Merge pull request #847 from navikt/private-key-jwt-audience

Author: tronghn

src/main/kotlin/no/nav/security/mock/oauth2/OAuth2Exception.kt

@@ -23,12 +23,12 @@ fun missingParameter(name: String): Nothing =
 
 fun invalidGrant(grantType: GrantType): Nothing =
     "grant_type $grantType not supported.".let {
-        throw OAuth2Exception(OAuth2Error.INVALID_GRANT, it)
+        throw OAuth2Exception(OAuth2Error.INVALID_GRANT.setDescription(it), it)
     }
 
 fun invalidRequest(message: String): Nothing =
     message.let {
-        throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, message)
+        throw OAuth2Exception(OAuth2Error.INVALID_REQUEST.setDescription(message), message)
     }
 
 fun notFound(message: String): Nothing = throw OAuth2Exception(ErrorObject("not_found", "Resource not found", HTTPResponse.SC_NOT_FOUND), message)

src/main/kotlin/no/nav/security/mock/oauth2/extensions/NimbusExtensions.kt

@@ -106,20 +106,56 @@ fun HTTPRequest.clientAuthentication() =
     ClientAuthentication.parse(this)
         ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "request must contain some form of ClientAuthentication.")
 
+/**
+ * TODO: We currently accept multiple audiences for backwards compatibility as updates to RFC7523 are pending.
+ * Relevant excerpts:
+ *  > The JWT MUST contain an aud (audience) claim containing the issuer identifier [RFC8414] of the authorization server as its sole value.
+ *
+ *  > Unlike the aud value specified in [RFC7523], there MUST be no value other than the issuer identifier of the intended authorization server used as the audience of the JWT;
+ *  > this includes that the token endpoint URL of the authorization server MUST NOT be used as an audience value.
+ *
+ *  > The authorization server MUST reject any JWT that does not contain its issuer identifier as its sole audience value.
+ *
+ * See [RFC7523bis](https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis) for details.
+ * Compliance with the RFC will require breaking changes.
+ **/
 fun ClientAuthentication.requirePrivateKeyJwt(
     requiredAudience: String,
     maxLifetimeSeconds: Long,
+    additionalAcceptedAudience: String? = null,
 ): PrivateKeyJWT =
     (this as? PrivateKeyJWT)
         ?.let {
+            val acceptedAudiences = setOf(requiredAudience, additionalAcceptedAudience).filterNotNull().toSet()
             when {
                 it.clientAssertion.expiresIn() > maxLifetimeSeconds -> {
-                    invalidRequest("invalid client_assertion: client_assertion expiry is too long( should be < $maxLifetimeSeconds)")
+                    invalidRequest("invalid client_assertion: expiry must be less than $maxLifetimeSeconds seconds")
                 }
-                !it.clientAssertion.jwtClaimsSet.audience
-                    .contains(requiredAudience) -> {
-                    invalidRequest("invalid client_assertion: client_assertion must contain required audience '$requiredAudience'")
+
+                it.clientAssertion.jwtClaimsSet.issuer != it.clientID.value -> {
+                    invalidRequest("invalid client_assertion: issuer must match client_id '${it.clientID.value}'")
+                }
+
+                it.clientAssertion.jwtClaimsSet.subject != it.clientID.value -> {
+                    invalidRequest("invalid client_assertion: subject must match client_id '${it.clientID.value}'")
+                }
+
+                it.clientAssertion.jwtClaimsSet.audience
+                    .isEmpty() -> {
+                    invalidRequest("invalid client_assertion: audience cannot be empty")
                 }
+
+                it.clientAssertion.jwtClaimsSet.audience.size > 1 -> {
+                    invalidRequest("invalid client_assertion: audience must not contain more than one element")
+                }
+
+                // audience is a List<String>; it should contain exactly one element as per previous checks
+                it.clientAssertion.jwtClaimsSet.audience
+                    .first() !in acceptedAudiences -> {
+                    invalidRequest("invalid client_assertion: audience should be $requiredAudience")
+                }
+
+                // all checks passed
                 else -> it
             }
         } ?: throw OAuth2Exception(OAuth2Error.INVALID_REQUEST, "request must contain a valid client_assertion.")

src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpRequest.kt

@@ -35,7 +35,12 @@ data class OAuth2HttpRequest(
         val httpRequest: HTTPRequest = this.asNimbusHTTPRequest()
         var clientAuthentication = httpRequest.clientAuthentication()
         if (clientAuthentication.method == ClientAuthenticationMethod.PRIVATE_KEY_JWT) {
-            clientAuthentication = clientAuthentication.requirePrivateKeyJwt(this.url.toString(), 120)
+            clientAuthentication =
+                clientAuthentication.requirePrivateKeyJwt(
+                    requiredAudience = this.url.toIssuerUrl().toString(),
+                    maxLifetimeSeconds = 120,
+                    additionalAcceptedAudience = this.url.toTokenEndpointUrl().toString(),
+                )
         }
         val tokenExchangeGrant = TokenExchangeGrant.parse(formParameters.map)
 

src/test/kotlin/examples/kotlin/ktor/client/OAuth2Client.kt

@@ -111,26 +111,26 @@ class Auth internal constructor(
         fun privateKeyJwt(
             keyPair: KeyPair,
             clientId: String,
-            tokenEndpoint: String,
+            audience: String,
             expiry: Duration = Duration.ofSeconds(120),
         ): Auth =
             Auth(
                 parameters =
                     mapOf(
                         "client_assertion_type" to CLIENT_ASSERTION_TYPE,
-                        "client_assertion" to keyPair.clientAssertion(clientId, tokenEndpoint, expiry),
+                        "client_assertion" to keyPair.clientAssertion(clientId, audience, expiry),
                     ),
             )
 
         private fun KeyPair.clientAssertion(
             clientId: String,
-            tokenEndpoint: String,
+            audience: String,
             expiry: Duration = Duration.ofSeconds(120),
         ): String {
             val now = Instant.now()
             return JWT
                 .create()
-                .withAudience(tokenEndpoint)
+                .withAudience(audience)
                 .withIssuer(clientId)
                 .withSubject(clientId)
                 .withJWTId(UUID.randomUUID().toString())

src/test/kotlin/examples/kotlin/ktor/client/OAuth2ClientTest.kt

@@ -55,14 +55,15 @@ internal class OAuth2ClientTest {
         runBlocking {
             val initialToken = server.issueToken(subject = "enduser")
             val tokenEndpointUrl = server.tokenEndpointUrl("default").toString()
+            val issuerUrl = server.issuerUrl("default").toString()
             val tokenResponse =
                 httpClient.onBehalfOfGrant(
                     url = tokenEndpointUrl,
                     auth =
                         Auth.privateKeyJwt(
                             keyPair = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair(),
                             clientId = "client1",
-                            tokenEndpoint = tokenEndpointUrl,
+                            audience = issuerUrl,
                         ),
                     token = initialToken.serialize(),
                     scope = "targetScope",

src/test/kotlin/no/nav/security/mock/oauth2/e2e/TokenExchangeGrantIntegrationTest.kt

@@ -1,6 +1,5 @@
 package no.nav.security.mock.oauth2.e2e
 
-import com.nimbusds.jwt.JWTClaimsSet
 import io.kotest.matchers.collections.shouldContainExactly
 import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
@@ -11,21 +10,16 @@ import no.nav.security.mock.oauth2.testutils.SubjectTokenType
 import no.nav.security.mock.oauth2.testutils.audience
 import no.nav.security.mock.oauth2.testutils.claims
 import no.nav.security.mock.oauth2.testutils.clientAssertion
-import no.nav.security.mock.oauth2.testutils.generateRsaKey
+import no.nav.security.mock.oauth2.testutils.issueSubjectToken
 import no.nav.security.mock.oauth2.testutils.shouldBeValidFor
-import no.nav.security.mock.oauth2.testutils.sign
 import no.nav.security.mock.oauth2.testutils.subject
 import no.nav.security.mock.oauth2.testutils.toTokenResponse
 import no.nav.security.mock.oauth2.testutils.tokenRequest
 import no.nav.security.mock.oauth2.testutils.verifyWith
-import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import no.nav.security.mock.oauth2.withMockOAuth2Server
 import okhttp3.OkHttpClient
 import okhttp3.Response
 import org.junit.jupiter.api.Test
-import java.time.Instant
-import java.util.Date
-import java.util.UUID
 
 class TokenExchangeGrantIntegrationTest {
     private val client: OkHttpClient =
@@ -38,25 +32,12 @@ class TokenExchangeGrantIntegrationTest {
     fun `token request with token exchange grant should exchange subject_token with a new token containing many of the same claims`() {
         withMockOAuth2Server {
             val initialSubject = "yolo"
-            val initialToken =
-                this.issueToken(
-                    issuerId = "idprovider",
-                    clientId = "initialClient",
-                    tokenCallback =
-                        DefaultOAuth2TokenCallback(
-                            issuerId = "idprovider",
-                            subject = initialSubject,
-                            claims =
-                                mapOf(
-                                    "claim1" to "value1",
-                                    "claim2" to "value2",
-                                ),
-                        ),
-                )
+            val initialToken = issueSubjectToken(subject = initialSubject)
 
             val issuerId = "tokenx"
             val tokenEndpointUrl = this.tokenEndpointUrl(issuerId)
-            val clientAssertion = clientAssertion("tokenExchangeClient", tokenEndpointUrl.toUrl()).serialize()
+            val issuerUrl = this.issuerUrl(issuerId)
+            val clientAssertion = clientAssertion(clientId = "tokenExchangeClient", audience = issuerUrl.toString()).serialize()
             val targetAudienceForToken = "targetAudience"
 
             val response: ParsedTokenResponse =
@@ -92,21 +73,7 @@ class TokenExchangeGrantIntegrationTest {
     fun `token request with token exchange grant and client basic auth should exchange subject_token with a new token containing many of the same claims`() {
         withMockOAuth2Server {
             val initialSubject = "yolo"
-            val initialToken =
-                this.issueToken(
-                    issuerId = "idprovider",
-                    clientId = "initialClient",
-                    tokenCallback =
-                        DefaultOAuth2TokenCallback(
-                            issuerId = "idprovider",
-                            subject = initialSubject,
-                            claims =
-                                mapOf(
-                                    "claim1" to "value1",
-                                    "claim2" to "value2",
-                                ),
-                        ),
-                )
+            val initialToken = issueSubjectToken(subject = initialSubject)
 
             val issuerId = "tokenx"
             val tokenEndpointUrl = this.tokenEndpointUrl(issuerId)
@@ -140,6 +107,46 @@ class TokenExchangeGrantIntegrationTest {
         }
     }
 
+    @Test
+    fun `token request with client_assertion containing aud equal token endpoint should be allowed`() {
+        withMockOAuth2Server {
+            val initialSubject = "yolo"
+            val initialToken = issueSubjectToken(subject = initialSubject)
+
+            val issuerId = "tokenx"
+            val tokenEndpointUrl = this.tokenEndpointUrl(issuerId)
+            val clientAssertion = clientAssertion("clientid", tokenEndpointUrl.toString()).serialize()
+            val targetAudienceForToken = "targetAudience"
+
+            val response: ParsedTokenResponse =
+                client
+                    .tokenRequest(
+                        url = tokenEndpointUrl,
+                        parameters =
+                            mapOf(
+                                "grant_type" to TOKEN_EXCHANGE.value,
+                                "client_assertion_type" to ClientAssertionType.JWT_BEARER,
+                                "client_assertion" to clientAssertion,
+                                "subject_token_type" to SubjectTokenType.TOKEN_TYPE_JWT,
+                                "subject_token" to initialToken.serialize(),
+                                "audience" to targetAudienceForToken,
+                            ),
+                    ).toTokenResponse()
+
+            response shouldBeValidFor TOKEN_EXCHANGE
+            response.scope shouldBe null
+            response.tokenType shouldBe "Bearer"
+            response.issuedTokenType shouldBe "urn:ietf:params:oauth:token-type:access_token"
+
+            response.accessToken!! should verifyWith(issuerId, this)
+
+            response.accessToken.subject shouldBe initialSubject
+            response.accessToken.audience shouldContainExactly listOf(targetAudienceForToken)
+            response.accessToken.claims["claim1"] shouldBe "value1"
+            response.accessToken.claims["claim2"] shouldBe "value2"
+        }
+    }
+
     @Test
     fun `token request without client_assertion should fail`() {
         withMockOAuth2Server {
@@ -161,8 +168,10 @@ class TokenExchangeGrantIntegrationTest {
     @Test
     fun `token request with invalid client_assertion_type should fail`() {
         withMockOAuth2Server {
+            val initialToken = issueSubjectToken(subject = "some-subject")
             val tokenEndpointUrl = this.tokenEndpointUrl("tokenx")
-            val clientAssertion = clientAssertion("tokenExchangeClient", tokenEndpointUrl.toUrl()).serialize()
+            val issuerUrl = this.issuerUrl("tokenx")
+            val clientAssertion = clientAssertion(clientId = "tokenExchangeClient", audience = issuerUrl.toString()).serialize()
             val response: Response =
                 client.tokenRequest(
                     url = tokenEndpointUrl,
@@ -172,8 +181,8 @@ class TokenExchangeGrantIntegrationTest {
                             "client_assertion_type" to "some-invalid-type",
                             "client_assertion" to clientAssertion,
                             "subject_token_type" to SubjectTokenType.TOKEN_TYPE_JWT,
-                            "subject_token" to "na",
-                            "audience" to "na",
+                            "subject_token" to initialToken.serialize(),
+                            "audience" to "targetAudience",
                         ),
                 )
             response.code shouldBe 400
@@ -183,22 +192,39 @@ class TokenExchangeGrantIntegrationTest {
     @Test
     fun `token request with client_assertion containing invalid aud should fail`() {
         withMockOAuth2Server {
+            val initialToken = issueSubjectToken(subject = "some-subject")
             val tokenEndpointUrl = this.tokenEndpointUrl("tokenx")
 
-            val clientAssertion =
-                JWTClaimsSet
-                    .Builder()
-                    .issuer("clientid")
-                    .subject("clientid")
-                    .audience("invalid")
-                    .issueTime(Date.from(Instant.now()))
-                    .expirationTime(Date.from(Instant.now().plusSeconds(120)))
-                    .notBeforeTime(Date.from(Instant.now()))
-                    .jwtID(UUID.randomUUID().toString())
-                    .build()
-                    .sign(generateRsaKey())
-                    .serialize()
+            val clientAssertion = clientAssertion(clientId = "tokenExchangeClient", audience = "invalid").serialize()
+            val response: Response =
+                client.tokenRequest(
+                    url = tokenEndpointUrl,
+                    parameters =
+                        mapOf(
+                            "grant_type" to TOKEN_EXCHANGE.value,
+                            "client_assertion_type" to ClientAssertionType.JWT_BEARER,
+                            "client_assertion" to clientAssertion,
+                            "subject_token_type" to SubjectTokenType.TOKEN_TYPE_JWT,
+                            "subject_token" to initialToken.serialize(),
+                            "audience" to "targetAudience",
+                        ),
+                )
+            response.code shouldBe 400
+        }
+    }
 
+    @Test
+    fun `token request with client_assertion containing multiple audiences should fail`() {
+        withMockOAuth2Server {
+            val initialToken = issueSubjectToken(subject = "some-subject")
+            val tokenEndpointUrl = this.tokenEndpointUrl("tokenx")
+            val issuerUrl = this.issuerUrl("tokenx")
+
+            val clientAssertion =
+                clientAssertion(
+                    clientId = "tokenExchangeClient",
+                    audiences = listOf(tokenEndpointUrl.toString(), issuerUrl.toString()),
+                ).serialize()
             val response: Response =
                 client.tokenRequest(
                     url = tokenEndpointUrl,
@@ -208,8 +234,8 @@ class TokenExchangeGrantIntegrationTest {
                             "client_assertion_type" to ClientAssertionType.JWT_BEARER,
                             "client_assertion" to clientAssertion,
                             "subject_token_type" to SubjectTokenType.TOKEN_TYPE_JWT,
-                            "subject_token" to "na",
-                            "audience" to "na",
+                            "subject_token" to initialToken.serialize(),
+                            "audience" to "targetAudience",
                         ),
                 )
             response.code shouldBe 400