Get rid of jjwt, use auth0.java-jwt instead

Author: artem-v

pom.xml

@@ -1,5 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
@@ -42,9 +44,10 @@
     <vault-java-driver.version>5.1.0</vault-java-driver.version>
     <jackson.version>2.19.2</jackson.version>
     <slf4j.version>1.7.36</slf4j.version>
-    <jjwt.version>0.12.6</jjwt.version>
+    <auth0.java-jwt.version>4.5.0</auth0.java-jwt.version>
 
-    <mockito-junit.version>4.6.1</mockito-junit.version>
+    <mockito-junit.version>5.20.0</mockito-junit.version>
+    <mockito-inline.version>5.2.0</mockito-inline.version>
     <junit-jupiter.version>5.8.2</junit-jupiter.version>
     <hamcrest.version>1.3</hamcrest.version>
     <log4j.version>2.17.2</log4j.version>
@@ -69,21 +72,11 @@
         <artifactId>slf4j-api</artifactId>
         <version>${slf4j.version}</version>
       </dependency>
-      <!-- Jsonwebtoken -->
+      <!-- Auth0/JWT -->
       <dependency>
-        <groupId>io.jsonwebtoken</groupId>
-        <artifactId>jjwt-api</artifactId>
-        <version>${jjwt.version}</version>
-      </dependency>
-      <dependency>
-        <groupId>io.jsonwebtoken</groupId>
-        <artifactId>jjwt-impl</artifactId>
-        <version>${jjwt.version}</version>
-      </dependency>
-      <dependency>
-        <groupId>io.jsonwebtoken</groupId>
-        <artifactId>jjwt-jackson</artifactId>
-        <version>${jjwt.version}</version>
+        <groupId>com.auth0</groupId>
+        <artifactId>java-jwt</artifactId>
+        <version>${auth0.java-jwt.version}</version>
       </dependency>
       <!-- Jackson -->
       <dependency>
@@ -135,7 +128,7 @@
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-inline</artifactId>
-      <version>${mockito-junit.version}</version>
+      <version>${mockito-inline.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>

tests/src/test/java/io/scalecube/security/tokens/jwt/JsonwebtokenResolverTests.java

@@ -11,10 +11,8 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-import io.jsonwebtoken.Locator;
 import io.scalecube.security.environment.IntegrationEnvironmentFixture;
 import io.scalecube.security.environment.VaultEnvironment;
-import java.security.Key;
 import java.time.Duration;
 import java.util.concurrent.TimeUnit;
 import org.junit.jupiter.api.Test;
@@ -58,7 +56,7 @@ void testParseTokenSuccessfully(VaultEnvironment vaultEnvironment) {
   void testJwksKeyLocatorThrowsError(VaultEnvironment vaultEnvironment) {
     final var token = vaultEnvironment.newServiceToken();
 
-    Locator<Key> keyLocator = mock(Locator.class);
+    final var keyLocator = mock(JwksKeyLocator.class);
     when(keyLocator.locate(any())).thenThrow(new RuntimeException("Cannot get key"));
 
     try {
@@ -75,7 +73,7 @@ void testJwksKeyLocatorThrowsError(VaultEnvironment vaultEnvironment) {
   void testJwksKeyLocatorThrowsRetryableError(VaultEnvironment vaultEnvironment) {
     final var token = vaultEnvironment.newServiceToken();
 
-    Locator<Key> keyLocator = mock(Locator.class);
+    final var keyLocator = mock(JwksKeyLocator.class);
     when(keyLocator.locate(any())).thenThrow(new JwtUnavailableException("JWKS timeout"));
 
     try {

tokens/pom.xml

@@ -1,5 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
@@ -13,16 +15,8 @@
 
   <dependencies>
     <dependency>
-      <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt-api</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt-impl</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt-jackson</artifactId>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>

tokens/src/main/java/io/scalecube/security/tokens/jwt/JsonwebtokenResolver.java

@@ -1,9 +1,8 @@
 package io.scalecube.security.tokens.jwt;
 
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.Locator;
-import java.security.Key;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import java.security.interfaces.RSAPublicKey;
 import java.util.concurrent.CompletableFuture;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -12,18 +11,22 @@ public class JsonwebtokenResolver implements JwtTokenResolver {
 
   private static final Logger LOGGER = LoggerFactory.getLogger(JsonwebtokenResolver.class);
 
-  private final JwtParser jwtParser;
+  private final JwksKeyLocator keyLocator;
 
-  public JsonwebtokenResolver(Locator<Key> keyLocator) {
-    jwtParser = Jwts.parser().keyLocator(keyLocator).build();
+  public JsonwebtokenResolver(JwksKeyLocator keyLocator) {
+    this.keyLocator = keyLocator;
   }
 
   @Override
   public CompletableFuture<JwtToken> resolveToken(String token) {
     return CompletableFuture.supplyAsync(
             () -> {
-              final var claimsJws = jwtParser.parseSignedClaims(token);
-              return new JwtToken(claimsJws.getHeader(), claimsJws.getPayload());
+              final var rawToken = JWT.decode(token);
+              final var kid = rawToken.getKeyId();
+              final var publicKey = (RSAPublicKey) keyLocator.locate(kid);
+              final var verifier = JWT.require(Algorithm.RSA256(publicKey, null)).build();
+              verifier.verify(token);
+              return JwtToken.parseToken(token);
             })
         .handle(
             (jwtToken, ex) -> {

tokens/src/main/java/io/scalecube/security/tokens/jwt/JwksKeyLocator.java

@@ -6,8 +6,6 @@
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
-import io.jsonwebtoken.JwsHeader;
-import io.jsonwebtoken.LocatorAdapter;
 import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -29,7 +27,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.ReentrantLock;
 
-public class JwksKeyLocator extends LocatorAdapter<Key> {
+public class JwksKeyLocator {
 
   private static final ObjectMapper OBJECT_MAPPER = newObjectMapper();
 
@@ -54,16 +52,15 @@ public static Builder builder() {
     return new Builder();
   }
 
-  @Override
-  protected Key locate(JwsHeader header) {
+  public Key locate(String kid) {
     try {
       return keyResolutions
           .computeIfAbsent(
-              header.getKeyId(),
-              kid -> {
-                final var key = findKeyById(computeKeyList(), kid);
+              kid,
+              id -> {
+                final var key = findKeyById(computeKeyList(), id);
                 if (key == null) {
-                  throw new JwtUnavailableException("Cannot find key by kid: " + kid);
+                  throw new JwtUnavailableException("Cannot find key by kid: " + id);
                 }
                 return new CachedKey(key, System.currentTimeMillis() + keyTtl);
               })