feat: 🎸 better introspectionr results

Introspect based on the actual token contents. Ommit userinfo from
introspection. Implement introspection part from
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-02.html.

BREAKING CHANGE: Requires db update (see v12.0.0.sql)

Author: dBucik

perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql

@@ -82,6 +82,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 CREATE TABLE IF NOT EXISTS saved_user_auth (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 	acr VARCHAR(1024),
+    auth_time BIGINT,
 	name VARCHAR(1024),
 	authenticated BOOLEAN,
     authentication_attributes VARCHAR(2048)

perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql

@@ -81,6 +81,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
     acr VARCHAR(1024),
+    auth_time BIGINT DEFAULT NULL,
     name VARCHAR(1024),
     authenticated BOOLEAN,
     authentication_attributes TEXT

perun-oidc-server-webapp/src/main/resources/db/mysql/v12.0.0.sql

@@ -0,0 +1 @@
+ALTER TABLE saved_user_auth ADD auth_time BIGINT DEFAULT NULL;

perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql

@@ -82,6 +82,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGSERIAL PRIMARY KEY,
     acr VARCHAR(1024),
+    auth_time BIGINT DEFAULT NULL,
     name VARCHAR(1024),
     authenticated BOOLEAN,
     authentication_attributes TEXT

perun-oidc-server-webapp/src/main/resources/db/psql/v12.0.0.sql

@@ -0,0 +1 @@
+ALTER TABLE saved_user_auth ADD COLUMN auth_time BIGINT DEFAULT NULL;

perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -442,11 +442,6 @@
 		<property name="perunUserInfoService" ref="userInfoService"/>
 	</bean>
 
-	<bean id="introspectionResultAssembler" class="cz.muni.ics.oidc.server.PerunIntrospectionResultAssembler" primary="true">
-		<constructor-arg name="configBean" ref="configBean"/>
-		<constructor-arg name="translator" ref="scopeClaimTranslator"/>
-	</bean>
-
 	<bean id="perunOidcConfig" class="cz.muni.ics.oidc.server.configurations.PerunOidcConfig">
 		<property name="rpcEnabled" value="${perun.rpc.enabled}"/>
 		<property name="rpcUrl" value="${perun.rpc.url}"/>

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/SavedUserAuthentication.java

@@ -21,6 +21,7 @@
 import cz.muni.ics.oidc.saml.SamlPrincipal;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.stream.Collectors;
 import javax.persistence.Basic;
 import javax.persistence.CollectionTable;
@@ -42,13 +43,16 @@
 import lombok.Setter;
 import lombok.ToString;
 import org.eclipse.persistence.annotations.CascadeOnDelete;
+import org.joda.time.DateTime;
+import org.joda.time.format.ISODateTimeFormat;
 import org.opensaml.saml2.core.AuthnContext;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnStatement;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 import org.springframework.security.saml.SAMLCredential;
+import org.springframework.util.StringUtils;
 
 /**
  * This class stands in for an original Authentication object.
@@ -90,6 +94,9 @@ public class SavedUserAuthentication implements Authentication {
 	@Column(name = "acr")
 	private String acr;
 
+	@Column(name = "auth_time")
+	private Long authTime = null;
+
 	@Column(name = "authentication_attributes")
 	@Convert(converter = SamlAuthenticationDetailsStringConverter.class)
 	private SamlAuthenticationDetails authenticationDetails;
@@ -100,8 +107,9 @@ public SavedUserAuthentication(Authentication src) {
 		setAuthenticated(src.isAuthenticated());
 		if (src instanceof SavedUserAuthentication) {
 			SavedUserAuthentication source = (SavedUserAuthentication) src;
-			this.setAcr(source.getAcr());
-			this.setAuthenticationDetails(source.getAuthenticationDetails());
+			this.setAcr(source.acr);
+			this.setAuthTime(source.authTime);
+			this.setAuthenticationDetails(source.authenticationDetails);
 		} else if (src instanceof ExpiringUsernameAuthenticationToken) {
 			ExpiringUsernameAuthenticationToken token = (ExpiringUsernameAuthenticationToken) src;
 			SAMLCredential credential = ((SamlPrincipal) token.getPrincipal()).getSamlCredential();
@@ -113,6 +121,8 @@ public SavedUserAuthentication(Authentication src) {
 					.map(AuthnContextClassRef::getAuthnContextClassRef)
 					.collect(Collectors.joining())
 			);
+			this.setAuthTime(credential.getAuthenticationAssertion()
+					.getAuthnStatements().get(0).getAuthnInstant().getMillis());
 			this.setAuthenticationDetails(new SamlAuthenticationDetails(credential));
 		}
 	}

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/IntrospectionResultAssembler.java

@@ -28,35 +28,40 @@
  */
 public interface IntrospectionResultAssembler {
 
-	String TOKEN_TYPE = "token_type";
+	String ACTIVE = "active";
+	String SCOPE = "scope";
 	String CLIENT_ID = "client_id";
-	String USER_ID = "user_id";
-	String SUB = "sub";
+	String USERNAME = "username";
+	String TOKEN_TYPE = "token_type";
 	String EXP = "exp";
-	String EXPIRES_AT = "expires_at";
+	String IAT = "iat";
+	String NBF = "nbf";
+	String SUB = "sub";
+	String AUD = "aud";
+	String ISS = "iss";
+	String JTI = "jti";
+
+	String ACR = "acr";
+	String AUTH_TIME = "auth_time";
 	String SCOPE_SEPARATOR = " ";
-	String SCOPE = "scope";
-	String ACTIVE = "active";
-	DateFormatter dateFormat = new DateFormatter(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ"));
+
 
 	/**
 	 * Assemble a token introspection result from the given access token and user info.
 	 *
-	 * @param accessToken the access token
-	 * @param userInfo the user info
-	 * @param authScopes the scopes the client is authorized for
+	 * @param token the access token
+	 * @param introspectionRequesterScopes the scopes the client is authorized for
 	 * @return the token introspection result
 	 */
-	Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set<String> authScopes);
+	Map<String, Object> assembleFrom(OAuth2AccessTokenEntity token, Set<String> introspectionRequesterScopes);
 
 	/**
 	 * Assemble a token introspection result from the given refresh token and user info.
 	 *
-	 * @param refreshToken the refresh token
-	 * @param userInfo the user info
-	 * @param authScopes the scopes the client is authorized for
+	 * @param token the refresh token
+	 * @param introspectionRequesterScopes the scopes the client is authorized for
 	 * @return the token introspection result
 	 */
-	Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo, Set<String> authScopes);
+	Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity token, Set<String> introspectionRequesterScopes);
 
 }

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultIntrospectionResultAssembler.java

@@ -15,21 +15,35 @@
  *******************************************************************************/
 package cz.muni.ics.oauth2.service.impl;
 
-import static com.google.common.collect.Maps.newLinkedHashMap;
-
 import com.google.common.base.Joiner;
 import com.google.common.collect.Sets;
-import com.google.common.collect.Sets;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import cz.muni.ics.oauth2.model.AuthenticationHolderEntity;
+import cz.muni.ics.oauth2.model.AuthenticationStatement;
 import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
 import cz.muni.ics.oauth2.model.OAuth2RefreshTokenEntity;
+import cz.muni.ics.oauth2.model.SamlAuthenticationDetails;
+import cz.muni.ics.oauth2.model.SavedUserAuthentication;
 import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
-import cz.muni.ics.openid.connect.model.UserInfo;
-import java.text.ParseException;
-import java.util.Map;
-import java.util.Set;
 import lombok.extern.slf4j.Slf4j;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormatter;
+import org.joda.time.format.ISODateTimeFormat;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
+
+import java.sql.Timestamp;
+import java.text.ParseException;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static com.google.common.collect.Maps.newLinkedHashMap;
 
 /**
  * Default implementation of the {@link IntrospectionResultAssembler} interface.
@@ -39,81 +53,147 @@
 public class DefaultIntrospectionResultAssembler implements IntrospectionResultAssembler {
 
 	@Override
-	public Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set<String> authScopes) {
-
-		Map<String, Object> result = newLinkedHashMap();
-		OAuth2Authentication authentication = accessToken.getAuthenticationHolder().getAuthentication();
-
-		result.put(ACTIVE, true);
-
-
-		Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
-		result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
-
-		if (accessToken.getExpiration() != null) {
-			try {
-				result.put(EXPIRES_AT, dateFormat.valueToString(accessToken.getExpiration()));
-				result.put(EXP, accessToken.getExpiration().getTime() / 1000L);
-			} catch (ParseException e) {
-				log.error("Parse exception in token introspection", e);
-			}
-		}
-
-		if (userInfo != null) {
-			// if we have a UserInfo, use that for the subject
-			result.put(SUB, userInfo.getSub());
+	public Map<String, Object> assembleFrom(OAuth2AccessTokenEntity token, Set<String> introspectionRequesterScopes) {
+		AuthenticationHolderEntity authenticationHolder = token.getAuthenticationHolder();
+		OAuth2Authentication authentication = (authenticationHolder != null) ?
+				authenticationHolder.getAuthentication() : null;
+
+		Set<String> scopes = Sets.intersection(introspectionRequesterScopes, token.getScope());
+		String scope = Joiner.on(SCOPE_SEPARATOR).join(scopes);
+		Long exp = null;
+		if (token.getExpiration() != null) {
+			exp = token.getExpiration().getTime() / 1000L;
 		} else {
-			// otherwise, use the authentication's username
-			result.put(SUB, authentication.getName());
+			log.warn("WARNING - ACCESS TOKEN WITHOUT EXPIRATION DATE DETECTED ('{}')", token);
 		}
 
-		if(authentication.getUserAuthentication() != null) {
-			result.put(USER_ID, authentication.getUserAuthentication().getName());
+		String clientId = (authentication != null && authentication.getOAuth2Request() != null) ?
+				authentication.getOAuth2Request().getClientId() : null;
+		if (clientId == null) {
+			clientId = (token.getClient() != null) ? token.getClient().getClientId() : null;
 		}
 
-		result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
+		String tokenType = OAuth2AccessToken.BEARER_TYPE;
+		JWT jwtValue = token.getJwtValue();
+		String username = (authenticationHolder != null
+						   && authenticationHolder.getAuthentication() != null
+						   && authenticationHolder.getAuthentication().getUserAuthentication() != null) ?
+				authenticationHolder.getAuthentication().getUserAuthentication().getName() : null;
 
-		result.put(TOKEN_TYPE, accessToken.getTokenType());
+		Map<String, Object> result = assemble(scope, exp, username, clientId, tokenType, jwtValue, authenticationHolder);
 
+		if (!token.isExpired()) {
+			result.put(ACTIVE, true);
+		} else {
+			result.clear();
+			result.put(ACTIVE, false);
+		}
 		return result;
 	}
 
 	@Override
-	public Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo, Set<String> authScopes) {
+	public Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity token, Set<String> introspectionRequesterScopes) {
+		AuthenticationHolderEntity authenticationHolder = token.getAuthenticationHolder();
+		OAuth2Authentication authentication = (authenticationHolder != null) ?
+				authenticationHolder.getAuthentication() : null;
+		Set<String> tokenScopes = (authentication != null && authentication.getOAuth2Request() != null) ?
+				authentication.getOAuth2Request().getScope() : new HashSet<>();
+
+		Set<String> scopes = Sets.intersection(introspectionRequesterScopes, tokenScopes);
+		String scope = Joiner.on(SCOPE_SEPARATOR).join(scopes);
+		Long exp = null;
+		if (token.getExpiration() != null) {
+			exp = token.getExpiration().getTime() / 1000L;
+		} else {
+			log.warn("WARNING - REFRESH TOKEN WITHOUT EXPIRATION DATE DETECTED ('{}')", token);
+		}
 
-		Map<String, Object> result = newLinkedHashMap();
-		OAuth2Authentication authentication = refreshToken.getAuthenticationHolder().getAuthentication();
+		String clientId = (authentication != null && authentication.getOAuth2Request() != null) ?
+				authentication.getOAuth2Request().getClientId() : null;
+		String username = (authentication != null && authentication.getUserAuthentication() != null) ?
+			authentication.getUserAuthentication().getName() : null;
+		String tokenType = "refresh_token";
+		JWT jwtValue = token.getJwt();
 
-		result.put(ACTIVE, true);
+		Map<String, Object> result = assemble(scope, exp, username, clientId, tokenType, jwtValue, authenticationHolder);
 
-		Set<String> scopes = Sets.intersection(authScopes, authentication.getOAuth2Request().getScope());
+		if (!token.isExpired()) {
+			result.put(ACTIVE, true);
+		} else {
+			result.clear();
+			result.put(ACTIVE, false);
+		}
+		return result;
+	}
 
-		result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
+	private Map<String, Object> assemble(String scope,
+										 Long exp,
+										 String username,
+										 String clientId,
+										 String tokenType,
+										 JWT jwtValue,
+										 AuthenticationHolderEntity authenticationHolder)
+	{
+		Map<String, Object> result = new LinkedHashMap<>();
+		if (scope != null && !scope.isEmpty()) {
+			result.put(SCOPE, scope);
+		}
+		if (StringUtils.hasText(clientId)) {
+			result.put(CLIENT_ID, clientId);
+		}
+		if (StringUtils.hasText(tokenType)) {
+			result.put(TOKEN_TYPE, tokenType);
+		}
+		if (exp != null) {
+			result.put(EXP, exp);
+		}
+		if (StringUtils.hasText(username)) {
+			result.put(USERNAME, username);
+		}
+		if (jwtValue != null) {
+			fillDataFromJwt(jwtValue, result);
+		}
+		if (authenticationHolder != null && authenticationHolder.getUserAuth() != null) {
+			fillAcrAndAuthTime(authenticationHolder.getUserAuth(), result);
+		}
+		return result;
+	}
 
-		if (refreshToken.getExpiration() != null) {
-			try {
-				result.put(EXPIRES_AT, dateFormat.valueToString(refreshToken.getExpiration()));
-				result.put(EXP, refreshToken.getExpiration().getTime() / 1000L);
-			} catch (ParseException e) {
-				log.error("Parse exception in token introspection", e);
+	private void fillDataFromJwt(JWT atJwt, Map<String, Object> result) {
+		try {
+			JWTClaimsSet atClaimsSet = atJwt.getJWTClaimsSet();
+			if (atClaimsSet != null) {
+				if (atClaimsSet.getIssueTime() != null) {
+					result.put(IAT, atClaimsSet.getIssueTime().getTime() / 1000L);
+				}
+				if (atClaimsSet.getNotBeforeTime() != null) {
+					result.put(NBF, atClaimsSet.getNotBeforeTime().getTime() / 1000L);
+				}
+				if (StringUtils.hasText(atClaimsSet.getSubject())) {
+					result.put(SUB, atClaimsSet.getSubject());
+				}
+				if (atClaimsSet.getAudience() != null) {
+					result.put(AUD, atClaimsSet.getAudience());
+				}
+				if (StringUtils.hasText(atClaimsSet.getIssuer())) {
+					result.put(ISS, atClaimsSet.getIssuer());
+				}
+				if (StringUtils.hasText(atClaimsSet.getJWTID())) {
+					result.put(JTI, atClaimsSet.getJWTID());
+				}
 			}
+		} catch (ParseException e) {
+			log.warn("Caught exception while introspecting token and parsing JWT value '{}'", atJwt, e);
 		}
+	}
 
-
-		if (userInfo != null) {
-			// if we have a UserInfo, use that for the subject
-			result.put(SUB, userInfo.getSub());
-		} else {
-			// otherwise, use the authentication's username
-			result.put(SUB, authentication.getName());
+	private void fillAcrAndAuthTime(SavedUserAuthentication savedUserAuthentication, Map<String, Object> result) {
+		if (StringUtils.hasText(savedUserAuthentication.getAcr())) {
+			result.put(ACR, savedUserAuthentication.getAcr());
 		}
-
-		if(authentication.getUserAuthentication() != null) {
-			result.put(USER_ID, authentication.getUserAuthentication().getName());
+		if (savedUserAuthentication.getAuthTime() != null) {
+			result.put(AUTH_TIME, savedUserAuthentication.getAuthTime());
 		}
-
-		result.put(CLIENT_ID, authentication.getOAuth2Request().getClientId());
-
-		return result;
 	}
+
 }