Add tenant ID validation for JWT authentication (#2435)

* Add tenant ID validation for JWT authentication

Enhance JWT authentication by introducing tenant ID (`tid`) validation. Update `JwtAuthInterceptor` and `RequireAuth` classes to support `tid`. Add `TidValidator` to handle validation logic. Extend tests for tenant ID scenarios.

* fixed logic

---------

Co-authored-by: Tobias Polley <[email protected]>

Author: t-burch

core/src/main/java/com/predic8/membrane/core/interceptor/jwt/JwtAuthInterceptor.java

@@ -53,6 +53,7 @@ public static String ERROR_JWT_VALUE_NOT_PRESENT(String key) {
     JwtRetriever jwtRetriever;
     Jwks jwks;
     String expectedAud;
+    String expectedTid;
 
     // should be used read only after init
     // Hashmap done on purpose as only here the read only thread safety is guaranteed
@@ -163,6 +164,10 @@ private JwtConsumer createValidator(RsaJsonWebKey key) {
                         .setExpectedAudience(expectedAud);
         }
 
+        if (expectedTid != null && !expectedTid.isEmpty())
+            jwtConsumerBuilder
+                    .registerValidator(new TidValidator(expectedTid));
+
         return jwtConsumerBuilder.build();
     }
 
@@ -192,6 +197,10 @@ public String getExpectedAud() {
         return expectedAud;
     }
 
+    public String getExpectedTid() {
+        return expectedTid;
+    }
+
     /**
      * @description
      * <p>Expected audience ('aud') value of the token.</p>
@@ -203,6 +212,18 @@ public JwtAuthInterceptor setExpectedAud(String expectedAud) {
         return this;
     }
 
+    /**
+     * @description
+     * <p>Expected tenant ID ('tid') value of the token.</p>
+     * @default not set
+     * @example 67c869d3-0cd4-4a99-86db-088bed1a9601
+     */
+    @MCAttribute
+    public JwtAuthInterceptor setExpectedTid(String expectedTid) {
+        this.expectedTid = expectedTid;
+        return this;
+    }
+
     @Override
     public String getShortDescription() {
         return "Checks for a valid JWT.";

core/src/main/java/com/predic8/membrane/core/interceptor/jwt/TidValidator.java

@@ -0,0 +1,37 @@
+package com.predic8.membrane.core.interceptor.jwt;
+
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.ErrorCodeValidator;
+import org.jose4j.jwt.consumer.JwtContext;
+
+public class TidValidator implements ErrorCodeValidator {
+    private static final Error MISSING_TID = new Error(-1, "No Tenant ID (tid) claim present.");
+
+    private final String acceptableTenantId;
+
+    public TidValidator(String acceptableTenantId)
+    {
+        this.acceptableTenantId = acceptableTenantId;
+    }
+
+    @Override
+    public Error validate(JwtContext jwtContext) throws MalformedClaimException
+    {
+        final JwtClaims jwtClaims = jwtContext.getJwtClaims();
+
+        if (!jwtClaims.hasClaim("tid"))
+            return MISSING_TID;
+
+        String tid = jwtClaims.getClaimValue("tid", String.class);
+
+        if (acceptableTenantId.equals(tid)) {
+            return null;
+        } else {
+            StringBuilder sb = new StringBuilder();
+            sb.append("Tenant ID (tid) claim '").append(tid).append("' doesn't match the expected value '");
+            sb.append(acceptableTenantId).append("' .");
+            return new Error(-1, sb.toString());
+        }
+    }
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/OAuth2Resource2Interceptor.java

@@ -56,6 +56,7 @@ public class OAuth2Resource2Interceptor extends AbstractInterceptorWithSession {
     private static final Logger log = LoggerFactory.getLogger(OAuth2Resource2Interceptor.class.getName());
     public static final String ERROR_STATUS = "oauth2-error-status";
     public static final String EXPECTED_AUDIENCE = "oauth2-expected-audience";
+    public static final String EXPECTED_TENANT_ID = "oauth2-expected-tenant-id";
     public static final String WANTED_SCOPE = "oauth2-wanted-scope";
 
     private AuthorizationService auth;

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/RequireAuth.java

@@ -32,6 +32,7 @@ public class RequireAuth extends AbstractInterceptor {
     private static final Logger log = LoggerFactory.getLogger(RequireAuth.class.getName());
 
     private String expectedAud;
+    private String expectedTid;
     private OAuth2Resource2Interceptor oauth2;
     private JwtAuthInterceptor jwtAuth;
     private boolean required = true;
@@ -53,6 +54,7 @@ public void init() {
         jwtAuth = new JwtAuthInterceptor();
         jwtAuth.setJwks(jwks);
         jwtAuth.setExpectedAud(expectedAud);
+        jwtAuth.setExpectedTid(expectedTid);
 
         jwtAuth.init(router);
     }
@@ -63,6 +65,7 @@ public Outcome handleRequest(Exchange exc) {
             if (errorStatus != null)
                 exc.setProperty(ERROR_STATUS, errorStatus);
             exc.setProperty(EXPECTED_AUDIENCE, expectedAud);
+            exc.setProperty(EXPECTED_TENANT_ID, expectedTid);
             exc.setProperty(WANTED_SCOPE, scope);
             var outcome = oauth2.handleRequest(exc);
             if (outcome != Outcome.CONTINUE) {
@@ -84,6 +87,10 @@ public String getExpectedAud() {
         return expectedAud;
     }
 
+    public String getExpectedTid() {
+        return expectedTid;
+    }
+
     @Required
     @MCAttribute
     public void setExpectedAud(String expectedAud) {
@@ -93,6 +100,14 @@ public void setExpectedAud(String expectedAud) {
         }
     }
 
+    @MCAttribute
+    public void setExpectedTid(String expectedTid) {
+        this.expectedTid = expectedTid;
+        if (jwtAuth != null) {
+            jwtAuth.setExpectedTid(expectedTid);
+        }
+    }
+
     public OAuth2Resource2Interceptor getOauth2() {
         return oauth2;
     }

core/src/test/java/com/predic8/membrane/core/interceptor/jwt/JwtAuthInterceptorTest.java

@@ -44,10 +44,12 @@ public class JwtAuthInterceptorTest{
     public static final String KID = "membrane";
     public static final String SUB_CLAIM_CONTENT = "Till, der fleissige Programmierer";
     private static final String AUDIENCE = "AusgestelltFuer";
+    private static final String TENANT_ID = "Tenant12345";
 
     public static Stream<Named<TestData>> data() throws Exception {
         return Stream.of(happyPath(),
                 wrongAudience(),
+                wrongTenantId(),
                 manipulatedSignature(),
                 unknownKey(),
                 wrongKId(),
@@ -188,6 +190,20 @@ private static TestData wrongAudience() {
         );
     }
 
+    private static TestData wrongTenantId() {
+        return new TestData(
+                "wrongTenantId",
+                (RsaJsonWebKey privateKey) -> new Request.Builder()
+                        .get("")
+                        .header("Authorization", "Bearer " + getSignedJwt(privateKey, getClaimsWithWrongTenantId()))
+                        .buildExchange(),
+                (Exchange exc) -> {
+                    assertTrue(exc.getResponse().isUserError());
+                    assertNull(exc.getProperties().get("jwt"));
+                    assertEquals(JwtAuthInterceptor.ERROR_VALIDATION_FAILED, unpackBody(exc).get("detail"));
+                }
+        );
+    }
 
     private static TestData happyPath() {
         return new TestData(
@@ -262,11 +278,12 @@ private JwtAuthInterceptor createInterceptor(RsaJsonWebKey publicOnly) {
         jwks.getJwks().add(jwk);
         interceptor.setJwks(jwks);
         interceptor.setExpectedAud(AUDIENCE);
+        interceptor.setExpectedTid(TENANT_ID);
         return interceptor;
     }
 
     private static String getSignedJwt(RsaJsonWebKey privateKey) throws JoseException {
-        return getSignedJwt(privateKey,createClaims(AUDIENCE));
+        return getSignedJwt(privateKey,createClaims(AUDIENCE, TENANT_ID));
     }
 
     private static String getSignedJwt(RsaJsonWebKey privateKey, JwtClaims claims) throws JoseException {
@@ -281,19 +298,23 @@ private static String getSignedJwt(RsaJsonWebKey privateKey, JwtClaims claims) t
         return jws.getCompactSerialization();
     }
 
-    private static JwtClaims createClaims(String audience){
+    private static JwtClaims createClaims(String audience, String tenantId){
         JwtClaims claims = new JwtClaims();
         claims.setExpirationTimeMinutesInTheFuture(10);
         claims.setIssuedAtToNow();
         claims.setNotBeforeMinutesInThePast(30);
         claims.setSubject(SUB_CLAIM_CONTENT);
         claims.setAudience(audience);
+        claims.setClaim("tid", tenantId);
 
         return claims;
     }
 
     private static JwtClaims getClaimsWithWrongAudience() {
-        return createClaims(AUDIENCE + "1");
+        return createClaims(AUDIENCE + "1", TENANT_ID);
     }
 
+    private static JwtClaims getClaimsWithWrongTenantId() {
+        return createClaims(AUDIENCE, TENANT_ID + "1");
+    }
 }