[7.17] Update OIDC and JWT dependencies (#96862) (#96917)

n1v0lg · elasticmachine · web-flow · commit 1fe30f5d6b3f · 2023-06-19T08:17:24.000-04:00
* Update OIDC and JWT dependencies (#96862) Updates internal dependencies for OIDC and JWT realms. * Order --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -974,9 +974,14 @@
             <sha256 value="7664cf8c6f2adadf600287812b32878277beda54912eab9d4c2932cd50cb704a" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="9.3.1">
-         <artifact name="oauth2-oidc-sdk-9.3.1.jar">
-            <sha256 value="6ebf20268af33b31fc21486a59571b03013940a5e051cb4925d08c2c1e6e017c" origin="Generated by Gradle"/>
+       <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.23">
+           <artifact name="nimbus-jose-jwt-9.23.jar">
+               <sha256 value="33ab8084fdae1d75be1b061b1489d4a12045bd7b50c2e24ff152911e4551ec07" origin="Generated by Gradle"/>
+           </artifact>
+       </component>
+      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="9.37">
+         <artifact name="oauth2-oidc-sdk-9.37.jar">
+            <sha256 value="44a04bbed5ae3f6d198aa73ee6b545c476e528ec1a267ef3e9f7033f886dd6fe" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.perforce" name="p4java" version="2015.2.1365273">
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
@@ -66,8 +66,8 @@ dependencies {
   runtimeOnly 'com.google.guava:guava:19.0'
 
   // Dependencies for oidc
-  api "com.nimbusds:oauth2-oidc-sdk:9.3.1"
-  api "com.nimbusds:nimbus-jose-jwt:9.8.1"
+  api "com.nimbusds:oauth2-oidc-sdk:9.37"
+  api "com.nimbusds:nimbus-jose-jwt:9.23"
   api "com.nimbusds:lang-tag:1.4.4"
   api "com.sun.mail:jakarta.mail:1.6.3"
   api "net.jcip:jcip-annotations:1.0"
@@ -90,7 +90,7 @@ dependencies {
   testImplementation('org.apache.kerby:kerb-crypto:1.1.1')
   testImplementation('org.apache.kerby:kerb-util:1.1.1')
   testImplementation('org.apache.kerby:token-provider:1.1.1')
-  testImplementation('com.nimbusds:nimbus-jose-jwt:9.8.1')
+  testImplementation('com.nimbusds:nimbus-jose-jwt:9.23')
   testImplementation('net.jcip:jcip-annotations:1.0')
   testImplementation('org.apache.kerby:kerb-admin:1.1.1')
   testImplementation('org.apache.kerby:kerb-server:1.1.1')
@@ -384,6 +384,7 @@ tasks.named("thirdPartyAudit").configure {
           'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
           'com.google.crypto.tink.subtle.Ed25519Verify',
           'com.google.crypto.tink.subtle.X25519',
+          'com.google.crypto.tink.subtle.XChaCha20Poly1305',
           'com.nimbusds.common.contenttype.ContentType'
   )
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectTestCase.java
@@ -9,6 +9,9 @@
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.shaded.json.JSONStyle;
+import com.nimbusds.jose.shaded.json.JSONValue;
+import com.nimbusds.jose.shaded.json.reader.JsonWriterI;
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
@@ -22,6 +25,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings;
+import org.junit.BeforeClass;
 
 import java.io.IOException;
 import java.nio.file.Files;
@@ -36,6 +40,19 @@
 
 public abstract class OpenIdConnectTestCase extends ESTestCase {
 
+    @BeforeClass
+    public static void setupWriters() {
+        // In test code, we sometimes create claims sets with claims that use the `Nonce` class; therefore, we register a writer
+        // for them here; otherwise json-smart tries to use reflection which our security manage prohibits
+        // This only applies to test, not prod code, since we don't create claim sets with "non-default" classes
+        JSONValue.registerWriter(Nonce.class, new JsonWriterI<Nonce>() {
+            @Override
+            public <E extends Nonce> void writeJSONString(E e, Appendable appendable, JSONStyle jsonStyle) throws IOException {
+                appendable.append(e.toJSONString());
+            }
+        });
+    }
+
     protected static final String REALM_NAME = "oidc-realm";
 
     protected static Settings.Builder getBasicRealmSettings() {
