Merge pull request #508 from kazuki-ma/channelTokenV2

Support Channel access token v2.1

Author: imasahiro

build.gradle

@@ -97,6 +97,11 @@ subprojects {
                 entry 'converter-jackson'
                 entry 'retrofit'
             }
+            dependencySet(group: 'io.jsonwebtoken', version: '0.11.1') {
+                entry 'jjwt-api'
+                entry 'jjwt-impl'
+                entry 'jjwt-jackson'
+            }
         }
     }
 

line-bot-api-client/build.gradle

@@ -52,11 +52,15 @@ dependencies {
 
     integrationTestCompileOnly 'org.projectlombok:lombok'
     integrationTestAnnotationProcessor 'org.projectlombok:lombok'
+    integrationTestImplementation 'com.google.guava:guava'
+    integrationTestImplementation 'io.jsonwebtoken:jjwt-api'
+    integrationTestImplementation 'io.jsonwebtoken:jjwt-jackson'
     integrationTestImplementation 'org.springframework.boot:spring-boot-starter-test'
     integrationTestImplementation 'org.springframework.boot:spring-boot-starter-logging'
     integrationTestImplementation 'com.fasterxml.jackson.core:jackson-core'
     integrationTestImplementation 'com.fasterxml.jackson.core:jackson-databind'
     integrationTestImplementation 'com.fasterxml.jackson.core:jackson-annotations'
     integrationTestImplementation 'com.fasterxml.jackson.module:jackson-module-parameter-names'
     integrationTestImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml'
+    integrationTestRuntime 'io.jsonwebtoken:jjwt-impl'
 }

line-bot-api-client/src/integrationTest/java/com/linecorp/bot/client/IntegrationTestSettingsLoader.java

@@ -26,7 +26,7 @@
 import com.fasterxml.jackson.module.paramnames.ParameterNamesModule;
 
 public class IntegrationTestSettingsLoader {
-    public static final URL TEST_RESOURCE = ClassLoader.getSystemResource("integration_test_settings.yml");
+    private static final URL TEST_RESOURCE = ClassLoader.getSystemResource("integration_test_settings.yml");
 
     public static IntegrationTestSettings load() throws IOException {
         // Do not run all test cases in this class when src/test/resources/integration_test_settings.yml doesn't

line-bot-api-client/src/integrationTest/java/com/linecorp/bot/client/LineOAuthClientIntegrationTest.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright 2020 LINE Corporation
+ *
+ * LINE Corporation licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.linecorp.bot.client;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.bridge.SLF4JBridgeHandler;
+import org.yaml.snakeyaml.Yaml;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.io.BaseEncoding;
+
+import com.linecorp.bot.model.oauth.IssueChannelAccessTokenResponse;
+
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.jackson.io.JacksonSerializer;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class LineOAuthClientIntegrationTest {
+    private static final URL TEST_RESOURCE = ClassLoader.getSystemResource("integration_test_settings.yml");
+
+    private LineOAuthClient target;
+    private String endpoint;
+    private String pemPrivateKey;
+    private String channelId;
+    private String channelSecret;
+    private String kid;
+
+    @Before
+    public void setUp() throws IOException {
+        Assume.assumeTrue(TEST_RESOURCE != null);
+
+        final Map<?, ?> map = new ObjectMapper()
+                .convertValue(new Yaml().load(TEST_RESOURCE.openStream()), Map.class);
+
+        endpoint = (String) map.get("endpoint");
+        target = LineOAuthClient
+                .builder()
+                .apiEndPoint(endpoint)
+                .build();
+
+        pemPrivateKey = ((String) map.get("pemPrivateKey")).replaceAll("\n", "");
+        kid = (String) map.get("kid");
+        channelId = String.valueOf(map.get("channelId"));
+        channelSecret = (String) map.get("channelSecret");
+    }
+
+    static {
+        SLF4JBridgeHandler.removeHandlersForRootLogger();
+        SLF4JBridgeHandler.install();
+    }
+
+    @Test
+    public void gwtTokenIntegrationTest() throws Exception {
+        final Map<String, Object> header = ImmutableMap.of(
+                "alg", "RS256",
+                "typ", "JWT",
+                "kid", kid
+        );
+
+        final Map<String, Object> body = ImmutableMap.of(
+                "iss", channelId,
+                "sub", channelId,
+                "aud", endpoint,
+                "exp", Instant.now().plusSeconds(10).getEpochSecond(),
+                "token_exp", Duration.ofMinutes(1).getSeconds()
+        );
+
+        byte[] bytes = BaseEncoding.base64().decode(pemPrivateKey);
+
+        KeyFactory kf = KeyFactory.getInstance("RSA");
+        PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(bytes));
+
+        String jws = Jwts.builder()
+                         .serializeToJsonWith(new JacksonSerializer(new ObjectMapper()))
+                         .setHeader(header)
+                         .setClaims(body)
+                         .signWith(privateKey, SignatureAlgorithm.RS256)
+                         .compact();
+
+        log.info("{}", jws);
+
+        // Issue
+        IssueChannelAccessTokenResponse issueChannelAccessTokenResponse =
+                target.issueChannelTokenByJWT(jws).get();
+
+        log.info("{}", issueChannelAccessTokenResponse);
+        assertThat(issueChannelAccessTokenResponse.getExpiresInSecs()).isEqualTo(60);
+
+        // Revoke
+        target.revokeChannelTokenByJWT(
+                channelId,
+                channelSecret,
+                issueChannelAccessTokenResponse.getAccessToken())
+              .get();
+    }
+}

line-bot-api-client/src/main/java/com/linecorp/bot/client/LineOAuthClient.java

@@ -35,6 +35,32 @@ static LineOAuthClientBuilder builder() {
         return new LineOAuthClientBuilder();
     }
 
+    /**
+     * Issues a channel access token. This method lets you use JWT assertion for authentication.
+     *
+     * <p>You can issue up to 30 tokens.
+     * If you reach the maximum limit, additional requests of issuing channel access tokens are blocked.
+     *
+     * @param clientAssertion A JSON Web Token the client needs to create and sign with the private key created
+     *                        when issuing an assertion signing key.
+     * @see <a href="https://developers.line.biz/en/reference/messaging-api/#issue-channel-access-token-v2-1">Issue channel access token v2.1</a>
+     */
+    CompletableFuture<IssueChannelAccessTokenResponse> issueChannelTokenByJWT(
+            String clientAssertion);
+
+    /**
+     * Revokes a channel access token.
+     *
+     * @param clientId     Channel ID
+     * @param clientSecret Channel Secret
+     * @param accessToken  Channel access token
+     * @see <a href="https://developers.line.biz/en/reference/messaging-api/#revoke-channel-access-token-v2-1">Revoke channel access token v2.1</a>
+     */
+    CompletableFuture<Void> revokeChannelTokenByJWT(
+            String clientId,
+            String clientSecret,
+            String accessToken);
+
     /**
      * Issues a short-lived channel access token. Up to 30 tokens can be issued. If the maximum is exceeded,
      * existing channel access tokens are revoked in the order of when they were first issued.

line-bot-api-client/src/main/java/com/linecorp/bot/client/LineOAuthClientImpl.java

@@ -27,6 +27,7 @@
 import com.linecorp.bot.model.objectmapper.ModelObjectMapper;
 
 import lombok.AllArgsConstructor;
+import lombok.experimental.PackagePrivate;
 import retrofit2.Call;
 import retrofit2.Callback;
 import retrofit2.Response;
@@ -35,11 +36,26 @@
  * An implementation of {@link LineOAuthClient} that issues or revokes channel access tokens.
  */
 @AllArgsConstructor
+@PackagePrivate
 class LineOAuthClientImpl implements LineOAuthClient {
     private static final ObjectMapper objectMapper = ModelObjectMapper.createNewObjectMapper();
 
     private final LineOAuthService service;
 
+    @Override
+    public CompletableFuture<IssueChannelAccessTokenResponse> issueChannelTokenByJWT(final String jwt) {
+        return toFuture(service.issueChannelTokenByJWT(
+                "client_credentials",
+                "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+                jwt));
+    }
+
+    @Override
+    public CompletableFuture<Void> revokeChannelTokenByJWT(
+            String clientId, String clientSecret, String accessToken) {
+        return toFuture(service.revokeChannelTokenByJWT(clientId, clientSecret, accessToken));
+    }
+
     @Override
     public CompletableFuture<IssueChannelAccessTokenResponse> issueChannelToken(
             IssueChannelAccessTokenRequest req) {

line-bot-api-client/src/main/java/com/linecorp/bot/client/LineOAuthService.java

@@ -21,6 +21,7 @@
 import com.linecorp.bot.model.oauth.ChannelAccessTokenException;
 import com.linecorp.bot.model.oauth.IssueChannelAccessTokenResponse;
 
+import lombok.experimental.PackagePrivate;
 import retrofit2.Call;
 import retrofit2.http.Field;
 import retrofit2.http.FormUrlEncoded;
@@ -31,7 +32,22 @@
  * <a href="https://developers.line.biz/en/reference/messaging-api/#issue-channel-access-token">document</a>
  * for detail.
  */
+@PackagePrivate
 interface LineOAuthService {
+    @POST("oauth2/v2.1/token")
+    @FormUrlEncoded
+    Call<IssueChannelAccessTokenResponse> issueChannelTokenByJWT(
+            @Field("grant_type") String grantType,
+            @Field("client_assertion_type") String clientAssertionType,
+            @Field("client_assertion") String clientAssertion);
+
+    @POST("/oauth2/v2.1/revoke")
+    @FormUrlEncoded
+    Call<Void> revokeChannelTokenByJWT(
+            @Field("client_id") String clientId,
+            @Field("client_secret") String clientSecret,
+            @Field("access_token") String accessToken);
+
     /**
      * Issues a short-lived channel access token. Up to 30 tokens can be issued. If the maximum is exceeded,
      * existing channel access tokens are revoked in the order of when they were first issued.