This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 67f879c5975843f4c0ed30775d3b02fee3162aed
Author: Felix Auringer <[email protected]>
AuthorDate: Mon Jan 5 13:45:24 2026 +0100

    refactor(managesieve): rebase on new oidc token validation
---
 .../org/apache/james/managesieve/api/Session.java  |  2 +-
 .../core/OAUTHAuthenticationProcessor.java         | 38 ++------------------
 .../james/managesieve/util/SettableSession.java    |  2 +-
 .../org/apache/james/jwt/OidcJwtTokenVerifier.java |  2 +-
 .../apache/james/jwt/OidcSASLConfiguration.java    |  7 ++--
 .../org/apache/james/jwt/OidcTokenFixture.java     |  1 +
 .../netty/ManageSieveChannelUpstreamHandler.java   |  2 +-
 .../managesieveserver/netty/ManageSieveServer.java |  2 +-
 .../james/managesieveserver/ManageSieveClient.java |  4 +--
 .../apache/james/managesieveserver/OIDCTest.java   | 42 ++++++++++++++++++----
 .../src/test/resources/managesieveserver-oidc.xml  |  4 +++
 11 files changed, 51 insertions(+), 55 deletions(-)

diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java
index ca5ed2b2fa..9f1a058f19 100644
--- a/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java
+++ b/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java
@@ -23,8 +23,8 @@ package org.apache.james.managesieve.api;
 import java.util.Optional;
 
 import org.apache.james.core.Username;
+import org.apache.james.jwt.OidcSASLConfiguration;
 import org.apache.james.managesieve.api.commands.Authenticate;
-import org.apache.james.protocols.api.OidcSASLConfiguration;
 
 public interface Session {
 
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java
index ba925141a8..ebdfe25c33 100644
--- a/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java
+++ b/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java
@@ -24,16 +24,13 @@ import java.util.Optional;
 
 import org.apache.james.core.Username;
 import org.apache.james.jwt.OidcJwtTokenVerifier;
-import org.apache.james.jwt.introspection.IntrospectionEndpoint;
+import org.apache.james.jwt.OidcSASLConfiguration;
 import org.apache.james.managesieve.api.AuthenticationException;
 import org.apache.james.managesieve.api.AuthenticationProcessor;
 import org.apache.james.managesieve.api.Session;
 import org.apache.james.managesieve.api.SyntaxException;
 import org.apache.james.protocols.api.OIDCSASLParser;
 import org.apache.james.protocols.api.OIDCSASLParser.OIDCInitialResponse;
-import org.apache.james.protocols.api.OidcSASLConfiguration;
-
-import reactor.core.publisher.Mono;
 
 public class OAUTHAuthenticationProcessor implements AuthenticationProcessor {
 
@@ -58,7 +55,7 @@ public class OAUTHAuthenticationProcessor implements AuthenticationProcessor {
 
         Optional<Username> authenticatedUserResult = Optional.empty();
         try {
-            authenticatedUserResult = validateToken(oidcInitialResponse.getToken());
+            authenticatedUserResult = new OidcJwtTokenVerifier(this.oidcConfiguration).validateToken(oidcInitialResponse.getToken());
         } catch (Exception e) {
             throw new AuthenticationException("Could not validate the JWT");
         }
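Review bot: The new line builds `new OidcJwtTokenVerifier(this.oidcConfiguration)` inside the AUTHENTICATE path, so a fresh verifier is constructed for every authentication attempt; if the verifier keeps any per-instance state (a JWKS key cache or an HTTP client — not visible in this hunk), that state is thrown away each time and every login re-fetches from the identity provider, which makes repeated failed logins more expensive for the server than they need to be. Hold one instance in a `private final OidcJwtTokenVerifier tokenVerifier` field initialised in the constructor and use `authenticatedUserResult = tokenVerifier.validateToken(oidcInitialResponse.getToken());`. The surrounding `catch (Exception e)` still discards `e`, so a bad signature and an unreachable introspection endpoint are indistinguishable to an operator; passing the cause through, `throw new AuthenticationException("Could not validate the JWT", e);`, would help if AuthenticationException offers such a constructor. The enclosing method starts before and ends after this hunk.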
@@ -75,35 +72,4 @@ public class OAUTHAuthenticationProcessor implements AuthenticationProcessor {
 
         return authenticatedUser;
     }
-
-    private Optional<Username> validateToken(String token) {
-        if (this.oidcConfiguration.isCheckTokenByIntrospectionEndpoint()) {
-            return validTokenWithIntrospection(token);
-        } else if (this.oidcConfiguration.isCheckTokenByUserinfoEndpoint()) {
-            return validTokenWithUserInfo(token);
-        } else {
-            return OidcJwtTokenVerifier.verifySignatureAndExtractClaim(token, 
this.oidcConfiguration.getJwksURL(), this.oidcConfiguration.getClaim())
-                .map(Username::of);
-        }
-    }
-
-    private Optional<Username> validTokenWithUserInfo(String token) {
-        return Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(token,
-                this.oidcConfiguration.getJwksURL(),
-                this.oidcConfiguration.getClaim(),
-                this.oidcConfiguration.getUserInfoEndpoint().orElseThrow()))
-            .blockOptional()
-            .map(Username::of);
-    }
-
-    private Optional<Username> validTokenWithIntrospection(String token) {
-        return Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(token,
-                this.oidcConfiguration.getJwksURL(),
-                this.oidcConfiguration.getClaim(),
-                this.oidcConfiguration.getIntrospectionEndpoint()
-                    .map(endpoint -> new IntrospectionEndpoint(endpoint, 
this.oidcConfiguration.getIntrospectionEndpointAuthorization()))
-                    .orElseThrow()))
-            .blockOptional()
-            .map(Username::of);
-    }
 }
diff --git a/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java b/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java
index f689ffcc2e..204a39e688 100644
--- a/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java
+++ b/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java
@@ -23,9 +23,9 @@ package org.apache.james.managesieve.util;
 import java.util.Optional;
 
 import org.apache.james.core.Username;
+import org.apache.james.jwt.OidcSASLConfiguration;
 import org.apache.james.managesieve.api.Session;
 import org.apache.james.managesieve.api.commands.Authenticate;
-import org.apache.james.protocols.api.OidcSASLConfiguration;
 
 public class SettableSession implements Session {
 
diff --git a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
index 7f87132bb7..28af294b64 100644
--- a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
+++ b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
@@ -104,7 +104,7 @@ public class OidcJwtTokenVerifier {
     }
 
     @VisibleForTesting
-   Publisher<String> verifyWithUserinfo(String jwtToken, URL userinfoEndpoint) 
{
+    Publisher<String> verifyWithUserinfo(String jwtToken, URL 
userinfoEndpoint) {
         return Mono.fromCallable(() -> 
verifySignatureAndExtractClaim(jwtToken))
             .flatMap(optional -> 
optional.map(Mono::just).orElseGet(Mono::empty))
             .flatMap(claimResult -> 
Mono.from(CHECK_TOKEN_CLIENT.userInfo(userinfoEndpoint, jwtToken))
diff --git a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java
index cb59ef1811..0fbc52f46e 100644
--- a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java
+++ b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java
@@ -37,9 +37,6 @@ import com.google.common.base.Preconditions;
 public class OidcSASLConfiguration {
     private static final Logger LOGGER = LoggerFactory.getLogger(OidcSASLConfiguration.class);
 
-    private static final boolean FORCE_INTROSPECT = Boolean.parseBoolean(System.getProperty("james.sasl.oidc.force.introspect", "true"));
-    private static final boolean VALIDATE_AUD = Boolean.parseBoolean(System.getProperty("james.sasl.oidc.validate.aud", "true"));
-
     @VisibleForTesting
     static Builder builder() {
         return new Builder();
@@ -140,7 +137,7 @@ public class OidcSASLConfiguration {
         String aud = configuration.getString("aud", null);
 
         if (introspectionUrl == null) {
-            if (FORCE_INTROSPECT) {
+            if (Boolean.parseBoolean(System.getProperty("james.sasl.oidc.force.introspect", "true"))) {
                 throw new IllegalArgumentException("'introspection.url' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.force.introspect=false.");
             } else {
                 LOGGER.warn("'introspection.url' is mandatory for secure set up. This check was disabled with -Djames.sasl.oidc.force.introspect=false.");
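Review bot: Replacing the class-initialisation constant `FORCE_INTROSPECT` with a `System.getProperty` lookup at parse time means the secure default can now be switched off by any code that calls `System.setProperty` before a configuration is parsed (which is exactly what the new OIDCTest @BeforeAll methods do), and nothing records which value was in effect for a given parse; the `james.sasl.oidc.validate.aud` lookup in the next hunk has the same property. The property name and its default are also now duplicated inline at the check site rather than held in one place. Extract `private static boolean forceIntrospect()` / `validateAud()` helpers, or at least mark the intent at the call site with `// read per parse (not at class init) so tests can toggle it; production deployments must keep the default "true"`, and consider including the effective value in the existing warn so a disabled check is visible in logs. The enclosing method starts before and ends after this hunk.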
@@ -148,7 +145,7 @@ public class OidcSASLConfiguration {
         }
 
         if (aud == null) {
-            if (VALIDATE_AUD) {
+            if (Boolean.parseBoolean(System.getProperty("james.sasl.oidc.validate.aud", "true"))) {
                 throw new IllegalArgumentException("'aud' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.validate.aud=false.");
             } else {
                 LOGGER.warn("'aud' is mandatory for secure set up. This check was disabled with -Djames.sasl.oidc.validate.aud=false.");
diff --git a/server/protocols/jwt/src/test/java/org/apache/james/jwt/OidcTokenFixture.java b/server/protocols/jwt/src/test/java/org/apache/james/jwt/OidcTokenFixture.java
b/server/protocols/jwt/src/test/java/org/apache/james/jwt/OidcTokenFixture.java
index dcf09137ba..26b1d186e0 100644
--- a/server/protocols/jwt/src/test/java/org/apache/james/jwt/OidcTokenFixture.java
+++ b/server/protocols/jwt/src/test/java/org/apache/james/jwt/OidcTokenFixture.java
@@ -108,6 +108,7 @@ public class OidcTokenFixture {
 
     public static final String CLAIM = "email_address";
     public static final String USER_EMAIL_ADDRESS = "[email protected]";
+    public static final String AUDIENCE = "account";
     public static final String VALID_TOKEN = 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Inc4MFBzNUlhc24tYUdXbXcyVHJ4RGlOY2FocEgyc1h6NXBxZGhBbDlIWGMifQ.eyJleHAiOjM5Mzk1MDYxNjcsImlhdCI6MTYzOTUwNTg2NywiYXV0aF90aW1lIjozNjM5NTA1ODQxLCJqdGkiOiJjMjQ5ZTBkNi1jY2JiLTRmZDAtODI5Yi04OTM1MjczN2YzZGIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcmVhbG0xIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjIwNDUyNzFiLWMxYmItNDJiOC1hMTkwLThlYWI1MmYzYmEwOSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFjY291bnQtY29uc29sZSIsIm5
 [...]
     public static final String VALID_TOKEN_HAS_NOT_KID = 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjM5Mzk1MDYxNjcsImlhdCI6MTYzOTUwNTg2NywiYXV0aF90aW1lIjozNjM5NTA1ODQxLCJqdGkiOiJjMjQ5ZTBkNi1jY2JiLTRmZDAtODI5Yi04OTM1MjczN2YzZGIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcmVhbG0xIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjIwNDUyNzFiLWMxYmItNDJiOC1hMTkwLThlYWI1MmYzYmEwOSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFjY291bnQtY29uc29sZSIsIm5vbmNlIjoiNWUyOGJjNTAtODE5NS00NjM3LThmMWEtYWUzNWFlYTk0NTc1I
 [...]
     public static final String VALID_TOKEN_HAS_NOT_FOUND_KID = 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im5vdEZvdW5kIn0.eyJleHAiOjM5Mzk1MDYxNjcsImlhdCI6MTYzOTUwNTg2NywiYXV0aF90aW1lIjozNjM5NTA1ODQxLCJqdGkiOiJjMjQ5ZTBkNi1jY2JiLTRmZDAtODI5Yi04OTM1MjczN2YzZGIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcmVhbG0xIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjIwNDUyNzFiLWMxYmItNDJiOC1hMTkwLThlYWI1MmYzYmEwOSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFjY291bnQtY29uc29sZSIsIm5vbmNlIjoiNWUyOGJjNTAtODE5NS00
 [...]
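Review bot: `AUDIENCE = "account"` is added without saying what it has to agree with; the OIDCTest introspection responses return it as the `aud` claim and the server configuration sets `oidc.aud` to it, so it presumably must also match the audience encoded in VALID_TOKEN's payload — confirm, and record it so the next person who changes one does not silently break the others: `/** Expected {@code aud} claim; must match the audience embedded in VALID_TOKEN and the oidc.aud value the tests configure. */`.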
diff --git a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java
index 0e6454ad80..134d1b375c 100644
--- a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java
+++ b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveChannelUpstreamHandler.java
@@ -23,12 +23,12 @@ import java.io.Closeable;
 import java.net.InetSocketAddress;
 import java.util.Optional;
 
+import org.apache.james.jwt.OidcSASLConfiguration;
 import org.apache.james.managesieve.api.Session;
 import org.apache.james.managesieve.api.SessionTerminatedException;
 import org.apache.james.managesieve.transcode.ManageSieveProcessor;
 import org.apache.james.managesieve.transcode.NotEnoughDataException;
 import org.apache.james.managesieve.util.SettableSession;
-import org.apache.james.protocols.api.OidcSASLConfiguration;
 import org.apache.james.protocols.api.ProxyInformation;
 import org.apache.james.protocols.netty.Encryption;
 import org.slf4j.Logger;
diff --git a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java
index 3c52a0f6c7..7e1f55af7c 100644
--- a/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java
+++ b/server/protocols/protocols-managesieve/src/main/java/org/apache/james/managesieveserver/netty/ManageSieveServer.java
@@ -26,8 +26,8 @@ import java.util.Optional;
 import org.apache.commons.configuration2.HierarchicalConfiguration;
 import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.apache.commons.configuration2.tree.ImmutableNode;
+import org.apache.james.jwt.OidcSASLConfiguration;
 import org.apache.james.managesieve.transcode.ManageSieveProcessor;
-import org.apache.james.protocols.api.OidcSASLConfiguration;
 import org.apache.james.protocols.lib.netty.AbstractConfigurableAsyncServer;
 import org.apache.james.protocols.netty.AbstractChannelPipelineFactory;
 import 
org.apache.james.protocols.netty.AllButStartTlsLineChannelHandlerFactory;
diff --git a/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/ManageSieveClient.java b/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/ManageSieveClient.java
index c4f042b7ba..0f1e7cb9e1 100644
--- a/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/ManageSieveClient.java
+++ b/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/ManageSieveClient.java
@@ -92,8 +92,8 @@ public class ManageSieveClient extends SocketClient {
 
                 response = new ServerResponse(responseType, responseCode, 
explanation, lines);
             } else if (tokens[0].equals("+")) {
-                Optional explanation = Optional.of(tokens[1].substring(1, 
tokens[1].length() - 1));
-                response = new ServerResponse(ResponseType.CONTINUATION, 
Optional.empty(), explanation, new ArrayList());
+                Optional<String> explanation = 
Optional.of(tokens[1].substring(1, tokens[1].length() - 1));
+                response = new ServerResponse(ResponseType.CONTINUATION, 
Optional.empty(), explanation, new ArrayList<String>());
             } else {
                 lines.addLast(line);
             }
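Review bot: The newly typed line still indexes `tokens[1]` unconditionally and strips one character from each end, so a `+` continuation line with no explanation, or a one-character one, throws an ArrayIndexOutOfBoundsException/StringIndexOutOfBoundsException out of the test client instead of producing an empty explanation; guard it, e.g. `Optional<String> explanation = tokens.length > 1 && tokens[1].length() >= 2 ? Optional.of(tokens[1].substring(1, tokens[1].length() - 1)) : Optional.empty();`. `new ArrayList<String>()` could also be `new ArrayList<>()` to match the diamond style used elsewhere. The enclosing method starts before and ends after this hunk.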
diff --git a/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/OIDCTest.java b/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/OIDCTest.java
index 87ca3dbffe..fd2cb0b282 100644
--- a/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/OIDCTest.java
+++ b/server/protocols/protocols-managesieve/src/test/java/org/apache/james/managesieveserver/OIDCTest.java
@@ -30,6 +30,7 @@ import org.apache.james.util.ClassLoaderUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
@@ -85,6 +86,12 @@ public class OIDCTest {
             this.configuration.addProperty("oidc.scope", SCOPE);
         }
 
+        @BeforeAll
+        void initialSetup() {
+            System.setProperty("james.sasl.oidc.force.introspect", "false");
+            System.setProperty("james.sasl.oidc.validate.aud", "false");
+        }
+
         @BeforeEach
         void setUp() throws Exception {
             this.testSystem.setUp(this.configuration);
@@ -99,8 +106,10 @@ public class OIDCTest {
         }
 
         @AfterAll
-        void finalTearDown() {
+        void finalTeardown() {
             this.authServer.stop();
+            System.clearProperty("james.sasl.oidc.force.introspect");
+            System.clearProperty("james.sasl.oidc.validate.aud");
         }
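Review bot: The `System.clearProperty` calls at the end of `finalTeardown` only run if `this.authServer.stop()` returns normally; if stop throws, `james.sasl.oidc.force.introspect=false` and `james.sasl.oidc.validate.aud=false` stay set for every test class that later runs in the same JVM, silently disabling OidcSASLConfiguration's mandatory-introspection and aud checks there. Clear them in a finally block: `try { this.authServer.stop(); } finally { System.clearProperty("james.sasl.oidc.force.introspect"); System.clearProperty("james.sasl.oidc.validate.aud"); }`. Because these are JVM-wide properties, neither nested class can safely run concurrently with any other test that parses an OIDC configuration expecting the secure defaults; a comment on `initialSetup` stating that would help. The @BeforeAll/@AfterAll added here are instance methods while those added to the second nested class (hunk at -413,12 +429,24) are `static`; presumably this class runs with `@TestInstance(PER_CLASS)` (its pre-existing non-static @AfterAll suggests so) — confirm, and align the two classes.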
 
         @Test
@@ -204,7 +213,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s\"}", OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS), 
StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s\", \"aud\": \"%s\"}", OidcTokenFixture.CLAIM, 
OidcTokenFixture.USER_EMAIL_ADDRESS, OidcTokenFixture.AUDIENCE), 
StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
@@ -216,6 +225,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -234,7 +244,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody(String.format("{\"active\": false, \"%s\": 
\"%s\"}", OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS), 
StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"active\": false, \"%s\": 
\"%s\", \"aud\": \"%s\"}", OidcTokenFixture.CLAIM, 
OidcTokenFixture.USER_EMAIL_ADDRESS, OidcTokenFixture.AUDIENCE), 
StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
@@ -246,6 +256,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -264,7 +275,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s-wrong\"}", OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS), 
StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s-wrong\", \"aud\": \"%s\"}", OidcTokenFixture.CLAIM, 
OidcTokenFixture.USER_EMAIL_ADDRESS, OidcTokenFixture.AUDIENCE), 
StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
@@ -276,6 +287,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -294,7 +306,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody(String.format("{\"%s\": \"%s\"}", 
OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS), 
StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"%s\": \"%s\", \"aud\": 
\"%s\"}", OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS, 
OidcTokenFixture.AUDIENCE), StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
@@ -306,6 +318,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -324,7 +337,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody("{\"active\": true}", StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"active\": true, \"aud\": 
\"%s\"}", OidcTokenFixture.AUDIENCE), StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
@@ -336,6 +349,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -364,6 +378,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -382,7 +397,7 @@ public class OIDCTest {
                 .when(HttpRequest.request().withPath(INTROSPECTION_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(200)
                     .withHeader("Content-Type", "application/json")
-                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s\"}", OidcTokenFixture.CLAIM, OidcTokenFixture.USER_EMAIL_ADDRESS), 
StandardCharsets.UTF_8));
+                    .withBody(String.format("{\"active\": true, \"%s\": 
\"%s\", \"aud\": \"%s\"}", OidcTokenFixture.CLAIM, 
OidcTokenFixture.USER_EMAIL_ADDRESS, OidcTokenFixture.AUDIENCE), 
StandardCharsets.UTF_8));
             this.authServer
                 .when(HttpRequest.request().withPath(JWKS_URI_PATH))
                 .respond(HttpResponse.response().withStatusCode(500));
@@ -392,6 +407,7 @@ public class OIDCTest {
             configuration.addProperty("oidc.oidcConfigurationURL", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
DISCOVERY_URI_PATH));
             configuration.addProperty("oidc.scope", SCOPE);
             configuration.addProperty("oidc.introspection.url", 
String.format("http://127.0.0.1:%s%s";, this.authServer.getLocalPort(), 
INTROSPECTION_URI_PATH));
+            configuration.addProperty("oidc.aud", OidcTokenFixture.AUDIENCE);
             testSystem.setUp(configuration);
 
             ManageSieveClient client = new ManageSieveClient();
@@ -413,12 +429,24 @@ public class OIDCTest {
             this.testSystem = new ManageSieveServerTestSystem();
         }
 
+        @BeforeAll
+        static void initialSetup() {
+            System.setProperty("james.sasl.oidc.force.introspect", "false");
+            System.setProperty("james.sasl.oidc.validate.aud", "false");
+        }
+
         @AfterEach
         void tearDown() {
             this.testSystem.manageSieveServer.destroy();
             this.authServer.stop();
         }
 
+        @AfterAll
+        static void finalTeardown() {
+            System.clearProperty("james.sasl.oidc.force.introspect");
+            System.clearProperty("james.sasl.oidc.validate.aud");
+        }
+
         @Test
         void oauthbearerShouldSucceedWhenUserinfoClaimMatches() throws 
Exception {
             this.authServer = ClientAndServer.startClientAndServer(0);
diff --git a/server/protocols/protocols-managesieve/src/test/resources/managesieveserver-oidc.xml b/server/protocols/protocols-managesieve/src/test/resources/managesieveserver-oidc.xml
index 9125d16891..9ed26d0140 100644
--- a/server/protocols/protocols-managesieve/src/test/resources/managesieveserver-oidc.xml
+++ b/server/protocols/protocols-managesieve/src/test/resources/managesieveserver-oidc.xml
@@ -12,5 +12,9 @@
         <claim>sub</claim>
         
<oidcConfigurationURL>https://127.0.0.1/realms/test/.well-known/openid-configuration</oidcConfigurationURL>
         <scope>email</scope>
+        <introspection>
+            <url>https://127.0.0.1/oidc/introspect</url>
+        </introspection>
+        <aud>james</aud>
     </oidc>
 </managesieveserver>

