Switch JWT library implementations from cxf to nimbus

[MaciejMierzwa]

Description

Switch from org.apache.cxf.rs.security.jose to com.nimbusds.jose.jwk.

Issues Resolved

#3267

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff
• Add a checkstyle rule to detect including references to org.apache.cxf.rs.security.jose
• Remove all references to org.apache.cxf.rs.security.jose [15] files impacted
• Replace all unfulfilled references with com.nimbusds.jose.* components
• Add backwards combability tests for any features that have previously shipped

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #3421 (9c667e4) into main (23359f6) will decrease coverage by 0.07%.
Report is 25 commits behind head on main.
The diff coverage is 78.26%.

@@             Coverage Diff              @@
##               main    #3421      +/-   ##
============================================
- Coverage     64.97%   64.90%   -0.07%     
+ Complexity     3638     3637       -1     
============================================
  Files           281      284       +3     
  Lines         20581    20618      +37     
  Branches       3398     3390       -8     
============================================
+ Hits          13372    13383      +11     
- Misses         5520     5553      +33     
+ Partials       1689     1682       -7     

Files	Coverage Δ
...ic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	59.77% <100.00%> (ø)
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java	67.36% <ø> (-1.09%)	⬇️
.../dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java	79.04% <33.33%> (-1.54%)	⬇️
...azon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java	79.62% <85.71%> (-9.05%)	⬇️
...nsearch/security/authtoken/jwt/KeyPaddingUtil.java	57.14% <57.14%> (ø)
.../auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java	57.74% <58.33%> (-8.46%)	⬇️
...g/opensearch/security/authtoken/jwt/JwtVendor.java	88.13% <87.17%> (-8.84%)	⬇️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java	50.28% <75.00%> (+3.87%)	⬆️

... and 31 files with indirect coverage changes

[RyanL1997]

Hi @MaciejMierzwa, thanks for working on this. I know the pr is still in draft, and I just left some comment for now.

[willyborankin]

Overall LGTM except some comments I left.
I think we need use LocalDateTime or DateTime or TimeUnit or ChronoUnit. To calculate expiration time for tokens.

[RyanL1997]

Everything has been fixed.

[RyanL1997]

looking into the failure of ci fixed

[peternied]

Thanks for the answers, looks great @RyanL1997 & @MaciejMierzwa

[DarshitChanpura]

LGTM!

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3421-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4f89b4a782aee54a1c69460a30903b0d0d6b7565
# Push it to GitHub
git push --set-upstream origin backport/backport-3421-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3421-to-2.x.

[RyanL1997]

Manual backport has been created: #3595