feat(jans-cedarling): improve error handling for JWKS responses

[rmarinn]

NOTE: this merge is dependent on #9999

Prepare

• Read PR guidelines
• Read license information

---

Description

This PR enhances the error handling mechanism when fetching from a remote JWKS so that Cedarling does not halt initialization when encountering a key with an unsupported algorithm. This improvement will allow for smoother operation and better handling of dynamic key sets.

Target issue

target issue: #9966

closes #9966

Implementation Details

• added logic to skip over JWKs that use unsupported algorithms without breaking the initialization process
• updated error handling to avoid stopping service initialization when encountering unknown algorithm variants in JWKs

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the security and reliability of the JWT (JSON Web Token) handling and validation functionality in the cedarling project, with changes spanning multiple files and addressing various aspects of JWT processing, including decoding, validation, error handling, and key management.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and reliability of the JWT (JSON Web Token) handling and validation functionality in the cedarling project. The changes span multiple files and address various aspects of JWT processing, including decoding, validation, error handling, and key management.

The key security-related improvements include:

1. Conditional inclusion of the "exp" (expiration) claim in the list of required claims, allowing the application to optionally skip the validation of the expiration claim.
2. Explicit handling of unsupported algorithms, ensuring that the application only processes tokens signed with approved algorithms.
3. Comprehensive error handling and reporting, with the introduction of new error types to provide detailed information about various failure scenarios.
4. Secure key management, including the use of thread-safe and shared-ownership wrappers for the cryptographic keys used in the JWT decoding process.
5. Robust validation of JWT claims, such as "iss", "aud", "sub", "nbf", and "exp", to ensure the integrity and authenticity of the tokens.
6. Graceful handling of missing or unsupported keys in the JWKS (JSON Web Key Set) returned by the trusted issuer.

Overall, the changes in this pull request demonstrate a security-conscious approach to the implementation of JWT-based authentication and authorization in the cedarling project, with a focus on mitigating potential security vulnerabilities and maintaining the reliability and robustness of the system.

Files Changed:

1. jans-cedarling/cedarling/src/jwt/decoding_strategy.rs: Improvements to the JWT decoding and validation logic, including the conditional inclusion of the "exp" claim and the handling of unsupported algorithms.
2. jans-cedarling/cedarling/src/jwt/decoding_strategy/error.rs: Introduction of a new JwtDecodingError enum to handle various error cases that can occur during JWT decoding and validation.
3. jans-cedarling/cedarling/examples/authorize_with_jwt_validation.rs: Demonstration of JWT validation and policy-based authorization using the Cedarling library.
4. jans-cedarling/cedarling/src/init/service_config.rs: Changes to the HTTP client implementation and the handling of trusted issuers and OpenID configurations.
5. jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service/openid_config.rs: Improvements to the thread-safe and shared-ownership handling of the cryptographic keys used for JWT decoding.
6. jans-cedarling/cedarling/src/jwt/jwt_service_config.rs: Refactoring of the JWT service configuration to use an abstraction for the HTTP client.
7. jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service.rs: Implementation of a KeyService for retrieving and caching the cryptographic keys used for JWT decoding.
8. jans-cedarling/cedarling/src/jwt/decoding_strategy/key_service/error.rs: Enhancements to the KeyServiceError enum to handle various error conditions related to key management.
9. jans-cedarling/cedarling/src/jwt/mod.rs: Improvements to the JWT validation logic, including more comprehensive checks on the access_token, id_token, and userinfo_token.
10. jans-cedarling/cedarling/src/jwt/test/with_validation/: Addition of various test cases to ensure the proper handling of different JWT-related error scenarios.

Code Analysis

We ran 9 analyzers against 17 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[abaghinyan]

Some suggestions for improvement

[nynymike]

Why am I still seeing raw binary tokens?

[rmarinn]

that's the example file to show how the user can use their own tokens from the test server. please see authorize_with_validation.rs for the instructions.

[djellemah]

Looks fine to me.

[olehbozhok]

Probably we can remove /// # Panics if it has no text