Merge pull request #12083 from GihanAyesh/master

JWT decoding for both base64url and base64

components/apimgt/org.wso2.carbon.apimgt.common.gateway/src/main/java/org/wso2/carbon/apimgt/common/gateway/dto/JWTConfigurationDto.java

@@ -34,6 +34,7 @@ public class JWTConfigurationDto {
  private String jwtHeader = "X-JWT-Assertion";
  private String consumerDialectUri = "http://wso2.org/claims";
  private String signatureAlgorithm = "SHA256withRSA";
+ private String jwtDecoding = "base64";
  private boolean enableUserClaims;
  private String gatewayJWTGeneratorImpl;
  private Map<String, TokenIssuerDto> tokenIssuerDtoMap = new HashMap();
@@ -58,6 +59,7 @@ public JWTConfigurationDto(JWTConfigurationDto jwtConfigurationDto) {
  this.jwtHeader = jwtConfigurationDto.jwtHeader;
  this.consumerDialectUri = jwtConfigurationDto.consumerDialectUri;
  this.signatureAlgorithm = jwtConfigurationDto.signatureAlgorithm;
+ this.jwtDecoding = jwtConfigurationDto.jwtDecoding;
  this.enableUserClaims = jwtConfigurationDto.enableUserClaims;
  this.gatewayJWTGeneratorImpl = jwtConfigurationDto.gatewayJWTGeneratorImpl;
  this.tokenIssuerDtoMap = jwtConfigurationDto.tokenIssuerDtoMap;
@@ -140,6 +142,14 @@ public void setJwtExcludedClaims(Set<String> jwtClaims) {
  this.jwtExcludedClaims = jwtClaims;
  }
 
+ public String getJwtDecoding() {
+ return jwtDecoding;
+ }
+
+ public void setJwtDecoding(String jwtDecoding) {
+ this.jwtDecoding = jwtDecoding;
+ }
+
  public boolean isEnableUserClaims() {
 
  return enableUserClaims;

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/apikey/ApiKeyAuthenticator.java

@@ -515,7 +515,12 @@ private String generateAndRetrieveBackendJWTToken(String tokenSignature, JWTInfo
  if (token != null) {
  endUserToken = (String) token;
  String[] splitToken = ((String) token).split("\\.");
- JSONObject payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
+ JSONObject payload;
+ if (APIConstants.JwtTokenConstants.DECODING_ALGORITHM_BASE64URL.equals(jwtConfigurationDto.getJwtDecoding())) {
+ payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
+ } else {
+ payload = new JSONObject(new String(Base64.getDecoder().decode(splitToken[1])));
+ }
  long exp = payload.getLong("exp");
  long timestampSkew = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
  valid = (exp - System.currentTimeMillis() > timestampSkew);

components/apimgt/org.wso2.carbon.apimgt.gateway/src/main/java/org/wso2/carbon/apimgt/gateway/handlers/security/jwt/JWTValidator.java

@@ -290,7 +290,12 @@ private String generateAndRetrieveJWTToken(String tokenSignature, JWTInfoDto jwt
  if (token != null) {
  endUserToken = (String) token;
  String[] splitToken = ((String) token).split("\\.");
- JSONObject payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
+ JSONObject payload;
+ if (APIConstants.JwtTokenConstants.DECODING_ALGORITHM_BASE64URL.equals(jwtConfigurationDto.getJwtDecoding())) {
+ payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
+ } else {
+ payload = new JSONObject(new String(Base64.getDecoder().decode(splitToken[1])));
+ }
  long exp = payload.getLong("exp") * 1000L;
  long timestampSkew = getTimeStampSkewInSeconds() * 1000;
  valid = (exp - System.currentTimeMillis() > timestampSkew);

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIConstants.java

@@ -439,6 +439,7 @@ public final class APIConstants {
  public static final String JWT_DEFAULT_AUDIENCE = "http://org.wso2.apimgt/gateway";
  public static final String JWT_CONFIGS = "JWTConfiguration";
  public static final String JWT_HEADER = "JWTHeader";
+ public static final String JWT_DECODING = "JWTDecoding";
  public static final String ENABLE_USER_CLAIMS = "EnableUserClaims";
  public static final String BINDING_FEDERATED_USER_CLAIMS = "EnableBindingFederatedUserClaims";
  public static final String TOKEN_GENERATOR_IMPL = "JWTGeneratorImpl";
@@ -2101,6 +2102,7 @@ public static class JwtTokenConstants {
  public static final String INTERNAL_KEY_TOKEN_TYPE = "InternalKey";
  public static final String TOKEN_TYPE = "token_type";
  public static final String API_KEY_TOKEN_TYPE = "apiKey";
+ public static final String DECODING_ALGORITHM_BASE64URL = "base64url";
  }
 
  public static final String SIGNATURE_ALGORITHM_RS256 = "RS256";

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/APIManagerConfiguration.java

@@ -1608,6 +1608,11 @@ private void setJWTConfiguration(OMElement omElement) {
  if (jwtHeaderElement != null) {
  jwtConfigurationDto.setJwtHeader(jwtHeaderElement.getText());
  }
+ OMElement jwtDecoding =
+ omElement.getFirstChildWithName(new QName(APIConstants.JWT_DECODING));
+ if (jwtDecoding != null) {
+ jwtConfigurationDto.setJwtDecoding(jwtDecoding.getText());
+ }
  OMElement jwtUserClaimsElement =
  omElement.getFirstChildWithName(new QName(APIConstants.ENABLE_USER_CLAIMS));
  if (jwtUserClaimsElement != null) {

features/apimgt/org.wso2.carbon.apimgt.core.feature/src/main/resources/conf_templates/templates/repository/conf/api-manager.xml.j2

@@ -80,6 +80,14 @@
  <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
  Token generation the implementation is provided in URLSafeJWTGenerator -->
  <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
+
+ <!-- Set the JWT decoding method. Options are "base64url" or "base64". The default value is "base64". -->
+ {% if apim.jwt.decoding %}
+ <JWTDecoding>{{apim.jwt.decoding}}</JWTDecoding>
+ {% elif apim.jwt.encoding %}
+ <JWTDecoding>{{apim.jwt.encoding}}</JWTDecoding>
+ {% endif %}
+
  {% if apim.jwt.enable_tenant_based_signing is defined %}
  <EnableTenantBasedSigning>{{apim.jwt.enable_tenant_based_signing}}</EnableTenantBasedSigning>
  {% endif %}