Remove the enforcing of token type for OBO auth

Signed-off-by: Ryan Liang <[email protected]>

src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java

@@ -113,16 +113,13 @@ public String createJwt(
         List<String> roles,
         List<String> backendRoles
     ) throws Exception {
-        String tokenIdentifier = "obo";
         long timeMillis = timeProvider.getAsLong();
         Instant now = Instant.ofEpochMilli(timeProvider.getAsLong());
 
         jwtProducer.setSignatureProvider(JwsUtils.getSignatureProvider(signingKey));
         JwtClaims jwtClaims = new JwtClaims();
         JwtToken jwt = new JwtToken(jwtClaims);
 
-        jwtClaims.setProperty("typ", tokenIdentifier);
-
         jwtClaims.setIssuer(issuer);
 
         jwtClaims.setIssuedAt(timeMillis);

src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java

@@ -204,11 +204,11 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
                 return null;
             }
 
-            final String tokenType = claims.get(TOKEN_TYPE_CLAIM).toString();
-            if (!tokenType.equals(TOKEN_TYPE)) {
-                log.error("This toke is not verifying as an on-behalf-of token");
-                return null;
-            }
+//            final String tokenType = claims.get(TOKEN_TYPE_CLAIM).toString();
+//            if (!tokenType.equals(TOKEN_TYPE)) {
+//                log.error("This toke is not verifying as an on-behalf-of token");
+//                return null;
+//            }
 
             final String issuer = claims.getIssuer();
             final String clusterName = OpenSearchSecurityPlugin.getClusterName().getClusterName().value();

src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java

@@ -63,7 +63,6 @@ public void testCreateJwtWithRoles() throws Exception {
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
 
-        Assert.assertEquals("obo", jwt.getClaim("typ"));
         Assert.assertEquals("cluster_0", jwt.getClaim("iss"));
         Assert.assertEquals("admin", jwt.getClaim("sub"));
         Assert.assertEquals("audience_0", jwt.getClaim("aud"));

src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java

@@ -74,7 +74,7 @@ public void testNoKey() throws Exception {
             final AuthCredentials credentials = extractCredentialsFromJwtHeader(
                 null,
                 claimsEncryptionKey,
-                Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"),
+                Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"),
                 false
             );
             Assert.fail("Expected a RuntimeException");
@@ -90,7 +90,7 @@ public void testEmptyKey() throws Exception {
             final AuthCredentials credentials = extractCredentialsFromJwtHeader(
                 null,
                 claimsEncryptionKey,
-                Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"),
+                Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"),
                 false
             );
             Assert.fail("Expected a RuntimeException");
@@ -106,7 +106,7 @@ public void testBadKey() throws Exception {
             final AuthCredentials credentials = extractCredentialsFromJwtHeader(
                 BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 }),
                 claimsEncryptionKey,
-                Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"),
+                Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"),
                 false
             );
             Assert.fail("Expected a WeakKeyException");
@@ -143,7 +143,6 @@ public void testInvalid() throws Exception {
     public void testDisabled() throws Exception {
         String jwsToken = Jwts.builder()
             .setIssuer(clusterNameString)
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
@@ -161,7 +160,6 @@ public void testDisabled() throws Exception {
     public void testNonSpecifyOBOSetting() throws Exception {
         String jwsToken = Jwts.builder()
             .setIssuer(clusterNameString)
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
@@ -180,7 +178,6 @@ public void testBearer() throws Exception {
 
         String jwsToken = Jwts.builder()
             .setIssuer(clusterNameString)
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
@@ -196,15 +193,14 @@ public void testBearer() throws Exception {
         Assert.assertEquals("Leonard McCoy", credentials.getUsername());
         Assert.assertEquals(0, credentials.getSecurityRoles().size());
         Assert.assertEquals(0, credentials.getBackendRoles().size());
-        Assert.assertEquals(4, credentials.getAttributes().size());
+        Assert.assertEquals(3, credentials.getAttributes().size());
     }
 
     @Test
     public void testBearerWrongPosition() throws Exception {
 
         String jwsToken = Jwts.builder()
             .setIssuer(clusterNameString)
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(secretKey, SignatureAlgorithm.HS512)
@@ -223,7 +219,6 @@ public void testBearerWrongPosition() throws Exception {
     public void testBasicAuthHeader() throws Exception {
         String jwsToken = Jwts.builder()
             .setIssuer(clusterNameString)
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(secretKey, SignatureAlgorithm.HS512)
@@ -244,7 +239,6 @@ public void testRoles() throws Exception {
             claimsEncryptionKey,
             Jwts.builder()
                 .setIssuer(clusterNameString)
-                .claim("typ", "obo")
                 .setSubject("Leonard McCoy")
                 .claim("dr", "role1,role2")
                 .setAudience("svc1"),
@@ -257,19 +251,6 @@ public void testRoles() throws Exception {
         Assert.assertEquals(0, credentials.getBackendRoles().size());
     }
 
-    @Test
-    public void testNoTokenType() throws Exception {
-
-        final AuthCredentials credentials = extractCredentialsFromJwtHeader(
-            signingKeyB64Encoded,
-            claimsEncryptionKey,
-            Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"),
-            true
-        );
-
-        Assert.assertNull(credentials);
-    }
-
     @Test
     public void testNullClaim() throws Exception {
 
@@ -278,7 +259,6 @@ public void testNullClaim() throws Exception {
             claimsEncryptionKey,
             Jwts.builder()
                 .setIssuer(clusterNameString)
-                .claim("typ", "obo")
                 .setSubject("Leonard McCoy")
                 .claim("dr", null)
                 .setAudience("svc1"),
@@ -298,7 +278,6 @@ public void testNonStringClaim() throws Exception {
             claimsEncryptionKey,
             Jwts.builder()
                 .setIssuer(clusterNameString)
-                .claim("typ", "obo")
                 .setSubject("Leonard McCoy")
                 .claim("dr", 123L)
                 .setAudience("svc1"),
@@ -317,7 +296,7 @@ public void testRolesMissing() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy").setAudience("svc1"),
+            Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").setAudience("svc1"),
             false
         );
 
@@ -335,7 +314,6 @@ public void testWrongSubjectKey() throws Exception {
             claimsEncryptionKey,
             Jwts.builder()
                 .setIssuer(clusterNameString)
-                .claim("typ", "obo")
                 .claim("roles", "role1,role2")
                 .claim("asub", "Dr. Who")
                 .setAudience("svc1"),
@@ -351,7 +329,7 @@ public void testExp() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Expired").setExpiration(new Date(100)),
+            Jwts.builder().setIssuer(clusterNameString).setSubject("Expired").setExpiration(new Date(100)),
             false
         );
 
@@ -366,7 +344,6 @@ public void testNbf() throws Exception {
             claimsEncryptionKey,
             Jwts.builder()
                 .setIssuer(clusterNameString)
-                .claim("typ", "obo")
                 .setSubject("Expired")
                 .setNotBefore(new Date(System.currentTimeMillis() + (1000 * 36000))),
             false
@@ -404,7 +381,6 @@ public void testDifferentIssuer() throws Exception {
 
         String jwsToken = Jwts.builder()
             .setIssuer("Wrong Cluster Identifier")
-            .claim("typ", "obo")
             .setSubject("Leonard McCoy")
             .setAudience("ext_0")
             .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)