Merge pull request #21319 from sberyozkin/oidc_client_jwt_aud

Use token endoint URL as OIDC JWT authentication audience

extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-secret.properties

@@ -4,4 +4,5 @@ quarkus.oidc-client.client-enabled=false
 quarkus.oidc-client.jwt.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc-client.jwt.client-id=${quarkus.oidc.client-id}
 quarkus.oidc-client.jwt.credentials.jwt.secret-provider.key=secret-from-vault-for-jwt
-quarkus.oidc-client.jwt.credentials.jwt.signature-algorithm=HS512
+quarkus.oidc-client.jwt.credentials.jwt.signature-algorithm=HS512
+quarkus.oidc-client.jwt.credentials.jwt.audience=${quarkus.oidc.auth-server-url}

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java

@@ -99,7 +99,8 @@ public Uni<Tokens> get() {
                     // if it is a refresh then a map has already been copied
                     body = !refresh ? copyMultiMap(body) : body;
                     body.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
-                    body.add(OidcConstants.CLIENT_ASSERTION, OidcCommonUtils.signJwtWithKey(oidcConfig, clientJwtKey));
+                    body.add(OidcConstants.CLIENT_ASSERTION,
+                            OidcCommonUtils.signJwtWithKey(oidcConfig, tokenRequestUri, clientJwtKey));
                 }
                 if (!additionalGrantParameters.isEmpty()) {
                     body = copyMultiMap(body);

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java

@@ -261,6 +261,13 @@ public static class Jwt {
             @ConfigItem(defaultValue = "password")
             public String keyPassword;
 
+            /**
+             * JWT audience ('aud') claim value.
+             * By default the audience is set to the address of the OpenId Connect Provider's token endpoint.
+             */
+            @ConfigItem
+            public Optional<String> audience = Optional.empty();
+
             /**
              * Key identifier of the signing key added as a JWT 'kid' header
              */
@@ -320,6 +327,14 @@ public void setSignatureAlgorithm(String signatureAlgorithm) {
                 this.signatureAlgorithm = Optional.of(signatureAlgorithm);
             }
 
+            public Optional<String> getAudience() {
+                return audience;
+            }
+
+            public void setAudience(String audience) {
+                this.audience = Optional.of(audience);
+            }
+
         }
 
         /**

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java

@@ -158,11 +158,11 @@ public static void setHttpClientOptions(OidcCommonConfig oidcConfig, TlsConfig t
     }
 
     public static String getAuthServerUrl(OidcCommonConfig oidcConfig) {
-        String authServerUrl = oidcConfig.getAuthServerUrl().get();
-        if (authServerUrl.endsWith("/")) {
-            authServerUrl = authServerUrl.substring(0, authServerUrl.length() - 1);
-        }
-        return authServerUrl;
+        return removeLastPathSeparator(oidcConfig.getAuthServerUrl().get());
+    }
+
+    private static String removeLastPathSeparator(String value) {
+        return value.endsWith("/") ? value.substring(0, value.length() - 1) : value;
     }
 
     public static String getOidcEndpointUrl(String authServerUrl, Optional<String> endpointPath) {
@@ -276,16 +276,14 @@ public static Key clientJwtKey(Credentials creds) {
         }
     }
 
-    public static String signJwt(OidcCommonConfig oidcConfig) {
-        return signJwtWithKey(oidcConfig, clientJwtKey(oidcConfig.credentials));
-    }
-
-    public static String signJwtWithKey(OidcCommonConfig oidcConfig, Key key) {
+    public static String signJwtWithKey(OidcCommonConfig oidcConfig, String tokenRequestUri, Key key) {
         // 'jti' and 'iat' claim is created by default, iat - is set to the current time
         JwtSignatureBuilder builder = Jwt
                 .issuer(oidcConfig.clientId.get())
                 .subject(oidcConfig.clientId.get())
-                .audience(getAuthServerUrl(oidcConfig))
+                .audience(oidcConfig.credentials.jwt.getAudience().isPresent()
+                        ? removeLastPathSeparator(oidcConfig.credentials.jwt.getAudience().get())
+                        : tokenRequestUri)
                 .expiresIn(oidcConfig.credentials.jwt.lifespan)
                 .jws();
         if (oidcConfig.credentials.jwt.getTokenKeyId().isPresent()) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProviderClient.java

@@ -110,7 +110,8 @@ private UniOnItem<HttpResponse<Buffer>> getHttpResponse(String uri, MultiMap for
             request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
         } else if (clientJwtKey != null) {
             formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
-            formBody.add(OidcConstants.CLIENT_ASSERTION, OidcCommonUtils.signJwtWithKey(oidcConfig, clientJwtKey));
+            formBody.add(OidcConstants.CLIENT_ASSERTION,
+                    OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey));
         } else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
             formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
             formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));