Merge pull request #17548 from c00crane/oidc_jwe_3

Oidc JWE FAT delivery #3 - propagation

dev/com.ibm.ws.security.oauth.oidc_fat.common/.classpath

@@ -7,6 +7,7 @@
 	<classpathentry kind="src" path="test-applications/oauthtaidemo/src"/>
 	<classpathentry kind="src" path="test-applications/testMediator/src"/>
 	<classpathentry kind="src" path="test-applications/testTokenEndpoint/src"/>
+	<classpathentry kind="src" path="test-applications/testUserinfoEndpoint/src"/>
 	<classpathentry kind="src" path="test-bundles/com.ibm.ws.security.oauth20.jwt.mediator/src"/>
 	<classpathentry kind="src" path="test-bundles/com.ibm.ws.security.oauth20.token.mapping/src"/>
 	<classpathentry kind="src" path="test-bundles/com.ibm.ws.security.oauth20.tokenintrospectprovider/src"/>

dev/com.ibm.ws.security.oauth.oidc_fat.common/bnd.bnd

@@ -29,6 +29,7 @@ src: \
     test-applications/oauthtaidemo/src, \
     test-applications/testMediator/src, \
     test-applications/testTokenEndpoint/src, \
+    test-applications/testUserinfoEndpoint/src, \
     test-bundles/com.ibm.ws.security.oauth20.jwt.mediator/src, \
     test-bundles/com.ibm.ws.security.oauth20.token.mapping/src, \
     test-bundles/com.ibm.ws.security.oauth20.tokenintrospectprovider/src, \
@@ -63,6 +64,7 @@ test.project: true
 	io.openliberty.org.apache.commons.codec;version=latest,\
 	com.ibm.ws.org.osgi.annotation.versioning;version=latest,\
 	com.ibm.ws.security.fat.common;version=latest,\
+	com.ibm.ws.security.fat.common.jwt;version=latest,\
 	com.ibm.ws.security.oauth.2.0;version=latest,\
 	com.ibm.ws.security.openidconnect.clients.common;version=latest,\
 	com.ibm.ws.security.openidconnect.common;version=latest,\
@@ -82,7 +84,9 @@ test.project: true
 	de.flapdoodle.embed.process;version='3.0.1',\
 	org.slf4j:slf4j-jdk14;version=latest,\
 	com.ibm.ws.org.slf4j.api.1.7.7,\
-	com.ibm.ws.javaee.servlet.3.1;version='1.0.10'
+	com.ibm.ws.javaee.servlet.3.1;version='1.0.10',
+	org.glassfish:javax.json;version=1.0,\
+	javax.servlet-api
 
 -testpath: \
     cglib:cglib-nodep;version=3.3.0, \

dev/com.ibm.ws.security.oauth.oidc_fat.common/build.gradle

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2020 IBM Corporation and others.
+ * Copyright (c) 2020, 2021 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -37,7 +37,8 @@ dependencies {
                   project(':com.ibm.ws.security.openidconnect.clients.common')
 
 
-   requiredLibs project(':com.ibm.ws.security.fat.common')            
+   requiredLibs project(':com.ibm.ws.security.fat.common'),  
+   				project(':com.ibm.ws.security.fat.common.jwt')            
 }
 
 addRequiredLibraries.dependsOn addJakartaTransformer
@@ -312,6 +313,51 @@ task testTokenEndpoint_ZIP (type: Zip, dependsOn: classes) {
   /* end of common security copy */  
 }
 
+/******************************************************************
+ ******************************************************************
+ **
+ ** testUserinfoEndpoint.zip
+ **
+ ******************************************************************
+ ******************************************************************/
+task testUserinfoEndpoint_ZIP (type: Zip, dependsOn: classes) { 
+  destinationDirectory = new File(appBuildDir)
+  archiveFileName = 'testUserinfoEndpoint.zip'
+
+  from (new File(projectDir, 'test-applications/testUserinfoEndpoint/resources')) {
+    include 'META-INF/**', 'WEB-INF/**', '*.jsp', '*.html'
+  }
+  from (new File(projectDir, 'build/classes/java/main')) {
+    include 'com/ibm/ws/security/fat/testUserinfoEndpoint/UserinfoEndpointServlet.class'
+    into 'WEB-INF/classes'
+  }
+
+  /* start of jose4j copy */
+  /* copy contents of the jose4j jar into our test app - we don't have another way to get to the jar */
+  from(zipTree("../com.ibm.ws.org.jose4j/build/libs/com.ibm.ws.org.jose4j.jar")) {
+    exclude("META-INF/MANIFEST.MF")
+    into "WEB-INF/classes"
+  }
+  /* end of jose4j copy */
+  /* start of slf4j copy */
+  /* copy contents of the slf4j jar into our test app - we don't have another way to get to the jar */
+  from(zipTree("../com.ibm.ws.org.slf4j.api/build/libs/com.ibm.ws.org.slf4j.api.1.7.7.jar")) {
+    exclude("META-INF/MANIFEST.MF")
+    into "WEB-INF/classes"
+  }
+  /* start of common security fat copy */
+  /* copy contents of the common security fat jar into our test app - we don't have another way to get to the jar */
+  from(zipTree("../com.ibm.ws.security.fat.common/build/libs/com.ibm.ws.security.fat.common.jar")) {
+    exclude("META-INF/MANIFEST.MF")
+    into "WEB-INF/classes"
+  }
+    /* start of common security jwt fat copy */
+  /* copy contents of the common security fat jar into our test app - we don't have another way to get to the jar */
+  from(zipTree("../com.ibm.ws.security.fat.common.jwt/build/libs/com.ibm.ws.security.fat.common.jwt.jar")) {
+    exclude("META-INF/MANIFEST.MF")
+    into "WEB-INF/classes"
+  }
+}
 /******************************************************************
  ******************************************************************
  **
@@ -372,6 +418,7 @@ assemble.dependsOn oauthclientcert_ZIP
 assemble.dependsOn testMediator_ZIP
 assemble.dependsOn oauthtaidemo_EAR
 assemble.dependsOn testTokenEndpoint_ZIP
+assemble.dependsOn testUserinfoEndpoint_ZIP
 
 
 /******************************************************************

dev/com.ibm.ws.security.oauth.oidc_fat.common/publish/files/serversettings/userinfoEndpointApplication.xml

@@ -0,0 +1,31 @@
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License v1.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-v10.html
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+ <server>
+
+	<application
+		type="war"
+		id="UserinfoEndpointServlet"
+		name="UserinfoEndpointServlet"
+		location="${server.config.dir}/test-apps/testUserinfoEndpoint.war"
+	>
+		<application-bnd>
+			<security-role name="Employee">
+				<special-subject type="ALL_AUTHENTICATED_USERS" />
+			</security-role>
+			<security-role name="Manager">
+				<special-subject type="ALL_AUTHENTICATED_USERS" />
+			</security-role>
+			<security-role name="AllAuthenticated">
+				<special-subject type="ALL_AUTHENTICATED_USERS" />
+			</security-role>
+		</application-bnd>
+	</application>
+</server>    

dev/com.ibm.ws.security.oauth.oidc_fat.common/publish/test-features/oauth20TokenMapping-2.0.mf

@@ -0,0 +1,7 @@
+Subsystem-ManifestVersion: 1
+IBM-ShortName: oauth20TokenMapping-2.0
+Subsystem-SymbolicName: com.ibm.ws.security.oauth20.token.mapping; visibility:=public
+Subsystem-Version: 2.0.0
+Subsystem-Content: com.ibm.ws.security.oauth20.token.mapping.jakarta; version="[1,1.0.100)"; start-phase:=SERVICE
+Subsystem-Type: osgi.subsystem.feature
+IBM-Feature-Version: 2

dev/com.ibm.ws.security.oauth.oidc_fat.common/src/com/ibm/ws/security/oauth_oidc/fat/commonTest/Constants.java

@@ -6,7 +6,7 @@
  * http://www.eclipse.org/legal/epl-v10.html
  *
  * Contributors:
- *     IBM Corporation - initial API and implementation
+ * IBM Corporation - initial API and implementation
  *******************************************************************************/
 package com.ibm.ws.security.oauth_oidc.fat.commonTest;
 
@@ -141,10 +141,10 @@ public Constants() {
 
     // All OP actions/tasks should be included in this list!
     public static final String[] OP_TEST_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, SUBMIT_TO_AUTH_SERVER_FOR_TOKEN, INVOKE_AUTH_SERVER, PERFORM_LOGIN,
-                                                     PERFORM_ISAM_LOGIN, INVOKE_PROTECTED_RESOURCE, INVOKE_ENDPOINT, INVOKE_INTROSPECTION_ENDPOINT, INVOKE_REVOCATION_ENDPOINT,
-                                                     INVOKE_DISCOVERY_ENDPOINT, INVOKE_JWT_ENDPOINT, INVOKE_AUTH_ENDPOINT, INVOKE_AUTH_ENDPOINT_WITH_BASIC_AUTH,
-                                                     INVOKE_TOKEN_ENDPOINT, LOGOUT, INVOKE_TOKEN_ENDPOINT_CL_CRED, INVOKE_TOKEN_ENDPOINT_PASSWORD, INVOKE_REFRESH_ENDPOINT,
-                                                     PERFORM_IDP_LOGIN, PERFORM_IDP_LOGIN, INVOKE_ACS, INVOKE_RS_PROTECTED_RESOURCE };
+            PERFORM_ISAM_LOGIN, INVOKE_PROTECTED_RESOURCE, INVOKE_ENDPOINT, INVOKE_INTROSPECTION_ENDPOINT, INVOKE_REVOCATION_ENDPOINT,
+            INVOKE_DISCOVERY_ENDPOINT, INVOKE_JWT_ENDPOINT, INVOKE_AUTH_ENDPOINT, INVOKE_AUTH_ENDPOINT_WITH_BASIC_AUTH,
+            INVOKE_TOKEN_ENDPOINT, LOGOUT, INVOKE_TOKEN_ENDPOINT_CL_CRED, INVOKE_TOKEN_ENDPOINT_PASSWORD, INVOKE_REFRESH_ENDPOINT,
+            PERFORM_IDP_LOGIN, PERFORM_IDP_LOGIN, INVOKE_ACS, INVOKE_RS_PROTECTED_RESOURCE };
 
     public static final String[] BASIC_AUTHENTICATION_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, PERFORM_LOGIN };
     // TODO For now, the actions are the same since we're using the id_token,
@@ -159,7 +159,7 @@ public Constants() {
     public static final String[] BASIC_AUTHENTICATION_NOJSP_ACTIONS_WITH_BASIC_AUTH = { INVOKE_AUTH_ENDPOINT_WITH_BASIC_AUTH };
     public static final String[] BASIC_PROTECTED_RESOURCE_NOJSP_ACTIONS = { INVOKE_AUTH_ENDPOINT, PERFORM_LOGIN, INVOKE_TOKEN_ENDPOINT, INVOKE_PROTECTED_RESOURCE };
     public static final String[] BASIC_PROTECTED_RESOURCE_NOJSP_ACTIONS2 = { INVOKE_AUTH_ENDPOINT, PERFORM_IDP_LOGIN, INVOKE_ACS, INVOKE_TOKEN_ENDPOINT,
-                                                                             INVOKE_PROTECTED_RESOURCE };
+            INVOKE_PROTECTED_RESOURCE };
     public static final String[] BASIC_TOKEN_NOJSP_ACTIONS = { INVOKE_AUTH_ENDPOINT, PERFORM_LOGIN, INVOKE_TOKEN_ENDPOINT };
     public static final String[] BASIC_TOKEN_NOJSP_ACTIONS_WITH_BASIC_AUTH = { INVOKE_AUTH_ENDPOINT_WITH_BASIC_AUTH, INVOKE_TOKEN_ENDPOINT };
     public static final String[] BASIC_TOKEN_NOJSP_ONLY_ACTIONS = { INVOKE_TOKEN_ENDPOINT };
@@ -170,7 +170,7 @@ public Constants() {
     public static final String[] APP_PASSWORD_NOJSP_ACTIONS = { INVOKE_TOKEN_ENDPOINT };
     public static final String[] APP_PASSWORD_PROTECTED_RESOURCE_NOJSP_ACTIONS = { INVOKE_TOKEN_ENDPOINT, INVOKE_PROTECTED_RESOURCE };
     public static final String[] BASIC_PROTECTED_RESOURCE_NOJSP_ACTIONS_WITH_BASIC_AUTH = { INVOKE_AUTH_ENDPOINT_WITH_BASIC_AUTH, INVOKE_TOKEN_ENDPOINT,
-                                                                                            INVOKE_PROTECTED_RESOURCE };
+            INVOKE_PROTECTED_RESOURCE };
     public static final String[] BASIC_PROTECTED_RESOURCE_NOJSP_AGAIN_ACTIONS = { INVOKE_AUTH_ENDPOINT, INVOKE_TOKEN_ENDPOINT, INVOKE_PROTECTED_RESOURCE };
     public static final String[] BASIC_AUTHENTICATE_ACTIONS_WITH_BASIC_AUTH = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER_WITH_BASIC_AUTH, };
     public static final String[] BASIC_PROTECTED_RESOURCE_ACTIONS_WITH_BASIC_AUTH = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER_WITH_BASIC_AUTH, INVOKE_PROTECTED_RESOURCE };
@@ -203,9 +203,9 @@ public Constants() {
     public static final String[] BASIC_RS_PROTECTED_RESOURCE_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, PERFORM_LOGIN, INVOKE_RS_PROTECTED_RESOURCE };
     public static final String[] BASIC_JWT_RS_PROTECTED_RESOURCE_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, PERFORM_ISAM_LOGIN, INVOKE_RS_PROTECTED_RESOURCE };
     public static final String[] BASIC_PROTECTED_RESOURCE_RS_PROTECTED_RESOURCE_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, PERFORM_LOGIN, INVOKE_PROTECTED_RESOURCE,
-                                                                                            INVOKE_RS_PROTECTED_RESOURCE };
+            INVOKE_RS_PROTECTED_RESOURCE };
     public static final String[] BASIC_PROTECTED_RESOURCE_JWT_RS_PROTECTED_RESOURCE_ACTIONS = { INVOKE_OAUTH_CLIENT, SUBMIT_TO_AUTH_SERVER, PERFORM_ISAM_LOGIN,
-                                                                                                INVOKE_PROTECTED_RESOURCE, INVOKE_RS_PROTECTED_RESOURCE };
+            INVOKE_PROTECTED_RESOURCE, INVOKE_RS_PROTECTED_RESOURCE };
     public static final String[] INVOKE_RS_PROTECTED_RESOURCE_ONLY_ACTIONS = { INVOKE_RS_PROTECTED_RESOURCE };
     public static final String[] INVOKE_RS_PROTECTED_RESOURCE_LOGIN_ACTIONS = { INVOKE_RS_PROTECTED_RESOURCE, PERFORM_LOGIN };
 
@@ -222,7 +222,7 @@ public Constants() {
 
     // All RP actions/tasks should be included in this list!
     public static final String[] RP_TEST_ACTIONS = { GET_LOGIN_PAGE, SPECIFY_PROVIDER, LOGIN_OP_DIRECTLY, LOGIN_USER, GET_RP_CONSENT, LOGIN_AGAIN, LOGOUT, PERFORM_IDP_LOGIN,
-                                                     INVOKE_ACS };
+            INVOKE_ACS };
 
     // public static final List <String> SPECIFY_PROVIDER_ONLY = new
     // List<String>(GET_LOGIN_PAGE, SPECIFY_PROVIDER ) ;
@@ -340,6 +340,10 @@ public Constants() {
     public static final String CLIENTMETATYPE_ENDPOINT = "clientMetatype";
     public static final String CHECKSESSIONIFRAME_ENDPOINT = "check_session_iframe";
 
+    public static final String JSON_USERINFO_DATA = "json_userinfo_data";
+    public static final String JWS_USERINFO_DATA = "jws_userinfo_data";
+    public static final String JWE_USERINFO_DATA = "jwe_userinfo_data";
+
     public static final String LOCAL_VALIDATION_METHOD = "";
 
     public static final String SSODEMO = "ssodemo";
@@ -591,6 +595,8 @@ public Constants() {
     public static final String JWT_TOKEN_FORMAT = "jwt";
     public static final String MP_JWT_TOKEN_FORMAT = "mpjwt";
     public static final String OPAQUE_TOKEN_FORMAT = "opaque";
+    public static final String JWS_TOKEN_FORMAT = "jws_token";
+    public static final String JWE_TOKEN_FORMAT = "jwe_token";
     public static final String APP_PASSWORD_KEY = "app_password";
     public static final String APP_TOKEN_KEY = "app_token";
     public static final String APP_ID_KEY = "app_id";
@@ -805,7 +811,7 @@ public Constants() {
     public static final String[] JWT_BUILDER_REQUIRED_HEADER_KEYS = { HEADER_ALGORITHM };
     public static final String[] JWT_BUILDER_REQUIRED_PAYLOAD_KEYS = { PAYLOAD_ISSUER, PAYLOAD_EXPIRATION_TIME_IN_SECS, PAYLOAD_TOKEN_TYPE, PAYLOAD_ISSUED_AT_TIME_IN_SECS };
     public static final String[] MP_JWT_BUILDER_REQUIRED_PAYLOAD_KEYS = { PAYLOAD_ISSUER, PAYLOAD_EXPIRATION_TIME_IN_SECS, PAYLOAD_TOKEN_TYPE, PAYLOAD_ISSUED_AT_TIME_IN_SECS,
-                                                                          PAYLOAD_USER_PRINCIPAL_NAME };
+            PAYLOAD_USER_PRINCIPAL_NAME };
 
     /********************************* JWT Consumer API Servlet ********************************/
     public static final String JWT_CONSUMER_SERVLET = "jwtconsumerclient";

dev/com.ibm.ws.security.oauth.oidc_fat.common/src/com/ibm/ws/security/oauth_oidc/fat/commonTest/MessageConstants.java

@@ -6,7 +6,7 @@
  * http://www.eclipse.org/legal/epl-v10.html
  *
  * Contributors:
- *     IBM Corporation - initial API and implementation
+ * IBM Corporation - initial API and implementation
  *******************************************************************************/
 package com.ibm.ws.security.oauth_oidc.fat.commonTest;
 
@@ -17,6 +17,7 @@ public class MessageConstants extends com.ibm.ws.security.fat.common.MessageCons
     public static final String CWWKG0011W_CONFIG_VALIDATION_FAILURE = "CWWKG0011W";
 
     public static final String CWWKG0032W_CONFIG_INVALID_VALUE = "CWWKG0032W";
+    public static final String CWWKG0033W_CONFIG_REFERENCE_NOT_FOUND = "CWWKG0033W";
     public static final String CWWKG0081W_CONFIG_VALIDATION_FAILURE = "CWWKG0081W";
     public static final String CWWKG0083W_CONFIG_VALIDATION_FAILURE = "CWWKG0083W";
     public static final String CWWKG0058E_CONFIG_MISSING_REQUIRED_ATTRIBUTE = "CWWKG0058E";

dev/com.ibm.ws.security.oauth.oidc_fat.common/test-applications/testUserinfoEndpoint/resources/META-INF/permissions.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License v1.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-v10.html
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+ <permissions
+	xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+        http://xmlns.jcp.org/xml/ns/javaee/permissions_7.xsd"
+	version="7"
+>
+
+	<permission>
+		<class-name>java.io.FilePermission</class-name>
+		<name>ALL FILES</name>
+		<actions>read</actions>
+	</permission>
+
+	<permission>
+		<class-name>javax.security.auth.AuthPermission</class-name>
+		<name>wssecurity.getRunAsSubject</name>
+	</permission>
+
+	<permission>
+	  <class-name>java.util.PropertyPermission</class-name>
+      <name>*</name>
+	  <actions>read</actions>
+    </permission>
+
+	<permission>
+		<class-name>javax.security.auth.AuthPermission</class-name>
+		<name>wssecurity.getCallerSubject</name>
+	</permission>
+
+   <permission>
+	   <class-name>javax.security.auth.PrivateCredentialPermission</class-name>
+	   <name>* * "*"</name>
+	   <actions>read</actions>
+	</permission> 
+
+</permissions>

dev/com.ibm.ws.security.oauth.oidc_fat.common/test-applications/testUserinfoEndpoint/resources/WEB-INF/web.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2021 IBM Corporation and others.
+    All rights reserved. This program and the accompanying materials
+    are made available under the terms of the Eclipse Public License v1.0
+    which accompanies this distribution, and is available at
+    http://www.eclipse.org/legal/epl-v10.html
+   
+    Contributors:
+        IBM Corporation - initial API and implementation
+ -->
+ <web-app id="UserinfoEndpointServlet" version="3.0" 
+     xmlns="http://java.sun.com/xml/ns/javaee"
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
+     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
+
+  <display-name>Test Userinfo Endpoint</display-name>
+  <description>RP/RS Server-side implementation to replace the OP userinfo endpoint.</description>
+
+  <!-- SERVLET DEFINITIONS -->
+  <servlet id="Servlet_1">
+  	<servlet-name>UserinfoEndpointServlet</servlet-name>
+  	<servlet-class>com.ibm.ws.security.fat.testUserinfoEndpoint.UserinfoEndpointServlet</servlet-class>
+  	<load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <!-- SERVLET MAPPINGS --> 
+  <servlet-mapping id="ServletMapping_1">
+    <servlet-name>UserinfoEndpointServlet</servlet-name>
+    <url-pattern>/saveToken</url-pattern>
+  </servlet-mapping>         
+  <servlet-mapping id="ServletMapping_2">
+    <servlet-name>UserinfoEndpointServlet</servlet-name>
+    <url-pattern>/getJws</url-pattern>
+  </servlet-mapping>
+
+  <!-- SERVLET MAPPINGS -->        
+  <servlet-mapping id="ServletMapping_3">
+    <servlet-name>UserinfoEndpointServlet</servlet-name>
+    <url-pattern>/getJwe</url-pattern>
+  </servlet-mapping>
+
+</web-app>
+
+
+
+