Merge pull request #212 from FlorianWege-IESE/authorization2

Add audience jwt bearer security property

Author: FrankSchnicke

basyx.components/basyx.components.docker/basyx.components.AASServer/src/main/java/org/eclipse/basyx/components/aas/authorization/AuthorizedAASServerFeature.java

@@ -91,6 +91,10 @@ public IJwtBearerTokenAuthenticationConfigurationProvider getJwtBearerTokenAuthe
 			return null;
 		}
 
+		if (securityConfig.getAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationProvider() == null) {
+			return null;
+		}
+
 		return AuthorizationDynamicClassLoader.loadInstanceDynamically(securityConfig, BaSyxSecurityConfiguration.AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER,
 				IJwtBearerTokenAuthenticationConfigurationProvider.class);
 	}

basyx.components/basyx.components.docker/basyx.components.AASServer/src/main/resources/security.properties

@@ -7,9 +7,11 @@
 # ######################
 # authorization.strategy=SimpleRbac
 authorization.strategy=GrantedAuthority
-authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.security.authorization.internal.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
+# authorization.strategy=Custom
+# authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.security.authorization.internal.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
 authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl=http://localhost:9005
 authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm=basyx-demo
+authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.audience=aas-server
 authorization.strategy.simpleRbac.rulesFilePath=/rbac_rules.json
 authorization.strategy.simpleRbac.subjectInformationProvider=org.eclipse.basyx.extensions.shared.authorization.internal.JWTAuthenticationContextProvider
 authorization.strategy.simpleRbac.roleAuthenticator=org.eclipse.basyx.extensions.shared.authorization.internal.KeycloakRoleAuthenticator

basyx.components/basyx.components.docker/basyx.components.registry/src/main/java/org/eclipse/basyx/components/registry/RegistryComponent.java

@@ -361,6 +361,9 @@ private void configureContextForAuthorization(final BaSyxContext context) {
 	}
 
 	private IJwtBearerTokenAuthenticationConfigurationProvider getJwtBearerTokenAuthenticationConfigurationProvider() {
+		if (securityConfig.getAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationProvider() == null) {
+			return null;
+		}
 		return AuthorizationDynamicClassLoader.loadInstanceDynamically(securityConfig, BaSyxSecurityConfiguration.AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER,
 				IJwtBearerTokenAuthenticationConfigurationProvider.class);
 	}

basyx.components/basyx.components.docker/basyx.components.registry/src/main/resources/security.properties

@@ -7,9 +7,11 @@
 # ######################
 # authorization.strategy=SimpleRbac
 authorization.strategy=GrantedAuthority
-authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.security.authorization.internal.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
+# authorization.strategy=Custom
+# authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.security.authorization.internal.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
 authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl=http://127.0.0.1:9005/auth
 authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm=basyx-demo
+authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.audience=aas-registry
 authorization.strategy.simpleRbac.rulesFilePath=/rbac_rules.json
 authorization.strategy.simpleRbac.subjectInformationProvider=org.eclipse.basyx.extensions.shared.authorization.internal.JWTAuthenticationContextProvider
 authorization.strategy.simpleRbac.roleAuthenticator=org.eclipse.basyx.extensions.shared.authorization.internal.KeycloakRoleAuthenticator

basyx.components/basyx.components.lib/src/main/java/org/eclipse/basyx/components/configuration/BaSyxSecurityConfiguration.java

@@ -49,6 +49,7 @@ public class BaSyxSecurityConfiguration extends BaSyxConfiguration {
 	public static final String AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER = "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider";
 	public static final String AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_SERVER_URL = "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl";
 	public static final String AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_REALM = "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm";
+	public static final String AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_AUDIENCE = "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.audience";
 	public static final String AUTHORIZATION_STRATEGY_SIMPLERBAC_RULES_FILE_PATH = "authorization.strategy.simpleRbac.rulesFilePath";
 	public static final String AUTHORIZATION_STRATEGY_SIMPLERBAC_ROLE_AUTHENTICATOR = "authorization.strategy.simpleRbac.roleAuthenticator";
 	public static final String AUTHORIZATION_STRATEGY_SIMPLERBAC_SUBJECT_INFORMATION_PROVIDER = "authorization.strategy.simpleRbac.subjectInformationProvider";
@@ -92,7 +93,7 @@ public BaSyxSecurityConfiguration() {
 	 */
 	public void loadFromEnvironmentVariables() {
 		String[] properties = { AUTHORIZATION_STRATEGY, AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER, AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_SERVER_URL,
-				AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_REALM, AUTHORIZATION_STRATEGY_SIMPLERBAC_RULES_FILE_PATH, AUTHORIZATION_STRATEGY_SIMPLERBAC_ROLE_AUTHENTICATOR,
+				AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_REALM, AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_AUDIENCE, AUTHORIZATION_STRATEGY_SIMPLERBAC_RULES_FILE_PATH, AUTHORIZATION_STRATEGY_SIMPLERBAC_ROLE_AUTHENTICATOR,
 				AUTHORIZATION_STRATEGY_SIMPLERBAC_SUBJECT_INFORMATION_PROVIDER, AUTHORIZATION_STRATEGY_GRANTEDAUTHORITY_GRANTED_AUTHORITY_GRANTED_AUTHORITY_AUTHENTICATOR, AUTHORIZATION_STRATEGY_GRANTEDAUTHORITY_SUBJECT_INFORMATION_PROVIDER,
 				AUTHORIZATION_STRATEGY_CUSTOM_AUTHORIZERS_PROVIDER, AUTHORIZATION_STRATEGY_CUSTOM_SUBJECT_INFORMATION_PROVIDER, };
 		loadFromEnvironmentVariables(ENV_PREFIX, properties);
@@ -135,6 +136,14 @@ public void setAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationPro
 		setProperty(AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_KEYCLOAK_REALM, authorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderKeycloakRealm);
 	}
 
+	public String getAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderAudience() {
+		return getProperty(AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_AUDIENCE);
+	}
+
+	public void setAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderAudience(String authorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderAudience) {
+		setProperty(AUTHORIZATION_STRATEGY_JWT_BEARER_TOKEN_AUTHENTICATION_CONFIGURATION_PROVIDER_AUDIENCE, authorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderAudience);
+	}
+
 	public String getAuthorizationStrategySimpleRbacRulesFilePath() {
 		return getProperty(AUTHORIZATION_STRATEGY_SIMPLERBAC_RULES_FILE_PATH);
 	}

basyx.components/basyx.components.lib/src/main/java/org/eclipse/basyx/components/security/authorization/internal/KeycloakJwtBearerTokenAuthenticationConfigurationProvider.java

@@ -24,6 +24,7 @@
  ******************************************************************************/
 package org.eclipse.basyx.components.security.authorization.internal;
 
+import org.apache.commons.lang3.StringUtils;
 import org.eclipse.basyx.components.configuration.BaSyxSecurityConfiguration;
 import org.eclipse.basyx.extensions.shared.authorization.internal.KeycloakService;
 import org.eclipse.basyx.vab.protocol.http.server.JwtBearerTokenAuthenticationConfiguration;
@@ -46,6 +47,23 @@ public JwtBearerTokenAuthenticationConfiguration get(BaSyxSecurityConfiguration
 
 		final KeycloakService keycloakService = new KeycloakService(serverUrl, realm);
 
-		return keycloakService.createJwtBearerTokenAuthenticationConfiguration();
+		final String audience = getAudience(securityConfig);
+
+		final JwtBearerTokenAuthenticationConfiguration keycloakServiceJwtBearerTokenAuthenticationConfiguration = keycloakService.createJwtBearerTokenAuthenticationConfiguration();
+
+		final String issuerUri = keycloakServiceJwtBearerTokenAuthenticationConfiguration.getIssuerUri();
+		final String jwkSetUri = keycloakServiceJwtBearerTokenAuthenticationConfiguration.getJwkSetUri();
+
+		return JwtBearerTokenAuthenticationConfiguration.of(issuerUri, jwkSetUri, audience);
+	}
+
+	private String getAudience(final BaSyxSecurityConfiguration securityConfig) {
+		final String audience = securityConfig.getAuthorizationStrategyJwtBearerTokenAuthenticationConfigurationProviderAudience();
+
+		if (audience == null || StringUtils.isBlank(audience)) {
+			return null;
+		}
+
+		return audience;
 	}
 }