OIDC UserInfo Endpoint

Signed-off-by: Stephen Crawford <[email protected]>

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPOpenIdAuthenticator.java

@@ -46,9 +46,9 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 
-import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.APPLICATION_JSON;
+import static org.apache.hc.core5.http.ContentType.APPLICATION_JSON;
+import static org.apache.hc.core5.http.HttpHeaders.AUTHORIZATION;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.APPLICATION_JWT;
-import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.AUTHORIZATION_HEADER;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.CLIENT_ID;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.ISSUER_ID_URL;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.SUB_CLAIM;
@@ -60,14 +60,14 @@ public class HTTPOpenIdAuthenticator implements HTTPAuthenticator {
  private final Path configPath;
  private final int requestTimeoutMs = 10000;
  private final SettingsBasedSSLConfigurator.SSLConfig sslConfig;
- private final String userinfo_endpoint;
+ private final String userInfoEndpoint;
  private volatile HTTPJwtKeyByOpenIdConnectAuthenticator openIdJwtAuthenticator;
 
  public HTTPOpenIdAuthenticator(Settings settings, Path configPath) throws Exception {
  this.settings = settings;
  this.configPath = configPath;
  this.sslConfig = getSSLConfig(settings, configPath);
- userinfo_endpoint = settings.get("userinfo_endpoint");
+ userInfoEndpoint = settings.get("userinfo_endpoint");
  openIdJwtAuthenticator = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, configPath);
  }
 
@@ -83,7 +83,7 @@ public HTTPJwtKeyByOpenIdConnectAuthenticator getOpenIdJwtAuthenticator() {
  }
 
  public String getType() {
- return null;
+ return "oidc";
  }
 
  private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings settings, Path configPath) throws Exception {
@@ -92,7 +92,7 @@ private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings sett
 
  @Override
  public AuthCredentials extractCredentials(SecurityRequest request, ThreadContext context) throws OpenSearchSecurityException {
- if (this.userinfo_endpoint != null && !this.userinfo_endpoint.isBlank()) {
+ if (this.userInfoEndpoint != null && !this.userInfoEndpoint.isBlank()) {
  return extractCredentials0(request, context);
  }
  return (this.openIdJwtAuthenticator.extractCredentials(request, context));
@@ -141,37 +141,35 @@ public AuthCredentials extractCredentials0(SecurityRequest request, ThreadContex
 
  try (CloseableHttpClient httpClient = createHttpClient()) {
 
- HttpGet httpGet = new HttpGet(this.userinfo_endpoint);
+ HttpGet httpGet = new HttpGet(this.userInfoEndpoint);
 
  RequestConfig requestConfig = RequestConfig.custom()
  .setConnectionRequestTimeout(requestTimeoutMs, TimeUnit.MILLISECONDS)
  .setConnectTimeout(requestTimeoutMs, TimeUnit.MILLISECONDS)
  .build();
 
  httpGet.setConfig(requestConfig);
- httpGet.addHeader(AUTHORIZATION_HEADER, request.getHeaders().get(AUTHORIZATION_HEADER));
+ httpGet.addHeader(AUTHORIZATION, request.getHeaders().get(AUTHORIZATION));
 
  // HTTPGet should internally verify the appropriate TLS cert.
  try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
 
  if (response.getCode() < 200 || response.getCode() >= 300) {
  throw new AuthenticatorUnavailableException(
- "Error while getting " + this.userinfo_endpoint + ": " + response.getReasonPhrase()
+ "Error while getting " + this.userInfoEndpoint + ": " + response.getReasonPhrase()
  );
  }
 
  HttpEntity httpEntity = response.getEntity();
 
  if (httpEntity == null) {
- throw new AuthenticatorUnavailableException(
- "Error while getting " + this.userinfo_endpoint + ": Empty response entity"
- );
+ throw new AuthenticatorUnavailableException("Error while getting " + this.userInfoEndpoint + ": Empty response entity");
  }
 
  String contentType = httpEntity.getContentType();
- if (!contentType.contains(APPLICATION_JSON) && !contentType.contains(APPLICATION_JWT)) {
+ if (!contentType.contains(APPLICATION_JSON.getMimeType()) && !contentType.contains(APPLICATION_JWT)) {
  throw new AuthenticatorUnavailableException(
- "Error while getting " + this.userinfo_endpoint + ": Invalid content type in response"
+ "Error while getting " + this.userInfoEndpoint + ": Invalid content type in response"
  );
  }
 
@@ -191,7 +189,7 @@ public AuthCredentials extractCredentials0(SecurityRequest request, ThreadContex
  userinfoContent = content.toString();
  } catch (IOException e) {
  throw new AuthenticatorUnavailableException(
- "Error while getting " + this.userinfo_endpoint + ": Unable to read response content"
+ "Error while getting " + this.userInfoEndpoint + ": Unable to read response content"
  );
  }
 
@@ -208,7 +206,7 @@ public AuthCredentials extractCredentials0(SecurityRequest request, ThreadContex
  String missing = validateResponseClaims(claims, id, isSigned);
  if (!missing.isBlank()) {
  throw new AuthenticatorUnavailableException(
- "Error while getting " + this.userinfo_endpoint + ": Missing or invalid required claims in response: " + missing
+ "Error while getting " + this.userInfoEndpoint + ": Missing or invalid required claims in response: " + missing
  );
  }
 
@@ -231,7 +229,7 @@ public AuthCredentials extractCredentials0(SecurityRequest request, ThreadContex
  throw new RuntimeException(e);
  }
  } catch (IOException e) {
- throw new AuthenticatorUnavailableException("Error while getting " + this.userinfo_endpoint + ": " + e, e);
+ throw new AuthenticatorUnavailableException("Error while getting " + this.userInfoEndpoint + ": " + e, e);
  }
  }
 

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/OpenIdConstants.java

@@ -13,9 +13,7 @@
 
 public class OpenIdConstants {
 
- public static final String APPLICATION_JSON = "application/json";
  public static final String APPLICATION_JWT = "application/jwt";
- public static final String AUTHORIZATION_HEADER = "Authorization";
  public static final String CLIENT_ID = "client_id";
  public static final String ISSUER_ID_URL = "issuer_id_url";
  public static final String SUB_CLAIM = "sub";

src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/HTTPOpenIdAuthenticatorTests.java

@@ -448,7 +448,7 @@ public void userinfoEndpointReturnsJwtWithAllRequirementsTest() throws Exception
 
  @Test
  public void userinfoEndpointReturnsJwtWithRequiredAudIssFailsTest() throws Exception { // Setting a required issuer or audience
- // alongside userinfoendpoint settings causes
+ // alongside userinfo endpoint settings causes
  // failures in signed response cases
  Settings settings = Settings.builder()
  .put("openid_connect_url", mockIdpServer.getDiscoverUri())

src/test/java/com/amazon/dlic/auth/http/jwt/keybyoidc/MockIpdServer.java

@@ -44,7 +44,7 @@
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jwt.JWTClaimsSet;
 
-import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.APPLICATION_JSON;
+import static org.apache.hc.core5.http.ContentType.APPLICATION_JSON;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.OpenIdConstants.APPLICATION_JWT;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.TestJwts.MCCOY_SUBJECT;
 import static com.amazon.dlic.auth.http.jwt.keybyoidc.TestJwts.TEST_ROLES_STRING;