Switch JWT library implementations from cxf to nimbus

build.gradle

@@ -198,10 +198,6 @@ test {
     if (JavaVersion.current() > JavaVersion.VERSION_1_8) {
         jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
     }
-    retry {
-        failOnPassedAfterRetry = false
-        maxRetries = 5
-    }
     jacoco {
         excludes = [
                 "com.sun.jndi.dns.*",
@@ -245,10 +241,10 @@ def setCommonTestConfig(Test task) {
     if (JavaVersion.current() > JavaVersion.VERSION_1_8) {
         task.jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
     }
-    task.retry {
-        failOnPassedAfterRetry = false
-        maxRetries = 5
-    }
+    // task.retry {
+    //     failOnPassedAfterRetry = false
+    //     maxRetries = 5
+    // }
     task.jacoco {
         excludes = [
                 "com.sun.jndi.dns.*",
@@ -464,11 +460,11 @@ task integrationTest(type: Test) {
     systemProperty "java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager"
     testClassesDirs = sourceSets.integrationTest.output.classesDirs
     classpath = sourceSets.integrationTest.runtimeClasspath
-    retry {
-        failOnPassedAfterRetry = false
-        maxRetries = 2
-        maxFailures = 10
-    }
+    // retry {
+    //     failOnPassedAfterRetry = false
+    //     maxRetries = 2
+    //     maxFailures = 10
+    // }
     //run the integrationTest task after the test task
     shouldRunAfter test
 }
@@ -488,6 +484,7 @@ dependencies {
     implementation 'commons-cli:commons-cli:1.5.0'
     implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
     implementation 'org.ldaptive:ldaptive:1.2.3'
+    implementation 'com.nimbusds:nimbus-jose-jwt:9.31'
 
     //JWT
     implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"

checkstyle/checkstyle.xml

@@ -219,6 +219,13 @@
     <property name="severity" value="error"/>
   </module>
 
+  <module name="RegexpSingleline">
+    <property name="format" value="println"/>
+    <property name="ignoreCase" value="true"/>
+    <property name="message" value="SYSTEM.OUT.PRINTLN NONONO!" />
+    <property name="severity" value="error"/>
+  </module>
+
   <module name="RegexpSingleline">
     <property name="format" value="extension"/>
     <property name="ignoreCase" value="true"/>

src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java

@@ -14,13 +14,14 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.text.ParseException;
 import java.util.Collection;
 import java.util.Map.Entry;
 import java.util.regex.Pattern;
 
 import com.google.common.annotations.VisibleForTesting;
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -108,7 +109,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) throws Op
             return null;
         }
 
-        JwtToken jwt;
+        SignedJWT jwt;
 
         try {
             jwt = jwtVerifier.getVerifiedJwtToken(jwtString);
@@ -120,7 +121,13 @@ private AuthCredentials extractCredentials0(final RestRequest request) throws Op
             return null;
         }
 
-        JwtClaims claims = jwt.getClaims();
+        JWTClaimsSet claims = null;
+        try {
+            claims = jwt.getJWTClaimsSet();
+        } catch (ParseException e) {
+            log.info("Extracting JWT token from {} failed", jwtString, e);
+            return null;
+        }
 
         final String subject = extractSubject(claims);
 
@@ -133,7 +140,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) throws Op
 
         final AuthCredentials ac = new AuthCredentials(subject, roles).markComplete();
 
-        for (Entry<String, Object> claim : claims.asMap().entrySet()) {
+        for (Entry<String, Object> claim : claims.getClaims().entrySet()) {
             ac.addAttribute("attr.jwt." + claim.getKey(), String.valueOf(claim.getValue()));
         }
 
@@ -170,7 +177,7 @@ protected String getJwtTokenString(RestRequest request) {
     }
 
     @VisibleForTesting
-    public String extractSubject(JwtClaims claims) {
+    public String extractSubject(JWTClaimsSet claims) {
         String subject = claims.getSubject();
 
         if (subjectKey != null) {
@@ -200,7 +207,7 @@ public String extractSubject(JwtClaims claims) {
 
     @SuppressWarnings("unchecked")
     @VisibleForTesting
-    public String[] extractRoles(JwtClaims claims) {
+    public String[] extractRoles(JWTClaimsSet claims) {
         if (rolesKey == null) {
             return new String[0];
         }

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/JwtVerifier.java

@@ -12,21 +12,24 @@
 package com.amazon.dlic.auth.http.jwt.keybyoidc;
 
 import com.google.common.base.Strings;
+import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.Ed25519Verifier;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.KeyType;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.OctetKeyPair;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jwt.proc.BadJWTException;
 import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.KeyType;
-import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-import org.apache.cxf.rs.security.jose.jwt.JwtException;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.text.ParseException;
+import java.util.List;
+
 public class JwtVerifier {
 
     private final static Logger log = LogManager.getLogger(JwtVerifier.class);
@@ -43,31 +46,29 @@ public JwtVerifier(KeyProvider keyProvider, int clockSkewToleranceSeconds, Strin
         this.requiredAudience = requiredAudience;
     }
 
-    public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
+    public SignedJWT getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException {
         try {
-            JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
-            JwtToken jwt = jwtConsumer.getJwtToken();
+            SignedJWT jwt = SignedJWT.parse(encodedJwt);
 
-            String escapedKid = jwt.getJwsHeaders().getKeyId();
+            String escapedKid = jwt.getHeader().getKeyID();
             String kid = escapedKid;
             if (!Strings.isNullOrEmpty(kid)) {
                 kid = StringEscapeUtils.unescapeJava(escapedKid);
             }
-            JsonWebKey key = keyProvider.getKey(kid);
+             JWK key = keyProvider.getKey(kid);
 
-            // Algorithm is not mandatory for the key material, so we set it to the same as the JWT
-            if (key.getAlgorithm() == null && key.getPublicKeyUse() == PublicKeyUse.SIGN && key.getKeyType() == KeyType.RSA) {
-                key.setAlgorithm(jwt.getJwsHeaders().getAlgorithm());
+            // TODO algorithm is final in jose implementation. Algorithm is not mandatory for the key material, so we set it to the same as the JWT, check if it's even necessary
+            if (key.getAlgorithm() == null && key.getKeyUse() == KeyUse.SIGNATURE && key.getKeyType() == KeyType.RSA) {
+//                key.setAlgorithm(jwt.getJwsHeaders().getAlgorithm());
             }
 
-            JwsSignatureVerifier signatureVerifier = getInitializedSignatureVerifier(key, jwt);
-
-            boolean signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
+            JWSVerifier signatureVerifier = getInitializedSignatureVerifier(key, jwt);
+            boolean signatureValid = jwt.verify(signatureVerifier);
 
             if (!signatureValid && Strings.isNullOrEmpty(kid)) {
                 key = keyProvider.getKeyAfterRefresh(null);
                 signatureVerifier = getInitializedSignatureVerifier(key, jwt);
-                signatureValid = jwtConsumer.verifySignatureWith(signatureVerifier);
+                signatureValid = jwt.verify(signatureVerifier);
             }
 
             if (!signatureValid) {
@@ -77,18 +78,20 @@ public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsExce
             validateClaims(jwt);
 
             return jwt;
-        } catch (JwtException e) {
+        } catch (JOSEException | ParseException e) {
             throw new BadCredentialsException(e.getMessage(), e);
+        } catch (BadJWTException e) {
+            throw new RuntimeException(e);
         }
     }
 
-    private void validateSignatureAlgorithm(JsonWebKey key, JwtToken jwt) throws BadCredentialsException {
-        if (Strings.isNullOrEmpty(key.getAlgorithm())) {
+    private void validateSignatureAlgorithm(JWK key, SignedJWT jwt) throws BadCredentialsException {
+        if (key.getAlgorithm() == null || jwt.getHeader().getAlgorithm() == null) {
             return;
         }
 
-        SignatureAlgorithm keyAlgorithm = SignatureAlgorithm.getAlgorithm(key.getAlgorithm());
-        SignatureAlgorithm tokenAlgorithm = SignatureAlgorithm.getAlgorithm(jwt.getJwsHeaders().getAlgorithm());
+        Algorithm keyAlgorithm = key.getAlgorithm();
+        Algorithm tokenAlgorithm = jwt.getHeader().getAlgorithm();
 
         if (!keyAlgorithm.equals(tokenAlgorithm)) {
             throw new BadCredentialsException(
@@ -97,38 +100,41 @@ private void validateSignatureAlgorithm(JsonWebKey key, JwtToken jwt) throws Bad
         }
     }
 
-    private JwsSignatureVerifier getInitializedSignatureVerifier(JsonWebKey key, JwtToken jwt) throws BadCredentialsException,
-        JwtException {
+    private JWSVerifier getInitializedSignatureVerifier(JWK key, SignedJWT jwt) throws BadCredentialsException, JOSEException {
 
         validateSignatureAlgorithm(key, jwt);
-        JwsSignatureVerifier result = JwsUtils.getSignatureVerifier(key, jwt.getJwsHeaders().getSignatureAlgorithm());
+        if(key.getClass() != OctetKeyPair.class) {
+            throw new BadCredentialsException("Cannot verify JWT");
+        }
+        JWSVerifier result = new Ed25519Verifier((OctetKeyPair) key);
         if (result == null) {
             throw new BadCredentialsException("Cannot verify JWT");
         } else {
             return result;
         }
     }
 
-    private void validateClaims(JwtToken jwt) throws JwtException {
-        JwtClaims claims = jwt.getClaims();
+    private void validateClaims(SignedJWT jwt) throws ParseException, BadJWTException {
+        JWTClaimsSet claims = jwt.getJWTClaimsSet();
 
         if (claims != null) {
-            JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
-            JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
+            //TODO
+//            JwtUtils.validateJwtExpiry(claims, clockSkewToleranceSeconds, false);
+//            JwtUtils.validateJwtNotBefore(claims, clockSkewToleranceSeconds, false);
             validateRequiredAudienceAndIssuer(claims);
         }
     }
 
-    private void validateRequiredAudienceAndIssuer(JwtClaims claims) {
-        String audience = claims.getAudience();
+    private void validateRequiredAudienceAndIssuer(JWTClaimsSet claims) throws BadJWTException {
+        List<String> audience = claims.getAudience();
         String issuer = claims.getIssuer();
 
-        if (!Strings.isNullOrEmpty(requiredAudience) && !requiredAudience.equals(audience)) {
-            throw new JwtException("Invalid audience");
+        if (!Strings.isNullOrEmpty(requiredAudience) && !requiredAudience.equals(audience.stream().findFirst().orElse(""))) {
+            throw new BadJWTException("Invalid audience");
         }
 
         if (!Strings.isNullOrEmpty(requiredIssuer) && !requiredIssuer.equals(issuer)) {
-            throw new JwtException("Invalid issuer");
+            throw new BadJWTException("Invalid issuer");
         }
     }
 }

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeyProvider.java

@@ -11,10 +11,9 @@
 
 package com.amazon.dlic.auth.http.jwt.keybyoidc;
 
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import com.nimbusds.jose.jwk.JWK;
 
 public interface KeyProvider {
-    public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
-
-    public JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
+    JWK getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
+    JWK getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException;
 }

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetProvider.java

@@ -11,9 +11,9 @@
 
 package com.amazon.dlic.auth.http.jwt.keybyoidc;
 
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
+import com.nimbusds.jose.jwk.JWKSet;
 
 @FunctionalInterface
 public interface KeySetProvider {
-    JsonWebKeys get() throws AuthenticatorUnavailableException;
+    JWKSet get() throws AuthenticatorUnavailableException;
 }

src/main/java/com/amazon/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java

@@ -12,11 +12,11 @@
 package com.amazon.dlic.auth.http.jwt.keybyoidc;
 
 import java.io.IOException;
+import java.text.ParseException;
 import java.util.concurrent.TimeUnit;
 
+import com.nimbusds.jose.jwk.JWKSet;
 import joptsimple.internal.Strings;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.hc.client5.http.cache.HttpCacheContext;
 import org.apache.hc.client5.http.cache.HttpCacheStorage;
 import org.apache.hc.client5.http.classic.methods.HttpGet;
@@ -70,7 +70,7 @@ public class KeySetRetriever implements KeySetProvider {
         configureCache(useCacheForOidConnectEndpoint);
     }
 
-    public JsonWebKeys get() throws AuthenticatorUnavailableException {
+    public JWKSet get() throws AuthenticatorUnavailableException {
         String uri = getJwksUri();
 
         try (CloseableHttpClient httpClient = createHttpClient(null)) {
@@ -94,10 +94,13 @@ public JsonWebKeys get() throws AuthenticatorUnavailableException {
                 if (httpEntity == null) {
                     throw new AuthenticatorUnavailableException("Error while getting " + uri + ": Empty response entity");
                 }
-
-                JsonWebKeys keySet = JwkUtils.readJwkSet(httpEntity.getContent());
+                //TODO
+                JWKSet keySet = JWKSet.load(httpEntity.getContent());
+//                JWKSet keySet = JwkUtils.readJwkSet(httpEntity.getContent());
 
                 return keySet;
+            } catch (ParseException e) {
+                throw new RuntimeException(e);
             }
         } catch (IOException e) {
             throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + e, e);