Adds support for provider-uri

Author: jvanderhoof

app/domain/authentication/authn_jwt/v2/strategy.rb

@@ -12,7 +12,8 @@ def initialize(
           jwt: JWT,
           http: Net::HTTP, # check that this is needed
           json: JSON,
-          cache: Rails.cache
+          cache: Rails.cache,
+          oidc_discovery_configuration: ::OpenIDConnect::Discovery::Provider::Config
         )
           @authenticator = authenticator
           @logger = logger
@@ -21,6 +22,7 @@ def initialize(
           @json = json
           @http = http
           @cache = cache
+          @oidc_discovery_configuration = oidc_discovery_configuration
         end
 
         def callback(parameters:, request_body:)
@@ -53,14 +55,32 @@ def callback(parameters:, request_body:)
                 hash[:aud] = @authenticator.audience
                 hash[:verify_aud] = true
               end
-              hash[:jwks] = jwk_loader
+              hash[:jwks] = jwk_loader(@authenticator.jwks_uri)
             elsif @authenticator.public_keys.present?
               hash[:iss] = @authenticator.issuer
               hash[:verify_iss] = true
               # Looks like loading from the public key is really just injesting
               # a JWKS endpoint from a local source.
               keys = @json.parse(@authenticator.public_keys)&.deep_symbolize_keys
               hash[:jwks] = keys[:value]
+            elsif @authenticator.provider_uri.present?
+              begin
+                if @authenticator.issuer.present?
+                  hash[:iss] = @authenticator.issuer
+                  hash[:verify_iss] = true
+                end
+                if @authenticator.audience.present?
+                  hash[:aud] = @authenticator.audience
+                  hash[:verify_aud] = true
+                end
+                hash[:jwks] = jwk_loader(
+                  @oidc_discovery_configuration.discover!(
+                    @authenticator.provider_uri
+                  )&.jwks_uri
+                )
+              rescue Exception => e
+                raise Errors::Authentication::OAuth::ProviderDiscoveryFailed.new(@authenticator.provider_uri, e.inspect)
+              end
             else
               raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings,
                 'Failed to find a JWT decode option. Either `jwks-uri` or `public-keys` variable must be set.'
@@ -92,9 +112,9 @@ def callback(parameters:, request_body:)
             # Looks like only the "malformed JWT" decode error has a unique custom exception
             if e.message == 'Not enough or too many segments'
               raise Errors::Authentication::Jwt::RequestBodyMissingJWTToken
-            else
-              raise Errors::Authentication::Jwt::TokenDecodeFailed, e.inspect
             end
+
+            raise Errors::Authentication::Jwt::TokenDecodeFailed, e.inspect
           rescue => e
             raise Errors::Authentication::Jwt::TokenVerificationFailed, e.inspect
           end
@@ -115,14 +135,14 @@ def callback(parameters:, request_body:)
 
         private
 
-        def jwk_loader
+        def jwk_loader(jwks_url)
           ->(options) do
-            jwks(force: options[:invalidate]) || {}
+            jwks(jwks_url: jwks_url, force: options[:invalidate]) || {}
           end
         end
 
-        def fetch_jwks
-          uri = URI(@authenticator.jwks_uri)
+        def fetch_jwks(url)
+          uri = URI(url)
           http = @http.new(uri.host, uri.port)
           if uri.instance_of?(URI::HTTPS)
             # Enable SSL support
@@ -140,11 +160,13 @@ def fetch_jwks
             http.cert_store = store
           end
 
+          # If path is an empty string, the get request will fail. We set it default to a slash.
+          path = uri.path.empty? ? '/' : uri.path
           begin
-            response = http.request(@http::Get.new(uri.path))
+            response = http.request(@http::Get.new(path))
           rescue Exception => e
             raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(
-              @authenticator.jwks_uri,
+              url,
               e.inspect
             )
           end
@@ -154,14 +176,14 @@ def fetch_jwks
           @json.parse(response.body)
         end
 
-        def jwks(force: false)
+        def jwks(jwks_url:, force: false)
           # TODO: Need a mechanism to allow us to expire cache from Cucumber tests
           # so that we can include tests with different JWKS certificates.
           #
           # @cache.fetch(@cache_key, force: force, skip_nil: true) do
-          #   fetch_jwks
+          #   fetch_jwks(jwks_url)
           # end&.deep_symbolize_keys
-          fetch_jwks&.deep_symbolize_keys
+          fetch_jwks(jwks_url)&.deep_symbolize_keys
         end
       end
     end

app/domain/authentication/handler/authentication_handler.rb

@@ -65,7 +65,6 @@ def call(request_ip:, parameters: nil, request_body: nil, action: nil)
           )
         end
 
-        # binding.pry
         begin
           role = @identity_resolver.new(authenticator: authenticator).call(
             identifier: @strategy.new(
@@ -115,24 +114,16 @@ def call(request_ip:, parameters: nil, request_body: nil, action: nil)
 
         TokenFactory.new.signed_token(
           account: parameters[:account],
-          username: role.login,  # role.role_id.split(':').last,
+          username: role.login,
           user_ttl: authenticator.token_ttl
         )
       rescue => e
-        # binding.pry
-          #   log_audit_failure(
-  #     authn_params: authenticator_input,
-  #     audit_event_class: Audit::Event::Authn::Authenticate,
-  #     error: e
-  #   )
-
         log_audit_failure(authenticator, role&.role_id, request_ip, @authenticator_type, e)
         handle_error(e)
       end
 
       def handle_error(err)
         @logger.info("#{err.class.name}: #{err.message}")
-        # binding.pry
         err.backtrace.each {|l| @logger.info(l) }
 
         case err
@@ -183,7 +174,6 @@ def log_audit_success(service, role_id, client_ip, type)
       end
 
       def log_audit_failure(service, role_id, client_ip, type, error)
-        # binding.pry
         @audit_logger.log(
           ::Audit::Event::Authn::Authenticate.new(
             authenticator_name: type,

cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature

@@ -63,7 +63,7 @@ Feature: JWT Authenticator - Fetch signing key
     When I authenticate via authn-jwt with the ID token
     Then host "alice" has been authorized by Conjur
 
-  @negative @acceptance @skip
+  @negative @acceptance
   Scenario: ONYX-8704: provider uri configured with bad value
     Given I load a policy:
     """
@@ -265,7 +265,7 @@ Feature: JWT Authenticator - Fetch signing key
     cucumber:host:alice successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/keycloak
     """
 
-  @acceptance @skip
+  @acceptance
   Scenario: jwks uri configured dynamically changed to provider uri
     Given I load a policy:
     """
@@ -364,7 +364,7 @@ Feature: JWT Authenticator - Fetch signing key
     And I authenticate via authn-jwt with the ID token
     Then host "alice" has been authorized by Conjur
 
-  @sanity @acceptance @skip
+  @sanity @acceptance
   Scenario: ONYX-8709: provider-uri dynamically changed, 502 ERROR resolves to 200 OK
     Given I load a policy:
     """
@@ -607,7 +607,7 @@ Feature: JWT Authenticator - Fetch signing key
     CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')
     """
 
-  @negative @acceptance @skip
+  @negative @acceptance
   Scenario: ONYX-8914: provider-uri with untrusted self sign certificate
     Given I load a policy:
     """
@@ -632,7 +632,7 @@ Feature: JWT Authenticator - Fetch signing key
     CONJ00011E Failed to discover Identity Provider (Provider URI: 'https://jwks'). Reason: '#<OpenIDConnect::Discovery::DiscoveryFailed: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>
     """
 
-  @negative @acceptance @skip
+  @negative @acceptance
   Scenario: ONYX-8913: jwks-uri with untrusted self sign certificate
     Given I load a policy:
     """
@@ -728,7 +728,7 @@ Feature: JWT Authenticator - Fetch signing key
     CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::DecodeError: No key id (kid) found from token headers>')
     """
 
-  @sanity @smoke @skip
+  @sanity @smoke
   Scenario: ONYX-15322: public-keys happy path
     Given I load a policy:
     """