JVMCBC-1689 Add JwtAuthenticator

Modifications
-------------
Add SaslMechanism.OAUTHBEARER, and modify
SaslMechanism.from(String) to use a lookup table
that gets populated automatically. (SASL mechanism
names are case-sensitive!)

Add InitialResponseSaslClient, an abstract base class for
single-step SASL mechanisms (like PLAIN and OAUTHBEARER).
Move common code from ScramSaslClient into CallbackHelper.

Add OauthBearerSaslClient, a subclass of InitialResponseSaslClient
that sends the username and JWT in the expected format.

Change-Id: I4fe89131e8616dad5a7bd4b823612ccba86a871b
Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/233969
Reviewed-by: Michael Reiche <[email protected]>
Tested-by: Build Bot <[email protected]>

Author: dnault

core-io/src/main/java/com/couchbase/client/core/env/Authenticator.java

@@ -32,6 +32,7 @@
  * Implementing this interface yourself is not recommended. Please use one of the provided implementations.
  *
  * @see PasswordAuthenticator
+ * @see JwtAuthenticator
  * @see CertificateAuthenticator
  * @see DelegatingAuthenticator
  *

core-io/src/main/java/com/couchbase/client/core/env/JwtAuthenticator.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright 2025 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+import com.couchbase.client.core.annotation.SinceCouchbase;
+import com.couchbase.client.core.deps.com.fasterxml.jackson.databind.node.ObjectNode;
+import com.couchbase.client.core.deps.io.netty.channel.ChannelPipeline;
+import com.couchbase.client.core.endpoint.EndpointContext;
+import com.couchbase.client.core.io.netty.kv.SaslAuthenticationHandler;
+import com.couchbase.client.core.io.netty.kv.sasl.OauthBearerSaslClient;
+import com.couchbase.client.core.json.Mapper;
+import org.jspecify.annotations.NullMarked;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Set;
+
+import static com.couchbase.client.core.logging.RedactableArgument.redactUser;
+import static java.util.Collections.unmodifiableSet;
+import static java.util.Objects.requireNonNull;
+import static java.util.stream.Collectors.toList;
+
+/**
+ * Authenticates with the Couchbase Server cluster using a JSON Web Token (JWT)
+ * issued by an Identity Provider.
+ * <p>
+ * Create a new instance by calling {@link JwtAuthenticator#create(String)}.
+ */
+@SinceCouchbase("8.1")
+@NullMarked
+public class JwtAuthenticator implements Authenticator {
+  /**
+   * @implNote The SASL exchange is handled by {@link OauthBearerSaslClient}
+   */
+  private static final Set<SaslMechanism> supportedMechanisms =
+    unmodifiableSet(EnumSet.of(SaslMechanism.OAUTHBEARER));
+
+  public static JwtAuthenticator create(String jwt) {
+    return new JwtAuthenticator(jwt);
+  }
+
+  private static class Jwt {
+    private final ObjectNode header;
+    private final ObjectNode payload;
+
+    private Jwt(ObjectNode header, ObjectNode payload) {
+      this.header = requireNonNull(header);
+      this.payload = requireNonNull(payload);
+    }
+
+    public static Jwt parse(String jwt) {
+      String[] parts = jwt.split("\\.");
+      if (parts.length != 3) {
+        throw new IllegalArgumentException("Expected JWT to have 3 dot-separated components, but found " + parts.length);
+      }
+
+      List<byte[]> decodedParts = Arrays.stream(parts)
+        .map(Jwt::decodeBas64Url)
+        .collect(toList());
+
+      try {
+        return new Jwt(
+          (ObjectNode) Mapper.decodeIntoTree(decodedParts.get(0)),
+          (ObjectNode) Mapper.decodeIntoTree(decodedParts.get(1))
+        );
+      } catch (Exception e) {
+        throw new IllegalArgumentException("Malformed JWT; not JSON", e);
+      }
+    }
+
+    private static byte[] decodeBas64Url(String s) {
+      try {
+        return Base64.getUrlDecoder().decode(s);
+      } catch (Exception e) {
+        throw new IllegalArgumentException("Malformed JWT; component not Base64URL-encoded", e);
+      }
+    }
+
+    @Override
+    public String toString() {
+      long expiryEpochSeconds = payload.path("exp").longValue();
+      Duration timeUntilExpiry = Duration.ofSeconds(expiryEpochSeconds - Instant.now().getEpochSecond());
+      return "Jwt{" +
+        "header=" + redactUser(header) +
+        ", payload=" + redactUser(payload) +
+        ", signature=<redacted>" + // because we don't want a valid JWT to appear in any logs.
+        ", timeUntilExpiry=" + timeUntilExpiry +
+        '}';
+    }
+  }
+
+  private final Jwt jwt;
+  private final String encodedJwt;
+  private final String authHeaderValue;
+  private final String username;
+
+  private JwtAuthenticator(String encodedJwt) {
+    this.encodedJwt = encodedJwt.trim();
+    this.authHeaderValue = "Bearer " + this.encodedJwt;
+    this.jwt = Jwt.parse(this.encodedJwt);
+
+    String fieldName = "sub";
+    this.username = jwt.payload.path(fieldName).textValue();
+    if (this.username == null) {
+      throw new IllegalArgumentException("Missing '" + fieldName + "' in JWT payload");
+    }
+  }
+
+  @Override
+  public void authKeyValueConnection(EndpointContext ctx, ChannelPipeline pipeline) {
+    pipeline.addLast(new SaslAuthenticationHandler(
+      ctx,
+      username,
+      encodedJwt,
+      supportedMechanisms
+    ));
+  }
+
+  @Override
+  public String getAuthHeaderValue() {
+    return authHeaderValue;
+  }
+
+  @Override
+  public String toString() {
+    // Omit sensitive properties (like authHeaderValue and encodedJwt)
+    // so they don't accidentally end up in a log.
+    return "JwtAuthenticator{" +
+      "jwt=" + jwt +
+      '}';
+  }
+}

core-io/src/main/java/com/couchbase/client/core/env/SaslMechanism.java

@@ -16,6 +16,15 @@
 
 package com.couchbase.client.core.env;
 
+import org.jspecify.annotations.Nullable;
+
+import java.util.Arrays;
+import java.util.Map;
+
+import static java.util.Collections.unmodifiableMap;
+import static java.util.Objects.requireNonNull;
+import static java.util.stream.Collectors.toMap;
+
 /**
  * Describes the support SASL authentication mechanisms.
  */
@@ -24,13 +33,20 @@ public enum SaslMechanism {
   PLAIN("PLAIN", 1),
   SCRAM_SHA1("SCRAM-SHA1", 2),
   SCRAM_SHA256("SCRAM-SHA256", 2),
-  SCRAM_SHA512("SCRAM-SHA512", 2);
+  SCRAM_SHA512("SCRAM-SHA512", 2),
+  OAUTHBEARER("OAUTHBEARER", 1),
+  ;
 
   private final String mech;
   private final int roundtrips;
 
+  private static final Map<String, SaslMechanism> lookupTable = unmodifiableMap(
+    Arrays.stream(SaslMechanism.values())
+      .collect(toMap(it -> it.mech, it -> it))
+  );
+
   SaslMechanism(String mech, int roundtrips) {
-    this.mech = mech;
+    this.mech = requireNonNull(mech);
     this.roundtrips = roundtrips;
   }
 
@@ -54,17 +70,7 @@ public int roundtrips() {
    * @param mech the mechanism to convert.
    * @return null if not found, otherwise the enum representation.
    */
-  public static SaslMechanism from(final String mech) {
-    if (mech.equalsIgnoreCase("PLAIN")) {
-      return PLAIN;
-    } else if (mech.equalsIgnoreCase("SCRAM-SHA1")) {
-      return SCRAM_SHA1;
-    } else if (mech.equalsIgnoreCase("SCRAM-SHA256")) {
-      return SCRAM_SHA256;
-    } else if (mech.equalsIgnoreCase("SCRAM-SHA512")) {
-      return SCRAM_SHA512;
-    }
-
-    return null;
+  public static @Nullable SaslMechanism from(final String mech) {
+    return lookupTable.get(mech);
   }
 }

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/sasl/CallbackHelper.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 2025 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.io.netty.kv.sasl;
+
+import com.couchbase.client.core.annotation.Stability;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.sasl.SaslException;
+import java.io.IOException;
+import java.util.Arrays;
+
+@Stability.Internal
+class CallbackHelper {
+  private CallbackHelper() {
+    throw new AssertionError("not instantiable");
+  }
+
+  static String getUsername(CallbackHandler callbackHandler) throws SaslException {
+    final NameCallback nameCallback = new NameCallback("Username");
+    try {
+      callbackHandler.handle(new Callback[]{nameCallback});
+    } catch (IOException | UnsupportedCallbackException e) {
+      throw new SaslException("Missing callback fetch username", e);
+    }
+
+    final String name = nameCallback.getName();
+    if (name == null || name.isEmpty()) {
+      throw new SaslException("Missing username");
+    }
+    return name;
+  }
+
+  static String getPassword(CallbackHandler callbackHandler) throws SaslException {
+    final PasswordCallback passwordCallback = new PasswordCallback("Password", false);
+    try {
+      try {
+        callbackHandler.handle(new Callback[]{passwordCallback});
+      } catch (IOException | UnsupportedCallbackException e) {
+        throw new SaslException("Missing callback fetch password", e);
+      }
+
+      final char[] pw = passwordCallback.getPassword();
+      if (pw == null) {
+        throw new SaslException("Password can't be null");
+      }
+
+      String result = new String(pw);
+      Arrays.fill(pw, ' ');
+      return result;
+
+    } finally {
+      passwordCallback.clearPassword();
+    }
+  }
+}

core-io/src/main/java/com/couchbase/client/core/io/netty/kv/sasl/CouchbaseSaslClientFactory.java

@@ -16,11 +16,15 @@
 
 package com.couchbase.client.core.io.netty.kv.sasl;
 
+import com.couchbase.client.core.env.SaslMechanism;
+
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslClient;
 import javax.security.sasl.SaslClientFactory;
 import javax.security.sasl.SaslException;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 
 /**
@@ -45,10 +49,17 @@ public SaslClient createSaslClient(final String[] mechanisms, final String autho
 
     SaslClient client = SCRAM_FACTORY
       .createSaslClient(mechanisms, authorizationId, protocol, serverName, props, cbh);
-    if (client == null) {
-      client = Sasl.createSaslClient(mechanisms, authorizationId, protocol, serverName, props, cbh);
+
+    if (client != null) {
+      return client;
     }
-    return client;
+
+    List<String> mechanismList = Arrays.asList(mechanisms);
+    if (mechanismList.contains(SaslMechanism.OAUTHBEARER.mech())) {
+      return new OauthBearerSaslClient(cbh);
+    }
+
+    return Sasl.createSaslClient(mechanisms, authorizationId, protocol, serverName, props, cbh);
   }
 
   /**