extensible Issuer support for tokens

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java

@@ -75,6 +75,7 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_REDIRECT_URI_SUFFIX    = "athenz.zts.redirect_uri_suffix";
     public static final String ZTS_PROP_SCOPE_ROLE_WOUT_DOMAIN = "athenz.zts.oauth_scope_role_without_domain";
     public static final String ZTS_PROP_PROVIDER_CONFIG_FILE   = "athenz.zts.oauth_provider_config_file";
+    public static final String ZTS_PROP_HOST_ISSUER_MAPPING_FILE = "athenz.zts.host_issuer_mapping_file";
 
     public static final String ZTS_PROP_CERTSIGN_BASE_URI            = "athenz.zts.certsign_base_uri";
     public static final String ZTS_PROP_CERTSIGN_REQUEST_TIMEOUT     = "athenz.zts.certsign_request_timeout";

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -192,6 +192,7 @@ public class ZTSImpl implements ZTSHandler {
     protected boolean jwtCurveRfcSupportOnly = false;
     protected TokenConfigOptions tokenConfigOptions = null;
     protected ProviderConfigManager providerConfigManager;
+    protected IssuerResolver issuerResolver;
 
     private static final String TYPE_DOMAIN_NAME = "DomainName";
     private static final String TYPE_SIMPLE_NAME = "SimpleName";
@@ -378,6 +379,8 @@ public ZTSImpl(CloudStore implCloudStore, DataStore implDataStore) {
 
         setAuthorityKeyStore();
 
+        // initialize our notification manager
+
         setNotificationManager();
 
         // load the StatusChecker
@@ -400,6 +403,10 @@ public ZTSImpl(CloudStore implCloudStore, DataStore implDataStore) {
 
         spiffeUriManager = new SpiffeUriManager();
 
+        // initialize our issuer resolver
+
+        issuerResolver = new IssuerResolver(ztsOAuthIssuer, ztsOpenIDIssuer, ztsOIDCPortIssuer, oidcPort, httpsPort);
+
         // create our external provider config manager
 
         loadExternalProviderConfigManager();
@@ -420,11 +427,7 @@ void loadExternalProviderConfigManager() {
 
         tokenConfigOptions = new TokenConfigOptions();
         tokenConfigOptions.setPublicKeyProvider(dataStore);
-        Set<String> oauth2Issuers = new HashSet<>();
-        oauth2Issuers.add(ztsOAuthIssuer);
-        oauth2Issuers.add(ztsOpenIDIssuer);
-        oauth2Issuers.add(ztsOIDCPortIssuer);
-        tokenConfigOptions.setOauth2Issuers(oauth2Issuers);
+        tokenConfigOptions.setOauth2Issuers(issuerResolver.getOauth2Issuers());
         tokenConfigOptions.setJwtIDTProcessor(JwtsHelper.getJWTProcessor(jwtsResolvers, JwtsHelper.JWT_TYPE_VERIFIER));
         tokenConfigOptions.setJwtJAGProcessor(JwtsHelper.getJWTProcessor(jwtsResolvers, JwtsHelper.JWT_JAG_TYPE_VERIFIER));
     }
@@ -2120,7 +2123,7 @@ public Response getOIDCResponse(ResourceContext ctx, String responseType, String
         idToken.setVersion(1);
         idToken.setAudience(getIdTokenAudience(clientId, roleInAudClaim, idTokenGroups));
         idToken.setSubject(principalName);
-        idToken.setIssuer(isOidcPortRequest(ctx.request(), null) ? ztsOIDCPortIssuer : ztsOpenIDIssuer);
+        idToken.setIssuer(issuerResolver.getIDTokenIssuer(ctx.request(), null));
         idToken.setNonce(nonce);
         idToken.setGroups(idTokenGroups);
         idToken.setIssueTime(iat);
@@ -2691,7 +2694,7 @@ AccessTokenResponse processAccessTokenImpersonationRequest(ResourceContext ctx,
         accessToken.setExpiryTime(iat + tokenTimeout);
         accessToken.setUserId(principalName);
         accessToken.setSubject(subjectPrincipal);
-        accessToken.setIssuer(accessTokenRequest.isUseOpenIDIssuer() ? ztsOpenIDIssuer : ztsOAuthIssuer);
+        accessToken.setIssuer(issuerResolver.getAccessTokenIssuer(ctx.request(), accessTokenRequest.isUseOpenIDIssuer()));
         accessToken.setScope(new ArrayList<>(roles));
 
         // if we have a certificate used for mTLS authentication then
@@ -2843,7 +2846,7 @@ AccessTokenResponse processAccessTokenDelegationRequest(ResourceContext ctx, Pri
         accessToken.setExpiryTime(iat + tokenTimeout);
         accessToken.setUserId(principalName);
         accessToken.setSubject(subjectPrincipal);
-        accessToken.setIssuer(accessTokenRequest.isUseOpenIDIssuer() ? ztsOpenIDIssuer : ztsOAuthIssuer);
+        accessToken.setIssuer(issuerResolver.getAccessTokenIssuer(ctx.request(), accessTokenRequest.isUseOpenIDIssuer()));
         accessToken.setScope(new ArrayList<>(roles));
 
         // include the act claim in our response. we're going to use
@@ -3002,7 +3005,7 @@ AccessTokenResponse processJAGTokenIssueRequest(ResourceContext ctx, Principal p
         accessToken.setAuthTime(iat);
         accessToken.setExpiryTime(iat + tokenTimeout);
         accessToken.setSubject(subjectIdentity);
-        accessToken.setIssuer(ztsOpenIDIssuer);
+        accessToken.setIssuer(issuerResolver.getAccessTokenIssuer(ctx.request(), true));
         accessToken.setScope(roleList);
         accessToken.setResource(accessTokenRequest.getResource());
 
@@ -3035,7 +3038,7 @@ AccessTokenResponse processJAGTokenExchangeRequest(ResourceContext ctx, AccessTo
         // our server oidc/oauth issuer value
 
         final String jagAudience = jagToken.getAudience();
-        if (!ztsOpenIDIssuer.equals(jagAudience) && !ztsOAuthIssuer.equals(jagAudience)) {
+        if (!issuerResolver.isOauth2Issuer(jagAudience)) {
             LOGGER.error("Invalid jag assertion aud claim: {}", jagAudience);
             throw requestError("Unknown jag assertion audience", caller, ZTSConsts.ZTS_UNKNOWN_DOMAIN, clientPrincipalDomain);
         }
@@ -3302,7 +3305,7 @@ AccessTokenResponse processAccessTokenStandardRequest(ResourceContext ctx, Princ
         accessToken.setExpiryTime(iat + tokenTimeout);
         accessToken.setUserId(principalName);
         accessToken.setSubject(principalName);
-        accessToken.setIssuer(accessTokenRequest.isUseOpenIDIssuer() ? ztsOpenIDIssuer : ztsOAuthIssuer);
+        accessToken.setIssuer(issuerResolver.getAccessTokenIssuer(ctx.request(), accessTokenRequest.isUseOpenIDIssuer()));
         accessToken.setProxyPrincipal(proxyUser);
         accessToken.setScope(new ArrayList<>(roles));
         accessToken.setAuthorizationDetails(accessTokenRequest.getAuthzDetails());
@@ -3338,7 +3341,7 @@ AccessTokenResponse processAccessTokenStandardRequest(ResourceContext ctx, Princ
             idToken.setVersion(1);
             idToken.setAudience(tokenScope.getDomainName() + "." + serviceName);
             idToken.setSubject(principalName);
-            idToken.setIssuer(accessTokenRequest.isUseOpenIDIssuer() ? ztsOpenIDIssuer : ztsOAuthIssuer);
+            idToken.setIssuer(issuerResolver.getAccessTokenIssuer(ctx.request(), accessTokenRequest.isUseOpenIDIssuer()));
 
             // id tokens are only valid for up to 12 hours max
             // (value configured as a system property).
@@ -4734,7 +4737,7 @@ Response postInstanceJWTRegister(ResourceContext ctx, InstanceRegisterInformatio
         IdToken idToken = new IdToken();
         idToken.setVersion(1);
         idToken.setAudience(info.getJwtSVIDAudience());
-        idToken.setIssuer(ztsOpenIDIssuer);
+        idToken.setIssuer(issuerResolver.getIDTokenIssuer(ctx.request(), null));
         idToken.setNonce(info.getJwtSVIDNonce());
         idToken.setIssueTime(iat);
         idToken.setAuthTime(iat);
@@ -5980,7 +5983,7 @@ public ExternalCredentialsResponse postExternalCredentialsRequest(ResourceContex
         IdToken idToken = new IdToken();
         idToken.setVersion(1);
         final String issuerOption = extCredsAttributes.get(ZTSConsts.ZTS_EXTERNAL_ATTR_ISSUER_OPTION);
-        idToken.setIssuer(isOidcPortRequest(ctx.request(), issuerOption) ? ztsOIDCPortIssuer : ztsOpenIDIssuer);
+        idToken.setIssuer(issuerResolver.getIDTokenIssuer(ctx.request(), issuerOption));
         idToken.setNonce(Crypto.randomSalt());
         idToken.setIssueTime(iat);
         idToken.setAuthTime(iat);

servers/zts/src/main/java/com/yahoo/athenz/zts/token/HostIssuerMapping.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright The Athenz Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.yahoo.athenz.zts.token;
+
+/**
+ * Represents a host-to-issuer mapping entry from the configuration file.
+ */
+public class HostIssuerMapping {
+    private String host;
+    private String issuer;
+
+    public String getHost() {
+        return host;
+    }
+
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    public String getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+}