
Add support for OpenId Connect userinfo_endpoint #4649

4 changes: 4 additions & 0 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -607,6 +607,10 @@ dependencies {
runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.2'
runtimeOnly 'org.ow2.asm:asm:9.7'

implementation 'com.nimbusds:oauth2-oidc-sdk:11.18'
implementation 'net.minidev:json-smart:2.5.1'
implementation 'com.nimbusds:content-type:2.3'

testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.2'

//OpenSAML
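Review bot: The three new `implementation` entries add an OAuth2/OIDC client stack to the security plugin's runtime classpath, and two of them (`net.minidev:json-smart`, `com.nimbusds:content-type`) look like transitive dependencies of `oauth2-oidc-sdk` that are being pinned explicitly; a one-line comment saying why they are pinned (alignment with the SDK's expected versions, or a conflict with another consumer of json-smart) would stop a future bump from silently dropping or mismatching them. It is worth confirming that all three resolve to versions the project's dependency-check / SBOM tooling has cleared, since json-smart is the JSON parser that will presumably be fed responses from a remote userinfo endpoint. For consistency with the `//OpenSAML` group just below, suggest a `// OpenID Connect userinfo` comment above the block.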
Original file line number Diff line number Diff line change
Expand Up @@ -56,10 +56,10 @@
private static final Pattern BASIC = Pattern.compile("^\\s*Basic\\s.*", Pattern.CASE_INSENSITIVE);

private KeyProvider keyProvider;
private JwtVerifier jwtVerifier;
private final String jwtHeaderName;
private final boolean isDefaultAuthHeader;
private final String jwtUrlParameter;
protected JwtVerifier jwtVerifier;
protected final String jwtHeaderName;
protected final boolean isDefaultAuthHeader;
protected final String jwtUrlParameter;
private final String subjectKey;
private final String rolesKey;
private final List<String> requiredAudience;
Expand All @@ -81,7 +81,7 @@
if (!jwtHeaderName.equals(AUTHORIZATION)) {
deprecationLog.deprecate(
"jwt_header",
"The 'jwt_header' setting will be removed in the next major version of OpenSearch. Consult https://github.com/opensearch-project/security/issues/3886 for more details."
"The 'jwt_header' setting will be removed in the next major version of OpenSearch. Consult https://github.com/opensearch-project/security/issues/3886 for more details."
);
}

Expand Down Expand Up @@ -117,7 +117,7 @@

private AuthCredentials extractCredentials0(final SecurityRequest request) throws OpenSearchSecurityException {

String jwtString = getJwtTokenString(request);
String jwtString = getJwtTokenString(request, jwtHeaderName, jwtUrlParameter, isDefaultAuthHeader);

if (Strings.isNullOrEmpty(jwtString)) {
return null;
Expand Down Expand Up @@ -155,34 +155,6 @@
return ac;
}

protected String getJwtTokenString(SecurityRequest request) {
String jwtToken = request.header(jwtHeaderName);
if (isDefaultAuthHeader && jwtToken != null && BASIC.matcher(jwtToken).matches()) {
jwtToken = null;
}

if (jwtUrlParameter != null) {
if (jwtToken == null || jwtToken.isEmpty()) {
jwtToken = request.params().get(jwtUrlParameter);
} else {
// just consume to avoid "contains unrecognized parameter"
request.params().get(jwtUrlParameter);
}
}

if (jwtToken == null) {
return null;
}

int index;

if ((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { // detect Bearer
jwtToken = jwtToken.substring(index + BEARER.length());
}

return jwtToken;
}

@VisibleForTesting
public String extractSubject(JWTClaimsSet claims) {
String subject = claims.getSubject();
Expand Down Expand Up @@ -256,6 +228,39 @@
);
}

public static String getJwtTokenString(
SecurityRequest request,
String jwtHeaderName,
String jwtUrlParameter,
boolean isDefaultAuthHeader
) {
String jwtToken = request.header(jwtHeaderName);
if (isDefaultAuthHeader && jwtToken != null && BASIC.matcher(jwtToken).matches()) {
jwtToken = null;
}

if (jwtUrlParameter != null) {
if (jwtToken == null || jwtToken.isEmpty()) {
jwtToken = request.params().get(jwtUrlParameter);

} else {
// just consume to avoid "contains unrecognized parameter"
request.params().get(jwtUrlParameter);

}
}

if (jwtToken == null) {
return null;
}

int index;

if ((index = jwtToken.toLowerCase().indexOf(BEARER)) > -1) { // detect Bearer
jwtToken = jwtToken.substring(index + BEARER.length());
}

return jwtToken;
}

public List<String> getRequiredAudience() {
return requiredAudience;
}
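Review bot: Replacing the overridable `protected String getJwtTokenString(SecurityRequest)` (removed in the fourth hunk) with a `public static` four-argument method drops an extension point that subclasses of `AbstractHTTPJwtAuthenticator` may rely on — an existing override written without `@Override` would now silently stop being called — and it also widens token extraction from `protected` to `public`. Keeping a thin instance delegate preserves the hook: `protected String getJwtTokenString(SecurityRequest request) { return getJwtTokenString(request, jwtHeaderName, jwtUrlParameter, isDefaultAuthHeader); }`. In the first hunk `jwtVerifier` becomes `protected` while staying non-final, so any subclass can swap the verifier after construction; if it is only assigned in the constructor (not visible here) it should be `protected final`, and the three other fields may only need accessors now that the static helper takes them as parameters. The URL-parameter branch of the new static method (`request.params().get(jwtUrlParameter)` on both sides of the `else`) is flagged by the coverage check as untested; since that path accepts a bearer token from a query string, tests for both the header-present and header-absent cases would be worth adding. Although the body is moved verbatim, `jwtToken.toLowerCase()` depends on the default locale — `jwtToken.toLowerCase(Locale.ROOT)` would make the `Bearer` detection locale-independent.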

This file was deleted.
