Use token exchange standard v2 (#123)

Co-authored-by: David Kocher <[email protected]>

Author: chenkins

hub/src/main/java/cloud/katta/protocols/hub/serializer/HubConfigDtoDeserializer.java

@@ -13,7 +13,7 @@
 import com.dd.plist.NSDictionary;
 
 import static ch.cyberduck.core.Profile.*;
-import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_AUDIENCE;
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID;
 
 public class HubConfigDtoDeserializer extends ProxyDeserializer<NSDictionary> {
 
@@ -34,7 +34,7 @@ public <L> List<L> listForKey(final String key) {
             case PROPERTIES_KEY:
                 final List<String> properties = new ArrayList<>(super.listForKey(key));
                 if(dto.getKeycloakClientIdCryptomatorVaults() != null) {
-                    properties.add(String.format("%s=%s", OAUTH_TOKENEXCHANGE_AUDIENCE, dto.getKeycloakClientIdCryptomatorVaults()));
+                    properties.add(String.format("%s=%s", OAUTH_TOKENEXCHANGE_CLIENT_ID, dto.getKeycloakClientIdCryptomatorVaults()));
                 }
                 return (List<L>) properties;
             case SCOPES_KEY:

hub/src/main/java/cloud/katta/protocols/hub/serializer/StorageProfileDtoWrapperDeserializer.java

@@ -6,15 +6,14 @@
 
 import ch.cyberduck.core.serializer.Deserializer;
 
-import cloud.katta.client.model.Protocol;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+import cloud.katta.client.model.Protocol;
 import cloud.katta.model.StorageProfileDtoWrapper;
 import cloud.katta.protocols.s3.S3AssumeRoleProtocol;
 import com.dd.plist.NSDictionary;
@@ -57,6 +56,7 @@ public <L> List<L> listForKey(final String key) {
                     if(dto.getStsDurationSeconds() != null) {
                         properties.add(String.format("%s=%s", S3AssumeRoleProtocol.S3_ASSUMEROLE_DURATIONSECONDS, dto.getStsDurationSeconds().toString()));
                     }
+                    properties.add(String.format("%s=%s", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_SECRET, ""));
                 }
                 log.debug("Return properties {} from {}", properties, dto);
                 return (List<L>) properties;

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleProtocol.java

@@ -15,7 +15,8 @@ public class S3AssumeRoleProtocol extends S3Protocol {
 
     // Token exchange
     public static final String OAUTH_TOKENEXCHANGE = "oauth.tokenexchange";
-    public static final String OAUTH_TOKENEXCHANGE_AUDIENCE = "oauth.tokenexchange.audience";
+    public static final String OAUTH_TOKENEXCHANGE_CLIENT_ID = "oauth.tokenexchange.client_id";
+    public static final String OAUTH_TOKENEXCHANGE_CLIENT_SECRET = "oauth.tokenexchange.audience.client_secret";
     public static final String OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES = "oauth.tokenexchange.additional_scopes";
 
     // STS assume role with web identity from Cyberduck core (AWS + MinIO)

hub/src/main/java/cloud/katta/protocols/s3/TokenExchangeRequestInterceptor.java

@@ -4,12 +4,14 @@
 
 package cloud.katta.protocols.s3;
 
+import ch.cyberduck.core.Credentials;
 import ch.cyberduck.core.DefaultIOExceptionMappingService;
 import ch.cyberduck.core.Host;
 import ch.cyberduck.core.LoginCallback;
 import ch.cyberduck.core.OAuthTokens;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.exception.LoginCanceledException;
+import ch.cyberduck.core.exception.LoginFailureException;
 import ch.cyberduck.core.http.DefaultHttpResponseExceptionMappingService;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
 import ch.cyberduck.core.oauth.OAuthExceptionMappingService;
@@ -24,7 +26,11 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.google.api.client.auth.oauth2.TokenRequest;
 import com.google.api.client.auth.oauth2.TokenResponse;
 import com.google.api.client.auth.oauth2.TokenResponseException;
@@ -33,17 +39,24 @@
 import com.google.api.client.http.apache.v2.ApacheHttpTransport;
 import com.google.api.client.json.gson.GsonFactory;
 
+import static cloud.katta.protocols.s3.S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE;
+
 /**
- * Exchange OIDC token to scoped token using OAuth 2.0 Token Exchange
+ * Exchange OIDC token to scoped token using OAuth 2.0 Token Exchange. Used for S3-STS in Katta.
  */
 public class TokenExchangeRequestInterceptor extends OAuth2RequestInterceptor {
     private static final Logger log = LogManager.getLogger(TokenExchangeRequestInterceptor.class);
 
     // https://datatracker.ietf.org/doc/html/rfc8693#name-request
     public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
     public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID = "client_id";
-    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_AUDIENCE = "audience";
+    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_SECRET = "client_secret";
     public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN = "subject_token";
+    public static final String OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE = "subject_token_type";
+    public static final String OAUTH_TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";
+    // https://openid.net/specs/openid-connect-core-1_0.html
+    public static final String OIDC_AUTHORIZED_PARTY = "azp";
+
 
     private final Host bookmark;
     private final HttpClient client;
@@ -69,8 +82,7 @@ public OAuthTokens refresh(final OAuthTokens previous) throws BackgroundExceptio
      *
      * @param previous Input tokens retrieved to exchange at the token endpoint
      * @return New tokens
-     *
-     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_AUDIENCE
+     * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_CLIENT_ID
      * @see S3AssumeRoleProtocol#OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES
      */
     public OAuthTokens exchange(final OAuthTokens previous) throws BackgroundException {
@@ -83,10 +95,12 @@ public OAuthTokens exchange(final OAuthTokens previous) throws BackgroundExcepti
         );
         request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID, bookmark.getProtocol().getOAuthClientId());
         final PreferencesReader preferences = new HostPreferences(bookmark);
-        if(!StringUtils.isEmpty(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_AUDIENCE))) {
-            request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_AUDIENCE, preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_AUDIENCE));
+        if(!StringUtils.isEmpty(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID))) {
+            request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_ID, preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID));
+            request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_CLIENT_SECRET, preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_SECRET));
         }
         request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN, previous.getAccessToken());
+        request.set(OAUTH_GRANT_TYPE_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE, OAUTH_TOKEN_TYPE_ACCESS_TOKEN);
         final ArrayList<String> scopes = new ArrayList<>(bookmark.getProtocol().getOAuthScopes());
         if(!StringUtils.isEmpty(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES))) {
             scopes.addAll(Arrays.asList(preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_ADDITIONAL_SCOPES).split(" ")));
@@ -113,4 +127,34 @@ public OAuthTokens exchange(final OAuthTokens previous) throws BackgroundExcepti
             throw new DefaultIOExceptionMappingService().map(e);
         }
     }
+
+    @Override
+    public Credentials validate() throws BackgroundException {
+        final Credentials credentials = super.validate();
+        final OAuthTokens tokens = credentials.getOauth();
+        final String accessToken = tokens.getAccessToken();
+        final PreferencesReader preferences = new HostPreferences(bookmark);
+        final String tokenExchangeClientId = preferences.getProperty(S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID);
+        if(StringUtils.isEmpty(tokenExchangeClientId)) {
+            log.warn("Found {} empty, although {} is set to {} - misconfiguration?", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE_CLIENT_ID, OAUTH_TOKENEXCHANGE, preferences.getBoolean(OAUTH_TOKENEXCHANGE));
+            return credentials;
+        }
+        try {
+            final DecodedJWT jwt = JWT.decode(accessToken);
+
+            final List<String> auds = jwt.getAudience();
+            final String azp = jwt.getClaim(OIDC_AUTHORIZED_PARTY).asString();
+
+            final boolean audNotUnique = 1 != auds.size(); // either multiple audiences or none
+            // do exchange if aud is not unique or azp is not equal to aud
+            if(audNotUnique || !auds.get(0).equals(azp)) {
+                log.debug("None or multiple audiences found {} or audience differs from azp {}, triggering token-exchange.", Arrays.toString(auds.toArray()), azp);
+                return credentials.withOauth(this.exchange(tokens));
+            }
+        }
+        catch(JWTDecodeException e) {
+            throw new LoginFailureException("Invalid JWT or JSON format in authentication token", e);
+        }
+        return credentials;
+    }
 }

hub/src/test/java/cloud/katta/core/HubSynchronizeTest.java

@@ -27,7 +27,9 @@ class HubSynchronizeTest {
     @TestInstance(PER_CLASS)
     public class Local extends AbstractHubSynchronizeTest {
         private Stream<Arguments> arguments() {
-            return Stream.of(LOCAL_MINIO_STATIC, LOCAL_MINIO_STS);
+            return Stream.of(
+                    LOCAL_MINIO_STATIC,
+                    LOCAL_MINIO_STS);
         }
     }
 
@@ -56,7 +58,12 @@ private Stream<Arguments> arguments() {
     @TestInstance(PER_CLASS)
     public class Hybrid extends AbstractHubSynchronizeTest {
         private Stream<Arguments> arguments() {
-            return Stream.of(HYBRID_MINIO_STATIC, HYBRID_MINIO_STS, HYBRID_AWS_STATIC, HYBRID_AWS_STS);
+            return Stream.of(
+                    HYBRID_MINIO_STATIC,
+                    HYBRID_MINIO_STS ,
+                    HYBRID_AWS_STATIC,
+                    HYBRID_AWS_STS
+            );
         }
     }
 

hub/src/test/resources/.env

@@ -12,7 +12,7 @@ MINIO_HOSTNAME=localhost
 MINIO_PORT=9000
 MINIO_CONSOLE_PORT=9001
 
-KATTA_KEYCLOAK_IMAGE=ghcr.io/shift7-ch/keycloak:26.1.5
+KATTA_KEYCLOAK_IMAGE=ghcr.io/cryptomator/keycloak:26.2.2
 KEYCLOAK_HOSTNAME=localhost
 KEYCLOAK_HTTP_PORT=8180
 KEYCLOAK_HTTPS_PORT=8443

hub/src/test/resources/.local.env

@@ -12,7 +12,7 @@ MINIO_HOSTNAME=localhost
 MINIO_PORT=9100
 MINIO_CONSOLE_PORT=9101
 
-KATTA_KEYCLOAK_IMAGE=ghcr.io/shift7-ch/keycloak:26.1.5
+KATTA_KEYCLOAK_IMAGE=ghcr.io/cryptomator/keycloak:26.2.2
 KEYCLOAK_HOSTNAME=localhost
 KEYCLOAK_HTTP_PORT=8380
 KEYCLOAK_HTTPS_PORT=8443

hub/src/test/resources/docker-compose-minio-localhost-hub.yml

@@ -17,11 +17,11 @@ services:
       KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/dev/certs/keycloak-server.crt.pem
       KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/dev/certs/keycloak-server.key.pem
     volumes:
-      # renamed because of https://github.com/keycloak/keycloak/issues/37569 for Keycloak 26.1.5
+      # renamed because of https://github.com/keycloak/keycloak/issues/37569
       - ./keycloak/dev-realm.json:/opt/keycloak/data/import/keycloak.json
       - ./certs:/opt/keycloak/dev/certs
     # hub to Keycloak communication inside Docker network (http://keycloak:8180) goes to the container internal port! Therefore, we need to start keycloak with the same port `--http-port 8180`
-    command: start-dev --import-realm --db=dev-mem --health-enabled=true --hostname ${KEYCLOAK_HOSTNAME} --http-port ${KEYCLOAK_HTTP_PORT} --features=token-exchange,admin-fine-grained-authz
+    command: start-dev --import-realm --db=dev-mem --health-enabled=true --hostname ${KEYCLOAK_HOSTNAME} --http-port ${KEYCLOAK_HTTP_PORT}
     healthcheck:
       test: [ "CMD", "bash", "-c", "curl -v --fail http://127.0.0.1:${KEYCLOAK_HTTP_PORT}/realms/cryptomator/.well-known/openid-configuration" ]
       interval: 5s