UY-1488 support Key ID in oAuth tokens

Author: ppiernik

oauth/src/main/java/pl/edu/icm/unity/oauth/as/TokenSigner.java

@@ -31,6 +31,7 @@
 import pl.edu.icm.unity.base.exceptions.EngineException;
 import pl.edu.icm.unity.base.exceptions.InternalException;
 import pl.edu.icm.unity.engine.api.PKIManagement;
+import pl.edu.icm.unity.oauth.as.token.KeyIdExtractor;
 
 /**
  * Wrapper for  {@link JWSSigner}. Can signs token using RSA, EC or HMAC algorithm. 
@@ -192,6 +193,10 @@ public SignedJWT sign(JWTClaimsSet claims, String type) throws JOSEException
 		if (!isPKIEnabled())
 			throw new InternalException("Token signer is not initialized");
 		JWSHeader.Builder jwsHeaderBuilder = new JWSHeader.Builder(algorithm);
+		if (credential != null)
+		{
+			jwsHeaderBuilder.keyID(KeyIdExtractor.getKeyId(getCredentialCertificate()));
+		}
 		if (type != null)
 			jwsHeaderBuilder.type(new JOSEObjectType(type));
 		SignedJWT ret = new SignedJWT(jwsHeaderBuilder.build(), claims);	

oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/KeyIdExtractor.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2021 Bixbit - Krzysztof Benedyczak. All rights reserved.
+ * See LICENCE.txt file for licensing information.
+ */
+
+package pl.edu.icm.unity.oauth.as.token;
+
+import java.security.cert.X509Certificate;
+
+public class KeyIdExtractor
+{
+	public static String getKeyId(X509Certificate cert)
+	{
+		return cert.getSerialNumber()
+				.toString(10);
+	}
+
+}

oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/KeysResource.java

@@ -56,12 +56,14 @@ public String getKeys()
 		{
 			set = new JWKSet(new RSAKey.Builder((RSAPublicKey) config.getTokenSigner().getCredentialCertificate().getPublicKey())
 					.keyUse(KeyUse.SIGNATURE)
+					.keyID(KeyIdExtractor.getKeyId(config.getTokenSigner().getCredentialCertificate()))
 					.x509CertChain(getCertAsX5CAttribute(config.getTokenSigner().getCredentialCertificateChain()))
 					.build());
 		} else if (Family.EC.contains(signAlg))
 		{
 			set = new JWKSet(new ECKey.Builder(Curve.forJWSAlgorithm(signAlg).iterator().next(),
 									(ECPublicKey) config.getTokenSigner().getCredentialCertificate().getPublicKey())
+									.keyID(KeyIdExtractor.getKeyId(config.getTokenSigner().getCredentialCertificate()))
 									.keyUse(KeyUse.SIGNATURE)
 									.x509CertChain(getCertAsX5CAttribute(config.getTokenSigner().getCredentialCertificateChain()))
 									.build());

oauth/src/test/java/pl/edu/icm/unity/oauth/as/DiscoveryResourceTest.java

@@ -7,6 +7,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 
 import java.util.HashSet;
@@ -22,6 +23,7 @@
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 
+import pl.edu.icm.unity.oauth.as.OAuthASProperties.AccessTokenFormat;
 import pl.edu.icm.unity.oauth.as.token.DiscoveryResource;
 import pl.edu.icm.unity.oauth.as.token.KeysResource;
 
@@ -49,15 +51,18 @@ public void testDiscovery() throws ParseException
 		assertEquals(7, parsed.getResponseTypes().size());
 	}
 
+	@Test
 	public void testJWK() throws java.text.ParseException
 	{
-		OAuthASProperties config = OAuthTestUtils.getConfig();
+		OAuthASProperties config = OAuthTestUtils.getOIDCConfig();
+		config.setProperty(OAuthASProperties.ACCESS_TOKEN_FORMAT, AccessTokenFormat.JWT.name());
 		KeysResource keysResource = new KeysResource(config);
 		String keys = keysResource.getKeys();
 		JWKSet parsedKeys = JWKSet.parse(keys);
 		assertEquals(1, parsedKeys.getKeys().size());
 		JWK key = parsedKeys.getKeys().get(0);
 		assertEquals(KeyType.RSA, key.getKeyType());
+		assertThat(key.getKeyID()).isNotEmpty();
 	}
 
 }

oauth/src/test/java/pl/edu/icm/unity/oauth/as/token/access/AccessTokenFactoryTest.java

@@ -146,6 +146,18 @@ public void shouldVerifySignatureOfJWT() throws Exception
 		jwt.verify(verifier);
 	}
 
+	@Test
+	public void shouldAddKidToJWTToken() throws OAuthErrorException, ParseException
+	{
+		AccessTokenFactory factory = getFactory(AccessTokenFormat.JWT);
+		
+		AccessToken accessToken = factory.create(getFakeToken(), new Date(1000));
+		
+		assertThat(isJWTToken(accessToken)).isTrue();
+		SignedJWT jwt = SignedJWT.parse(accessToken.getValue());
+		assertThat(jwt.getHeader().getKeyID()).isNotEmpty();
+		
+	}
 
 	private boolean isJWTToken(AccessToken accessToken)
 	{