Issue helidon-io#5860 - Make check for audience claim in access token optional in OIDC provider

Signed-off-by: Tomáš Kraus <tomas.kraus@oracle.com>
Tomas-Kraus committed Jun 7, 2023
1 parent 2754987 commit 3614c10
Showing 5 changed files with 75 additions and 10 deletions.
Expand Up @@ -65,6 +65,8 @@ abstract class BaseBuilder<B extends BaseBuilder<B, T>, T> implements Builder<B,
private URI introspectUri;
private String scopeAudience;
private boolean useWellKnown = true;
// Audience claim is optional
private boolean optionalAudience = false;

BaseBuilder() {
}
Expand All @@ -78,7 +80,7 @@ void buildConfiguration() {
OidcUtil.validateExists(collector, clientSecret, "Client Secret", "client-secret");
OidcUtil.validateExists(collector, identityUri, "Identity URI", "identity-uri");

if ((audience == null) && (identityUri != null)) {
if (audience == null && !optionalAudience && identityUri != null) {
this.audience = identityUri.toString();
}
// first set of validations
Expand Down Expand Up @@ -501,4 +503,13 @@ String scopeAudience() {
String name() {
return TenantConfigFinder.DEFAULT_TENANT_ID;
}

boolean optionalAudience() {
return optionalAudience;
}

void setOptionalAudience(boolean optional) {
this.optionalAudience = optional;
}

}
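Review bot: The comment `// Audience claim is optional` above the new `optionalAudience` field reads as a statement of fact while the field defaults to `false`, so it describes the non-default state; `// When true, a missing audience is left null instead of defaulting to identityUri (see buildConfiguration())` says what the flag actually controls. In the second hunk the rewritten condition behaves correctly for both values of the flag, but nothing in this commit shows how a null `audience` is consumed during token validation, so the "check is optional" behaviour in the title presumably rests on an existing null-handling path that is worth naming in that comment. `buildConfiguration()` continues outside the hunk. The getter/setter pair in the third hunk is package-private with no Javadoc, consistent with the neighbouring `name()` and `scopeAudience()` accessors.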
Expand Up @@ -317,6 +317,11 @@
* <td>Force https for redirects to identity provider.
* This is helpful if you have a frontend SSL or cloud load balancer in front and Helidon is serving plain http.</td>
* </tr>
* <tr>
* <td>{@code optional-audience}</td>
* <td>{@code false}</td>
* <td>Allow audience claim to be optional.</td>
* </tr>
* </table>
*/
public final class OidcConfig extends TenantConfigImpl {
Expand Down Expand Up @@ -376,6 +381,7 @@ public final class OidcConfig extends TenantConfigImpl {
private final OidcCookieHandler tokenCookieHandler;
private final OidcCookieHandler idTokenCookieHandler;
private final OidcCookieHandler tenantCookieHandler;
private final boolean optionalAudience;

private OidcConfig(Builder builder) {
super(builder);
Expand Down Expand Up @@ -414,6 +420,7 @@ private OidcConfig(Builder builder) {
this.webClientBuilderSupplier = builder.webClientBuilderSupplier;
this.jaxrsClientBuilderSupplier = builder.jaxrsClientBuilderSupplier;
this.defaultTenant = LazyValue.create(() -> Tenant.create(this, this));
this.optionalAudience = builder.optionalAudience();

LOGGER.log(Level.TRACE, () -> "Redirect URI with host: " + frontendUri + redirectUri);
}
Expand Down Expand Up @@ -1123,6 +1130,8 @@ public Builder config(Config config) {
config.get("tenants").asList(Config.class)
.ifPresent(confList -> confList.forEach(tenantConfig -> tenantFromConfig(config, tenantConfig)));

config.get("optional-audience").asBoolean().ifPresent(this::optionalAudience);

return this;
}

Expand Down Expand Up @@ -1654,6 +1663,18 @@ public Builder addTenantConfig(TenantConfig tenantConfig) {
return this;
}

/**
* Allow audience claim to be optional.
*
* @param optional whether the audience claim is be optional (true) or not (false)
* @return updated builder instance
*/
@ConfiguredOption("false")
public Builder optionalAudience(Boolean optional) {
setOptionalAudience(optional);
return this;
}

private void clientTimeoutMillis(long millis) {
this.clientTimeout(Duration.ofMillis(millis));
}
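Review bot: `optionalAudience(Boolean optional)` takes the wrapper type but immediately hands it to `setOptionalAudience(boolean)`, so a caller passing `null` gets a `NullPointerException` from auto-unboxing with no indication of which option was rejected; declaring it `public Builder optionalAudience(boolean optional)` removes that path and still satisfies the `this::optionalAudience` method reference used with `asBoolean().ifPresent(...)`, unless the `@ConfiguredOption` processing requires the wrapper type. The `@param` line also has a typo, `is be optional`. Because enabling this option without an explicit `audience` leaves the configuration with no expected audience, the method Javadoc and the `optional-audience` table row should spell out the effect on token validation rather than only "Allow audience claim to be optional", e.g. `Allow the audience claim to be absent. When {@code true} and no {@code audience} is configured, no expected audience is set and the audience check is skipped` — confirm the exact wording against the validator, which is not part of this change. The new `optionalAudience` field is assigned in the constructor but no accessor appears in these hunks, so presumably one exists outside the visible lines.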
Expand Up @@ -16,11 +16,16 @@

package io.helidon.security.providers.oidc.common;

import java.net.URI;
import java.time.Duration;
import java.util.Arrays;
import java.util.Map;

import io.helidon.common.http.Http;
import io.helidon.config.Config;
import io.helidon.config.ConfigSources;
import io.helidon.reactive.webserver.WebServer;
import io.helidon.reactive.webserver.Routing;
import io.helidon.reactive.webserver.WebServer;

import org.junit.jupiter.api.Test;

Expand All @@ -30,11 +35,6 @@
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.assertAll;

import java.net.URI;
import java.time.Duration;
import java.util.Arrays;
import java.util.Map;

/**
* Unit test for {@link OidcConfig}.
*/
Expand Down Expand Up @@ -180,6 +180,18 @@ void testCookieEncryptionPasswordFromBuilderConfig() {
}
}

@Test
void testOptionalAudience() {
OidcConfig config = OidcConfig.builder()
.identityUri(URI.create(httpHostPort + "/identity"))
.clientSecret("top-secret")
.clientId("client-id")
.optionalAudience(true)
.build();
String audience = config.audience();
assertThat(audience, nullValue());
}

// Stub the Builder class to be able to retrieve the cookie-encryption-password value
private class TestOidcConfigBuilder extends OidcConfig.Builder {
// Stub the method to be able to store the cookie-encryption-password to a variable for later retrieval
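Review bot: `testOptionalAudience` exercises only the `optionalAudience(true)` branch of the new condition in `buildConfiguration()`; the default path, where a missing audience still falls back to the identity URI, has no assertion in this commit, so an inverted `!optionalAudience` would pass the suite. A sibling test that builds the same configuration without `.optionalAudience(true)` and asserts that `config.audience()` equals `httpHostPort + "/identity"` pins both sides of the flag. The import reordering in the first two hunks is a pure move and needs no review.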
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2021 Oracle and/or its affiliates.
* Copyright (c) 2018, 2023 Oracle and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -18,14 +18,20 @@

import io.helidon.config.Config;

import org.junit.jupiter.api.Test;

import static org.hamcrest.CoreMatchers.nullValue;
import static org.hamcrest.MatcherAssert.assertThat;

/**
* Unit test for {@link OidcConfig}.
*/
class OidcConfigFromConfigTest extends OidcConfigAbstractTest {
private OidcConfig oidcConfig;
private Config config;

OidcConfigFromConfigTest() {
Config config = Config.builder()
config = Config.builder()
.disableSystemPropertiesSource()
.disableEnvironmentVariablesSource()
.build();
Expand All @@ -37,4 +43,12 @@ class OidcConfigFromConfigTest extends OidcConfigAbstractTest {
OidcConfig getConfig() {
return oidcConfig;
}

@Test
void testOptionalAudience() {
OidcConfig oidcConfig = OidcConfig.create(config.get("security.oidc-optional-aud"));
String audience = oidcConfig.audience();
assertThat(audience, nullValue());
}

}
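Review bot: In `testOptionalAudience` the local `OidcConfig oidcConfig` shadows the instance field of the same name declared at the top of the class, which makes it easy to misread which configuration the `nullValue()` assertion inspects; `OidcConfig optionalAudConfig = OidcConfig.create(config.get("security.oidc-optional-aud"));` followed by `String audience = optionalAudConfig.audience();` avoids the shadowing. The test depends on the `security.oidc-optional-aud` key introduced in this commit's test-resource YAML change, so the two must stay in step.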
@@ -1,5 +1,5 @@
#
# Copyright (c) 2018, 2022 Oracle and/or its affiliates.
# Copyright (c) 2018, 2023 Oracle and/or its affiliates.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -16,6 +16,7 @@

security:
config.require-encryption: false

oidc-test:
identity-uri: "https://identity.oracle.com"
scope-audience: "http://localhost:7987/test-application"
Expand All @@ -29,3 +30,9 @@ security:
authorization-endpoint-uri: "http://identity.oracle.com/authorization"
introspect-endpoint-uri: "http://identity.oracle.com/introspect"
relative-uris: true

oidc-optional-aud:
identity-uri: "https://my.identity"
client-id: "my-id"
client-secret: "my-well-known-secret"
optional-audience: true
