Merge pull request #47450 from michalvavrik/feature/make-oidc-required-claims-array

Make OIDC required claims support arrays

Author: sberyozkin

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -2222,7 +2222,7 @@ public static Token fromAudience(String... audience) {
          * Strings are the only supported types. Use {@linkplain SecurityIdentityAugmentor} to verify claims of other types or
          * complex claims.
          */
-        public Map<String, String> requiredClaims = new HashMap<>();
+        public Map<String, Set<String>> requiredClaims = new HashMap<>();
 
         /**
          * Expected token type
@@ -2507,11 +2507,11 @@ public void setDecryptionKeyLocation(String decryptionKeyLocation) {
             this.decryptionKeyLocation = Optional.of(decryptionKeyLocation);
         }
 
-        public Map<String, String> getRequiredClaims() {
+        public Map<String, Set<String>> getRequiredClaims() {
             return requiredClaims;
         }
 
-        public void setRequiredClaims(Map<String, String> requiredClaims) {
+        public void setRequiredClaims(Map<String, Set<String>> requiredClaims) {
             this.requiredClaims = requiredClaims;
         }
 
@@ -2596,7 +2596,7 @@ public boolean subjectRequired() {
         }
 
         @Override
-        public Map<String, String> requiredClaims() {
+        public Map<String, Set<String>> requiredClaims() {
             return requiredClaims;
         }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java

@@ -1,5 +1,7 @@
 package io.quarkus.oidc.runtime;
 
+import static java.util.Objects.requireNonNull;
+
 import java.io.Closeable;
 import java.nio.charset.StandardCharsets;
 import java.security.Key;
@@ -8,9 +10,11 @@
 import java.util.Base64;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 
+import jakarta.json.JsonArray;
 import jakarta.json.JsonObject;
 
 import org.eclipse.microprofile.jwt.Claims;
@@ -76,7 +80,7 @@ public class OidcProvider implements Closeable {
     final TokenCustomizer tokenCustomizer;
     final String issuer;
     final String[] audience;
-    final Map<String, String> requiredClaims;
+    final Map<String, Set<String>> requiredClaims;
     final Key tokenDecryptionKey;
     final AlgorithmConstraints requiredAlgorithmConstraints;
 
@@ -160,8 +164,9 @@ private String[] checkAudienceProp() {
         return audienceProp != null ? audienceProp.toArray(new String[] {}) : null;
     }
 
-    private Map<String, String> checkRequiredClaimsProp() {
-        return oidcConfig != null ? oidcConfig.token().requiredClaims() : null;
+    private Map<String, Set<String>> checkRequiredClaimsProp() {
+        return oidcConfig != null && !oidcConfig.token().requiredClaims().isEmpty() ? oidcConfig.token().requiredClaims()
+                : null;
     }
 
     public TokenVerificationResult verifySelfSignedJwtToken(String token, Key generatedInternalSignatureKey)
@@ -216,7 +221,7 @@ private TokenVerificationResult verifyJwtTokenInternal(String token,
         }
 
         if (nonce != null) {
-            builder.registerValidator(new CustomClaimsValidator(Map.of(OidcConstants.NONCE, nonce)));
+            builder.registerValidator(new CustomClaimsValidator(Map.of(OidcConstants.NONCE, Set.of(nonce))));
         }
 
         for (Validator customValidator : customValidators) {
@@ -241,7 +246,7 @@ private TokenVerificationResult verifyJwtTokenInternal(String token,
         } else {
             builder.setSkipDefaultAudienceValidation();
         }
-        if (requiredClaims != null && !requiredClaims.isEmpty()) {
+        if (requiredClaims != null) {
             builder.registerValidator(new CustomClaimsValidator(requiredClaims));
         }
 
@@ -387,22 +392,46 @@ public TokenIntrospection apply(TokenIntrospection introspectionResult, Throwabl
                             throw new AuthenticationFailedException(ex, tokenMap(token, idToken));
                         }
 
-                        if (requiredClaims != null && !requiredClaims.isEmpty()) {
-                            for (Map.Entry<String, String> requiredClaim : requiredClaims.entrySet()) {
-                                String introspectionClaimValue = null;
-                                try {
-                                    introspectionClaimValue = introspectionResult.getString(requiredClaim.getKey());
-                                } catch (ClassCastException ex) {
-                                    LOG.debugf("Introspection claim %s is not String", requiredClaim.getKey());
+                        if (requiredClaims != null) {
+                            for (Map.Entry<String, Set<String>> requiredClaim : requiredClaims.entrySet()) {
+                                final String requiredClaimName = requiredClaim.getKey();
+                                if (!introspectionResult.contains(requiredClaimName)) {
+                                    LOG.debugf("Introspection claim %s is missing", requiredClaimName);
                                     throw new AuthenticationFailedException(tokenMap(token, idToken));
                                 }
-                                if (introspectionClaimValue == null) {
-                                    LOG.debugf("Introspection claim %s is missing", requiredClaim.getKey());
+                                final Set<String> requiredClaimValues = requiredClaim.getValue();
+                                if (requiredClaimValues.size() == 1) {
+                                    String introspectionClaimValue = null;
+                                    try {
+                                        introspectionClaimValue = introspectionResult.getString(requiredClaimName);
+                                    } catch (ClassCastException ex) {
+                                        LOG.debugf("Introspection claim %s is not String", requiredClaimName);
+                                    }
+                                    String requiredClaimValue = requiredClaimValues.iterator().next();
+                                    if (requiredClaimValue.equals(introspectionClaimValue)) {
+                                        continue;
+                                    }
+                                }
+                                final JsonArray actualClaimValueArray;
+                                try {
+                                    actualClaimValueArray = requireNonNull(introspectionResult.getArray(requiredClaimName));
+                                } catch (Exception ignored) {
+                                    LOG.debugf("Introspection claim %s is neither string or array", requiredClaimName);
                                     throw new AuthenticationFailedException(tokenMap(token, idToken));
                                 }
-                                if (!introspectionClaimValue.equals(requiredClaim.getValue())) {
+                                requiredClaimValuesLoop: for (String requiredClaimValue : requiredClaimValues) {
+                                    for (int i = 0; i < actualClaimValueArray.size(); i++) {
+                                        try {
+                                            String actualClaimValue = actualClaimValueArray.getString(i);
+                                            if (requiredClaimValue.equals(actualClaimValue)) {
+                                                continue requiredClaimValuesLoop;
+                                            }
+                                        } catch (Exception ignored) {
+                                            // try next actual claim value
+                                        }
+                                    }
                                     LOG.debugf("Value of the introspection claim %s does not match required value of %s",
-                                            requiredClaim.getKey(), requiredClaim.getValue());
+                                            requiredClaimName, requiredClaimValue);
                                     throw new AuthenticationFailedException(tokenMap(token, idToken));
                                 }
                             }
@@ -416,8 +445,7 @@ public TokenIntrospection apply(TokenIntrospection introspectionResult, Throwabl
 
     private void verifyTokenExpiry(String token, boolean idToken, Long exp) {
         if (isTokenExpired(exp)) {
-            String error = String.format("Token issued to client %s has expired",
-                    oidcConfig.clientId().get());
+            String error = String.format("Token issued to client %s has expired", oidcConfig.clientId().get());
             LOG.debugf(error);
             throw new AuthenticationFailedException(
                     new InvalidJwtException(error,
@@ -436,7 +464,7 @@ private int getLifespanGrace() {
                 : 0;
     }
 
-    private static final long now() {
+    private static long now() {
         return System.currentTimeMillis();
     }
 
@@ -624,7 +652,7 @@ public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContex
         }
 
         private Key initKey(Key generatedInternalSignatureKey) {
-            String clientSecret = OidcCommonUtils.getClientOrJwtSecret(oidcConfig.credentials);
+            String clientSecret = OidcCommonUtils.getClientOrJwtSecret(oidcConfig.credentials());
             if (clientSecret != null) {
                 LOG.debug("Verifying internal ID token with a configured client secret");
                 return KeyUtils.createSecretKeyFromSecret(clientSecret);
@@ -642,11 +670,11 @@ public OidcConfigurationMetadata getMetadata() {
         return client == null ? null : client.getMetadata();
     }
 
-    private static class CustomClaimsValidator implements Validator {
+    private static final class CustomClaimsValidator implements Validator {
 
-        private final Map<String, String> customClaims;
+        private final Map<String, Set<String>> customClaims;
 
-        public CustomClaimsValidator(Map<String, String> customClaims) {
+        private CustomClaimsValidator(Map<String, Set<String>> customClaims) {
             this.customClaims = customClaims;
         }
 
@@ -658,13 +686,29 @@ public String validate(JwtContext jwtContext) throws MalformedClaimException {
                 if (!claims.hasClaim(claimName)) {
                     return "claim " + claimName + " is missing";
                 }
-                if (!claims.isClaimValueString(claimName)) {
-                    throw new MalformedClaimException("expected claim " + claimName + " to be a string");
-                }
-                var claimValue = claims.getStringClaimValue(claimName);
-                var targetValue = targetClaim.getValue();
-                if (!claimValue.equals(targetValue)) {
-                    return "claim " + claimName + " does not match expected value of " + targetValue;
+                Set<String> requiredClaimValues = targetClaim.getValue();
+                if (claims.isClaimValueString(claimName)) {
+                    if (requiredClaimValues.size() == 1) {
+                        String actualClaimValue = claims.getStringClaimValue(claimName);
+                        String requiredClaimValue = requiredClaimValues.iterator().next();
+                        if (!requiredClaimValue.equals(actualClaimValue)) {
+                            return "claim " + claimName + " does not match expected value of " + requiredClaimValues;
+                        }
+                    } else {
+                        throw new MalformedClaimException("expected claim " + claimName + " must be a list of strings");
+                    }
+                } else {
+                    if (claims.isClaimValueStringList(claimName)) {
+                        List<String> actualClaimValues = claims.getStringListClaimValue(claimName);
+                        for (String requiredClaimValue : requiredClaimValues) {
+                            if (!actualClaimValues.contains(requiredClaimValue)) {
+                                return "claim " + claimName + " does not match expected value of " + requiredClaimValues;
+                            }
+                        }
+                    } else {
+                        throw new MalformedClaimException(
+                                "expected claim " + claimName + " must be a list of strings or a string");
+                    }
                 }
             }
             return null;

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java

@@ -1002,13 +1002,14 @@ interface Token {
 
         /**
          * A map of required claims and their expected values.
-         * For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id` claim to
-         * be present and set to `org_xyz`.
-         * Strings are the only supported types. Use {@linkplain SecurityIdentityAugmentor} to verify claims of other types or
-         * complex claims.
+         * For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id`
+         * claim to be present and set to `org_xyz`. On the other hand, if it was set to `org_xyz,org_abc`,
+         * the `org_id` claim would need to have both `org_xyz` and `org_abc` values.
+         * Strings and arrays of strings are currently the only supported types.
+         * Use {@linkplain SecurityIdentityAugmentor} to verify claims of other types or complex claims.
          */
         @ConfigDocMapKey("claim-name")
-        Map<String, String> requiredClaims();
+        Map<String, Set<@WithConverter(TrimmedStringConverter.class) String>> requiredClaims();
 
         /**
          * Expected token type

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/StaticTenantResolver.java

@@ -6,6 +6,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.BiFunction;
 
@@ -19,6 +20,7 @@
 import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
 import io.smallrye.mutiny.Uni;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.web.RoutingContext;
 
@@ -246,9 +248,41 @@ private static String getTenantId(RoutingContext context, TenantConfigContext te
             return null;
         }
 
-        private static boolean requiredClaimsMatch(Map<String, String> requiredClaims, JsonObject tokenJson) {
-            for (Map.Entry<String, String> entry : requiredClaims.entrySet()) {
-                if (!entry.getValue().equals(tokenJson.getString(entry.getKey()))) {
+        private static boolean requiredClaimsMatch(Map<String, Set<String>> requiredClaims, JsonObject tokenJson) {
+            for (Map.Entry<String, Set<String>> entry : requiredClaims.entrySet()) {
+                Set<String> requiredClaimSet = entry.getValue();
+                String claimName = entry.getKey();
+                if (requiredClaimSet.size() == 1) {
+                    String actualClaimValueAsStr;
+                    try {
+                        actualClaimValueAsStr = tokenJson.getString(claimName);
+                    } catch (Exception ex) {
+                        actualClaimValueAsStr = null;
+                    }
+                    if (actualClaimValueAsStr != null && requiredClaimSet.contains(actualClaimValueAsStr)) {
+                        continue;
+                    }
+                }
+                final JsonArray actualClaimValues;
+                try {
+                    actualClaimValues = tokenJson.getJsonArray(claimName);
+                } catch (Exception e) {
+                    return false;
+                }
+                if (actualClaimValues == null) {
+                    return false;
+                }
+                outer: for (String requiredClaimValue : requiredClaimSet) {
+                    for (int i = 0; i < actualClaimValues.size(); i++) {
+                        try {
+                            String actualClaimValue = actualClaimValues.getString(i);
+                            if (requiredClaimValue.equals(actualClaimValue)) {
+                                continue outer;
+                            }
+                        } catch (Exception ignored) {
+                            // try next actual claim value
+                        }
+                    }
                     return false;
                 }
             }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/builders/TokenConfigBuilder.java

@@ -9,6 +9,9 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.OptionalInt;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
 
 import io.quarkus.oidc.OidcTenantConfigBuilder;
 import io.quarkus.oidc.runtime.OidcTenantConfig;
@@ -20,7 +23,7 @@
 public final class TokenConfigBuilder {
 
     private record TokenImpl(Optional<String> issuer, Optional<List<String>> audience, boolean subjectRequired,
-            Map<String, String> requiredClaims, Optional<String> tokenType, OptionalInt lifespanGrace,
+            Map<String, Set<String>> requiredClaims, Optional<String> tokenType, OptionalInt lifespanGrace,
             Optional<Duration> age, boolean issuedAtRequired, Optional<String> principalClaim, boolean refreshExpired,
             Optional<Duration> refreshTokenTimeSkew, Duration forcedJwkRefreshInterval, Optional<String> header,
             String authorizationScheme, Optional<OidcTenantConfig.SignatureAlgorithm> signatureAlgorithm,
@@ -30,7 +33,7 @@ private record TokenImpl(Optional<String> issuer, Optional<List<String>> audienc
     }
 
     private final OidcTenantConfigBuilder builder;
-    private final Map<String, String> requiredClaims = new HashMap<>();
+    private final Map<String, Set<String>> requiredClaims = new HashMap<>();
     private final List<String> audience = new ArrayList<>();
     private Optional<String> issuer;
     private boolean subjectRequired;
@@ -103,7 +106,19 @@ public OidcTenantConfigBuilder end() {
     public TokenConfigBuilder requiredClaims(String requiredClaimName, String requiredClaimValue) {
         Objects.requireNonNull(requiredClaimName);
         Objects.requireNonNull(requiredClaimValue);
-        this.requiredClaims.put(requiredClaimName, requiredClaimValue);
+        this.requiredClaims.put(requiredClaimName, Set.of(requiredClaimValue));
+        return this;
+    }
+
+    /**
+     * @param requiredClaimName {@link OidcTenantConfig.Token#requiredClaims()} name
+     * @param requiredClaimValues {@link OidcTenantConfig.Token#requiredClaims()} value
+     * @return this builder
+     */
+    public TokenConfigBuilder requiredClaims(String requiredClaimName, Set<String> requiredClaimValues) {
+        Objects.requireNonNull(requiredClaimName);
+        Objects.requireNonNull(requiredClaimValues);
+        this.requiredClaims.put(requiredClaimName, Set.copyOf(requiredClaimValues));
         return this;
     }
 
@@ -112,6 +127,30 @@ public TokenConfigBuilder requiredClaims(String requiredClaimName, String requir
      * @return this builder
      */
     public TokenConfigBuilder requiredClaims(Map<String, String> requiredClaims) {
+        if (requiredClaims != null) {
+            return this.setRequiredClaims(requiredClaims
+                    .entrySet()
+                    .stream()
+                    .collect(Collectors.toMap(new Function<Map.Entry<String, String>, String>() {
+                        @Override
+                        public String apply(Map.Entry<String, String> stringStringEntry) {
+                            return stringStringEntry.getKey();
+                        }
+                    }, new Function<Map.Entry<String, String>, Set<String>>() {
+                        @Override
+                        public Set<String> apply(Map.Entry<String, String> e) {
+                            return Set.of(e.getValue());
+                        }
+                    })));
+        }
+        return this;
+    }
+
+    /**
+     * @param requiredClaims {@link OidcTenantConfig.Token#requiredClaims()}
+     * @return this builder
+     */
+    public TokenConfigBuilder setRequiredClaims(Map<String, Set<String>> requiredClaims) {
         if (requiredClaims != null) {
             this.requiredClaims.putAll(requiredClaims);
         }