Merge pull request #40883 from sberyozkin/oidc_valid_chain_but_invali…

…d_claims Confirm that expired or wrong aud JWT cause 401 even if the cert chain is valid
quarkusio · May 29, 2024 · 7fb79c0 · 7fb79c0
2 parents ecdf3ea + aa9704c
commit 7fb79c0
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 6 deletions.
diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
@@ -206,6 +206,7 @@ quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-passwor
 
 quarkus.oidc.bearer-chain-custom-validator.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-chain-custom-validator.certificate-chain.trust-store-password=storepassword
+quarkus.oidc.bearer-chain-custom-validator.token.audience=https://service.example.com
 
 quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-file=truststore-rootcert.p12
 quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-password=storepassword

diff --git a/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/...ests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
@@ -199,18 +199,37 @@ public void testCertChainWithCustomValidator() throws Exception {
         // Send the token with the valid certificate chain and bind it to the token claim
         String accessToken = getAccessTokenForCustomValidator(
                 List.of(subjectCert, intermediateCert, rootCert),
-                subjectPrivateKey, true);
+                subjectPrivateKey, "https://service.example.com", true, false);
 
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-chain-custom-validator")
                 .then()
                 .statusCode(200)
                 .body(Matchers.containsString("admin"));
 
-        // Send the token with the valid certificate chain but do bind it to the token claim
+        // Send the token with the valid certificate chain but do not bind it to the token claim
         accessToken = getAccessTokenForCustomValidator(
                 List.of(subjectCert, intermediateCert, rootCert),
-                subjectPrivateKey, false);
+                subjectPrivateKey, "https://service.example.com", false, false);
+
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-chain-custom-validator")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificate chain bound to the token claim, but expired
+        accessToken = getAccessTokenForCustomValidator(
+                List.of(subjectCert, intermediateCert, rootCert),
+                subjectPrivateKey, "https://service.example.com", true, true);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-chain-custom-validator")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificate chain but with the wrong audience
+        accessToken = getAccessTokenForCustomValidator(
+                List.of(subjectCert, intermediateCert, rootCert),
+                subjectPrivateKey, "https://server.example.com", true, false);
 
         RestAssured.given().auth().oauth2(accessToken)
                 .when().get("/api/admin/bearer-chain-custom-validator")
@@ -748,18 +767,25 @@ private String getAccessTokenWithCertChain(List<X509Certificate> chain,
     }
 
     private String getAccessTokenForCustomValidator(List<X509Certificate> chain,
-            PrivateKey privateKey, boolean setLeafCertThumbprint) throws Exception {
+            PrivateKey privateKey, String aud, boolean setLeafCertThumbprint, boolean expired) throws Exception {
         JwtClaimsBuilder builder = Jwt.preferredUserName("alice")
                 .groups("admin")
                 .issuer("https://server.example.com")
-                .audience("https://service.example.com")
+                .audience(aud)
                 .claim("root-certificate-thumbprint", TrustStoreUtils.calculateThumprint(chain.get(chain.size() - 1)));
         if (setLeafCertThumbprint) {
             builder.claim("leaf-certificate-thumbprint", TrustStoreUtils.calculateThumprint(chain.get(0)));
         }
-        return builder.jws()
+        if (expired) {
+            builder.expiresIn(1);
+        }
+        String jwt = builder.jws()
                 .chain(chain)
                 .sign(privateKey);
+        if (expired) {
+            Thread.sleep(2000);
+        }
+        return jwt;
     }
 
     private String getAccessTokenWithoutKidAndThumbprint(String userName, Set<String> groups) {