Merge pull request #62 from authlete/feature/client-attestation

[feature] OAuth 2.0 Attestation-Based Client Authentication

Author: TakahikoKawasaki

pom.xml

@@ -12,9 +12,9 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <authlete.java.common.version>4.2</authlete.java.common.version>
-    <authlete.java.jaxrs.version>2.70</authlete.java.jaxrs.version>
-    <authlete.cbor.version>1.14</authlete.cbor.version>
+    <authlete.java.common.version>4.3</authlete.java.common.version>
+    <authlete.java.jaxrs.version>2.79</authlete.java.jaxrs.version>
+    <authlete.cbor.version>1.18</authlete.cbor.version>
     <javax.servlet-api.version>3.0.1</javax.servlet-api.version>
     <jersey.version>2.30.1</jersey.version>
     <jetty.version>9.4.27.v20200227</jetty.version>

src/main/java/com/authlete/jaxrs/server/api/PushedAuthReqEndpoint.java

@@ -86,6 +86,11 @@ private Params buildParams(
         // Even the call of the setHtm(String) method can be omitted, too.
         // When "htm" is not set, "POST" is used as the default value.
 
+        // OAuth 2.0 Attestation-Based Client Authentication
+        params.setClientAttestation(   request.getHeader("OAuth-Client-Attestation"))
+              .setClientAttestationPop(request.getHeader("OAuth-Client-Attestation-PoP"))
+              ;
+
         return params;
     }
 }

src/main/java/com/authlete/jaxrs/server/api/RevocationEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Authlete, Inc.
+ * Copyright (C) 2016-2024 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,24 +17,27 @@
 package com.authlete.jaxrs.server.api;
 
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
-import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
+import com.authlete.common.api.AuthleteApi;
 import com.authlete.common.api.AuthleteApiFactory;
 import com.authlete.jaxrs.BaseRevocationEndpoint;
+import com.authlete.jaxrs.RevocationRequestHandler.Params;
 
 
 /**
  * An implementation of revocation endpoint (<a href=
- * "http://tools.ietf.org/html/rfc7009">RFC 7009</a>).
+ * "https://www.rfc-editor.org/rfc/rfc7009.html">RFC 7009</a>).
  *
- * @see <a href="http://tools.ietf.org/html/rfc7009"
- *      >RFC 7009, OAuth 2.0 Token Revocation</a>
+ * @see <a href="https://www.rfc-editor.org/rfc/rfc7009.html"
+ *      >RFC 7009: OAuth 2.0 Token Revocation</a>
  *
  * @author Takahiko Kawasaki
  */
@@ -44,16 +47,46 @@ public class RevocationEndpoint extends BaseRevocationEndpoint
     /**
      * The revocation endpoint for {@code POST} method.
      *
-     * @see <a href="http://tools.ietf.org/html/rfc7009#section-2.1"
+     * @see <a href="https://www.rfc-editor.org/rfc/rfc7009.html#section-2.1"
      *      >RFC 7009, 2.1. Revocation Request</a>
      */
     @POST
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response post(
-            @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
+            @Context HttpServletRequest request,
             MultivaluedMap<String, String> parameters)
     {
+        // Authlete API
+        AuthleteApi authleteApi = AuthleteApiFactory.getDefaultApi();
+
+        // Parameters for Authlete's /auth/revocation API
+        Params params = buildParams(request, parameters);
+
         // Handle the revocation request.
-        return handle(AuthleteApiFactory.getDefaultApi(), parameters, authorization);
+        return handle(authleteApi, params);
+    }
+
+
+    private Params buildParams(
+            HttpServletRequest request, MultivaluedMap<String, String> parameters)
+    {
+        Params params = new Params();
+
+        // RFC 6749
+        // The OAuth 2.0 Authorization Framework
+        params.setParameters(parameters)
+              .setAuthorization(request.getHeader(HttpHeaders.AUTHORIZATION))
+              ;
+
+        // MTLS
+        // RFC 8705 : OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
+        params.setClientCertificatePath(extractClientCertificateChain(request));
+
+        // OAuth 2.0 Attestation-Based Client Authentication
+        params.setClientAttestation(   request.getHeader("OAuth-Client-Attestation"))
+              .setClientAttestationPop(request.getHeader("OAuth-Client-Attestation-PoP"))
+              ;
+
+        return params;
     }
 }

src/main/java/com/authlete/jaxrs/server/api/TokenEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2020 Authlete, Inc.
+ * Copyright (C) 2016-2024 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -139,6 +139,11 @@ private Params buildParams(
         // Even the call of the setHtm(String) method can be omitted, too.
         // When "htm" is not set, "POST" is used as the default value.
 
+        // OAuth 2.0 Attestation-Based Client Authentication
+        params.setClientAttestation(   request.getHeader("OAuth-Client-Attestation"))
+              .setClientAttestationPop(request.getHeader("OAuth-Client-Attestation-PoP"))
+              ;
+
         return params;
     }
 

src/main/java/com/authlete/jaxrs/server/api/backchannel/BackchannelAuthenticationEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2019 Authlete, Inc.
+ * Copyright (C) 2019-2024 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,21 +19,22 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
-import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
+import com.authlete.common.api.AuthleteApi;
 import com.authlete.common.api.AuthleteApiFactory;
+import com.authlete.jaxrs.BackchannelAuthenticationRequestHandler.Params;
 import com.authlete.jaxrs.BaseBackchannelAuthenticationEndpoint;
 
 
 /**
- *  An implementation of backchannel authentication endpoint of CIBA (Client Initiated
- *  Backchannel Authentication).
+ * An implementation of backchannel authentication endpoint of CIBA (Client Initiated
+ * Backchannel Authentication).
  *
  * @author Hideki Ikeda
  */
@@ -46,15 +47,41 @@ public class BackchannelAuthenticationEndpoint extends BaseBackchannelAuthentica
     @POST
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response post(
-            @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
-            MultivaluedMap<String, String> parameters,
-            @Context HttpServletRequest request)
+            @Context HttpServletRequest request,
+            MultivaluedMap<String, String> parameters)
     {
-        String[] clientCertificates = extractClientCertificateChain(request);
+        // Authlete API
+        AuthleteApi authleteApi = AuthleteApiFactory.getDefaultApi();
+
+        // Parameters for Authlete's /backchannel/authentication API
+        Params params = buildParams(request, parameters);
 
         // Handle the backchannel authentication request.
-        return handle(AuthleteApiFactory.getDefaultApi(),
-                new BackchannelAuthenticationRequestHandlerSpiImpl(), parameters,
-                authorization, clientCertificates);
+        return handle(authleteApi,
+                new BackchannelAuthenticationRequestHandlerSpiImpl(), params);
+    }
+
+
+    private Params buildParams(
+            HttpServletRequest request, MultivaluedMap<String, String> parameters)
+    {
+        Params params = new Params();
+
+        // RFC 6749
+        // The OAuth 2.0 Authorization Framework
+        params.setParameters(parameters)
+              .setAuthorization(request.getHeader(HttpHeaders.AUTHORIZATION))
+              ;
+
+        // MTLS
+        // RFC 8705 : OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
+        params.setClientCertificatePath(extractClientCertificateChain(request));
+
+        // OAuth 2.0 Attestation-Based Client Authentication
+        params.setClientAttestation(   request.getHeader("OAuth-Client-Attestation"))
+              .setClientAttestationPop(request.getHeader("OAuth-Client-Attestation-PoP"))
+              ;
+
+        return params;
     }
 }

src/main/java/com/authlete/jaxrs/server/api/device/DeviceAuthorizationEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2019 Authlete, Inc.
+ * Copyright (C) 2019-2024 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,22 +19,26 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
-import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
+import com.authlete.common.api.AuthleteApi;
 import com.authlete.common.api.AuthleteApiFactory;
 import com.authlete.jaxrs.BaseDeviceAuthorizationEndpoint;
+import com.authlete.jaxrs.DeviceAuthorizationRequestHandler.Params;
 
 
 /**
  * An implementation of device authorization endpoint of OAuth 2.0 Device Authorization
  * Grant (Device Flow).
  *
+ * @see <a href="https://www.rfc-editor.org/rfc/rfc8628.html"
+ *      >RFC 8628: OAuth 2.0 Device Authorization Grant</a>
+ *
  * @author Hideki Ikeda
  */
 @Path("/api/device/authorization")
@@ -46,14 +50,40 @@ public class DeviceAuthorizationEndpoint extends BaseDeviceAuthorizationEndpoint
     @POST
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response post(
-            @HeaderParam(HttpHeaders.AUTHORIZATION) String authorization,
-            MultivaluedMap<String, String> parameters,
-            @Context HttpServletRequest request)
+            @Context HttpServletRequest request,
+            MultivaluedMap<String, String> parameters)
     {
-        String[] clientCertificates = extractClientCertificateChain(request);
+        // Authlete API
+        AuthleteApi authleteApi = AuthleteApiFactory.getDefaultApi();
+
+        // Parameters for Authlete's /device/authorization API
+        Params params = buildParams(request, parameters);
 
         // Handle the device authorization request.
-        return handle(AuthleteApiFactory.getDefaultApi(), parameters, authorization,
-                clientCertificates);
+        return handle(authleteApi, params);
+    }
+
+
+    private Params buildParams(
+            HttpServletRequest request, MultivaluedMap<String, String> parameters)
+    {
+        Params params = new Params();
+
+        // RFC 6749
+        // The OAuth 2.0 Authorization Framework
+        params.setParameters(parameters)
+              .setAuthorization(request.getHeader(HttpHeaders.AUTHORIZATION))
+              ;
+
+        // MTLS
+        // RFC 8705 : OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
+        params.setClientCertificatePath(extractClientCertificateChain(request));
+
+        // OAuth 2.0 Attestation-Based Client Authentication
+        params.setClientAttestation(   request.getHeader("OAuth-Client-Attestation"))
+              .setClientAttestationPop(request.getHeader("OAuth-Client-Attestation-PoP"))
+              ;
+
+        return params;
     }
 }