Merge pull request #70 from privacyidea/69-reuse-saved-jwt-auth-token-until-it-expire-1

69 reuse saved jwt auth token until it expire 1

Author: lukasmatusiewicz

.github/workflows/build.yml

@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Setup Java Development Kits
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: 17
         distribution: microsoft

pom.xml

@@ -115,5 +115,10 @@
             <version>2.0.5</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.4.0</version>
+        </dependency>
     </dependencies>
 </project>

src/main/java/org/privacyidea/AsyncRequestCallable.java

@@ -22,7 +22,6 @@
 import org.jetbrains.annotations.NotNull;
 
 import java.io.IOException;
-import java.util.Collections;
 import java.util.Map;
 import java.util.concurrent.Callable;
 import java.util.concurrent.CountDownLatch;
@@ -35,7 +34,7 @@
  */
 public class AsyncRequestCallable implements Callable<String>, Callback
 {
-    private String path;
+    private final String path;
     private final String method;
     private final Map<String, String> headers;
     private final Map<String, String> params;
@@ -63,32 +62,8 @@ public String call() throws Exception
         // If an auth token is required for the request, get that first then do the actual request
         if (this.authTokenRequired)
         {
-            if (!privacyIDEA.serviceAccountAvailable())
-            {
-                privacyIDEA.error("Service account is required to retrieve auth token!");
-                return null;
-            }
-            latch = new CountDownLatch(1);
-            String tmpPath = path;
-            path = ENDPOINT_AUTH;
-            endpoint.sendRequestAsync(ENDPOINT_AUTH, privacyIDEA.serviceAccountParam(), Collections.emptyMap(), PIConstants.POST, this);
-            if (!latch.await(30, TimeUnit.SECONDS))
-            {
-                privacyIDEA.error("Latch timed out...");
-                return "";
-            }
-            // Extract the auth token from the response
-            String response = callbackResult[0];
-            String authToken = privacyIDEA.parser.extractAuthToken(response);
-            if (authToken == null)
-            {
-                // The parser already logs the error.
-                return null;
-            }
-            // Add the auth token to the header
-            headers.put(PIConstants.HEADER_AUTHORIZATION, authToken);
-            path = tmpPath;
-            callbackResult[0] = null;
+            // Wait for the auth token to be retrieved and add it to the header
+            headers.put(PIConstants.HEADER_AUTHORIZATION, privacyIDEA.getJWT());
         }
 
         // Do the actual request

src/main/java/org/privacyidea/Endpoint.java

@@ -37,7 +37,7 @@
 /**
  * This class handles sending requests to the server.
  */
-class Endpoint
+public class Endpoint
 {
     private final PrivacyIDEA privacyIDEA;
     private final PIConfig piConfig;

src/main/java/org/privacyidea/JSONParser.java

@@ -18,10 +18,7 @@
 
 import com.google.gson.*;
 
-import java.util.ArrayList;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import static org.privacyidea.PIConstants.*;
 
@@ -66,9 +63,9 @@ public String formatJson(String json)
      * Extract the auth token from the response of the server.
      *
      * @param serverResponse response of the server
-     * @return the auth token or null if error
+     * @return the AuthToken obj or null if error
      */
-    String extractAuthToken(String serverResponse)
+    LinkedHashMap<String, String> extractAuthToken(String serverResponse)
     {
         if (serverResponse != null && !serverResponse.isEmpty())
         {
@@ -78,11 +75,21 @@ String extractAuthToken(String serverResponse)
                 try
                 {
                     JsonObject obj = root.getAsJsonObject();
-                    return obj.getAsJsonObject(RESULT).getAsJsonObject(VALUE).getAsJsonPrimitive(TOKEN).getAsString();
+                    String authToken = obj.getAsJsonObject(RESULT).getAsJsonObject(VALUE).getAsJsonPrimitive(TOKEN).getAsString();
+                    var parts = authToken.split("\\.");
+                    String dec = new String(Base64.getDecoder().decode(parts[1]));
+
+                    // Extract the expiration date from the token
+                    int respDate = obj.getAsJsonPrimitive(TIME).getAsInt();
+                    int expDate = JsonParser.parseString(dec).getAsJsonObject().getAsJsonPrimitive(EXP).getAsInt();
+                    int difference = expDate - respDate;
+                    privacyIDEA.log("JWT Validity: " + difference / 60 + " minutes. Token expires at: " + new Date(expDate * 1000L));
+
+                    return new LinkedHashMap<>(Map.of(AUTH_TOKEN, authToken, AUTH_TOKEN_EXP, String.valueOf(expDate)));
                 }
                 catch (Exception e)
                 {
-                    privacyIDEA.error("Response did not contain an authorization token: " + formatJson(serverResponse));
+                    privacyIDEA.error("Auth token extraction failed: " + e);
                 }
             }
         }
@@ -232,7 +239,7 @@ else if ("interactive".equals(modeFromResponse))
 
                     if (TOKEN_TYPE_WEBAUTHN.equals(type))
                     {
-                        String webauthnSignRequest = getItemFromAttributes(WEBAUTHN_SIGN_REQUEST, challenge);
+                        String webauthnSignRequest = getItemFromAttributes(challenge);
                         response.multiChallenge.add(new WebAuthn(serial, message, clientMode, image, transactionID, webauthnSignRequest));
                     }
                     else
@@ -263,13 +270,13 @@ static String mergeWebAuthnSignRequest(WebAuthn webauthn, List<String> arr) thro
         return signRequest.toString();
     }
 
-    private String getItemFromAttributes(String item, JsonObject jsonObject)
+    private String getItemFromAttributes(JsonObject jsonObject)
     {
         String ret = "";
         JsonElement attributeElement = jsonObject.get(ATTRIBUTES);
         if (attributeElement != null && !attributeElement.isJsonNull())
         {
-            JsonElement requestElement = attributeElement.getAsJsonObject().get(item);
+            JsonElement requestElement = attributeElement.getAsJsonObject().get(PIConstants.WEBAUTHN_SIGN_REQUEST);
             if (requestElement != null && !requestElement.isJsonNull())
             {
                 ret = requestElement.toString();

src/main/java/org/privacyidea/PIConstants.java

@@ -48,7 +48,11 @@ public class PIConstants
     public static final String PASSWORD = "password";
     public static final String PASS = "pass";
     public static final String SERIAL = "serial";
+    public static final String TIME = "time";
+    public static final String EXP = "exp";
     public static final String CHALLENGE_STATUS = "challenge_status";
+    public static final String AUTH_TOKEN = "authToken";
+    public static final String AUTH_TOKEN_EXP = "authTokenExp";
     public static final String TYPE = "type";
     public static final String TRANSACTION_ID = "transaction_id";
     public static final String REALM = "realm";

src/main/java/org/privacyidea/PIResponse.java

@@ -23,7 +23,8 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
-import static org.privacyidea.PIConstants.*;
+import static org.privacyidea.PIConstants.TOKEN_TYPE_PUSH;
+import static org.privacyidea.PIConstants.TOKEN_TYPE_WEBAUTHN;
 
 /**
  * This class parses the JSON response of privacyIDEA into a POJO for easier access.