Feature/jwks kid (#64)

* jwks: kid added * jwks: kid test added * jwks: kid changed to be a public rsakey thumprint
AbsaOSS · Aug 23, 2023 · 526c256 · 526c256
1 parent 8490769
commit 526c256
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/service/src/main/scala/za/co/absa/loginsvc/rest/service/JWTService.scala b/service/src/main/scala/za/co/absa/loginsvc/rest/service/JWTService.scala
@@ -38,6 +38,7 @@ class JWTService @Autowired()(jwtConfigProvider: JwtConfigProvider) {
 
   private val jwtConfig = jwtConfigProvider.getJWTConfig
   private val rsaKeyPair: KeyPair = Keys.keyPairFor(SignatureAlgorithm.valueOf(jwtConfig.algName))
+  private val kid: String = publicKeyThumbprint
 
   def generateToken(user: User): String = {
     import scala.collection.JavaConverters._
@@ -55,6 +56,7 @@ class JWTService @Autowired()(jwtConfigProvider: JwtConfigProvider) {
       .setSubject(user.name)
       .setExpiration(expiration)
       .setIssuedAt(issuedAt)
+      .claim("kid", kid)
       .claim("groups", groupsClaim)
       .applyIfDefined(user.email, (builder, value: String) => builder.claim("email", value))
       .applyIfDefined(user.displayName, (builder, value: String) => builder.claim("displayname", value))
@@ -64,14 +66,21 @@ class JWTService @Autowired()(jwtConfigProvider: JwtConfigProvider) {
 
   def publicKey: PublicKey = rsaKeyPair.getPublic
 
-  def jwks: JWKSet = {
-    val jwk = publicKey match {
+  private def rsaPublicKey: RSAKey = {
+    publicKey match {
       case rsaKey: RSAPublicKey => new RSAKey.Builder(rsaKey)
         .keyUse(KeyUse.SIGNATURE)
         .algorithm(JWSAlgorithm.parse(jwtConfig.algName))
+        .keyID(kid)
         .build()
       case _ => throw new IllegalArgumentException("Unsupported public key type")
     }
+  }
+
+  def publicKeyThumbprint: String = rsaPublicKey.computeThumbprint().toString
+
+  def jwks: JWKSet = {
+    val jwk = rsaPublicKey
     new JWKSet(jwk).toPublicJWKSet
   }
 }

diff --git a/service/src/test/scala/za/co/absa/loginsvc/rest/service/JWTServiceTest.scala b/service/src/test/scala/za/co/absa/loginsvc/rest/service/JWTServiceTest.scala
@@ -91,6 +91,17 @@ class JWTServiceTest extends AnyFlatSpec {
     }
   }
 
+  it should "return a JWT kid" in {
+    val jwt = jwtService.generateToken(userWithoutEmailAndGroups)
+    val parsedJWT = parseJWT(jwt)
+
+    assert(parsedJWT.isSuccess)
+    parsedJWT.foreach { jwt =>
+      val kid = jwt.getBody.get("kid")
+      assert(kid === jwtService.publicKeyThumbprint)
+    }
+  }
+
   it should "turn groups into empty `groups` claim for user without groups" in {
     import scala.collection.JavaConverters._