Scicas 3580 ias token exchange (#1848)

* SCICAS-3580:
- extended SecurityContext to hold attachments

* SCICAS-3580:
- extended IasTokenAuthenticator to call hooks after sucessfully validating a token

* SCICAS-3580:
- created a ContextExtension interface for after-validation hooks to extend the SecurityContext
- implemented a IasToXsuaaExtension to swap a weak IAS Token to a strong IAS token and (if wanted) to a XSUAA token. Saves all tokens to the SecurityContext

* SCICAS-3580:
- reformatted code

* SCICAS-3580:
- removed the ContextExtension principle and added a new hybrid token authenticator instead that handles the switch from IAS to XSUAA token

* getIdToken Exchange:
- added a new SecurityContext extension that handles the token exchange from weak access token to strong ID Token
- added logic to the SecurityContext to register a new Context Extension and to use this extension to get a new ID Token

* getIdToken Exchange:
- resolved MR comments
- reformatted code

* getIdToken Exchange:
- added logic to only return ID Token if it doesnt expire within next 5 minutes

* getIdToken Exchange:
- added nullcheck

* getIdToken Exchange:
- minor changes

* getIdToken Exchange:
- minor changes / MR comments
- added tests

* getIdToken Exchange:
- fixed javadoc header

* getIdToken Exchange:
- added a new placeholder variable for the initial token to work on and to keep it saved within the security context
- changed the logic in the DefaultIdTokenExtension to work with the initial token instead of the real token as this token may vary in further topics if it gets exchanged for an XSUAA Token

* getIdToken Exchange:
- minor change in client id retrieval logic

* getIdToken Exchange:
- removed IAS logic and used the new getIDToken function to retrieve ID Token

* SCICAS-3580:
- PR comments

* SCICAS-3580:
- PR comments
- reformatted code and applied happy path concept to remove if clause nesting
- added javadoc

* SCICAS-3580:
- removed final from exception

* SCICAS-3580:
- pr comments

* SCICAS-3580:
- pr comments

* SCICAS-3580:
- pr comments
- added tests

Author: NiklasHerrmann21

java-api/pom.xml

@@ -116,7 +116,7 @@
 			<scope>test</scope>
 			<version>${slf4j.api.version}</version>
 		</dependency>
-	</dependencies>
+    </dependencies>
 
 	<build>
 		<plugins>

java-api/src/main/java/com/sap/cloud/security/token/SecurityContext.java

@@ -41,13 +41,12 @@ public static Certificate getClientCertificate() {
 		return certificateStorage.get();
 	}
 
-	/**
-	 * Saves the certificate thread wide.
-	 *
-	 * @param certificate
-	 * 		certificate to be saved.
-	 */
-	public static void setClientCertificate(Certificate certificate) {
+  /**
+   * Saves the certificate thread wide.
+   *
+   * @param certificate certificate to be saved.
+   */
+  public static void setClientCertificate(final Certificate certificate) {
 		LOGGER.debug("Sets certificate to SecurityContext (thread-locally). {}",
 				certificate);
 		certificateStorage.set(certificate);
@@ -69,7 +68,7 @@ private static void clearCertificate() {
    *
    * @param token token to be saved.
    */
-  public static void setToken(Token token) {
+  public static void setToken(final Token token) {
     LOGGER.debug(
         "Sets token of service {} to SecurityContext (thread-locally).",
         token != null ? token.getService() : "null");
@@ -78,6 +77,19 @@ public static void setToken(Token token) {
     idTokenStorage.remove();
   }
 
+  /**
+   * Saves the token thread wide. Only used in special cases to overwrite only the token for
+   * internal usage.
+   *
+   * @param token token to be saved.
+   */
+  public static void overwriteToken(final Token token) {
+    LOGGER.debug(
+        "Sets token of service {} to SecurityContext (thread-locally).",
+        token != null ? token.getService() : "null");
+    tokenStorage.set(token);
+  }
+
 	/**
 	 * Returns the token that is saved in thread wide storage.
 	 *
@@ -125,7 +137,7 @@ public static void registerIdTokenExtension(IdTokenExtension ext) {
   }
 
   /**
-   * Resolves an OpenID Connect ID token for the current user.
+   * Experimental Resolves an OpenID Connect ID token for the current user.
    *
    * <p>Checks if a token is already present in the thread local storage and if it is still valid
    * (not expired or about to expire within 5 minutes). If a valid token is found, it is returned.
@@ -196,21 +208,22 @@ public static List<String> getServicePlans() {
 		return servicePlanStorage.get();
 	}
 
-	/**
-	 * Saves the Identity service broker plans in thread local storage.
-	 *
-	 * @param servicePlansHeader unprocessed Identity Service broker plan header value from response
-	 */
-	public static void setServicePlans(String servicePlansHeader) {
-		// the header format contains a comma-separated list of quoted plan names, e.g. "plan1","plan \"two\"","plan3"
-		String[] planParts = servicePlansHeader
-				.trim()
-				.split("\\s*,\\s*"); // split by <whitespaces>,<whitespaces>
-
-		// remove " around plan names
-		List<String> plans = Arrays.stream(planParts)
-				.map(plan -> plan.substring(1, plan.length() - 1))
-				.collect(Collectors.toList());
+  /**
+   * Saves the Identity service broker plans in thread local storage.
+   *
+   * @param servicePlansHeader unprocessed Identity Service broker plan header value from response
+   */
+  public static void setServicePlans(final String servicePlansHeader) {
+    // the header format contains a comma-separated list of quoted plan names, e.g. "plan1","plan
+    // \"two\"","plan3"
+    final String[] planParts =
+        servicePlansHeader.trim().split("\\s*,\\s*"); // split by <whitespaces>,<whitespaces>
+
+    // remove " around plan names
+    final List<String> plans =
+        Arrays.stream(planParts)
+            .map(plan -> plan.substring(1, plan.length() - 1))
+            .collect(Collectors.toList());
 
 		if (LOGGER.isDebugEnabled()) {
 			LOGGER.debug("Sets Identity Service Plan {} to SecurityContext (thread-locally).",

java-security/src/main/java/com/sap/cloud/security/servlet/HybridTokenAuthenticator.java

@@ -0,0 +1,123 @@
+package com.sap.cloud.security.servlet;
+
+import static com.sap.cloud.security.servlet.HybridTokenFactory.isXsuaaToken;
+import static com.sap.cloud.security.servlet.HybridTokenFactory.removeBearer;
+
+import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
+import com.sap.cloud.security.token.DefaultIdTokenExtension;
+import com.sap.cloud.security.token.SecurityContext;
+import com.sap.cloud.security.token.Token;
+import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
+import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
+import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
+import com.sap.cloud.security.xsuaa.client.XsuaaTokenExchangeService;
+import com.sap.cloud.security.xsuaa.http.HttpHeaders;
+import com.sap.cloud.security.xsuaa.jwt.Base64JwtDecoder;
+import com.sap.cloud.security.xsuaa.jwt.DecodedJwt;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+import org.apache.http.impl.client.CloseableHttpClient;
+
+/**
+ * Experimental Authenticates HTTP requests carrying either an IAS Access Token, ID token or an
+ * XSUAA access token in the {@code Authorization} header.
+ *
+ * <p>If the token is already an XSUAA token, validation is delegated to {@link
+ * XsuaaTokenAuthenticator}. Otherwise, the IAS token is validated via {@link
+ * IasTokenAuthenticator}, and on success, exchanged for an XSUAA access token using the OAuth 2.0
+ * JWT Bearer Token grant ({@code jwt_bearer}). The exchanged XSUAA token is then stored in the
+ * {@link com.sap.cloud.security.token.SecurityContext} and used for subsequent authorization.
+ *
+ * <p>Requirements:
+ *
+ * <ul>
+ *   <li>XSUAA instance must support the {@code jwt_bearer} grant type.
+ *   <li>The IAS ID token must contain the {@code app_tid} (tenant) claim.
+ *   <li>Either client secret or certificate credentials must be configured for XSUAA.
+ * </ul>
+ *
+ * <p>This authenticator is stateless and thread-safe. It should be invoked once per request,
+ * typically from a servlet filter. Ensure the {@link com.sap.cloud.security.token.SecurityContext}
+ * is cleared after each request to prevent token leakage between threads.
+ */
+public class HybridTokenAuthenticator extends AbstractTokenAuthenticator {
+
+  private final OAuth2ServiceConfiguration xsuaaConfig;
+  private final OAuth2TokenService tokenService;
+  private final IasTokenAuthenticator iasTokenAuthenticator = new IasTokenAuthenticator();
+  private final XsuaaTokenAuthenticator xsuaaTokenAuthenticator = new XsuaaTokenAuthenticator();
+  private final XsuaaTokenExchangeService exchangeService = new XsuaaTokenExchangeService();
+
+  public HybridTokenAuthenticator(
+      @Nonnull final OAuth2ServiceConfiguration iasConfig,
+      @Nonnull final CloseableHttpClient httpClient,
+      @Nonnull final OAuth2ServiceConfiguration xsuaaConfig) {
+    this.tokenService = new DefaultOAuth2TokenService(httpClient);
+    this.xsuaaConfig = xsuaaConfig;
+    SecurityContext.registerIdTokenExtension(new DefaultIdTokenExtension(tokenService, iasConfig));
+  }
+
+  @Override
+  public TokenAuthenticationResult validateRequest(
+      final ServletRequest request, final ServletResponse response) {
+
+    if (!(request instanceof HttpServletRequest httpRequest
+        && response instanceof HttpServletResponse)) {
+      return unauthenticated("Could not process request " + request);
+    }
+    final String authz = httpRequest.getHeader(HttpHeaders.AUTHORIZATION);
+    if (!headerIsAvailable(authz)) {
+      return unauthenticated("Authorization header is missing.");
+    }
+    DecodedJwt decodedJwt;
+    try {
+      decodedJwt = Base64JwtDecoder.getInstance().decode(removeBearer(authz));
+    } catch (IllegalArgumentException e) {
+      return unauthenticated("Unexpected error occurred: " + e.getMessage());
+    }
+
+    // If token is already an XSUAA token, delegate to XSUAA authenticator
+    if (isXsuaaToken(decodedJwt)) {
+      return xsuaaTokenAuthenticator.validateRequest(httpRequest, response);
+    }
+
+    // Otherwise, treat it as an IAS token
+    final TokenAuthenticationResult iasResult =
+        iasTokenAuthenticator.validateRequest(httpRequest, response);
+    if (!iasResult.isAuthenticated()) {
+      return iasResult;
+    }
+    try {
+      final Token idToken = SecurityContext.getIdToken();
+      if (idToken == null) {
+        return unauthenticated("Missing IAS ID Token. Cannot exchange for XSUAA Token.");
+      }
+      final Token xsuaaToken = exchangeService.exchangeToXsuaa(idToken, xsuaaConfig, tokenService);
+      SecurityContext.overwriteToken(xsuaaToken);
+      return xsuaaTokenAuthenticator.authenticated(xsuaaToken);
+    } catch (OAuth2ServiceException | IllegalArgumentException | IllegalStateException e) {
+      return unauthenticated(
+          "Unexpected error during exchange from ID token to XSUAA token:" + e.getMessage());
+    }
+  }
+
+  @Override
+  protected OAuth2ServiceConfiguration getServiceConfiguration() {
+    return xsuaaTokenAuthenticator.getServiceConfiguration();
+  }
+
+  @Nullable
+  @Override
+  protected OAuth2ServiceConfiguration getOtherServiceConfiguration() {
+    return xsuaaTokenAuthenticator.getOtherServiceConfiguration();
+  }
+
+  @Override
+  protected Token extractFromHeader(final String authorizationHeader) {
+    return xsuaaTokenAuthenticator.extractFromHeader(authorizationHeader);
+  }
+}

java-security/src/main/java/com/sap/cloud/security/servlet/HybridTokenFactory.java

@@ -5,6 +5,9 @@
  */
 package com.sap.cloud.security.servlet;
 
+import static com.sap.cloud.security.token.TokenClaims.XSUAA.EXTERNAL_ATTRIBUTE;
+import static com.sap.cloud.security.token.TokenClaims.XSUAA.EXTERNAL_ATTRIBUTE_ENHANCER;
+
 import com.sap.cloud.security.config.Environments;
 import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
 import com.sap.cloud.security.config.ServiceConstants;
@@ -13,16 +16,12 @@
 import com.sap.cloud.security.xsuaa.Assertions;
 import com.sap.cloud.security.xsuaa.jwt.Base64JwtDecoder;
 import com.sap.cloud.security.xsuaa.jwt.DecodedJwt;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.annotation.Nonnull;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.regex.Pattern;
-
-import static com.sap.cloud.security.token.TokenClaims.XSUAA.EXTERNAL_ATTRIBUTE;
-import static com.sap.cloud.security.token.TokenClaims.XSUAA.EXTERNAL_ATTRIBUTE_ENHANCER;
+import javax.annotation.Nonnull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Creates a {@link Token} instance. Supports Jwt tokens from IAS and XSUAA identity service. TokenFactory loads and
@@ -34,14 +33,16 @@ public class HybridTokenFactory implements TokenFactory {
 	static Optional<String> xsAppId;
 	static ScopeConverter xsScopeConverter;
 
-	/**
-	 * Determines whether the JWT token is issued by XSUAA or IAS identity service, and creates a Token for it.
-	 *
-	 * @param jwtToken
-	 * 		the encoded JWT token (access_token or id_token), e.g. from the Authorization Header.
-	 * @return the new token instance
-	 */
-	public Token create(String jwtToken) {
+  /**
+   * Determines whether the JWT token is issued by XSUAA or IAS identity service, and creates a
+   * Token for it.
+   *
+   * @param jwtToken the encoded JWT token (access_token or id_token), e.g. from the Authorization
+   *     Header.
+   * @return the new token instance
+   */
+  @Override
+  public Token create(String jwtToken) {
 		try {
 			Objects.requireNonNull(jwtToken, "Requires encoded jwtToken to create a Token instance.");
 			DecodedJwt decodedJwt = Base64JwtDecoder.getInstance().decode(removeBearer(jwtToken));
@@ -90,22 +91,21 @@ private static Optional<String> getXsAppId() {
 		return xsAppId;
 	}
 
-	/**
-	 * Determines if the provided decoded jwt token is issued by the XSUAA identity service.
-	 *
-	 * @param decodedJwt
-	 * 		jwt to be checked
-	 * @return true if provided token is a XSUAA token
-	 */
-	private static boolean isXsuaaToken(DecodedJwt decodedJwt) {
+  /**
+   * Determines if the provided decoded jwt token is issued by the XSUAA identity service.
+   *
+   * @param decodedJwt jwt to be checked
+   * @return true if provided token is a XSUAA token
+   */
+  protected static boolean isXsuaaToken(DecodedJwt decodedJwt) {
 		String jwtPayload = decodedJwt.getPayload().toLowerCase();
 		return (jwtPayload.contains(EXTERNAL_ATTRIBUTE)
 				&& jwtPayload.contains(EXTERNAL_ATTRIBUTE_ENHANCER)
 				&& jwtPayload.contains("xsuaa"))
 				|| jwtPayload.contains("\"zid\":\"uaa\",");
 	}
 
-	private static String removeBearer(@Nonnull String jwtToken) {
+  protected static String removeBearer(@Nonnull String jwtToken) {
 		Assertions.assertHasText(jwtToken, "jwtToken must not be null / empty");
 		Pattern bearerPattern = Pattern.compile("[B|b]earer ");
 		return bearerPattern.matcher(jwtToken).replaceFirst("");

java-security/src/main/java/com/sap/cloud/security/servlet/IasTokenAuthenticator.java

@@ -14,38 +14,39 @@
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
-
 import javax.annotation.Nullable;
 
 public class IasTokenAuthenticator extends AbstractTokenAuthenticator {
 
-	@Override
-	public Token extractFromHeader(String authorizationHeader) {
-		return new SapIdToken(authorizationHeader);
-	}
-
-	@Override
-	public TokenAuthenticationResult validateRequest(ServletRequest request, ServletResponse response) {
-		HttpServletRequest httpRequest = (HttpServletRequest) request;
-		SecurityContext.setClientCertificate(X509Certificate
-				.newCertificate(getClientCertificate(httpRequest)));
-		return super.validateRequest(request, response);
-	}
-
-	@Override
-	protected OAuth2ServiceConfiguration getServiceConfiguration() {
-		OAuth2ServiceConfiguration config = serviceConfiguration != null ? serviceConfiguration
-				: Environments.getCurrent().getIasConfiguration();
-		if (config == null) {
-			throw new IllegalStateException("There must be a service configuration.");
-		}
-		return config;
-	}
-
-	@Nullable
-	@Override
-	protected OAuth2ServiceConfiguration getOtherServiceConfiguration() {
-		return null;
-	}
-
+  @Override
+  public Token extractFromHeader(final String authorizationHeader) {
+    return new SapIdToken(authorizationHeader);
+  }
+
+  @Override
+  public TokenAuthenticationResult validateRequest(
+      final ServletRequest request, final ServletResponse response) {
+    final HttpServletRequest httpRequest = (HttpServletRequest) request;
+    SecurityContext.setClientCertificate(
+        X509Certificate.newCertificate(getClientCertificate(httpRequest)));
+    return super.validateRequest(request, response);
+  }
+
+  @Override
+  protected OAuth2ServiceConfiguration getServiceConfiguration() {
+    final OAuth2ServiceConfiguration config =
+        serviceConfiguration != null
+            ? serviceConfiguration
+            : Environments.getCurrent().getIasConfiguration();
+    if (config == null) {
+      throw new IllegalStateException("There must be a service configuration.");
+    }
+    return config;
+  }
+
+  @Nullable
+  @Override
+  protected OAuth2ServiceConfiguration getOtherServiceConfiguration() {
+    return null;
+  }
 }