Changes required to support JWT tokens (CADC-14107) #269

andamian · 2025-06-12T23:38:00Z

pdowler · 2025-07-07T15:31:26Z

cadc-util/src/main/java/ca/nrc/cadc/auth/SignedToken.java

@@ -248,6 +248,25 @@ private static StringBuilder getContent(SignedToken token) {
        return sb;
    }

+    /**
+     * Checks whether a token is a CADC access token or not


"a CADC access token" -> SignedToken

also, Base64.decodeString(String) exists and could be used instead of new String... it's the same code but intended for this use case

should be catch(IllegalArgumentException ignore)

Q. Why does this handle plain text and base64-encoded test? And why is the condition different in those two cases? Aren't all SignedToken values in headers base64 encoded?

pdowler · 2025-07-07T15:43:05Z

cadc-util/src/main/java/ca/nrc/cadc/auth/TokenValidator.java

@@ -149,11 +149,14 @@ public static Subject validateTokens(Subject subject) throws NotAuthenticatedExc
                log.debug("credentials: " + credentials);

                try {
+                    if (!SignedToken.isSignedToken(credentials)) {


The logic in validateTokens could be simplified:

remove the initial if(AuthenticationUtil.TOKEN_TYPE_CADC bit entirely (and remove the deprecated constants in AuthenticationUtil and all use of them)

the if (AuthenticationUtil.AUTHORIZATION_HEADER part of where we look for SignedTokens, but now that we're only looking for one form, I would consolidate this with the subsequent if like this:

if (AuthenticationUtil.AUTHORIZATION_HEADER.equals(p.getHeaderKey())) { // split on space(s) and trim String challenge = ... String credentials = ... if (SignedToken.isSignedToken(credentials) { SignedToken validatedToken = SignedToken.parse(credentials); ... } // else: some other kind of bearer token: leave AuthorizationTokenPrincipal for additional processing }

pdowler · 2025-07-07T15:49:56Z

cadc-util/src/main/java/ca/nrc/cadc/auth/AuthenticationUtil.java

@@ -776,6 +776,9 @@ public static String getPrincipalType(Principal userID) {
        if (userID instanceof X500Principal) {
            return IdentityType.X500.getValue().toLowerCase();
        }
+        if (userID instanceof OpenIdPrincipal) {
+            return ((OpenIdPrincipal)userID).getIssuer().toExternalForm();


I recall discussing the API to /ac/users/{value}?idType={type} and that we could do this for OpenID:

/ac/users/{sub}?iss={issuer}

So I don't see why we want to have this misleading/incorrect treatment of the issuer as a type???

the AC specific code (ACIdentityManager only?) that knows about this should treat OpenIDPrincipal explicitly and call getIssuer() itself to match the query param is is going to use... or is there some reason that you think that API should really use type as the param?

Changes required to support JWT tokens

648cc5a

andamian mentioned this pull request Jun 12, 2025

Automatic user account creation with OpenID authentication (CADC-14107) opencadc/ac#179

Open

Merge branch 'main' of https://github.com/opencadc/core into CADC-14107

06271e2

andamian marked this pull request as ready for review June 27, 2025 21:49

Merge branch 'main' of https://github.com/opencadc/core into CADC-14107

26fa34a

pdowler requested changes Jul 7, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Changes required to support JWT tokens (CADC-14107) #269

Changes required to support JWT tokens (CADC-14107) #269

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Changes required to support JWT tokens (CADC-14107) #269

Are you sure you want to change the base?

Changes required to support JWT tokens (CADC-14107) #269

Uh oh!

Conversation

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!