Allow specifying JWKS path in AthenzService (#6393)

Motivation:

In recent Athenz versions, access token validation only works when the
curve names in JWKS follow the RFC specification.
Therefore, I propose changing the default JWKS endpoint to return
RFC-compliant values, while still allowing the default to be overridden
in `AthenzServiceBuilder`

References:

- AthenZ/athenz#2707
-
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/599/add-prime256v1-to-the-supported-curves-in

Motifications:

- Use `/oauth2/keys?rfc=true` to fetch JWKS from the ZTS server.
- Add the same property in `AthenzConfig` for Spring Boot integration.

Result:

Fixed Athenz access token validation to work with RFC-compliant JWKS.

Author: ikhoon

athenz/src/main/java/com/linecorp/armeria/internal/server/athenz/AthenzServiceDecoratorFactoryProvider.java

@@ -25,11 +25,13 @@
 
 import com.linecorp.armeria.client.athenz.ZtsBaseClient;
 import com.linecorp.armeria.client.athenz.ZtsBaseClientBuilder;
+import com.linecorp.armeria.common.annotation.Nullable;
 import com.linecorp.armeria.server.Server;
 import com.linecorp.armeria.server.ServerBuilder;
 import com.linecorp.armeria.server.ServerListenerAdapter;
 import com.linecorp.armeria.server.athenz.AthenzPolicyConfig;
 import com.linecorp.armeria.server.athenz.AthenzServiceDecoratorFactory;
+import com.linecorp.armeria.server.athenz.AthenzServiceDecoratorFactoryBuilder;
 
 /**
  * A helper class to create an {@link AthenzServiceDecoratorFactory} instance.
@@ -39,7 +41,9 @@ public final class AthenzServiceDecoratorFactoryProvider {
 
     public static AthenzServiceDecoratorFactory create(
             ServerBuilder sb, URI ztsUri, File athenzPrivateKey, File athenzPublicKey,
-            URI proxyUri, File athenzCaCert, List<String> domains, boolean jwsPolicySupport,
+            @Nullable URI proxyUri, @Nullable File athenzCaCert, @Nullable String oauth2KeysPath,
+            List<String> domains,
+            boolean jwsPolicySupport,
             Duration policyRefreshInterval) {
 
         final ZtsBaseClientBuilder clientBuilder =
@@ -62,8 +66,13 @@ public void serverStopped(Server server) throws Exception {
                 ztsBaseClient.close();
             }
         });
-        return AthenzServiceDecoratorFactory
-                .builder(ztsBaseClient)
+        final AthenzServiceDecoratorFactoryBuilder factoryBuilder =
+                AthenzServiceDecoratorFactory
+                        .builder(ztsBaseClient);
+        if (oauth2KeysPath != null) {
+            factoryBuilder.oauth2KeysPath(oauth2KeysPath);
+        }
+        return factoryBuilder
                 .policyConfig(athenzPolicyConfig)
                 .build();
     }

athenz/src/main/java/com/linecorp/armeria/server/athenz/AbstractAthenzServiceBuilder.java

@@ -20,9 +20,11 @@
 import static com.google.common.base.Preconditions.checkState;
 import static java.util.Objects.requireNonNull;
 
+import java.net.URI;
 import java.time.Duration;
 
 import com.yahoo.athenz.zpe.ZpeClient;
+import com.yahoo.athenz.zpe.ZpeConsts;
 import com.yahoo.athenz.zpe.pkey.PublicKeyStore;
 
 import com.linecorp.armeria.client.athenz.ZtsBaseClient;
@@ -36,13 +38,15 @@
 public abstract class AbstractAthenzServiceBuilder<SELF extends AbstractAthenzServiceBuilder<SELF>> {
 
     private static final Duration DEFAULT_OAUTH2_KEYS_REFRESH_INTERVAL = Duration.ofHours(1);
+    private static final String DEFAULT_OAUTH2_KEY_PATH = "/oauth2/keys?rfc=true";
     private static final int MAX_TOKEN_CACHE_SIZE = 10240;
 
     private Duration oauth2KeysRefreshInterval = DEFAULT_OAUTH2_KEYS_REFRESH_INTERVAL;
 
     private final ZtsBaseClient ztsBaseClient;
     @Nullable
     private AthenzPolicyConfig policyConfig;
+    private String oauth2KeysPath = DEFAULT_OAUTH2_KEY_PATH;
     private int maxTokenCacheSize = MAX_TOKEN_CACHE_SIZE;
 
     AbstractAthenzServiceBuilder(ZtsBaseClient ztsBaseClient) {
@@ -70,6 +74,22 @@ public SELF oauth2KeysRefreshInterval(Duration oauth2KeysRefreshInterval) {
         return self();
     }
 
+    /**
+     * Sets the URI to fetch OAuth2 keys (JWK) from the ZTS server. The path is relative to the base {@link URI}
+     * of {@link ZtsBaseClient}.
+     * If not set, defaults to {@value #DEFAULT_OAUTH2_KEY_PATH}.
+     * If {@value ZpeConsts#ZPE_PROP_JWK_URI} is set as a system property, this option is ignored.
+     */
+    public SELF oauth2KeysPath(String oauth2KeysPath) {
+        requireNonNull(oauth2KeysPath, "oauth2KeysPath");
+        checkArgument(!oauth2KeysPath.isEmpty(), "oauth2KeysPath must not be empty");
+        checkArgument(oauth2KeysPath.charAt(0) == '/',
+                      "oauth2KeysPath: %s (expected: a relative path starting with '/')",
+                      oauth2KeysPath);
+        this.oauth2KeysPath = oauth2KeysPath;
+        return self();
+    }
+
     /**
      * Set the limit of role and access tokens that are cached to improve the performance of validating
      * signatures since the tokens must be re-used by clients until they're about to be expired.
@@ -83,13 +103,13 @@ public SELF maxTokenCacheSize(int maxTokenCacheSize) {
 
     MinifiedAuthZpeClient buildAuthZpeClient() {
         checkState(policyConfig != null, "policyConfig must be set before building the service");
-        final PublicKeyStore publicKeyStore = new AthenzPublicKeyProvider(ztsBaseClient,
-                                                                          oauth2KeysRefreshInterval);
+        final PublicKeyStore publicKeyStore = new AthenzPublicKeyProvider(
+                ztsBaseClient, oauth2KeysRefreshInterval, oauth2KeysPath);
         final ZpeClient zpeClient = new AthenzPolicyClient(ztsBaseClient, policyConfig, publicKeyStore,
                                                            maxTokenCacheSize);
         // NB: zpeClient.init() will block until the initial policy data is loaded.
         zpeClient.init(null);
-        return new MinifiedAuthZpeClient(ztsBaseClient, publicKeyStore, zpeClient);
+        return new MinifiedAuthZpeClient(ztsBaseClient, publicKeyStore, zpeClient, oauth2KeysPath);
     }
 
     @SuppressWarnings("unchecked")

athenz/src/main/java/com/linecorp/armeria/server/athenz/AthenzPublicKeyProvider.java

@@ -51,13 +51,15 @@ final class AthenzPublicKeyProvider implements PublicKeyStore {
     private final long minRetryInterval;
     private final AsyncLoader<Map<String, CompletableFuture<PublicKey>>> ztsKeyLoader;
     private final AsyncLoader<Map<String, CompletableFuture<PublicKey>>> zmsKeyLoader;
+    private final String oauth2KeyPath;
     private volatile long lastReloadZtsJwkTime;
     private volatile long lastReloadZmsJwkTime;
 
-    AthenzPublicKeyProvider(ZtsBaseClient ztsBaseClient, Duration refreshInterval) {
+    AthenzPublicKeyProvider(ZtsBaseClient ztsBaseClient, Duration refreshInterval, String oauth2KeyPath) {
         // TODO(ikhoon): Make minRetryInterval configurable.
         minRetryInterval = refreshInterval.toMillis() / 4;
         webClient = ztsBaseClient.webClient();
+        this.oauth2KeyPath = oauth2KeyPath;
         ztsKeyLoader = AsyncLoader.<Map<String, CompletableFuture<PublicKey>>>builder(k -> fetchZtsKeys())
                                   .name("athenz-zts-key-loader")
                                   .refreshAfterLoad(refreshInterval)
@@ -108,7 +110,7 @@ private CompletableFuture<PublicKey> getKey(
     private CompletableFuture<Map<String, CompletableFuture<PublicKey>>> fetchZtsKeys() {
         return webClient
                 .prepare()
-                .get("/oauth2/keys")
+                .get(oauth2KeyPath)
                 .asJson(Keys.class)
                 .execute()
                 .thenApply(res -> {

athenz/src/main/java/com/linecorp/armeria/server/athenz/MinifiedAuthZpeClient.java

@@ -180,7 +180,8 @@ public String toString() {
         }
     }
 
-    MinifiedAuthZpeClient(ZtsBaseClient ztsBaseClient, PublicKeyStore publicKeyStore, ZpeClient zpeClt) {
+    MinifiedAuthZpeClient(ZtsBaseClient ztsBaseClient, PublicKeyStore publicKeyStore, ZpeClient zpeClt,
+                          String oauth2KeysPath) {
         this.publicKeyStore = publicKeyStore;
         this.zpeClt = zpeClt;
 
@@ -190,21 +191,21 @@ public String toString() {
 
         // initialize the access token signing key resolver
 
-        initializeAccessTokenSignKeyResolver(ztsBaseClient);
+        initializeAccessTokenSignKeyResolver(ztsBaseClient, oauth2KeysPath);
 
         // save the last zts api call time, and the allowed interval between api calls
 
         setMillisBetweenZtsCalls(Long.parseLong(
                 System.getProperty(ZPE_PROP_MILLIS_BETWEEN_ZTS_CALLS, Long.toString(30 * 1000 * 60))));
     }
 
-    private void initializeAccessTokenSignKeyResolver(ZtsBaseClient ztsBaseClient) {
+    private void initializeAccessTokenSignKeyResolver(ZtsBaseClient ztsBaseClient, String oauth2KeysPath) {
         final String serverUrl = System.getProperty(ZpeConsts.ZPE_PROP_JWK_URI);
         if (serverUrl == null || serverUrl.isEmpty()) {
-            accessSignKeyResolver = newDefaultJwtsSigningKeyResolver(ztsBaseClient);
+            accessSignKeyResolver = newDefaultJwtsSigningKeyResolver(ztsBaseClient, oauth2KeysPath);
             ztsBaseClient.addTlsKeyPairListener(tlsKeyPair -> {
                 // Refresh the JwtsSigningKeyResolver when the TLS key pair changes
-                accessSignKeyResolver = newDefaultJwtsSigningKeyResolver(ztsBaseClient);
+                accessSignKeyResolver = newDefaultJwtsSigningKeyResolver(ztsBaseClient, oauth2KeysPath);
             });
             return;
         }
@@ -222,13 +223,15 @@ private void initializeAccessTokenSignKeyResolver(ZtsBaseClient ztsBaseClient) {
                 logger.warn("Unable to initialize key refresher: {}", ex.getMessage());
             }
         }
-        accessSignKeyResolver = new JwtsSigningKeyResolver(serverUrl, sslContext, null);
+        final URI proxyUri = ztsBaseClient.proxyUri();
+        accessSignKeyResolver = new JwtsSigningKeyResolver(serverUrl, sslContext,
+                                                           proxyUri != null ? proxyUri.toString() : null);
     }
 
-    private static JwtsSigningKeyResolver newDefaultJwtsSigningKeyResolver(ZtsBaseClient ztsBaseClient) {
+    private static JwtsSigningKeyResolver newDefaultJwtsSigningKeyResolver(ZtsBaseClient ztsBaseClient,
+                                                                           String oauth2KeysPath) {
         final URI ztsUri = ztsBaseClient.ztsUri();
         final URI proxyUri = ztsBaseClient.proxyUri();
-        logger.debug("No JWK URI specified, using {}", ztsUri);
         String proxyUriStr = null;
         if (proxyUri != null) {
             proxyUriStr = proxyUri.toString();
@@ -239,7 +242,7 @@ private static JwtsSigningKeyResolver newDefaultJwtsSigningKeyResolver(ZtsBaseCl
                                                                           null, clientFactory.meterRegistry());
         final JdkSslContext sslContext = (JdkSslContext) sslContextFactory.getOrCreate(SslContextMode.CLIENT,
                                                                                        "*");
-        return new JwtsSigningKeyResolver(ztsUri + "/oauth2/keys", sslContext.context(), proxyUriStr);
+        return new JwtsSigningKeyResolver(ztsUri + oauth2KeysPath, sslContext.context(), proxyUriStr);
     }
 
     /**

athenz/src/test/java/com/linecorp/armeria/server/athenz/AthenzPolicyLoaderTest.java

@@ -49,7 +49,8 @@ class AthenzPolicyLoaderTest {
     void loadPolicyFiles(boolean jwsPolicySupport) throws Exception {
         try (ZtsBaseClient baseClient = athenzExtension.newZtsBaseClient(TEST_SERVICE)) {
             final PublicKeyStore publicKeyStore = new AthenzPublicKeyProvider(baseClient,
-                                                                              Duration.ofSeconds(10));
+                                                                              Duration.ofSeconds(10),
+                                                                              "/oauth2/keys?rfc=true");
             final AthenzPolicyConfig policyConfig = new AthenzPolicyConfig(ImmutableList.of(TEST_DOMAIN_NAME),
                                                                            ImmutableMap.of(), jwsPolicySupport,
                                                                            Duration.ofSeconds(10));