fix: use local key resolver for data plane token verification (#1167)

edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceExtension.java

@@ -22,6 +22,7 @@
 import org.eclipse.edc.connector.dataplane.spi.iam.DataPlaneAccessTokenService;
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.keys.spi.PrivateKeyResolver;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
@@ -64,6 +65,8 @@ public class DataPlaneTokenRefreshServiceExtension implements ServiceExtension {
     @Inject
     private DidPublicKeyResolver didPkResolver;
     @Inject
+    private LocalPublicKeyService localPublicKeyService;
+    @Inject
     private AccessTokenDataStore accessTokenDataStore;
     @Inject
     private PrivateKeyResolver privateKeyResolver;
@@ -108,7 +111,7 @@ private DataPlaneTokenRefreshServiceImpl getTokenRefreshService(ServiceExtension
             var tokenExpiry = getExpiryConfig(context);
             monitor.debug("Token refresh endpoint: %s".formatted(refreshEndpoint));
             monitor.debug("Token refresh time tolerance: %d s".formatted(expiryTolerance));
-            tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(clock, tokenValidationService, didPkResolver, accessTokenDataStore, new JwtGenerationService(),
+            tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(clock, tokenValidationService, didPkResolver, localPublicKeyService, accessTokenDataStore, new JwtGenerationService(),
                     getPrivateKeySupplier(context), context.getMonitor(), refreshEndpoint, expiryTolerance, tokenExpiry,
                     () -> context.getConfig().getString(TOKEN_VERIFIER_PUBLIC_KEY_ALIAS), vault, typeManager.getMapper());
         }

edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImpl.java

@@ -27,6 +27,7 @@
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.iam.TokenParameters;
 import org.eclipse.edc.spi.iam.TokenRepresentation;
@@ -77,6 +78,7 @@ public class DataPlaneTokenRefreshServiceImpl implements DataPlaneTokenRefreshSe
     private final List<TokenValidationRule> accessTokenAuthorizationRules;
     private final TokenValidationService tokenValidationService;
     private final DidPublicKeyResolver publicKeyResolver;
+    private final LocalPublicKeyService localPublicKeyService;
     private final AccessTokenDataStore accessTokenDataStore;
     private final TokenGenerationService tokenGenerationService;
     private final Supplier<PrivateKey> privateKeySupplier;
@@ -90,6 +92,7 @@ public class DataPlaneTokenRefreshServiceImpl implements DataPlaneTokenRefreshSe
     public DataPlaneTokenRefreshServiceImpl(Clock clock,
                                             TokenValidationService tokenValidationService,
                                             DidPublicKeyResolver publicKeyResolver,
+                                            LocalPublicKeyService localPublicKeyService,
                                             AccessTokenDataStore accessTokenDataStore,
                                             TokenGenerationService tokenGenerationService,
                                             Supplier<PrivateKey> privateKeySupplier,
@@ -102,6 +105,7 @@ public DataPlaneTokenRefreshServiceImpl(Clock clock,
                                             ObjectMapper objectMapper) {
         this.tokenValidationService = tokenValidationService;
         this.publicKeyResolver = publicKeyResolver;
+        this.localPublicKeyService = localPublicKeyService;
         this.accessTokenDataStore = accessTokenDataStore;
         this.tokenGenerationService = tokenGenerationService;
         this.privateKeySupplier = privateKeySupplier;
@@ -235,7 +239,7 @@ public Result<TokenRepresentation> obtainToken(TokenParameters tokenParameters,
 
     @Override
     public Result<AccessTokenData> resolve(String token) {
-        return tokenValidationService.validate(token, publicKeyResolver, accessTokenAuthorizationRules)
+        return tokenValidationService.validate(token, localPublicKeyService, accessTokenAuthorizationRules)
                 .compose(claimToken -> {
                     var id = claimToken.getStringClaim(JWTClaimNames.JWT_ID);
                     var tokenData = accessTokenDataStore.getById(id);

edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplComponentTest.java

@@ -34,6 +34,7 @@
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
 import org.eclipse.edc.junit.annotations.ComponentTest;
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.query.CriterionOperatorRegistryImpl;
 import org.eclipse.edc.security.token.jwt.CryptoConverter;
 import org.eclipse.edc.spi.iam.TokenParameters;
@@ -69,6 +70,7 @@ class DataPlaneTokenRefreshServiceImplComponentTest {
     public static final String CONSUMER_DID = "did:web:bob";
     public static final String PROVIDER_DID = "did:web:alice";
     private final DidPublicKeyResolver didPkResolverMock = mock();
+    private final LocalPublicKeyService localPublicKeyService = mock();
     private DataPlaneTokenRefreshServiceImpl tokenRefreshService;
     private InMemoryAccessTokenDataStore tokenDataStore;
     private ECKey consumerKey;
@@ -86,6 +88,7 @@ void setup() throws JOSEException {
         tokenRefreshService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(),
                 new TokenValidationServiceImpl(),
                 didPkResolverMock,
+                localPublicKeyService,
                 tokenDataStore,
                 new JwtGenerationService(),
                 () -> privateKey,
@@ -97,6 +100,9 @@ void setup() throws JOSEException {
                 new InMemoryVault(mock()),
                 new ObjectMapper());
 
+        when(localPublicKeyService.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey()));
+        when(localPublicKeyService.resolveKey(eq(providerKey.getKeyID()))).thenReturn(Result.success(providerKey.toPublicKey()));
+
         when(didPkResolverMock.resolveKey(eq(consumerKey.getKeyID()))).thenReturn(Result.success(consumerKey.toPublicKey()));
         when(didPkResolverMock.resolveKey(eq(providerKey.getKeyID()))).thenReturn(Result.success(providerKey.toPublicKey()));
     }

edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/test/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/DataPlaneTokenRefreshServiceImplTest.java

@@ -23,6 +23,7 @@
 import org.eclipse.edc.connector.dataplane.spi.AccessTokenData;
 import org.eclipse.edc.connector.dataplane.spi.store.AccessTokenDataStore;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.iam.TokenParameters;
 import org.eclipse.edc.spi.iam.TokenRepresentation;
@@ -65,7 +66,10 @@ class DataPlaneTokenRefreshServiceImplTest {
     private final TokenValidationService tokenValidationService = mock();
     private final DidPublicKeyResolver didPublicKeyResolver = mock();
 
-    private final DataPlaneTokenRefreshServiceImpl accessTokenService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(), tokenValidationService, didPublicKeyResolver, accessTokenDataStore, tokenGenService, mock(), mock(),
+    private final LocalPublicKeyService localPublicKeyService = mock();
+
+    private final DataPlaneTokenRefreshServiceImpl accessTokenService = new DataPlaneTokenRefreshServiceImpl(Clock.systemUTC(),
+            tokenValidationService, didPublicKeyResolver, localPublicKeyService, accessTokenDataStore, tokenGenService, mock(), mock(),
             "https://example.com", 1, 300L,
             () -> "keyid", mock(), new ObjectMapper());