io.strimzi.kafka.oauth.validator

Class JWTSignatureValidator

java.lang.Object

io.strimzi.kafka.oauth.validator.JWTSignatureValidator

All Implemented Interfaces:

TokenValidator

public class JWTSignatureValidator
extends java.lang.Object
implements TokenValidator

This class is responsible for validating the JWT token signatures during session authentication.

It performs fast local token validation without the need to immediately contact the authorization server. for that it relies on the JWKS endpoint exposed at authorization server, which is a standard OAuth2 public endpoint containing the information about public keys that can be used to validate JWT signatures.

A single threaded refresh job is run periodically or upon detecting an unknown signing key, that fetches the latest trusted public keys for signature validation from authorization server. If the refresh job is unsuccessful it employs the so called 'exponential back-off' to retry later in order to reduce any out-of-sync time with the authorization server while still not flooding the server with endless consecutive requests.

Constructor Summary

Constructors

Constructor and Description

JWTSignatureValidator(java.lang.String validatorId, java.lang.String clientId, java.lang.String clientSecret, TokenProvider bearerTokenProvider, java.lang.String keysEndpointUri, javax.net.ssl.SSLSocketFactory socketFactory, javax.net.ssl.HostnameVerifier verifier, PrincipalExtractor principalExtractor, java.lang.String groupsClaimQuery, java.lang.String groupsClaimDelimiter, java.lang.String validIssuerUri, int refreshSeconds, int refreshMinPauseSeconds, int expirySeconds, boolean ignoreKeyUse, boolean checkAccessTokenType, java.lang.String audience, java.lang.String customClaimCheck, int connectTimeoutSeconds, int readTimeoutSeconds, boolean enableMetrics, boolean failFast, boolean includeAcceptHeader) Create a new instance.

Method Summary

Modifier and Type	Method and Description
void	close() Close any allocated resources like background threads
java.lang.String	getValidatorId() Return the id of this validator
TokenInfo	validate(java.lang.String token) Validate the passed access token return it wrapped in TokenInfo with

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JWTSignatureValidator

public JWTSignatureValidator(java.lang.String validatorId,
                             java.lang.String clientId,
                             java.lang.String clientSecret,
                             TokenProvider bearerTokenProvider,
                             java.lang.String keysEndpointUri,
                             javax.net.ssl.SSLSocketFactory socketFactory,
                             javax.net.ssl.HostnameVerifier verifier,
                             PrincipalExtractor principalExtractor,
                             java.lang.String groupsClaimQuery,
                             java.lang.String groupsClaimDelimiter,
                             java.lang.String validIssuerUri,
                             int refreshSeconds,
                             int refreshMinPauseSeconds,
                             int expirySeconds,
                             boolean ignoreKeyUse,
                             boolean checkAccessTokenType,
                             java.lang.String audience,
                             java.lang.String customClaimCheck,
                             int connectTimeoutSeconds,
                             int readTimeoutSeconds,
                             boolean enableMetrics,
                             boolean failFast,
                             boolean includeAcceptHeader)

Create a new instance.

Parameters:

validatorId - A unique id to associate with this validator for the purpose of validator lifecycle and metrics tracking

clientId - The clientId of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Basic authentication

clientSecret - The secret of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Basic authentication

bearerTokenProvider - The provider of the bearer token as an alternative to clientId and secret of the OAuth2 client representing this Kafka broker - used to authenticate to the introspection endpoint using Bearer authentication

keysEndpointUri - The JWKS endpoint url at the authorization server

socketFactory - The optional SSL socket factory to use when establishing the connection to authorization server

verifier - The optional hostname verifier used to validate the TLS certificate by the authorization server

principalExtractor - The object used to extract the username from the JWT token

groupsClaimQuery - The optional JSONPath query for group extraction

groupsClaimDelimiter - The optional delimiter for group extraction

validIssuerUri - The required value of the 'iss' claim in JWT token

refreshSeconds - The optional time interval between two consecutive regular JWKS keys refresh runs

refreshMinPauseSeconds - The optional minimum pause between two consecutive JWKS keys refreshes.

expirySeconds - The maximum time to trust the unrefreshed JWKS keys. If keys are not successfully refreshed within this time, the validation will start failing.

ignoreKeyUse - Should any key present in JWKS key set be considered a public key for signature checking

checkAccessTokenType - Should the 'typ' claim in the token be validated (be equal to 'Bearer')

audience - The optional audience

customClaimCheck - The optional JSONPath filter query for additional custom claim checking

connectTimeoutSeconds - The maximum time to wait for connection to authorization server to be established (in seconds)

readTimeoutSeconds - The maximum time to wait for response from authorization server after connection has been established and request sent (in seconds)

enableMetrics - The switch that enables metrics collection

failFast - Should exception be thrown during initialisation if unable to retrieve JWKS keys

includeAcceptHeader - Should we send the Accept header when making outbound http requests

Method Detail

validate

public TokenInfo validate(java.lang.String token)

Description copied from interface: TokenValidator

Validate the passed access token return it wrapped in TokenInfo with

Specified by:

validate in interface TokenValidator

Parameters:

token - An access token to validate

Returns:

TokenInfo wrapping a valid token

getValidatorId

public java.lang.String getValidatorId()

Description copied from interface: TokenValidator

Return the id of this validator

Specified by:

getValidatorId in interface TokenValidator

Returns:

A validator id

close

public void close()

Description copied from interface: TokenValidator

Close any allocated resources like background threads

Specified by:

close in interface TokenValidator