client                                                            | true      | null                            |
-| `edc.oauth.validation.nbf.leeway` | Leeway in seconds added to current time to remedy clock skew on notBefore claim validation | false     | 10                              |
+| Parameter name                    | Description                                                                                | Mandatory | Default value                       |
+|:----------------------------------|:-------------------------------------------------------------------------------------------|:----------|:------------------------------------|
+| `edc.oauth.token.url`             | URL of the authorization server                                                            | true      | null                                |
+| `edc.oauth.provider.audience`     | Provider audience to be put in the outgoing token as 'aud' claim                           | false     | id of the connector                 |
+| `edc.oauth.endpoint.audience`     | Endpoint audience to verify incoming token 'aud' claim                                     | false     | `edc.oauth.provider.audience` value |
+| `edc.oauth.provider.jwks.url`     | URL from which well-known public keys of Authorization server can be fetched               | false     | http://localhost/empty_jwks_url     |
+| `edc.oauth.public.key.alias`      | Alias of public associated with client certificate                                         | true      | null                                |
+| `edc.oauth.private.key.alias`     | Alias of private key (used to sign the token)                                              | true      | null                                |
+| `edc.oauth.provider.jwks.refresh` | Interval at which public keys are refreshed from Authorization server (in minutes)         | false     | 5                                   |
+| `edc.oauth.client.id`             | Public identifier of the client                                                            | true      | null                                |
+| `edc.oauth.validation.nbf.leeway` | Leeway in seconds added to current time to remedy clock skew on notBefore claim validation | false     | 10                                  |
 
 ## Extensions
 
diff --git a/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java b/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java
new file mode 100644
index 00000000000..ba0326b4289
--- /dev/null
+++ b/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2DefaultServicesExtension.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+
+package org.eclipse.dataspaceconnector.iam.oauth2.core;
+
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.CredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.iam.oauth2.spi.NoopCredentialsRequestAdditionalParametersProvider;
+import org.eclipse.dataspaceconnector.spi.system.Provider;
+import org.eclipse.dataspaceconnector.spi.system.ServiceExtension;
+
+/**
+ * Provides default service implementations for fallback
+ */
+public class Oauth2DefaultServicesExtension implements ServiceExtension {
+
+ @Override
+ public String name() {
+ return "OAuth2 Core Default Services";
+ }
+
+ @Provider(isDefault = true)
+ public CredentialsRequestAdditionalParametersProvider credentialsRequestAdditionalParametersProvider() {
+ return new NoopCredentialsRequestAdditionalParametersProvider();
+ }
+
+}
diff --git a/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2Extension.java b/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2Extension.java
index c1f30ba88c3..bcaa678f571 100644
--- a/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2Extension.java
+++ b/extensions/common/iam/oauth2/oauth2-core/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/core/Oauth2Extension.java
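Review bot: The class Javadoc `Provides default service implementations for fallback` and the undocumented `credentialsRequestAdditionalParametersProvider()` method leave a reader to infer from `@Provider(isDefault = true)` when this bean is actually in effect. Since `Oauth2Extension` in this same commit now injects the provider as a required dependency, it is worth stating here that the no-op is used only when no other extension supplies a `CredentialsRequestAdditionalParametersProvider`, which appears to be what `isDefault = true` means. Suggest a method Javadoc such as `/** Fallback provider that contributes no extra parameters to the client-credentials token request; presumably superseded when another extension provides this service. */` and a class summary that names the service it defaults.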
@@ -36,16 +36,12 @@
 import org.eclipse.dataspaceconnector.spi.security.PrivateKeyResolver;
 import org.eclipse.dataspaceconnector.spi.system.ServiceExtension;
 import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext;
-import org.jetbrains.annotations.NotNull;
 
 import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
 import java.time.Clock;
-import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
-import static java.util.Collections.emptyMap;
-
 /**
 * Provides OAuth2 client credentials flow support.
 */
@@ -95,7 +91,7 @@ public class Oauth2Extension implements ServiceExtension {
 @Inject
 private Clock clock;
 
-    @Inject(required = false)
+    @Inject
 private CredentialsRequestAdditionalParametersProvider credentialsRequestAdditionalParametersProvider;
 
 @Override
@@ -130,7 +126,7 @@ public void initialize(ServiceExtensionContext context) {
 jwtDecoratorRegistry,
 context.getTypeManager(),
 new TokenValidationServiceImpl(configuration.getIdentityProviderKeyResolver(), validationRulesRegistry),
-    Optional.ofNullable(credentialsRequestAdditionalParametersProvider).orElse(noopCredentialsRequestAdditionalParametersProvider())
+    credentialsRequestAdditionalParametersProvider
 );
 
 context.registerService(IdentityService.class, oauth2Service);
@@ -146,11 +142,6 @@ public void shutdown() {
 providerKeyResolver.stop();
 }
 
-    @NotNull
-    private CredentialsRequestAdditionalParametersProvider noopCredentialsRequestAdditionalParametersProvider() {
-        return p -> emptyMap();
-    }
-
 private byte[] getEncodedClientCertificate(Oauth2Configuration configuration) {
 var certificate = configuration.getCertificateResolver().resolveCertificate(configuration.getPublicCertificateAlias());
 if (certificate == null) {
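Review bot: Dropping `required = false` from the `@Inject` in the `@@ -95,7 +91,7 @@` hunk makes the fallback implicit: the field is now satisfied only because `Oauth2DefaultServicesExtension`, registered in this commit's META-INF/services change, provides the no-op via `@Provider(isDefault = true)`, and the inline `Optional.ofNullable(...).orElse(noopCredentialsRequestAdditionalParametersProvider())` that the `initialize` hunk removes was the only place this class spelled the default out. That wiring is invisible from `Oauth2Extension` itself, so a field comment would help the next maintainer: `// Defaulted by Oauth2DefaultServicesExtension's no-op provider when no other extension supplies one.` If the default extension is ever left off the classpath the injection should fail at startup rather than silently run without a provider, which seems to be the intent and is worth a sentence in the class Javadoc. `initialize` and `getEncodedClientCertificate` both start or end outside their hunks.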
diff --git a/extensions/common/iam/oauth2/oauth2-core/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension b/extensions/common/iam/oauth2/oauth2-core/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension
index a00cadbc3c4..d52899494fa 100644
--- a/extensions/common/iam/oauth2/oauth2-core/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension
+++ b/extensions/common/iam/oauth2/oauth2-core/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020, 2021 Microsoft Corporation
+# Copyright (c) 2020 - 2022 Microsoft Corporation
 #
 # This program and the accompanying materials are made available under the
 # terms of the Apache License, Version 2.0 which is available at
@@ -13,3 +13,4 @@
 #
 
 org.eclipse.dataspaceconnector.iam.oauth2.core.Oauth2Extension
+org.eclipse.dataspaceconnector.iam.oauth2.core.Oauth2DefaultServicesExtension
diff --git a/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRuleTest.java b/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRuleTest.java
index e08b42cbf33..af7d4c33ff7 100644
--- a/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRuleTest.java
+++ b/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2AudienceValidationRuleTest.java
@@ -12,7 +12,6 @@
 *
 */
 
-
 package org.eclipse.dataspaceconnector.iam.oauth2.core.rule;
 
 import org.eclipse.dataspaceconnector.spi.iam.ClaimToken;
diff --git a/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2ExpirationIssuedAtValidationRuleTest.java b/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2ExpirationIssuedAtValidationRuleTest.java
index ea19b1fdff6..3ba44e76c19 100644
--- a/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2ExpirationIssuedAtValidationRuleTest.java
+++ b/extensions/common/iam/oauth2/oauth2-core/src/test/java/org/eclipse/dataspaceconnector/iam/oauth2/core/rule/Oauth2ExpirationIssuedAtValidationRuleTest.java
@@ -12,7 +12,6 @@
 *
 */
 
-
 package org.eclipse.dataspaceconnector.iam.oauth2.core.rule;
 
 import org.eclipse.dataspaceconnector.spi.iam.ClaimToken;
@@ -23,15 +22,12 @@
 import java.time.Clock;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.List;
 
 import static java.time.ZoneOffset.UTC;
 import static java.util.Collections.emptyMap;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.AUDIENCE;
 import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.EXPIRATION_TIME;
 import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.ISSUED_AT;
-import static org.eclipse.dataspaceconnector.spi.jwt.JwtRegisteredClaimNames.NOT_BEFORE;
 
 class Oauth2ExpirationIssuedAtValidationRuleTest {
 
diff --git a/spi/common/oauth2-spi/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/spi/NoopCredentialsRequestAdditionalParametersProvider.java b/spi/common/oauth2-spi/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/spi/NoopCredentialsRequestAdditionalParametersProvider.java
new file mode 100644
index 00000000000..7866afdc31a
--- /dev/null
+++ b/spi/common/oauth2-spi/src/main/java/org/eclipse/dataspaceconnector/iam/oauth2/spi/NoopCredentialsRequestAdditionalParametersProvider.java
@@ -0,0 +1,19 @@
+package org.eclipse.dataspaceconnector.iam.oauth2.spi;
+
+import org.eclipse.dataspaceconnector.spi.iam.TokenParameters;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Map;
+
+import static java.util.Collections.emptyMap;
+
+/**
+ * No-op implementation for CredentialsRequestAdditionalParametersProvider
+ */
+public class NoopCredentialsRequestAdditionalParametersProvider implements CredentialsRequestAdditionalParametersProvider {
+
+ @Override
+ public @NotNull Map provide(TokenParameters parameters) {
+ return emptyMap();
+ }
+}
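Review bot: `provide` in `NoopCredentialsRequestAdditionalParametersProvider` is declared with a raw `Map` return type; it should repeat the parameterized type that `CredentialsRequestAdditionalParametersProvider.provide` declares (the interface is not in this diff), otherwise the override compiles only with a raw-type warning and hides the key/value types from callers. The file also lacks the Apache-2.0 license header that the other new file in this commit, `Oauth2DefaultServicesExtension.java`, carries. The Javadoc could additionally state what "no-op" means here, e.g. `/** No-op implementation of CredentialsRequestAdditionalParametersProvider: always returns an immutable empty map, so no additional parameters are contributed. */`.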