JVMCBC-1689 Omit redundant authorization ID from OAUTHBEARER payload

Motivation
----------
Now that MB-68594 is resolved, the SDK no longer needs to
redundantly specify the authorization ID when using a JWT
to authenticate.

Modifications
-------------
Remove code that extracted the "sub" field from the JWT,
since we no longer need to pass it to the server redundantly.

Let subclasses of InitialResponseSaslClient decide
which bits of information to fetch from the callback.
This lets us specify a null username, while avoiding
the exception that would result from trying to fetch
a null username from the callback.

Propagate the authorization ID from the SaslClientFactory
to OauthBearerSaslClient. This feature is currently unused,
(the whole point of this change is to avoid having
to explicitly pass an authorization ID) but this parallels
the other SaslClient implementations.

When authorization ID is absent (currently always!),
omit the "a=<authorization-id>" component from the SASL
OAUTHBEARER payload.

Change-Id: I606f8297cc5bc6547f7ef5b1adb276eaa41333b0
Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/234802
Tested-by: Build Bot <[email protected]>
Reviewed-by: Michael Reiche <[email protected]>

Author: dnault

core-io/src/main/java/com/couchbase/client/core/env/JwtAuthenticator.java

@@ -110,25 +110,18 @@ public String toString() {
   private final Jwt jwt;
   private final String encodedJwt;
   private final String authHeaderValue;
-  private final String username;
 
   private JwtAuthenticator(String encodedJwt) {
     this.encodedJwt = encodedJwt.trim();
     this.authHeaderValue = "Bearer " + this.encodedJwt;
     this.jwt = Jwt.parse(this.encodedJwt);
-
-    String fieldName = "sub";
-    this.username = jwt.payload.path(fieldName).textValue();
-    if (this.username == null) {
-      throw new IllegalArgumentException("Missing '" + fieldName + "' in JWT payload");
-    }
   }
 
   @Override
   public void authKeyValueConnection(EndpointContext ctx, ChannelPipeline pipeline) {
     pipeline.addLast(new SaslAuthenticationHandler(
       ctx,
-      username,
+      null, // username not required
       encodedJwt,
       supportedMechanisms
     ));

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/SaslAuthenticationHandler.java

@@ -38,6 +38,7 @@
 import com.couchbase.client.core.json.Mapper;
 import com.couchbase.client.core.msg.kv.BaseKeyValueRequest;
 import com.couchbase.client.core.util.Bytes;
+import org.jspecify.annotations.Nullable;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -102,7 +103,7 @@ public class SaslAuthenticationHandler extends ChannelDuplexHandler implements C
    * Holds the timeout for the full feature negotiation phase.
    */
   private final Duration timeout;
-  private final String username;
+  private final @Nullable String username;
   private final String password;
   private final Set<SaslMechanism> allowedMechanisms;
   private final EndpointContext endpointContext;
@@ -129,7 +130,7 @@ public class SaslAuthenticationHandler extends ChannelDuplexHandler implements C
    */
   private int roundtripsToGo;
 
-  public SaslAuthenticationHandler(final EndpointContext endpointContext, final String username,
+  public SaslAuthenticationHandler(final EndpointContext endpointContext, final @Nullable String username,
                                    final String password, final Set<SaslMechanism> allowedSaslMechanisms) {
     this.endpointContext = endpointContext;
     this.username = username;

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/sasl/CouchbaseSaslClientFactory.java

@@ -56,7 +56,7 @@ public SaslClient createSaslClient(final String[] mechanisms, final String autho
 
     List<String> mechanismList = Arrays.asList(mechanisms);
     if (mechanismList.contains(SaslMechanism.OAUTHBEARER.mech())) {
-      return new OauthBearerSaslClient(cbh);
+      return new OauthBearerSaslClient(authorizationId, cbh);
     }
 
     return Sasl.createSaslClient(mechanisms, authorizationId, protocol, serverName, props, cbh);

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/sasl/InitialResponseSaslClient.java

@@ -17,31 +17,31 @@
 package com.couchbase.client.core.io.netty.kv.sasl;
 
 import com.couchbase.client.core.annotation.Stability;
+import org.jspecify.annotations.NullMarked;
 import org.jspecify.annotations.Nullable;
 
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.SaslClient;
 import javax.security.sasl.SaslException;
 
-import static com.couchbase.client.core.io.netty.kv.sasl.CallbackHelper.getPassword;
-import static com.couchbase.client.core.io.netty.kv.sasl.CallbackHelper.getUsername;
 import static java.util.Objects.requireNonNull;
 
 /**
  * Base class for mechanisms that have a single step: the initial response.
  */
 @Stability.Internal
+@NullMarked
 abstract class InitialResponseSaslClient implements SaslClient {
   private final CallbackHandler callbackHandler;
-  private final String authorizationId;
+  protected final @Nullable String authorizationId;
 
   private boolean complete;
 
   public InitialResponseSaslClient(
     @Nullable String authorizationId,
     CallbackHandler callbackHandler
   ) {
-    this.authorizationId = authorizationId == null ? "" : authorizationId;
+    this.authorizationId = authorizationId;
     this.callbackHandler = requireNonNull(callbackHandler);
   }
 
@@ -57,16 +57,10 @@ public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
     }
 
     complete = true;
-    String username = getUsername(callbackHandler);
-    String password = getPassword(callbackHandler);
-    return getInitialResponse(authorizationId, username, password);
+    return getInitialResponse(callbackHandler);
   }
 
-  abstract byte[] getInitialResponse(
-    String authorizationId,
-    String username,
-    String password
-  );
+  abstract byte[] getInitialResponse(CallbackHandler callbackHandler) throws SaslException;
 
   @Override
   public boolean isComplete() {
@@ -86,7 +80,7 @@ public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
   }
 
   @Override
-  public Object getNegotiatedProperty(String propName) {
+  public @Nullable Object getNegotiatedProperty(String propName) {
     requireComplete("getNegotiatedProperty");
     return null;
   }

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/sasl/OauthBearerSaslClient.java

@@ -18,15 +18,23 @@
 
 import com.couchbase.client.core.annotation.Stability;
 import com.couchbase.client.core.env.SaslMechanism;
+import org.jspecify.annotations.NullMarked;
+import org.jspecify.annotations.Nullable;
 
 import javax.security.auth.callback.CallbackHandler;
+import javax.security.sasl.SaslException;
 
+import static com.couchbase.client.core.io.netty.kv.sasl.CallbackHelper.getPassword;
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 @Stability.Internal
+@NullMarked
 public class OauthBearerSaslClient extends InitialResponseSaslClient {
-  public OauthBearerSaslClient(CallbackHandler callbackHandler) {
-    super(null, callbackHandler);
+  public OauthBearerSaslClient(
+    @Nullable String authorizationId,
+    CallbackHandler callbackHandler
+  ) {
+    super(authorizationId, callbackHandler);
   }
 
   @Override
@@ -35,11 +43,9 @@ public String getMechanismName() {
   }
 
   @Override
-  protected byte[] getInitialResponse(
-    String authorizationId,
-    String username,
-    String password
-  ) {
-    return ("n,a=" + username + ",\1auth=Bearer " + password + "\1\1").getBytes(UTF_8);
+  protected byte[] getInitialResponse(CallbackHandler callbackHandler) throws SaslException {
+    String authorizationComponent = authorizationId == null ? "" : "a=" + authorizationId;
+    String token = getPassword(callbackHandler);
+    return ("n," + authorizationComponent + ",\1auth=Bearer " + token + "\1\1").getBytes(UTF_8);
   }
 }