Add support for "JWT Introspection Response". (#49)

Author: hidebike712

src/main/java/com/authlete/jaxrs/server/api/IntrospectionEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Authlete, Inc.
+ * Copyright (C) 2017-2023 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +29,9 @@
 import com.authlete.common.api.AuthleteApiFactory;
 import com.authlete.common.web.BasicCredentials;
 import com.authlete.jaxrs.BaseIntrospectionEndpoint;
+import com.authlete.jaxrs.IntrospectionRequestHandler.Params;
+import com.authlete.jaxrs.server.db.ResourceServerDao;
+import com.authlete.jaxrs.server.db.ResourceServerEntity;
 
 
 /**
@@ -39,6 +42,7 @@
  *      >RFC 7662, OAuth 2.0 Token Introspection</a>
  *
  * @author Takahiko Kawasaki
+ * @author Hideki Ikeda
  */
 @Path("/api/introspection")
 public class IntrospectionEndpoint extends BaseIntrospectionEndpoint
@@ -53,6 +57,7 @@ public class IntrospectionEndpoint extends BaseIntrospectionEndpoint
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response post(
             @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
+            @HeaderParam(HttpHeaders.ACCEPT) String accept,
             MultivaluedMap<String, String> parameters)
     {
         // "2.1. Introspection Request" in RFC 7662 says as follows:
@@ -68,46 +73,47 @@ public Response post(
         // Therefore, this API must be protected in some way or other.
         // Basic Authentication and Bearer Token are typical means, and
         // both use the value of the 'Authorization' header.
-        //
-        // Authenticate the API caller.
-        boolean authenticated = authenticateApiCaller(authorization);
 
-        // If the API caller does not have necessary privileges to call this API.
-        if (authenticated == false)
+        BasicCredentials credentials = BasicCredentials.parse(authorization);
+
+        // Fetch the information about the resource server from DB.
+        ResourceServerEntity rsEntity = ResourceServerDao.get(credentials.getUserId());
+
+        // If failed to authenticate the resource server.
+        if (authenticateResourceServer(rsEntity, credentials) == false)
         {
             // Return "401 Unauthorized".
             return Response.status(Status.UNAUTHORIZED).build();
         }
 
+        // Build a Param object to call the request handler.
+        Params params = buildParams(parameters, accept, rsEntity);
+
         // Handle the introspection request.
-        return handle(AuthleteApiFactory.getDefaultApi(), parameters);
+        return handle(AuthleteApiFactory.getDefaultApi(), params);
     }
 
 
-    /**
-     * Authenticate the API caller.
-     *
-     * @param authorization
-     *         The value of the {@code Authorization} header of the API call.
-     *
-     * @return
-     *         True if the API caller has necessary privileges to access
-     *         the introspection endpoint.
-     */
-    private boolean authenticateApiCaller(String authorization)
+    private Params buildParams(
+            MultivaluedMap<String, String> parameters, String accept, ResourceServerEntity rsEntity)
     {
-        // TODO: This implementation is for demonstration purpose only.
+        return new Params()
+                .setParameters(parameters)
+                .setHttpAcceptHeader(accept)
+                .setRsUri(rsEntity.getUri())
+                .setIntrospectionSignAlg(rsEntity.getIntrospectionSignAlg())
+                .setIntrospectionEncryptionAlg(rsEntity.getIntrospectionEncryptionAlg())
+                .setIntrospectionEncryptionEnc(rsEntity.getIntrospectionEncryptionEnc())
+                .setPublicKeyForEncryption(rsEntity.getPublicKeyForIntrospectionResponseEncryption())
+                .setSharedKeyForSign(rsEntity.getSharedKeyForIntrospectionResponseSign())
+                .setSharedKeyForEncryption(rsEntity.getSharedKeyForIntrospectionResponseEncryption());
+    }
 
-        // If the Authorization header contains "Basic Authentication" and
-        // if the user part is "nobody".
-        BasicCredentials credentials = BasicCredentials.parse(authorization);
-        if (credentials != null && "nobody".equals(credentials.getUserId()))
-        {
-            // Reject the introspection request by "nobody".
-            return false;
-        }
 
-        // Accept anybody except "nobody".
-        return true;
+    private boolean authenticateResourceServer(
+            ResourceServerEntity rsEntity, BasicCredentials credentials)
+    {
+        return rsEntity != null &&
+               rsEntity.getSecret().equals(credentials.getPassword());
     }
 }

src/main/java/com/authlete/jaxrs/server/db/BaseDao.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2023 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.db;
+
+
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.nio.charset.StandardCharsets;
+
+
+public class BaseDao
+{
+    /**
+     * Create a Reader instance that reads the specified resource.
+     */
+    protected static Reader createReader(Class<?> clazz, String resource)
+    {
+        return new InputStreamReader(
+                clazz.getResourceAsStream(resource), StandardCharsets.UTF_8);
+    }
+}

src/main/java/com/authlete/jaxrs/server/db/DatasetDao.java

@@ -18,9 +18,7 @@
 
 
 import java.io.IOException;
-import java.io.InputStreamReader;
 import java.io.Reader;
-import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -33,7 +31,7 @@
 /**
  * Sources of datasets (contents of "verified_claims").
  */
-public class DatasetDao
+public class DatasetDao extends BaseDao
 {
     // Sources of datasets. The JSON files have been copied from
     // https://bitbucket.org/openid/ekyc-ida/src/master/examples/response/
@@ -100,7 +98,7 @@ private static Map<String, List<Map<String, Object>>> createSubjectDatasetsMap()
     private static Map<String, Object> loadDataset(String resource)
     {
         // Create a Reader to read the resource.
-        try (Reader reader = createReader(resource))
+        try ( Reader reader = createReader(DatasetDao.class, resource) )
         {
             // Convert the JSON in the resource into a Map instance.
             Map<String, Object> map = new Gson().fromJson(reader, Map.class);
@@ -118,17 +116,6 @@ private static Map<String, Object> loadDataset(String resource)
     }
 
 
-    /**
-     * Create a Reader instance that reads the specified resource.
-     */
-    private static Reader createReader(String resource)
-    {
-        return new InputStreamReader(
-                DatasetDao.class.getResourceAsStream(resource),
-                StandardCharsets.UTF_8);
-    }
-
-
     /**
      * Get the datasets of the subject (user identifier).
      *

src/main/java/com/authlete/jaxrs/server/db/ResourceServerDao.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2023 Authlete, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the
+ * License.
+ */
+package com.authlete.jaxrs.server.db;
+
+
+import java.io.IOException;
+import java.io.Reader;
+import java.lang.reflect.Type;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+
+
+/**
+ * Operations to access the resource server database.
+ */
+public class ResourceServerDao extends BaseDao
+{
+    private static final String RESOURCE_SERVER = "/resource_servers.json";
+
+
+    /**
+     * Holder of the cache of resource server entities.
+     */
+    private static final class ResourceServerEntityHolder
+    {
+        // Cache of resource server entities. Keys are resource server
+        // IDs. Values are ResourceServerEntity objects loaded from JSON
+        // files.
+        private static final Map<String, ResourceServerEntity> INSTANCE =
+                createResourceServers();
+    }
+
+
+    /**
+     * Create the content of ResourceServersHolder.INSTANCE.
+     */
+    private static Map<String, ResourceServerEntity> createResourceServers()
+    {
+        return loadResourceServers(RESOURCE_SERVER)
+                .stream()
+                .collect(Collectors.toMap(s -> s.getId(), s -> s));
+    }
+
+
+    /**
+     * Load configurations of resource servers from the resource.
+     */
+    private static List<ResourceServerEntity> loadResourceServers(String resource)
+    {
+        // Create a Reader to read the resource.
+        try ( Reader reader = createReader(ResourceServerDao.class, resource) )
+        {
+            // The type of the object to be loaded.
+            Type type = new TypeToken<ArrayList<ResourceServerEntity>>(){}.getType();
+
+            // Convert the JSON in the resource into a list of ResourceServerEntity.
+            return new Gson().fromJson(reader, type);
+        }
+        catch (IOException e)
+        {
+            // Failed to read the resource.
+            e.printStackTrace();
+
+            return Collections.emptyList();
+        }
+    }
+
+
+    /**
+     * Get a resource server entity.
+     *
+     * @param rsId
+     *         The ID of a resource server.
+     *
+     * @return
+     *         A resource server entity specified by the ID. null is
+     *         returned when the resource server entity is unavailable.
+     */
+    public static ResourceServerEntity get(String rsId)
+    {
+        return ResourceServerEntityHolder.INSTANCE.get(rsId);
+    }
+}