Merge pull request #48525 from sberyozkin/oidc_client_reg_public_key

Simplify public key registration with OIDC client registration

Author: sberyozkin

extensions/oidc-client-registration/runtime/src/main/java/io/quarkus/oidc/client/registration/ClientMetadata.java

@@ -2,14 +2,26 @@
 
 import static io.quarkus.jsonp.JsonProviderHolder.jsonProvider;
 
+import java.security.PublicKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.EdECPublicKey;
+import java.security.interfaces.RSAPublicKey;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
+import jakarta.json.JsonArrayBuilder;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonObjectBuilder;
 
+import org.jose4j.jwk.JsonWebKey.OutputControlLevel;
+import org.jose4j.jwk.PublicJsonWebKey;
+import org.jose4j.lang.JoseException;
+
+import io.quarkus.oidc.client.registration.runtime.OidcClientRegistrationException;
 import io.quarkus.oidc.common.runtime.AbstractJsonObject;
 import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.smallrye.jwt.algorithm.SignatureAlgorithm;
 
 public class ClientMetadata extends AbstractJsonObject {
 
@@ -100,6 +112,70 @@ public Builder postLogoutUri(String postLogoutUri) {
             return this;
         }
 
+        public Builder grantType(String grantType) {
+            return grantTypes(Set.of(grantType));
+        }
+
+        public Builder grantTypes(Set<String> grantTypes) {
+            if (built) {
+                throw new IllegalStateException();
+            }
+            JsonArrayBuilder arrayBuilder = jsonProvider().createArrayBuilder();
+            for (String grantType : grantTypes) {
+                arrayBuilder.add(grantType);
+            }
+            builder.add(OidcConstants.CLIENT_METADATA_GRANT_TYPES, arrayBuilder.build());
+            return this;
+        }
+
+        public Builder tokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
+            if (built) {
+                throw new IllegalStateException();
+            }
+            builder.add(OidcConstants.CLIENT_METADATA_TOKEN_ENDPOINT_AUTH_METHOD, tokenEndpointAuthMethod);
+            return this;
+        }
+
+        public Builder jwk(PublicKey publicKey) {
+            return jwks(Set.of(publicKey));
+        }
+
+        public Builder jwks(Set<PublicKey> publicKeys) {
+            if (built) {
+                throw new IllegalStateException();
+            }
+            JsonArrayBuilder keysBuilder = jsonProvider().createArrayBuilder();
+            for (PublicKey publicKey : publicKeys) {
+                JsonObjectBuilder jwkBuilder = jsonProvider().createObjectBuilder();
+                for (Map.Entry<String, Object> entry : convertPublicKeyToJwk(publicKey).entrySet()) {
+                    jwkBuilder.add(entry.getKey(), entry.getValue().toString());
+                }
+                jwkBuilder.add("use", "sig");
+                jwkBuilder.add("alg", getAlgorithm(publicKey));
+                keysBuilder.add(jwkBuilder);
+            }
+            JsonObjectBuilder jwksBuilder = jsonProvider().createObjectBuilder();
+            jwksBuilder.add("keys", keysBuilder);
+            builder.add(OidcConstants.CLIENT_METADATA_JWKS, jwksBuilder);
+            return this;
+        }
+
+        public Builder jwk(Map<String, String> keyProperties) {
+            if (built) {
+                throw new IllegalStateException();
+            }
+            JsonArrayBuilder keysBuilder = jsonProvider().createArrayBuilder();
+            JsonObjectBuilder jwkBuilder = jsonProvider().createObjectBuilder();
+            for (Map.Entry<String, String> entry : keyProperties.entrySet()) {
+                jwkBuilder.add(entry.getKey(), entry.getValue());
+            }
+            keysBuilder.add(jwkBuilder);
+            JsonObjectBuilder jwksBuilder = jsonProvider().createObjectBuilder();
+            jwksBuilder.add("keys", keysBuilder);
+            builder.add(OidcConstants.CLIENT_METADATA_JWKS, jwksBuilder);
+            return this;
+        }
+
         public Builder extraProps(Map<String, String> extraProps) {
             if (built) {
                 throw new IllegalStateException();
@@ -108,6 +184,26 @@ public Builder extraProps(Map<String, String> extraProps) {
             return this;
         }
 
+        private static Map<String, Object> convertPublicKeyToJwk(PublicKey key) {
+            try {
+                return PublicJsonWebKey.Factory.newPublicJwk(key).toParams(OutputControlLevel.PUBLIC_ONLY);
+            } catch (JoseException ex) {
+                throw new OidcClientRegistrationException(ex);
+            }
+        }
+
+        private static String getAlgorithm(PublicKey publicKey) {
+            if (publicKey instanceof RSAPublicKey) {
+                return SignatureAlgorithm.RS256.getAlgorithm();
+            } else if (publicKey instanceof ECPublicKey) {
+                return SignatureAlgorithm.ES256.getAlgorithm();
+            } else if (publicKey instanceof EdECPublicKey) {
+                return SignatureAlgorithm.EDDSA.getAlgorithm();
+            } else {
+                throw new OidcClientRegistrationException("Unrecognized public key algorithm: " + publicKey.getAlgorithm());
+            }
+        }
+
         public ClientMetadata build() {
             built = true;
             return new ClientMetadata(builder.build());

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcConstants.java

@@ -86,6 +86,9 @@ public final class OidcConstants {
 
     public static final String CLIENT_METADATA_CLIENT_NAME = "client_name";
     public static final String CLIENT_METADATA_REDIRECT_URIS = "redirect_uris";
+    public static final String CLIENT_METADATA_GRANT_TYPES = "grant_types";
+    public static final String CLIENT_METADATA_JWKS = "jwks";
+    public static final String CLIENT_METADATA_TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
     public static final String CLIENT_METADATA_POST_LOGOUT_URIS = "post_logout_redirect_uris";
     public static final String CLIENT_METADATA_SECRET_EXPIRES_AT = "client_secret_expires_at";
     public static final String CLIENT_METADATA_ID_ISSUED_AT = "client_id_issued_at";

integration-tests/oidc-client-registration/src/main/java/io/quarkus/it/keycloak/ClientAuthWithSignedJwtCreator.java

@@ -1,21 +1,15 @@
 package io.quarkus.it.keycloak;
 
 import java.io.IOException;
-import java.math.BigInteger;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
 
 import jakarta.enterprise.event.Observes;
 import jakarta.inject.Singleton;
 
 import org.eclipse.microprofile.config.inject.ConfigProperty;
-import org.jose4j.base64url.Base64Url;
 
 import io.quarkus.logging.Log;
 import io.quarkus.oidc.client.registration.ClientMetadata;
@@ -43,7 +37,7 @@ public class ClientAuthWithSignedJwtCreator {
     void observe(@Observes StartupEvent event, OidcClientRegistration clientRegistration,
             @ConfigProperty(name = "keycloak.url") String keycloakUrl) {
         generateRsaKeyPair();
-        var requestClientMetadata = new ClientMetadata(createClientMetadataJson(keycloakUrl));
+        var requestClientMetadata = createClientMetadata();
         var registeredClient = clientRegistration.registerClient(requestClientMetadata).await().indefinitely();
         this.createdClientMetadata = registeredClient.metadata();
         var signedJwt = createSignedJwt(keycloakUrl, this.createdClientMetadata.getClientId());
@@ -76,38 +70,13 @@ private String createSignedJwt(String keycloakUrl, String clientId) {
                 .sign(keyPair.getPrivate());
     }
 
-    private String createClientMetadataJson(String keycloakUrl) {
-        RSAPublicKey rsaKey = (RSAPublicKey) keyPair.getPublic();
-        String modulus = Base64Url.encode(toIntegerBytes(rsaKey.getModulus()));
-        String publicExponent = Base64Url.encode(toIntegerBytes(rsaKey.getPublicExponent()));
-        return """
-                {
-                  "redirect_uris" : [ "http://localhost:8081/protected/jwt-bearer-token-file" ],
-                  "token_endpoint_auth_method" : "private_key_jwt",
-                  "grant_types" : [ "client_credentials", "authorization_code" ],
-                  "client_name" : "signed-jwt-test",
-                  "client_uri" : "%1$s/auth/realms/quarkus/app",
-                  "jwks" : {
-                    "keys" : [ {
-                      "kid" : "%4$s",
-                      "kty" : "RSA",
-                      "alg" : "RS256",
-                      "use" : "sig",
-                      "e" : "%3$s",
-                      "n" : "%2$s"
-                    } ]
-                  }
-                }
-                """
-                .formatted(keycloakUrl, modulus, publicExponent, createKeyId());
-    }
-
-    private String createKeyId() {
-        try {
-            return Base64Url.encode(MessageDigest.getInstance("SHA-256").digest(keyPair.getPrivate().getEncoded()));
-        } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException("Failed to generate key id", e);
-        }
+    private ClientMetadata createClientMetadata() {
+        return ClientMetadata.builder()
+                .redirectUri("http://localhost:8081/protected/jwt-bearer-token-file")
+                .tokenEndpointAuthMethod("private_key_jwt")
+                .clientName("signed-jwt-test")
+                .jwk(keyPair.getPublic())
+                .build();
     }
 
     private static KeyPair generateRsaKeyPair() {
@@ -119,25 +88,4 @@ private static KeyPair generateRsaKeyPair() {
             throw new RuntimeException("Failed to generate RSA key pair", e);
         }
     }
-
-    private static byte[] toIntegerBytes(final BigInteger bigInt) {
-        final int bitlen = bigInt.bitLength();
-        // following code comes from the Keycloak project
-
-        final int bytelen = (bitlen + 7) / 8;
-        final byte[] array = bigInt.toByteArray();
-        if (array.length == bytelen) {
-            // expected number of bytes, return them
-            return array;
-        } else if (bytelen < array.length) {
-            // if array is greater is because the sign bit (it can be only 1 byte more), remove it
-            return Arrays.copyOfRange(array, array.length - bytelen, array.length);
-        } else {
-            // if array is smaller fill it with zeros
-            final byte[] resizedBytes = new byte[bytelen];
-            System.arraycopy(array, 0, resizedBytes, bytelen - array.length, array.length);
-            return resizedBytes;
-        }
-    }
-
 }