Add support for JWKS decoding of JWT's

README.md

@@ -177,4 +177,6 @@ the provider settings, so you will need to clear the browser's
   * Vault login failed. Expired or missing OAuth state.
 ```
 
-
+# Decoding JWKS based tokens
+To decode JWKS based tokens, set the astral.yml "jwks_url" parameter to the 
+jwks endpoint of your auth provider.

app/lib/services/auth.rb

@@ -1,23 +1,13 @@
+require_relative "../utils/decoder_factory"
 module Services
   class Auth
     class << self
       def authenticate!(token)
-        identity = decode(token)
+        identity = DecoderFactory.get(Config).decode(token)
         raise AuthError unless identity
         # TODO verify identity with authority?
         identity
       end
-
-      private
-
-      def decode(token)
-        # Decode a JWT access token using the configured base.
-        body = JWT.decode(token, Config[:jwt_signing_key])[0]
-        Identity.new(body)
-      rescue => e
-        Rails.logger.warn "Unable to decode token: #{e}"
-        nil
-      end
     end
   end
 end

app/lib/utils/decoder_factory.rb

@@ -0,0 +1,23 @@
+require_relative "secret_decoder"
+require_relative "jwks_decoder"
+class DecoderFactory
+  cattr_reader :decoders
+  class << self
+    # Any new decoders should be added here:
+    @@decoders = [ JwksDecoder.new(Config[:jwks_url]),
+                   SecretDecoder.new(Config[:jwt_signing_key]) ]
+
+    def get(config)
+      configured_decoders = getConfiguredDecoders(config)
+      if configured_decoders.length != 1
+        raise "Exactly one decoder must be configured"
+      end
+      configured_decoders[0]
+    end
+
+    private
+    def getConfiguredDecoders(config)
+      decoders.filter { |c| c.configured?(config) }
+    end
+  end
+end

app/lib/utils/jwks_decoder.rb

@@ -0,0 +1,38 @@
+require "open-uri"
+class JwksDecoder
+  def initialize(url)
+    @url = url
+  end
+
+  def configured?(config)
+    !@url.nil?
+  end
+
+  # Decode a JWT token signed with JWKS
+  def decode(token)
+    jwks = get_jwks_keyset_from_configured_url
+    jwks = filter_out_non_signing_keys(jwks)
+    body = JWT.decode(token, nil, true,
+                      algorithms: get_algorithms_from_keyset(jwks),
+                      jwks: jwks)[0]
+    Identity.new(body)
+  rescue => e
+    Rails.logger.warn "Unable to decode token: #{e}"
+    nil
+  end
+
+  private
+
+  def get_jwks_keyset_from_configured_url
+    jwks_json = URI.open(@url) { |f| f.read }
+    JWT::JWK::Set.new(JSON.parse(jwks_json))
+  end
+
+  def filter_out_non_signing_keys(jwks)
+    jwks.filter { |k| k[:use] == "sig" }
+  end
+
+  def get_algorithms_from_keyset(jwks)
+    jwks.map { |k| k[:alg] }.compact.uniq
+  end
+end

app/lib/utils/secret_decoder.rb

@@ -0,0 +1,18 @@
+class SecretDecoder
+  def initialize(secret)
+    @secret = secret
+  end
+
+  def configured?(config)
+    !@secret.nil?
+  end
+
+  def decode(token)
+    # Decode a JWT access token using the configured base.
+    body = JWT.decode(token, Config[:jwt_signing_key])[0]
+    Identity.new(body)
+  rescue => e
+    Rails.logger.warn "Unable to decode token: #{e}"
+    nil
+  end
+end

config/astral.yml

@@ -18,6 +18,9 @@ shared:
 
   jwt_signing_key:
 
+  # define this to allow jwks decoding of JWT's
+  jwks_url:
+
   # When using AppRegistry for Domain Ownership information
   app_registry_addr:
   app_registry_token:

test/lib/utils/decoder_factory_test.rb

@@ -0,0 +1,30 @@
+require "test_helper"
+require_relative "../../../app/lib/utils/decoder_factory"
+
+class DecoderFactoryTest < ActiveSupport::TestCase
+  test ".get returns configured decoder" do
+    decoders = [ UnconfiguredDecoder.new, ConfiguredDecoder.new ]
+    DecoderFactory.stub :decoders, decoders do
+      decoder = DecoderFactory.get({})
+      assert decoder.instance_of?(ConfiguredDecoder)
+    end
+  end
+
+  test ".get recognizes invalid config" do
+    decoders = [ ConfiguredDecoder.new, ConfiguredDecoder.new ]
+    DecoderFactory.stub :decoders, decoders do
+      assert_raises(
+        RuntimeError, "Exactly one decoder must be configured") do
+        decoder = DecoderFactory.get({})
+      end
+    end
+  end
+
+  class ConfiguredDecoder
+    def configured?(c) = true
+  end
+
+  class UnconfiguredDecoder
+    def configured?(c) = false
+  end
+end

test/lib/utils/jwks_decoder_test.rb

@@ -0,0 +1,40 @@
+require "test_helper"
+require "jwt"
+require "openssl"
+require "json"
+require "tempfile"
+require_relative "../../../app/lib/utils/jwks_decoder"
+
+class JwksDecoderTest < ActiveSupport::TestCase
+  test ".decode returns correct identity" do
+    jwk = generate_jwks_signing_key
+    token = generate_jwks_token(jwk)
+    keyset_path = generate_jwks_keyset(jwk)
+
+    identity = JwksDecoder.new(keyset_path).decode(token)
+    assert_equal "john.doe@example.com", identity.sub
+    assert_equal "astral", identity.aud
+  end
+
+  private
+
+  def generate_jwks_signing_key
+    optional_parameters = { kid: "1", use: "sig", alg: "RS256" }
+    jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
+  end
+
+  def generate_jwks_token(jwk)
+    payload = { "sub"=>"john.doe@example.com", "name"=>"John Doe", "iat"=>1516239022,
+               "groups"=>[ "group1", "group2" ], "aud"=>"astral" }
+
+    JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid])
+  end
+
+  def generate_jwks_keyset(jwk)
+    jwks_hash = JWT::JWK::Set.new(jwk).export
+    f = Tempfile.new
+    f.write(JSON.pretty_generate(jwks_hash))
+    f.close
+    f.path
+  end
+end

test/lib/utils/secret_decoder_test.rb

@@ -0,0 +1,11 @@
+require "test_helper"
+require_relative "../../../app/lib/utils/secret_decoder"
+
+class SecretDecoderTest < ActiveSupport::TestCase
+  test ".decode returns correct identity" do
+    identity = SecretDecoder.new(Config[:jwt_signing_key]).
+                 decode(jwt_authorized)
+    assert_equal "john.doe@example.com", identity.sub
+    assert_equal "astral", identity.aud
+  end
+end