ARTEMIS-5200 Clarify configuration of Certificate-Bound JWT Access Tokens

Author: grgrzybek

artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/OIDCLoginModule.java

@@ -148,8 +148,9 @@ public class OIDCLoginModule implements AuditLoginModule {
    private String[] rolesPaths;
 
    /**
-    * <p>Flag which turns on OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
-    * (RFC 8705).</p>
+    * <p>Flag which enforces OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
+    * (RFC 8705). If a token contains {@code cnf/x5t#256} claim, it is always verified and mTLS is required.</p>
+    *
     * <p>{@code cnf} claim itself comes from RFC 7800 (Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs))
     * and represents a proof that the token was issued for the actual sender (and was not stolen). {@code x5t#256}
     * is a specific type of proof from RFC 7515 (JSON Web Signature (JWS)) and represents an SHA-256 digest
@@ -245,14 +246,10 @@ public boolean login() throws LoginException {
       JWT jwt;
       JWTClaimsSet claims = null;
       try {
-         CertificateCallback x509Callback = null;
+         CertificateCallback x509Callback = new CertificateCallback();
          JwtCallback jwtCallback = new JwtCallback();
-         if (requireOAuth2MTLS) {
-            x509Callback = new CertificateCallback();
-            handler.handle(new Callback[] {x509Callback, jwtCallback});
-         } else {
-            handler.handle(new Callback[] {jwtCallback});
-         }
+         // attempt to get the certificate in all the cases - to use it if JWT contains the cnf claim
+         handler.handle(new Callback[] {x509Callback, jwtCallback});
 
          String token = jwtCallback.getJwtToken();
 
@@ -278,7 +275,7 @@ public boolean login() throws LoginException {
          // we may want to verify the proof of possession even if it's not required, but the claim is
          // present in the token
          String thumbprint = OIDCSupport.getThumbprint(claims);
-         X509Certificate[] certificates = x509Callback == null ? new X509Certificate[0] : x509Callback.getCertificates();
+         X509Certificate[] certificates = x509Callback.getCertificates();
 
          if (requireOAuth2MTLS || thumbprint != null) {
             String msg = null;
@@ -303,10 +300,12 @@ public boolean login() throws LoginException {
          }
 
          if (debug) {
-            if (requireOAuth2MTLS) {
+            if (requireOAuth2MTLS || thumbprint != null) {
+               // if there's no LoginException, the cnf claim is ensured to be in the token
+               String digest = OIDCSupport.stringArrayForPath(claims, "cnf.x5t#256").value()[0];
                logger.debug("JAAS login successful for JWT token with {} and X.509 thumbprint {}",
                      OIDCSupport.getTokenSummary(claims),
-                     OIDCSupport.stringArrayForPath(claims, "cnf.x5t#256").value()[0]);
+                     digest);
             } else {
                logger.debug("JAAS login successful for JWT token with {}", OIDCSupport.getTokenSummary(claims));
             }

artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/oidc/OIDCSupport.java

@@ -430,9 +430,9 @@ public enum ConfigKey {
       // When enabled, the field contains a base64url(sha256(der(client certificate))) value which SHOULD
       // match the certificate from actual mTLS (as handled by
       // org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule - but this module is not
-      // required as a prerequisite of OIDCLoginModule, as it doesn't put the certificate as "public credential")
-      // this flag defaults to false, but when cnf/x5t#256 is present in the token, it's used - and the
-      // validation fails if there's no underlying mTLS
+      // required as a prerequisite of OIDCLoginModule, as it doesn't put the certificate into "public credentials").
+      // This flag defaults to false, but when cnf/x5t#256 is present in the token, the proof-of-possession
+      // validation is performed regardless.
       REQUIRE_OAUTH_MTLS("requireOAuth2MTLS", "false");
 
       private final String name;

artemis-server/src/test/java/org/apache/activemq/artemis/spi/core/security/jaas/OIDCLoginModuleTest.java

@@ -788,6 +788,65 @@ public byte[] getEncoded() {
       assertTrue(lm.login());
    }
 
+   @Test
+   public void correctProofOfPossessionWithoutExplicitConfiguration() throws NoSuchAlgorithmException, JOSEException, LoginException {
+      KeyPairGenerator kpgRSA = KeyPairGenerator.getInstance("RSA");
+      KeyPair pairRSA = kpgRSA.generateKeyPair();
+
+      List<JWK> keys = new ArrayList<>();
+      // directly from the public key
+      keys.add(new RSAKey.Builder((RSAPublicKey) pairRSA.getPublic()).keyID("k1").build());
+
+      Map<String, String> config = configMap(
+            OIDCSupport.ConfigKey.DEBUG.getName(), "true",
+            // set to false (the default), but should be enforced for tokens with cnf/x5t#256 claim
+            OIDCSupport.ConfigKey.REQUIRE_OAUTH_MTLS.getName(), "false"
+      );
+
+      OIDCLoginModule lm = new OIDCLoginModule();
+      lm.setOidcSupport(new OIDCSupport(config, true) {
+         @Override
+         public JWKSecurityContext currentContext() {
+            return new JWKSecurityContext(keys);
+         }
+      });
+
+      StubX509Certificate cert = new StubX509Certificate(new UserPrincipal("Alice")) {
+         @Override
+         public byte[] getEncoded() {
+            // see for example org.keycloak.crypto.elytron.ElytronPEMUtilsProvider#encode()
+            return new byte[] {0x42, 0x2a};
+         }
+      };
+
+      byte[] digest = MessageDigest.getInstance("SHA256").digest(cert.getEncoded());
+      String x5t = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+
+      JWTClaimsSet claims = new JWTClaimsSet.Builder()
+            .issuer("http://localhost")
+            .subject("Alice")
+            .jwtID(UUID.randomUUID().toString())
+            .audience(List.of("me-the-broker", "some-other-api"))
+            .claim("azp", "artemis-oidc-client")
+            .claim("cnf", Map.of("x5t#256", x5t))
+            .expirationTime(new Date(new Date().getTime() + 3_600_000))
+            .build();
+      SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("k1").build(), claims);
+      JWSSigner signer = new RSASSASigner(pairRSA.getPrivate());
+      signedJWT.sign(signer);
+      String token = signedJWT.serialize();
+
+      RemotingConnection remotingConnection = mock(RemotingConnection.class);
+      NettyServerConnection nettyConnection = mock(NettyServerConnection.class);
+      when(remotingConnection.getTransportConnection()).thenReturn(nettyConnection);
+      when(nettyConnection.getPeerCertificates()).thenReturn(new X509Certificate[] {cert});
+
+      Subject subject = new Subject();
+      lm.initialize(subject, new JaasCallbackHandler(null, token, remotingConnection), null, config);
+
+      assertTrue(lm.login());
+   }
+
    @Test
    public void correctProofOfPossessionButNotConfiguredAndWithoutMTLS() throws NoSuchAlgorithmException, JOSEException {
       KeyPairGenerator kpgRSA = KeyPairGenerator.getInstance("RSA");

artemis-server/src/test/resources/login.config

@@ -235,8 +235,9 @@ OIDCLogin {
         identityPaths=sub
         // comma-separated "json paths" to JWT fields with the roles of the caller
         rolesPaths="realm_access.roles"
-        // Whether the token should contain cnf/x5t#256 claim according RFC 8705 (requires mTLS enabled)
-        // defaults to false, unless the token contains cnf/x5t#256 - then it's treated as enabled
+        // Enforces cnf/x5t#256 claim validation according to RFC 8705 (requires mTLS enabled)
+        // defaults to false, unless the token contains cnf/x5t#256 - then the validation
+        // is performed regardless of this option's value
         requireOAuth2MTLS=false
 
         // these use defaults values:

docs/user-manual/security.adoc

@@ -1309,9 +1309,14 @@ arrays or whitespace-separated strings) used as _user roles_ (translated into `o
 There's no default value. For Keycloak OpenID Connect provider it could be for example `realm_access.roles`.
 
 requireOAuth2MTLS::
-This option adds extra layer of security and enables https://datatracker.ietf.org/doc/html/rfc8705[OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens]. With this option enabled, JWT tokens must include `cnf/x5t#256` claim which contains
-a SHA256 digest of client's X.509 certificate. This certificate should match a certificate from TLS layer and requires enabled mTLS at the broker level. +
-Defaults to `false`. But when the token is sent with `cnf/x5t#256`, the option is ignored and treated as enabled.
+This option adds extra layer of security and enforces https://datatracker.ietf.org/doc/html/rfc8705[OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens]. +
+With this option enabled, JWT tokens must include `cnf/x5t#256` claim which contains
+a SHA256 digest of client's X.509 certificate. This certificate should match a certificate from TLS layer and requires mTLS
+being enabled at the broker level. +
+This mechanism protects against token stealing, making the tokens valid only in the
+context of mTLS connection with a matching certificate. +
+Defaults to `false`. But when the JWT token is sent with `cnf/x5t#256` claim, the validation is performed regardless of this
+option's value.
 
 === SCRAM-SHA SASL Mechanism