Issue 21826: Add prototype code for creating private_key_jwt client authentication #25133
Conversation
…uthentication

- Adds logic to the OIDC token endpoint request code to add `private_key_jwt` related parameters when using that token endpoint auth method
- Adds a large part of the logic to the `PrivateKeyJwtAuthMethod` class to create the JWT for client authentication
- Note: Still missing logic to obtain the key itself using the keyAliasName

For OpenLiberty#21826
Had to move some classes around to avoid the following:

```
[ERROR ] CWWKE0702E: Could not resolve module: com.ibm.ws.security.openidconnect.common [149]
Bundle was not resolved because of a uses constraint violation.
org.apache.felix.resolver.reason.ReasonException: Uses constraint violation. Unable to resolve resource com.ibm.ws.security.openidconnect.common [osgi.identity; osgi.identity="com.ibm.ws.security.openidconnect.common"; type="osgi.bundle"; version:Version="1.0.77.202304261135"] because it exports package 'com.ibm.ws.security.openidconnect.common' and is also exposed to it from resource com.ibm.ws.security.openidconnect.clients.common [osgi.identity; osgi.identity="com.ibm.ws.security.openidconnect.clients.common"; type="osgi.bundle"; version:Version="1.0.77.202304261135"] via the following dependency chain:
```

My guess is that opening up the `com.ibm.ws.security.openidconnect.clients.common` bundle that had its own `com.ibm.ws.security.openidconnect.common` package conflicted with the actual `com.ibm.ws.security.openidconnect.common` project.
Adds logic for retrieving the private key to use from the configured keystore.

For OpenLiberty#21826
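The `private_key_jwt` exchange the commits above describe (the client signs a JWT with the key found under its configured alias and sends it as `client_assertion` together with `client_assertion_type` in the token request), as an added stand-alone Go example; this is not OpenLiberty's code and not from this PR (the project's code is Java). It assumes an in-memory RSA key pair as a stand-in for the keystore lookup, a made-up client ID, token endpoint and alias, and RS256; the OP-side check is included to show what the provider validates (signature with the registered public key, pinned `alg`, `iss`/`sub`, `aud`, `exp`, and a `jti` for replay detection).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Fixed client_assertion_type value for JWT client authentication (RFC 7523 section 2.2).
const ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// b64 is base64url without padding, the encoding every JWS segment uses.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion creates the private_key_jwt assertion: iss and sub are the
// client ID, aud is the token endpoint, jti is random so the OP can detect replay,
// and the JWS is signed RS256. kid carries the keystore alias (an assumption here).
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint, kid string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64(jti), "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestForm is the authorization_code token request body; the two
// private_key_jwt parameters replace client_secret / HTTP Basic credentials.
func TokenRequestForm(code, redirectURI, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"authorization_code"},
		"code":                  {code},
		"redirect_uri":          {redirectURI},
		"client_assertion_type": {ClientAssertionType},
		"client_assertion":      {assertion},
	}
}

// VerifyClientAssertion is the OP side: pin alg to RS256 (no alg=none or key
// confusion), verify against the client's registered public key, then check
// iss, sub, aud and exp. It returns jti so the caller can reject reuse.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, clientID, tokenEndpoint string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWS")
	}
	raw := make([][]byte, 3) // decoded header, claims, signature
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return "", err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return "", errors.New("bad signature")
	}
	// encoding/json matches these fields to the lower-case claim names; aud is a
	// single string because BuildClientAssertion always emits one audience.
	var c struct{ Iss, Sub, Aud, Jti string; Exp int64 }
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return "", err
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return "", errors.New("iss, sub or aud does not match this client/endpoint")
	}
	if c.Exp <= now.Unix() || c.Jti == "" {
		return "", errors.New("assertion expired or missing jti")
	}
	return c.Jti, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the keystore lookup by alias
	ep := "https://op.example/token"             // made-up token endpoint; the client ID is made up too
	assertion, _ := BuildClientAssertion(key, "rp-client", ep, "rpSigningKey", time.Now(), time.Minute)
	fmt.Println(TokenRequestForm("SplxlOBeZQQYbYS6WxSbIA", "https://rp.example/cb", assertion).Encode())
	fmt.Println(VerifyClientAssertion(&key.PublicKey, assertion, "rp-client", ep, time.Now()))
}
```

The OP must also remember each accepted `jti` until its `exp` passes; that store is left to the caller here, which is why `VerifyClientAssertion` returns the value rather than just a boolean.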
TOKEN_ENDPOINT_AUTH_METHOD_SETTINGS_ERROR.explanation=The OpenID Connect token endpoint requires client authentication, but the OpenID Connect client might be missing information, or the client encountered another error while setting up the authentication data. | ||
TOKEN_ENDPOINT_AUTH_METHOD_SETTINGS_ERROR.useraction=See the error in the message for more information. | ||
|
||
PRIVATE_KEY_JWT_MISSING_KEY_ALIAS_NAME=CWWKS1555E: The [{0}] OpenID Connect client does not have a key alias name configured, so the client cannot locate the key to use to sign the JSON Web Token that is used for client authentication. |
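Review bot: The TOKEN_ENDPOINT_AUTH_METHOD_SETTINGS_ERROR.useraction on the second line ("See the error in the message for more information") gives the administrator nothing to act on when the embedded error is itself terse; name the settings this message guards, e.g. "Verify the token endpoint authentication method, the key alias name, and the keystore or SSL reference in the OpenID Connect client configuration, and see the error in the message for details."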
Remove "that is used" unless it will make the message technically incorrect
TOKEN_ENDPOINT_AUTH_METHOD_SETTINGS_ERROR.useraction=See the error in the message for more information. | ||
|
||
PRIVATE_KEY_JWT_MISSING_KEY_ALIAS_NAME=CWWKS1555E: The [{0}] OpenID Connect client does not have a key alias name configured, so the client cannot locate the key to use to sign the JSON Web Token that is used for client authentication. | ||
PRIVATE_KEY_JWT_MISSING_KEY_ALIAS_NAME.explanation=The OpenID Connect client must configure a key alias name to define what key to use to sign the JWT. |
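Review bot: The CWWKS1555E explanation on the last line ("must configure a key alias name") does not say which attribute to set; the first commit message says the key is looked up by keyAliasName, so if that is the configuration attribute's name, naming it here (or in the useraction that follows) makes the message actionable, e.g. "Set the keyAliasName attribute of the OpenID Connect client to the alias of the signing key."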
Maybe change "what" to "the"
PRIVATE_KEY_JWT_MISSING_KEY_ALIAS_NAME.explanation=The OpenID Connect client must configure a key alias name to define what key to use to sign the JWT. | ||
PRIVATE_KEY_JWT_MISSING_KEY_ALIAS_NAME.useraction=Verify that the OpenID Connect client has a key alias name configured. | ||
|
||
PRIVATE_KEY_JWT_MISSING_KEYSTORE_REF=CWWKS1556E: The [{0}] OpenID Connect client does not have a keystore reference configured, so the client cannot locate the key to use to sign the JSON Web Token that is used for client authentication. |
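Review bot: CWWKS1556E on the last line says the client has no "keystore reference", while the CWWKS2431E explanation and useraction later in this file describe the same key lookup in terms of the "SSL configuration" and "SSL reference"; use one term, the attribute the administrator actually sets, in all three messages, otherwise a user hitting CWWKS1556E will look for a keystore attribute that may not exist.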
Remove "that is used"
PRIVATE_KEY_JWT_AUTH_ERROR.explanation=The OpenID Connect client is configured to use JSON Web Tokens for client authentication, but an error occurred while creating the token. | ||
PRIVATE_KEY_JWT_AUTH_ERROR.useraction=For more information, see the error in the message. | ||
|
||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY=CWWKS2431E: The [{0}] OpenID Connect client is missing the key that is needed to sign the token that is used for client authentication. |
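Review bot: PRIVATE_KEY_JWT_AUTH_ERROR.useraction on the second line ("For more information, see the error in the message.") and TOKEN_ENDPOINT_AUTH_METHOD_SETTINGS_ERROR.useraction earlier ("See the error in the message for more information.") say the same thing in two word orders; pick one phrasing for both. Also, CWWKS2431E on the last line sits in a different number range from the CWWKS1555E and CWWKS1556E messages added in the same change; confirm the 24xx range is intended rather than a typo.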
Remove "that is used" unless it will make the message technically incorrect
PRIVATE_KEY_JWT_AUTH_ERROR.useraction=For more information, see the error in the message. | ||
|
||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY=CWWKS2431E: The [{0}] OpenID Connect client is missing the key that is needed to sign the token that is used for client authentication. | ||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY.explanation=The OpenID Connect client configuration is missing data, or a key cannot be found with the key alias name in the SSL configuration that is specified in the OpenID Connect client. |
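Review bot: The CWWKS2431E explanation on the last line opens with "configuration is missing data", but the missing key alias and missing keystore reference cases already have their own messages (CWWKS1555E and CWWKS1556E); either state which data this message covers or drop that clause so that CWWKS2431E means exactly "no key with that alias in the referenced keystore", which is the case the useraction addresses.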
Change "that is specified in" to "for"
|
||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY=CWWKS2431E: The [{0}] OpenID Connect client is missing the key that is needed to sign the token that is used for client authentication. | ||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY.explanation=The OpenID Connect client configuration is missing data, or a key cannot be found with the key alias name in the SSL configuration that is specified in the OpenID Connect client. | ||
PRIVATE_KEY_JWT_MISSING_SIGNING_KEY.useraction=Ensure that the OpenID Connect client has a key alias name and SSL reference configured. Verify that the keystore that is referenced by the SSL configuration contains a key whose alias matches the key alias name in the OpenID Connect client configuration. |
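Review bot: The CWWKS2431E useraction on the last line only asks that an entry with the matching alias exist; since the message is about the key needed to sign the client authentication token, it should also say that the entry must hold a private key (a trusted-certificate entry under the same alias cannot sign) and that the corresponding public key must be the one registered with the OpenID Connect provider, otherwise a correctly configured alias still yields a rejected assertion.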
Change "that is referenced by the SSL configuration contains" to "that the SSL configuration references contains"
#libby |
- Adds logic to the OIDC token endpoint request code to add `private_key_jwt` related parameters when using that token endpoint auth method
- Adds a large part of the logic to the `PrivateKeyJwtAuthMethod` class to create the JWT for client authentication
- Adds logic for retrieving the private key to use from the configured keystore.

For OIDC client certificate support #21826