pvillard31 commented on code in PR #9816: URL: https://github.com/apache/nifi/pull/9816#discussion_r2025214235
########## nifi-extension-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/JWTBearerOAuth2AccessTokenProvider.java: ########## @@ -0,0 +1,677 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.oauth2; + +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.PropertyNamingStrategies; +import com.nimbusds.common.contenttype.ContentType; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JOSEObjectType; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.JWSHeader; +import com.nimbusds.jose.JWSSigner; +import com.nimbusds.jose.crypto.ECDSASigner; +import com.nimbusds.jose.crypto.RSASSASigner; +import com.nimbusds.jose.util.Base64URL; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.JWTClaimsSet.Builder; +import com.nimbusds.jwt.SignedJWT; +import org.apache.commons.lang3.StringUtils; +import org.apache.nifi.annotation.behavior.DynamicProperties; +import org.apache.nifi.annotation.behavior.DynamicProperty; +import org.apache.nifi.annotation.behavior.SupportsSensitiveDynamicProperties; +import org.apache.nifi.annotation.documentation.CapabilityDescription; +import org.apache.nifi.annotation.documentation.Tags; +import org.apache.nifi.annotation.lifecycle.OnDisabled; +import org.apache.nifi.annotation.lifecycle.OnEnabled; +import org.apache.nifi.components.ConfigVerificationResult; +import org.apache.nifi.components.PropertyDescriptor; +import org.apache.nifi.components.ValidationContext; +import org.apache.nifi.components.ValidationResult; +import org.apache.nifi.components.Validator; +import org.apache.nifi.controller.AbstractControllerService; +import org.apache.nifi.controller.ConfigurationContext; +import org.apache.nifi.controller.VerifiableControllerService; +import org.apache.nifi.expression.AttributeExpression; +import org.apache.nifi.expression.ExpressionLanguageScope; +import org.apache.nifi.key.service.api.PrivateKeyService; +import org.apache.nifi.logging.ComponentLog; +import org.apache.nifi.processor.util.StandardValidators; +import org.apache.nifi.ssl.SSLContextProvider; +import org.apache.nifi.web.client.api.HttpRequestHeadersSpec; +import org.apache.nifi.web.client.api.HttpResponseEntity; +import org.apache.nifi.web.client.api.WebClientService; +import org.apache.nifi.web.client.provider.api.WebClientServiceProvider; +import org.apache.nifi.web.security.jwt.key.Ed25519Signer; + +import javax.net.ssl.X509ExtendedKeyManager; + +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.time.Duration; +import java.time.Instant; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Base64; +import java.util.Collection; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.stream.Collectors; + +@SupportsSensitiveDynamicProperties +@Tags({ "oauth2", "provider", "authorization", "access token", "hjwt" }) +@CapabilityDescription("Provides OAuth 2.0 access tokens that can be used as Bearer authorization header in HTTP requests." + + " This controller service is for implementing the OAuth 2.0 JWT Bearer Flow.") +@DynamicProperties({ + @DynamicProperty( + name = "CLAIM.JWT claim name", + value = "JWT claim value", + expressionLanguageScope = ExpressionLanguageScope.ENVIRONMENT, + description = "Custom claims that should be added to the JWT."), + @DynamicProperty( + name = "FORM.Request parameter name", + value = "Request parameter value", + expressionLanguageScope = ExpressionLanguageScope.ENVIRONMENT, + description = "Custom parameters that should be added to the body of the request against the token endpoint.") +}) +public class JWTBearerOAuth2AccessTokenProvider extends AbstractControllerService implements OAuth2AccessTokenProvider, VerifiableControllerService { + + private static final ObjectMapper ACCESS_DETAILS_MAPPER = new ObjectMapper() + .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + .setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE); + + public static final PropertyDescriptor PRIVATE_KEY_SERVICE = new PropertyDescriptor.Builder() + .name("Private Key Service") + .description("The private key service to use for signing JWTs.") + .identifiesControllerService(PrivateKeyService.class) + .required(true) + .build(); + + public static final PropertyDescriptor SIGNING_ALGORITHM = new PropertyDescriptor.Builder() + .name("Signing Algorithm") + .description("The algorithm to use for signing the JWT.") + .allowableValues(JWSAlgorithm.RS256.getName(), JWSAlgorithm.RS384.getName(), JWSAlgorithm.RS512.getName(), + JWSAlgorithm.PS256.getName(), JWSAlgorithm.PS384.getName(), JWSAlgorithm.PS512.getName(), + JWSAlgorithm.ES256.getName(), JWSAlgorithm.ES384.getName(), JWSAlgorithm.ES512.getName(), JWSAlgorithm.Ed25519.getName()) + .defaultValue(JWSAlgorithm.PS256.getName()) + .required(true) + .addValidator(Validator.VALID) + .build(); + + public static final PropertyDescriptor ISSUER = new PropertyDescriptor.Builder() + .name("Issuer") + .description("The issuer claim (iss) for the JWT.") + .required(false) + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor SUBJECT = new PropertyDescriptor.Builder() + .name("Subject") + .description("The subject claim (sub) for the JWT.") + .required(false) + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor AUDIENCE = new PropertyDescriptor.Builder() + .name("Audience") + .description("The audience claim (aud) for the JWT. Space-separated list of audiences if multiple are expected.") + .required(false) + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor SCOPE = new PropertyDescriptor.Builder() + .name("Scope") + .description("The scope claim (scope) for the JWT.") + .required(false) + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor GRANT_TYPE = new PropertyDescriptor.Builder() + .name("Grant Type") + .description("Value to set for the grant_type parameter in the request to the token endpoint.") + .required(true) + .defaultValue("urn:ietf:params:oauth:grant-type:jwt-bearer") + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor ASSERTION = new PropertyDescriptor.Builder() + .name("Assertion Parameter Name") + .description("Name of the parameter to use for the JWT assertion in the request to the token endpoint.") + .required(true) + .defaultValue("assertion") + .addValidator(StandardValidators.NON_EMPTY_VALIDATOR) + .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT) + .build(); + + public static final PropertyDescriptor NBF = new PropertyDescriptor.Builder() + .name("Set Not Before Time") + .description("The nbf (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing." + + " If set to true, the current time will be used.") + .required(true) + .allowableValues("true", "false") + .defaultValue("false") + .addValidator(Validator.VALID) + .build(); + + public static final PropertyDescriptor HEADER_TYPE = new PropertyDescriptor.Builder() + .name("Set JWT Header Type") Review Comment: Same answer: some implementations are very strict in terms of expected fields in the header. I will test again to double check to be sure. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
