Merge branch 'Vorimo-jwk-rotation'

mnylen · Jul 15, 2022 · 5fb2006 · 5fb2006
2 parents 4d4c259 + 0b4fbd5
commit 5fb2006
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 39 deletions.
diff --git a/vertx-auth-oauth2/src/main/generated/io/vertx/ext/auth/oauth2/OAuth2OptionsConverter.java b/vertx-auth-oauth2/src/main/generated/io/vertx/ext/auth/oauth2/OAuth2OptionsConverter.java
@@ -75,6 +75,11 @@ public static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json,
             obj.setIntrospectionPath((String)member.getValue());
           }
           break;
+        case "jwkMaxAgeInSeconds":
+          if (member.getValue() instanceof Number) {
+            obj.setJwkMaxAgeInSeconds(((Number)member.getValue()).longValue());
+          }
+          break;
         case "jwkPath":
           if (member.getValue() instanceof String) {
             obj.setJwkPath((String)member.getValue());
@@ -202,6 +207,7 @@ public static void toJson(OAuth2Options obj, java.util.Map<String, Object> json)
     if (obj.getIntrospectionPath() != null) {
       json.put("introspectionPath", obj.getIntrospectionPath());
     }
+    json.put("jwkMaxAgeInSeconds", obj.getJwkMaxAgeInSeconds());
     if (obj.getJwkPath() != null) {
       json.put("jwkPath", obj.getJwkPath());
     }

diff --git a/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/OAuth2Options.java b/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/OAuth2Options.java
@@ -50,7 +50,8 @@ public class OAuth2Options {
   private static final JWTOptions JWT_OPTIONS = new JWTOptions();
   private static final String SCOPE_SEPARATOR = " ";
   private static final boolean VALIDATE_ISSUER = true;
-  private static final boolean ROTATE_JWKS = true;
+  //seconds of JWK's default age (-1 means no rotation)
+  private static final long JWK_DEFAULT_AGE = -1L;
 
   private OAuth2FlowType flow;
   private List<String> supportedGrantTypes;
@@ -68,7 +69,8 @@ public class OAuth2Options {
   private String introspectionPath;
   // JWK path RFC7517
   private String jwkPath;
-  private boolean rotateJWKs;
+  //seconds of JWKs lifetime
+  private long jwkMaxAgeInSeconds;
   // OpenID non standard
   private String tenant;
 
@@ -144,7 +146,7 @@ public OAuth2Options(OAuth2Options other) {
       headers = null;
     }
     jwkPath = other.getJwkPath();
-    rotateJWKs = other.isRotateJWKs();
+    jwkMaxAgeInSeconds = other.getJwkMaxAgeInSeconds();
     httpClientOptions = other.getHttpClientOptions();
     userAgent = other.getUserAgent();
     supportedGrantTypes = other.getSupportedGrantTypes();
@@ -161,7 +163,7 @@ private void init() {
     revocationPath = REVOCATION_PATH;
     scopeSeparator = SCOPE_SEPARATOR;
     jwtOptions = JWT_OPTIONS;
-    rotateJWKs = ROTATE_JWKS;
+    jwkMaxAgeInSeconds = JWK_DEFAULT_AGE;
   }
 
   /**
@@ -179,6 +181,7 @@ public OAuth2Options(JsonObject json) {
 
   /**
    * Get the Oauth2 authorization resource path. e.g.: /oauth/authorize
+   *
    * @return authorization path
    */
   public String getAuthorizationPath() {
@@ -192,6 +195,7 @@ public OAuth2Options setAuthorizationPath(String authorizationPath) {
 
   /**
    * Get the Oauth2 token resource path. e.g.: /oauth/token
+   *
    * @return token path
    */
   public String getTokenPath() {
@@ -205,6 +209,7 @@ public OAuth2Options setTokenPath(String tokenPath) {
 
   /**
    * Get the Oauth2 revocation resource path. e.g.: /oauth/revoke
+   *
    * @return revocation path
    */
   public String getRevocationPath() {
@@ -213,6 +218,7 @@ public String getRevocationPath() {
 
   /**
    * Set the Oauth2 revocation resource path. e.g.: /oauth/revoke
+   *
    * @return self
    */
   public OAuth2Options setRevocationPath(String revocationPath) {
@@ -222,6 +228,7 @@ public OAuth2Options setRevocationPath(String revocationPath) {
 
   /**
    * Root URL for the provider without trailing slashes
+   *
    * @param site a url
    * @return self
    */
@@ -248,6 +255,7 @@ public OAuth2Options setClientID(String clientID) {
 
   /**
    * Get the provider client id
+   *
    * @return client id
    */
   public String getClientId() {
@@ -256,6 +264,7 @@ public String getClientId() {
 
   /**
    * Set the provider client id
+   *
    * @param clientId client id
    * @return self
    */
@@ -266,6 +275,7 @@ public OAuth2Options setClientId(String clientId) {
 
   /**
    * Get the provider client secret
+   *
    * @return the client secret
    */
   public String getClientSecret() {
@@ -274,6 +284,7 @@ public String getClientSecret() {
 
   /**
    * Set the provider client secret
+   *
    * @param clientSecret client secret
    * @return self
    */
@@ -302,6 +313,7 @@ public OAuth2Options setClientAssertion(String clientAssertion) {
 
   /**
    * The User-Agent header to use when communicating with a provider
+   *
    * @return the user agent string
    */
   public String getUserAgent() {
@@ -310,6 +322,7 @@ public String getUserAgent() {
 
   /**
    * Set a custom user agent to use when communicating to a provider
+   *
    * @param userAgent the user agent
    * @return self
    */
@@ -320,6 +333,7 @@ public OAuth2Options setUserAgent(String userAgent) {
 
   /**
    * Custom headers to send along with every request.
+   *
    * @return the headers as a json structure
    */
   public JsonObject getHeaders() {
@@ -328,6 +342,7 @@ public JsonObject getHeaders() {
 
   /**
    * Set custom headers to be sent with every request to the provider
+   *
    * @param headers the headers
    * @return self
    */
@@ -338,6 +353,7 @@ public OAuth2Options setHeaders(JsonObject headers) {
 
   /**
    * The provider PubSec key options
+   *
    * @return the pub sec key options
    */
   public List<PubSecKeyOptions> getPubSecKeys() {
@@ -359,6 +375,7 @@ public OAuth2Options addPubSecKey(PubSecKeyOptions pubSecKey) {
 
   /**
    * The provider logout path
+   *
    * @return a logout resource path
    */
   public String getLogoutPath() {
@@ -367,6 +384,7 @@ public String getLogoutPath() {
 
   /**
    * Set the provider logout path
+   *
    * @param logoutPath a logout resource path
    * @return self
    */
@@ -377,6 +395,7 @@ public OAuth2Options setLogoutPath(String logoutPath) {
 
   /**
    * The provider userInfo resource path
+   *
    * @return a resouce path
    */
   public String getUserInfoPath() {
@@ -385,6 +404,7 @@ public String getUserInfoPath() {
 
   /**
    * Set the provider userInfo resource path
+   *
    * @param userInfoPath a resource path
    * @return self
    */
@@ -395,6 +415,7 @@ public OAuth2Options setUserInfoPath(String userInfoPath) {
 
   /**
    * Set the provider scope separator
+   *
    * @return a single character string usually a space or a plus
    */
   public String getScopeSeparator() {
@@ -403,6 +424,7 @@ public String getScopeSeparator() {
 
   /**
    * Set the provider scope separator
+   *
    * @param scopeSeparator a separator e.g.: ' ', '+', ','
    * @return self
    */
@@ -413,6 +435,7 @@ public OAuth2Options setScopeSeparator(String scopeSeparator) {
 
   /**
    * Extra parameters to send to the provider
+   *
    * @return a json representation of the parameters
    */
   public JsonObject getExtraParameters() {
@@ -421,6 +444,7 @@ public JsonObject getExtraParameters() {
 
   /**
    * Set extra parameters to be sent to the provider on each request
+   *
    * @param extraParams a json representation of the parameters
    * @return self
    */
@@ -431,6 +455,7 @@ public OAuth2Options setExtraParameters(JsonObject extraParams) {
 
   /**
    * The provider token introspection resource path
+   *
    * @return the resource path
    */
   public String getIntrospectionPath() {
@@ -439,6 +464,7 @@ public String getIntrospectionPath() {
 
   /**
    * Set the provider token introspection resource path
+   *
    * @param introspectionPath a resource path
    * @return self
    */
@@ -449,6 +475,7 @@ public OAuth2Options setIntrospectionPath(String introspectionPath) {
 
   /**
    * Set the provider custom userInfo parameters to send when requesting them.
+   *
    * @return a json representation of the extra parameters
    */
   public JsonObject getUserInfoParameters() {
@@ -457,6 +484,7 @@ public JsonObject getUserInfoParameters() {
 
   /**
    * Set custom parameters to be sent during the userInfo resource request
+   *
    * @param userInfoParams json representation of the parameters
    * @return self
    */
@@ -492,7 +520,7 @@ public OAuth2FlowType getFlow() {
   }
 
   /**
-    * @deprecated see {@link Oauth2Credentials#setFlow(OAuth2FlowType)}
+   * @deprecated see {@link Oauth2Credentials#setFlow(OAuth2FlowType)}
    */
   @Deprecated
   public OAuth2Options setFlow(OAuth2FlowType flow) {
@@ -516,7 +544,7 @@ public String getTenant() {
   /**
    * Sets an optional tenant. Tenants are used in some OpenID servers as placeholders for the URLs.
    * The tenant should be set prior to any URL as it affects the way the URLs will be stored.
-   *
+   * <p>
    * Some provders may name this differently, for example: `realm`.
    *
    * @param tenant the tenant/realm for this config.
@@ -527,22 +555,26 @@ public OAuth2Options setTenant(String tenant) {
     return this;
   }
 
+  @Deprecated
   public boolean isRotateJWKs() {
-    return rotateJWKs;
+    return jwkMaxAgeInSeconds != -1L;
   }
 
   /**
    * Enable/Disable the JWKs rotation.
+   *
    * @param rotateJWKs {@code true} to rotate keys as described in {@link OAuth2Auth#jWKSet(Handler)}.
    * @return self
+   * @deprecated use {@link #setJwkMaxAgeInSeconds(long)} instead
    */
+  @Deprecated
   public OAuth2Options setRotateJWKs(boolean rotateJWKs) {
-    this.rotateJWKs = rotateJWKs;
     return this;
   }
 
   /**
    * The provider supported grant types
+   *
    * @return the supported grant types options
    */
   public List<String> getSupportedGrantTypes() {
@@ -630,7 +662,8 @@ public void validate() throws IllegalStateException {
           }
         } else {
           if (clientAssertion == null || clientAssertionType == null) {
-            throw new IllegalStateException("Configuration missing. You need to specify [clientAssertion] AND [clientAssertionType]");
+            throw new IllegalStateException(
+              "Configuration missing. You need to specify [clientAssertion] AND [clientAssertionType]");
           }
         }
         break;
@@ -642,7 +675,8 @@ public void validate() throws IllegalStateException {
           }
         } else {
           if (clientAssertion == null || clientAssertionType == null) {
-            throw new IllegalStateException("Configuration missing. You need to specify [clientAssertion] AND [clientAssertionType]");
+            throw new IllegalStateException(
+              "Configuration missing. You need to specify [clientAssertion] AND [clientAssertionType]");
           }
         }
         break;
@@ -668,4 +702,17 @@ public OAuth2Options setHttpClientOptions(HttpClientOptions httpClientOptions) {
     this.httpClientOptions = httpClientOptions;
     return this;
   }
+
+  public long getJwkMaxAgeInSeconds() {
+    return jwkMaxAgeInSeconds;
+  }
+
+  /**
+   * -1 means no rotation for JWKs
+   *
+   * @param jwkMaxAgeInSeconds timeout of JWKs rotation
+   */
+  public void setJwkMaxAgeInSeconds(long jwkMaxAgeInSeconds) {
+    this.jwkMaxAgeInSeconds = jwkMaxAgeInSeconds;
+  }
 }