JWT realm - add support for required claims (#92314)

This PR adds a new required_claims group setting that can be used to
specify additional mandatory claim checks for either ID tokens or access
tokens. A required claim must have either string or string list value.

Author: ywangd

docs/changelog/92314.yaml

@@ -0,0 +1,5 @@
+pr: 92314
+summary: JWT realm - add support for required claims
+area: Authentication
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java

@@ -8,6 +8,7 @@
 
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.Strings;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
@@ -160,6 +161,7 @@ private static Set<Setting.AffixSetting<?>> getNonSecureSettings() {
                 ALLOWED_SUBJECTS,
                 FALLBACK_SUB_CLAIM,
                 FALLBACK_AUD_CLAIM,
+                REQUIRED_CLAIMS,
                 CLAIMS_PRINCIPAL.getClaim(),
                 CLAIMS_PRINCIPAL.getPattern(),
                 CLAIMS_GROUPS.getClaim(),
@@ -302,6 +304,26 @@ public Iterator<Setting<?>> settings() {
         }, Setting.Property.NodeScope)
     );
 
+    public static final Setting.AffixSetting<Settings> REQUIRED_CLAIMS = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "required_claims",
+        key -> Setting.groupSetting(key + ".", settings -> {
+            final List<String> invalidRequiredClaims = List.of("iss", "sub", "aud", "exp", "nbf", "iat");
+            for (String name : settings.names()) {
+                final String fullName = key + "." + name;
+                if (invalidRequiredClaims.contains(name)) {
+                    throw new IllegalArgumentException(
+                        Strings.format("required claim [%s] cannot be one of [%s]", fullName, String.join(",", invalidRequiredClaims))
+                    );
+                }
+                final List<String> values = settings.getAsList(name);
+                if (values.isEmpty()) {
+                    throw new IllegalArgumentException(Strings.format("required claim [%s] cannot be empty", fullName));
+                }
+            }
+        }, Setting.Property.NodeScope)
+    );
+
     // Note: ClaimSetting is a wrapper for two individual settings: getClaim(), getPattern()
     public static final ClaimSetting CLAIMS_PRINCIPAL = new ClaimSetting(TYPE, "principal");
     public static final ClaimSetting CLAIMS_GROUPS = new ClaimSetting(TYPE, "groups");

x-pack/plugin/security/qa/jwt-realm/build.gradle

@@ -62,6 +62,8 @@ testClusters.matching { it.name == 'javaRestTest' }.configureEach {
   setting 'xpack.security.authc.realms.jwt.jwt1.claims.dn', 'dn'
   setting 'xpack.security.authc.realms.jwt.jwt1.claims.name', 'name'
   setting 'xpack.security.authc.realms.jwt.jwt1.claims.mail', 'mail'
+  setting 'xpack.security.authc.realms.jwt.jwt1.required_claims.token_use', 'id'
+  setting 'xpack.security.authc.realms.jwt.jwt1.required_claims.version', '2.0'
   setting 'xpack.security.authc.realms.jwt.jwt1.client_authentication.type', 'NONE'
   // Use default value (RS256) for signature algorithm
   setting 'xpack.security.authc.realms.jwt.jwt1.pkc_jwkset_path', 'rsa.jwkset'
@@ -84,12 +86,13 @@ testClusters.matching { it.name == 'javaRestTest' }.configureEach {
     setting 'xpack.security.authc.realms.jwt.jwt2.claims.principal', 'sub'
   }
   setting 'xpack.security.authc.realms.jwt.jwt2.claim_patterns.principal', '^(.*)@[^.]*[.]example[.]com$'
+  setting 'xpack.security.authc.realms.jwt.jwt2.required_claims.token_use', 'access'
   setting 'xpack.security.authc.realms.jwt.jwt2.authorization_realms', 'lookup_native'
   setting 'xpack.security.authc.realms.jwt.jwt2.client_authentication.type', 'shared_secret'
   keystore 'xpack.security.authc.realms.jwt.jwt2.client_authentication.shared_secret', 'test-secret'
   keystore 'xpack.security.authc.realms.jwt.jwt2.hmac_key', 'test-HMAC/secret passphrase-value'
 
-  // Place PKI realm after JWT realm to verify realm chain fall-throug
+  // Place PKI realm after JWT realm to verify realm chain fall-through
   setting 'xpack.security.authc.realms.pki.pki_realm.order', '4'
 
   setting 'xpack.security.authc.realms.jwt.jwt3.order', '5'

x-pack/plugin/security/qa/jwt-realm/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRestIT.java

@@ -338,6 +338,28 @@ public void testFailureOnInvalidHMACSignature() throws Exception {
 
     }
 
+    public void testFailureOnRequiredClaims() throws JOSEException, IOException {
+        final String principal = System.getProperty("jwt2.service_subject");
+        final String username = getUsernameFromPrincipal(principal);
+        final List<String> roles = randomRoles();
+        createUser(username, roles, Map.of());
+        try {
+            final String audience = "es0" + randomIntBetween(1, 3);
+            final Map<String, Object> data = new HashMap<>(Map.of("iss", "my-issuer", "aud", audience, "email", principal));
+            // The required claim is either missing or mismatching
+            if (randomBoolean()) {
+                data.put("token_use", randomValueOtherThan("access", () -> randomAlphaOfLengthBetween(3, 10)));
+            }
+            final JWTClaimsSet claimsSet = buildJwt(data, Instant.now(), false);
+            final SignedJWT jwt = signHmacJwt(claimsSet, "test-HMAC/secret passphrase-value");
+            final TestSecurityClient client = getSecurityClient(jwt, VALID_SHARED_SECRET);
+            final ResponseException exception = expectThrows(ResponseException.class, client::authenticate);
+            assertThat(exception.getResponse(), hasStatusCode(RestStatus.UNAUTHORIZED));
+        } finally {
+            deleteUser(username);
+        }
+    }
+
     public void testAuthenticationFailureIfDelegatedAuthorizationFails() throws Exception {
         final String principal = System.getProperty("jwt2.service_subject");
         final String username = getUsernameFromPrincipal(principal);
@@ -486,7 +508,9 @@ private SignedJWT buildAndSignJwtForRealm1(
                 Map.entry("dn", dn),
                 Map.entry("name", name),
                 Map.entry("mail", mail),
-                Map.entry("roles", groups) // Realm realm config has `claim.groups: "roles"`
+                Map.entry("roles", groups), // Realm realm config has `claim.groups: "roles"`
+                Map.entry("token_use", "id"),
+                Map.entry("version", "2.0")
             ),
             issueTime
         );
@@ -505,7 +529,9 @@ private SignedJWT buildAndSignJwtForRealm2(String principal, Instant issueTime)
     private JWTClaimsSet buildJwtForRealm2(String principal, Instant issueTime) {
         // The "jwt2" realm, supports 3 audiences (es01/02/03)
         final String audience = "es0" + randomIntBetween(1, 3);
-        final Map<String, Object> data = new HashMap<>(Map.of("iss", "my-issuer", "aud", audience, "email", principal));
+        final Map<String, Object> data = new HashMap<>(
+            Map.of("iss", "my-issuer", "aud", audience, "email", principal, "token_use", "access")
+        );
         // scope (fallback audience) is ignored since aud exists
         if (randomBoolean()) {
             data.put("scope", randomAlphaOfLength(20));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java

@@ -15,6 +15,7 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
@@ -23,6 +24,7 @@
 
 import java.text.ParseException;
 import java.time.Clock;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
@@ -47,16 +49,19 @@ public JwtAuthenticator(
     ) {
         this.realmConfig = realmConfig;
         this.tokenType = realmConfig.getSetting(JwtRealmSettings.TOKEN_TYPE);
+        final List<JwtFieldValidator> jwtFieldValidators = new ArrayList<>();
         if (tokenType == JwtRealmSettings.TokenType.ID_TOKEN) {
             this.fallbackClaimNames = Map.of();
-            this.jwtFieldValidators = configureFieldValidatorsForIdToken(realmConfig);
+            jwtFieldValidators.addAll(configureFieldValidatorsForIdToken(realmConfig));
         } else {
             this.fallbackClaimNames = Map.ofEntries(
                 Map.entry("sub", realmConfig.getSetting(JwtRealmSettings.FALLBACK_SUB_CLAIM)),
                 Map.entry("aud", realmConfig.getSetting(JwtRealmSettings.FALLBACK_AUD_CLAIM))
             );
-            this.jwtFieldValidators = configureFieldValidatorsForAccessToken(realmConfig, fallbackClaimNames);
+            jwtFieldValidators.addAll(configureFieldValidatorsForAccessToken(realmConfig, fallbackClaimNames));
         }
+        jwtFieldValidators.addAll(getRequireClaimsValidators());
+        this.jwtFieldValidators = List.copyOf(jwtFieldValidators);
         this.jwtSignatureValidator = new JwtSignatureValidator.DelegatingJwtSignatureValidator(realmConfig, sslService, reloadNotifier);
     }
 
@@ -104,12 +109,17 @@ public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionLi
         }
 
         try {
-            jwtSignatureValidator.validate(tokenPrincipal, signedJWT, listener.map(ignored -> jwtClaimsSet));
+            validateSignature(tokenPrincipal, signedJWT, listener.map(ignored -> jwtClaimsSet));
         } catch (Exception e) {
             listener.onFailure(e);
         }
     }
 
+    // Package private for testing
+    void validateSignature(String tokenPrincipal, SignedJWT signedJWT, ActionListener<Void> listener) {
+        jwtSignatureValidator.validate(tokenPrincipal, signedJWT, listener);
+    }
+
     @Override
     public void close() {
         jwtSignatureValidator.close();
@@ -172,6 +182,13 @@ private static List<JwtFieldValidator> configureFieldValidatorsForAccessToken(
             new JwtDateClaimValidator(clock, "iat", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, false),
             new JwtDateClaimValidator(clock, "exp", allowedClockSkew, JwtDateClaimValidator.Relationship.AFTER_NOW, false)
         );
+    }
 
+    private List<JwtStringClaimValidator> getRequireClaimsValidators() {
+        final Settings requiredClaims = realmConfig.getSetting(JwtRealmSettings.REQUIRED_CLAIMS);
+        return requiredClaims.names().stream().map(name -> {
+            final List<String> allowedValues = requiredClaims.getAsList(name);
+            return new JwtStringClaimValidator(name, allowedValues, false);
+        }).toList();
     }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticatorAccessTokenTypeTests.java

@@ -9,42 +9,28 @@
 
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.junit.Before;
 
 import java.text.ParseException;
 
 import static org.hamcrest.Matchers.containsString;
 
 public class JwtAuthenticatorAccessTokenTypeTests extends JwtAuthenticatorTests {
 
-    private String fallbackSub;
-    private String fallbackAud;
-
-    @Before
-    public void beforeTest() {
-        doBeforeTest();
-        fallbackSub = randomBoolean() ? "_" + randomAlphaOfLength(5) : null;
-        fallbackAud = randomBoolean() ? "_" + randomAlphaOfLength(8) : null;
-    }
-
     @Override
     protected JwtRealmSettings.TokenType getTokenType() {
         return JwtRealmSettings.TokenType.ACCESS_TOKEN;
     }
 
     public void testSubjectIsRequired() throws ParseException {
-        final IllegalArgumentException e = doTestSubjectIsRequired(buildJwtAuthenticator(fallbackSub, fallbackAud));
+        final IllegalArgumentException e = doTestSubjectIsRequired(buildJwtAuthenticator());
         if (fallbackSub != null) {
             assertThat(e.getMessage(), containsString("missing required string claim [" + fallbackSub + " (fallback of sub)]"));
         }
     }
 
     public void testAccessTokenTypeMandatesAllowedSubjects() {
         allowedSubject = null;
-        final IllegalArgumentException e = expectThrows(
-            IllegalArgumentException.class,
-            () -> buildJwtAuthenticator(fallbackSub, fallbackAud)
-        );
+        final IllegalArgumentException e = expectThrows(IllegalArgumentException.class, () -> buildJwtAuthenticator());
 
         assertThat(
             e.getMessage(),
@@ -53,6 +39,6 @@ public void testAccessTokenTypeMandatesAllowedSubjects() {
     }
 
     public void testInvalidIssuerIsCheckedBeforeAlgorithm() throws ParseException {
-        doTestInvalidIssuerIsCheckedBeforeAlgorithm(buildJwtAuthenticator(fallbackSub, fallbackAud));
+        doTestInvalidIssuerIsCheckedBeforeAlgorithm(buildJwtAuthenticator());
     }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticatorIdTokenTypeTests.java

@@ -8,35 +8,24 @@
 package org.elasticsearch.xpack.security.authc.jwt;
 
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.junit.Before;
 
 import java.text.ParseException;
 
 import static org.hamcrest.Matchers.containsString;
 
 public class JwtAuthenticatorIdTokenTypeTests extends JwtAuthenticatorTests {
 
-    private String fallbackSub;
-    private String fallbackAud;
-
-    @Before
-    public void beforeTest() {
-        doBeforeTest();
-        fallbackSub = null;
-        fallbackAud = null;
-    }
-
     @Override
     protected JwtRealmSettings.TokenType getTokenType() {
         return JwtRealmSettings.TokenType.ID_TOKEN;
     }
 
     public void testSubjectIsRequired() throws ParseException {
-        final IllegalArgumentException e = doTestSubjectIsRequired(buildJwtAuthenticator(fallbackSub, fallbackAud));
+        final IllegalArgumentException e = doTestSubjectIsRequired(buildJwtAuthenticator());
         assertThat(e.getMessage(), containsString("missing required string claim [sub]"));
     }
 
     public void testInvalidIssuerIsCheckedBeforeAlgorithm() throws ParseException {
-        doTestInvalidIssuerIsCheckedBeforeAlgorithm(buildJwtAuthenticator(fallbackSub, fallbackAud));
+        doTestInvalidIssuerIsCheckedBeforeAlgorithm(buildJwtAuthenticator());
     }
 }