feature: support jwt client configuration (#93)

allow to set JWKS configuration for client authentication based on private_key_jwt standard
cloudfoundry · Oct 17, 2023 · 93bac69 · 93bac69
1 parent fe9cc20
commit 93bac69
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/lib/uaa/scim.rb b/lib/uaa/scim.rb
@@ -369,6 +369,28 @@ def change_secret(client_id, new_secret, old_secret = nil)
         "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/secret", req, headers))
   end
 
+  # Change client jwt trust configuration.
+  # * For a client to change its jwt client trust, the token in @auth_header must contain
+  #   "client.trust" scope.
+  # * For an admin to set a client secret, the token in @auth_header must contain
+  #   "uaa.admin" scope.
+  # @see https://docs.cloudfoundry.org/api/uaa/index.html#change-client-jwt
+  # @param [String] client_id the {Scim} +id+ attribute of the client
+  # @param [String] jwks_uri the URI to token endpoint
+  # @param [String] jwks the JSON Web Key Set
+  # @param [String] kid If changeMode is DELETE provide the id of key
+  # @param [String] changeMode Change mode, possible is ADD, UPDATE, DELETE
+  # @return [Hash] success message from server
+  def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil)
+    req = {"client_id" => client_id }
+    req["jwks_uri"] = jwks_uri if jwks_uri
+    req["jwks"] = jwks if jwks
+    req["kid"] = kid if kid
+    req["changeMode"] = changeMode if changeMode
+    json_parse_reply(@key_style, *json_put(@target,
+                                           "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/clientjwt", req, headers))
+  end
+
   def unlock_user(user_id)
     req = {"locked" => false}
     json_parse_reply(@key_style, *json_patch(@target,

diff --git a/spec/scim_spec.rb b/spec/scim_spec.rb
@@ -160,6 +160,30 @@ def check_headers(headers, content, accept, zone)
     result['id'].should == 'id12345'
   end
 
+  it "add a client's jwt trust using jwks_uri" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+      method.should == :put
+      check_headers(headers, :json, :json, nil)
+      body.should include('"jwks_uri":"http://localhost:8080/uaa/token_keys"')
+      [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+    end
+    result = subject.change_clientjwt('id12345', 'http://localhost:8080/uaa/token_keys')
+    result['id'].should == 'id12345'
+  end
+
+  it "add a client's jwt trust using jwks" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+      method.should == :put
+      check_headers(headers, :json, :json, nil)
+      body.should include('"jwks":"keys"')
+      [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+    end
+    result = subject.change_clientjwt('id12345', nil, 'keys')
+    result['id'].should == 'id12345'
+  end
+
   it 'unlocks a user' do
     subject.set_request_handler do |url, method, body, headers|
       url.should == "#{@target}/Users/id12345/status"