
Commit 98b24f0

grgrzybekgtully
authored andcommitted
ARTEMIS-5200 Implement JAAS OIDC LoginModule for JWT authentication
ARTEMIS-5200 Initial implementation of JAAS OIDC Login Module * support for fetching OIDC metadata * caching and handling JWK keys * JAAS Login module that verifies claims and JWT signature * extensive test coverage * based on JDK HTTP Client * JAAS string-based configuration (etc/login.config) ARTEMIS-5200 Extracting principal identities/roles from JWT ARTEMIS-5200 Add logging information and signature tests ARTEMIS-5200 Implement RFC 8705 (OAuth2 + mTLS) ARTEMIS-5200 Add test for full LoginContext usage with OIDC in login.config ARTEMIS-5200 Fix SSL Context initialization in HttpClient ARTEMIS-5200 Adjust OSGi headers and features for artemis-server-osgi ARTEMIS-5200 Cleanup in OIDCLoginModule.logout()
1 parent 3573b66 commit 98b24f0

22 files changed

Lines changed: 4519 additions & 2 deletions


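--- a/artemis-features/src/main/resources/features.xml
+++ b/artemis-features/src/main/resources/features.xml
@@ -79,6 +79,7 @@
 <bundle dependency="true">mvn:org.apache.commons/commons-pool2/${commons.pool2.version}</bundle>
 <!-- Micrometer can't be included until it supports OSGi. It is currently an "optional" Maven dependency. -->
 <!--bundle dependency="true">mvn:io.micrometer/micrometer-core/${version.micrometer}</bundle-->
+<bundle dependency="true">mvn:com.nimbusds/nimbus-jose-jwt/${nimbus.jwt.version}</bundle>
 
 <bundle>mvn:org.apache.activemq/activemq-artemis-native/${activemq-artemis-native-version}</bundle>
 <bundle>mvn:org.apache.artemis/artemis-lockmanager-api/${pom.version}</bundle>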

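--- a/artemis-pom/pom.xml
+++ b/artemis-pom/pom.xml
@@ -943,6 +943,14 @@
 <type>pom</type>
 <scope>import</scope>
 </dependency>
+
+<dependency>
+<groupId>com.nimbusds</groupId>
+<artifactId>nimbus-jose-jwt</artifactId>
+<version>${nimbus.jwt.version}</version>
+<!-- License: Apache 2.0 -->
+</dependency>
+
 </dependencies>
 </dependencyManagement>
 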

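--- a/artemis-server-osgi/pom.xml
+++ b/artemis-server-osgi/pom.xml
@@ -132,6 +132,8 @@
 io.netty.buffer;io.netty.*;version="[4.1,5)",
 java.net.http*;resolution:=optional,
 com.sun.net.httpserver*;resolution:=optional,
+com.nimbusds.jose*;resolution:=optional,
+com.nimbusds.jwt*;resolution:=optional,
 *
 </Import-Package>
 <_exportcontents>org.apache.activemq.artemis.*;-noimport:=true</_exportcontents>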

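--- a/artemis-server/pom.xml
+++ b/artemis-server/pom.xml
@@ -160,6 +160,10 @@
 <groupId>io.micrometer</groupId>
 <artifactId>micrometer-core</artifactId>
 </dependency>
+<dependency>
+<groupId>com.nimbusds</groupId>
+<artifactId>nimbus-jose-jwt</artifactId>
+</dependency>
 <dependency>
 <groupId>org.apache.activemq</groupId>
 <artifactId>activemq-artemis-native</artifactId>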

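--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/JaasCallbackHandler.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/JaasCallbackHandler.java
@@ -57,6 +57,9 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
 nameCallback.setName(username);
 } else if (callback instanceof CertificateCallback certificateCallback) {
 certificateCallback.setCertificates(getCertsFromConnection(remotingConnection));
+} else if (callback instanceof JwtCallback jwtCallback) {
+// TODO: switch to obtaining the token from RemotingConnection and protocol-specific implementation (SASL frames)
+jwtCallback.setJwtToken(password);
 } else if (callback instanceof PrincipalsCallback principalsCallback) {
 
 Subject peerSubject = remotingConnection.getSubject();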
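Review bot: `jwtCallback.setJwtToken(password);` passes the connection's password field through unchanged, so the value reaching the JWT login module can be null, empty, or an ordinary password meant for another module in the same login stack. The consumer is outside this hunk, so whether it rejects such values without logging them is an assumption to confirm; a parse-failure message that echoes the input would put passwords or bearer tokens in the broker log. I would state the contract next to the TODO: `// password field doubles as the bearer token; may be null or not a JWT, consumers must reject it without logging the value`. The enclosing `handle()` method starts and ends outside the hunk.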
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
/*
2+
* Licensed to the Apache Software Foundation (ASF) under one or more
3+
* contributor license agreements. See the NOTICE file distributed with
4+
* this work for additional information regarding copyright ownership.
5+
* The ASF licenses this file to You under the Apache License, Version 2.0
6+
* (the "License"); you may not use this file except in compliance with
7+
* the License. You may obtain a copy of the License at
8+
*
9+
* http://www.apache.org/licenses/LICENSE-2.0
10+
*
11+
* Unless required by applicable law or agreed to in writing, software
12+
* distributed under the License is distributed on an "AS IS" BASIS,
13+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14+
* See the License for the specific language governing permissions and
15+
* limitations under the License.
16+
*/
17+
package org.apache.activemq.artemis.spi.core.security.jaas;
18+
19+
import javax.security.auth.callback.Callback;
20+
21+
/**
22+
* A {@link Callback} for passing JWT token to {@link javax.security.auth.spi.LoginModule login modules}. JWT
23+
* tokens may come from {@code Bearer} HTTP header or SASL messages.
24+
*/
25+
public class JwtCallback implements Callback {
26+
27+
private String jwtToken;
28+
29+
public String getJwtToken() {
30+
return jwtToken;
31+
}
32+
33+
public void setJwtToken(String jwtToken) {
34+
this.jwtToken = jwtToken;
35+
}
36+
37+
}
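Review bot: The class Javadoc names the `Bearer` header and SASL messages as sources but does not say that the held value is the raw, unverified string presented by the client, or that it may be null. I would add to the class comment: `The token is the raw, unverified value presented by the client and may be {@code null}; a login module must validate its signature and claims before using any of its content.` The accessors have no Javadoc; `getJwtToken()` should carry `@return the token string as supplied, or {@code null} if none was set`. Unlike `PasswordCallback`, the credential is kept in a `String` with no method to clear it after login, which deserves a sentence in the comment as well.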
