fix: use numeric JWT claims instead of ISO-8601

Author: paullatzelsperger

core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/ExpirationIssuedAtValidationRuleTest.java

@@ -19,7 +19,6 @@
 import org.eclipse.edc.token.spi.TokenValidationRule;
 import org.junit.jupiter.api.Test;
 
-import java.sql.Date;
 import java.time.Clock;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -39,7 +38,7 @@ class ExpirationIssuedAtValidationRuleTest {
     @Test
     void validationOk() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.plusSeconds(600)))
+                .claim(EXPIRATION_TIME, now.plusSeconds(600).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -50,7 +49,7 @@ void validationOk() {
     @Test
     void validationKoBecauseExpirationTimeNotRespected() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.minusSeconds(10)))
+                .claim(EXPIRATION_TIME, now.minusSeconds(10).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -85,8 +84,8 @@ void validationKoBecauseExpirationTimeNotProvided_doesNotAllowNull() {
     @Test
     void validationKoBecauseIssuedAtAfterExpires() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.plusSeconds(60)))
-                .claim(ISSUED_AT, Date.from(now.plusSeconds(65)))
+                .claim(EXPIRATION_TIME, now.plusSeconds(60).getEpochSecond())
+                .claim(ISSUED_AT, now.plusSeconds(65).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -98,8 +97,8 @@ void validationKoBecauseIssuedAtAfterExpires() {
     @Test
     void validationKoBecauseIssuedAtInFuture() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.plusSeconds(60)))
-                .claim(ISSUED_AT, Date.from(now.plusSeconds(10)))
+                .claim(EXPIRATION_TIME, now.plusSeconds(60).getEpochSecond())
+                .claim(ISSUED_AT, now.plusSeconds(10).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -113,8 +112,8 @@ void validationKoBecauseIssuedAtInFutureOutsideLeeway() {
         var rule = new ExpirationIssuedAtValidationRule(clock, 5, false);
 
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.plusSeconds(60)))
-                .claim(ISSUED_AT, Date.from(now.plusSeconds(10)))
+                .claim(EXPIRATION_TIME, now.plusSeconds(60).getEpochSecond())
+                .claim(ISSUED_AT, now.plusSeconds(10).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -128,8 +127,8 @@ void validationOkBecauseIssuedAtInFutureButWithinLeeway() {
         var rule = new ExpirationIssuedAtValidationRule(clock, 20, false);
 
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(now.plusSeconds(60)))
-                .claim(ISSUED_AT, Date.from(now.plusSeconds(10)))
+                .claim(EXPIRATION_TIME, now.plusSeconds(60).getEpochSecond())
+                .claim(ISSUED_AT, now.plusSeconds(10).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -155,8 +154,8 @@ void validationKoWithRoundedIssuedAtAndNoLeeway() {
         var rule = new ExpirationIssuedAtValidationRule(clock, 0, false);
 
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(expiresAt))
-                .claim(ISSUED_AT, Date.from(issuedAt))
+                .claim(EXPIRATION_TIME, expiresAt.getEpochSecond())
+                .claim(ISSUED_AT, expiresAt.getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -183,8 +182,8 @@ void validationOkWithRoundedIssuedAtAndMinimalLeeway() {
         var rule = new ExpirationIssuedAtValidationRule(clock, 2, false);
 
         var token = ClaimToken.Builder.newInstance()
-                .claim(EXPIRATION_TIME, Date.from(expiresAt))
-                .claim(ISSUED_AT, Date.from(issuedAt))
+                .claim(EXPIRATION_TIME, expiresAt.getEpochSecond())
+                .claim(ISSUED_AT, issuedAt.getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());

core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/NotBeforeValidationRuleTest.java

@@ -19,7 +19,6 @@
 import org.eclipse.edc.token.spi.TokenValidationRule;
 import org.junit.jupiter.api.Test;
 
-import java.sql.Date;
 import java.time.Clock;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -39,7 +38,7 @@ class NotBeforeValidationRuleTest {
     @Test
     void validNotBefore() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(NOT_BEFORE, Date.from(now.plusSeconds(notBeforeLeeway)))
+                .claim(NOT_BEFORE, now.plusSeconds(notBeforeLeeway).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());
@@ -50,7 +49,7 @@ void validNotBefore() {
     @Test
     void validationKoBecauseNotBeforeTimeNotRespected() {
         var token = ClaimToken.Builder.newInstance()
-                .claim(NOT_BEFORE, Date.from(now.plusSeconds(notBeforeLeeway + 1)))
+                .claim(NOT_BEFORE, now.plusSeconds(notBeforeLeeway + 1).getEpochSecond())
                 .build();
 
         var result = rule.checkRule(token, emptyMap());

extensions/common/iam/identity-trust/identity-trust-core/src/main/java/org/eclipse/edc/iam/identitytrust/core/DcpDefaultServicesExtension.java

@@ -36,7 +36,6 @@
 
 import java.time.Clock;
 import java.util.Map;
-import java.util.function.Consumer;
 
 import static org.eclipse.edc.spi.result.Result.success;
 
@@ -99,10 +98,4 @@ public ClaimTokenCreatorFunction defaultClaimTokenFunction() {
         };
     }
 
-    private void checkProperty(String key, String value, Consumer<String> onMissing) {
-        if (value == null) {
-            onMissing.accept("No setting found for key '%s'.".formatted(key));
-        }
-    }
-
 }

extensions/common/iam/identity-trust/identity-trust-service/src/main/java/org/eclipse/edc/iam/identitytrust/service/IdentityAndTrustService.java

@@ -110,7 +110,7 @@ public Result<TokenRepresentation> obtainClientCredentials(TokenParameters param
         }
 
         // create claims for the STS
-        var claims = new HashMap<String, String>();
+        var claims = new HashMap<String, Object>();
         parameters.getClaims().forEach((k, v) -> claims.replace(k, v.toString()));
 
         claims.putAll(Map.of(
@@ -134,12 +134,12 @@ public Result<ClaimToken> verifyJwtToken(TokenRepresentation tokenRepresentation
         var accessToken = claimToken.getStringClaim(PRESENTATION_TOKEN_CLAIM);
         var issuer = claimToken.getStringClaim(ISSUER);
 
-        var siTokenClaims = Map.of(PRESENTATION_TOKEN_CLAIM, accessToken,
-                ISSUED_AT, Instant.now().toString(),
+        Map<String, Object> siTokenClaims = Map.of(PRESENTATION_TOKEN_CLAIM, accessToken,
+                ISSUED_AT, Instant.now().getEpochSecond(),
                 AUDIENCE, issuer,
                 ISSUER, myOwnDid,
                 SUBJECT, myOwnDid,
-                EXPIRATION_TIME, Instant.now().plus(5, ChronoUnit.MINUTES).toString());
+                EXPIRATION_TIME, Instant.now().plus(5, ChronoUnit.MINUTES).getEpochSecond());
         var siToken = secureTokenService.createToken(siTokenClaims, null);
         if (siToken.failed()) {
             return siToken.mapFailure();

extensions/common/iam/identity-trust/identity-trust-sts/lib/identity-trust-sts-remote-lib/src/main/java/org/eclipse/edc/iam/identitytrust/sts/remote/RemoteSecureTokenService.java

@@ -51,13 +51,13 @@ public RemoteSecureTokenService(Oauth2Client oauth2Client, StsRemoteClientConfig
     }
 
     @Override
-    public Result<TokenRepresentation> createToken(Map<String, String> claims, @Nullable String bearerAccessScope) {
+    public Result<TokenRepresentation> createToken(Map<String, Object> claims, @Nullable String bearerAccessScope) {
         return createRequest(claims, bearerAccessScope)
                 .compose(oauth2Client::requestToken);
     }
 
     @NotNull
-    private Result<Oauth2CredentialsRequest> createRequest(Map<String, String> claims, @Nullable String bearerAccessScope) {
+    private Result<Oauth2CredentialsRequest> createRequest(Map<String, Object> claims, @Nullable String bearerAccessScope) {
 
         var secret = vault.resolveSecret(configuration.clientSecretAlias());
         if (secret != null) {

extensions/common/iam/oauth2/oauth2-client/src/main/java/org/eclipse/edc/iam/oauth2/client/Oauth2ClientImpl.java

@@ -63,7 +63,7 @@ private static FormBody createRequestBody(Oauth2CredentialsRequest request) {
         var builder = new FormBody.Builder();
         request.getParams().entrySet().stream()
                 .filter(entry -> entry.getValue() != null)
-                .forEach(entry -> builder.add(entry.getKey(), entry.getValue()));
+                .forEach(entry -> builder.add(entry.getKey(), entry.getValue().toString()));
         return builder.build();
     }
 

extensions/common/iam/oauth2/oauth2-client/src/test/java/org/eclipse/edc/iam/oauth2/client/Oauth2ClientImplTest.java

@@ -55,7 +55,7 @@ void verifyRequestTokenSuccess() {
 
         var formParameters = new Parameters(
                 request.getParams().entrySet().stream()
-                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue()))
+                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue().toString()))
                         .collect(Collectors.toList())
         );
 
@@ -75,7 +75,7 @@ void verifyRequestTokenSuccess_withExpiresIn() {
 
         var formParameters = new Parameters(
                 request.getParams().entrySet().stream()
-                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue()))
+                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue().toString()))
                         .collect(Collectors.toList())
         );
 
@@ -97,7 +97,7 @@ void verifyRequestTokenSuccess_withExpiresIn_whenNotNumber() {
 
         var formParameters = new Parameters(
                 request.getParams().entrySet().stream()
-                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue()))
+                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue().toString()))
                         .collect(Collectors.toList())
         );
 
@@ -118,7 +118,7 @@ void verifyRequestTokenSuccess_withAdditionalProperties() {
 
         var formParameters = new Parameters(
                 request.getParams().entrySet().stream()
-                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue()))
+                        .map(entry -> Parameter.param(entry.getKey(), entry.getValue().toString()))
                         .collect(Collectors.toList())
         );
 

extensions/data-plane/data-plane-http-oauth2-core/src/test/java/org/eclipse/edc/connector/dataplane/http/oauth2/Oauth2CredentialsRequestFactoryTest.java

@@ -116,7 +116,7 @@ void shouldCreatePrivateKeyRequest_whenPrivateKeyNameIsPresent() throws JOSEExce
                 })
                 .extracting(PrivateKeyOauth2CredentialsRequest::getClientAssertion)
                 .satisfies(assertion -> {
-                    var assertionToken = SignedJWT.parse(assertion);
+                    var assertionToken = SignedJWT.parse(assertion.toString());
                     var now = clock.instant().truncatedTo(ChronoUnit.SECONDS);
                     assertThat(assertionToken.verify(new RSASSAVerifier(keyPair.toRSAPublicKey()))).isTrue();
                     assertThat(assertionToken.getJWTClaimsSet().getClaims())

extensions/data-plane/data-plane-iam/src/main/java/org/eclipse/edc/connector/dataplane/iam/service/DataPlaneAuthorizationServiceImpl.java

@@ -140,7 +140,7 @@ private TokenParameters createTokenParams(DataFlowStartMessage message) {
                 .claims(JwtRegisteredClaimNames.AUDIENCE, message.getParticipantId())
                 .claims(JwtRegisteredClaimNames.ISSUER, ownParticipantId)
                 .claims(JwtRegisteredClaimNames.SUBJECT, ownParticipantId)
-                .claims(JwtRegisteredClaimNames.ISSUED_AT, clock.instant().toEpochMilli()) // todo: milli or second?
+                .claims(JwtRegisteredClaimNames.ISSUED_AT, clock.instant().getEpochSecond())
                 .build();
     }
 

gradle/libs.versions.toml

@@ -39,6 +39,7 @@ kafkaClients = "4.0.0"
 testcontainers = "1.21.0"
 tink = "1.17.0"
 dsp-tck = "0.1.1-SNAPSHOT"
+dcp-tck = "0.1.1-SNAPSHOT"
 junit = "1.12.2"
 
 [libraries]
@@ -106,7 +107,7 @@ postgres = { module = "org.postgresql:postgresql", version.ref = "postgres" }
 kafkaClients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafkaClients" }
 jsonschema = { module = "com.networknt:json-schema-validator", version = "1.5.6" }
 
-# DCP-TCK libraries
+# DSP-TCK libraries
 dsp-tck-runtime = { module = "org.eclipse.dataspacetck.dsp:tck-runtime", version.ref = "dsp-tck" }
 dsp-tck-core = { module = "org.eclipse.dataspacetck.dsp:core", version.ref = "dsp-tck" }
 dsp-tck-api = { module = "org.eclipse.dataspacetck.dsp:dsp-api", version.ref = "dsp-tck" }
@@ -115,6 +116,12 @@ dsp-tck-contractnegotiation = { module = "org.eclipse.dataspacetck.dsp:dsp-contr
 dsp-tck-transferprocess = { module = "org.eclipse.dataspacetck.dsp:dsp-transfer-process", version.ref = "dsp-tck" }
 junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher", version.ref = "junit" }
 
+# DCP-TCK libraries
+dcp-testcases = { module = "org.eclipse.dataspacetck.dcp:dcp-testcases", version.ref = "dcp-tck" }
+dcp-tck-runtime = { module = "org.eclipse.dataspacetck.dsp:tck-runtime", version.ref = "dcp-tck" }
+dcp-system = { module = "org.eclipse.dataspacetck.dcp:dcp-system", version.ref = "dcp-tck" }
+dsp-core = { module = "org.eclipse.dataspacetck.dsp:core", version.ref = "dcp-tck" }
+
 [bundles]
 jackson = ["jackson-annotations", "jackson-databind"]
 jersey-core = ["jersey-server", "jersey-common", "jersey-jackson", "jersey-multipart", "jersey-inject", "jersey-servlet", "jersey-servletcore"]

settings.gradle.kts

@@ -340,6 +340,7 @@ include(":system-tests:bom-tests")
 include(":system-tests:dsp-compatibility-tests:connector-under-test")
 include(":system-tests:dsp-compatibility-tests:compatibility-test-runner")
 include(":system-tests:protocol-tck:tck-extension")
+include(":system-tests:dcp-tck-tests:presentation")
 
 // BOM modules ----------------------------------------------------------------
 include(":dist:bom:controlplane-base-bom")

spi/common/core-spi/src/main/java/org/eclipse/edc/spi/iam/ClaimToken.java

@@ -71,21 +71,29 @@ public List<?> getListClaim(String claimName) {
     }
 
     /**
-     * Get the date claim value by name converted to {@link Instant}
+     * Get the NumericDate claim value by name converted to {@link Instant}. The claim must be a long value.
      *
      * @param claimName the name of the claim
      * @return the claim value, null if it does not exist
      */
     public Instant getInstantClaim(String claimName) {
         return Optional.of(claims)
                 .map(it -> it.get(claimName))
-                .map(Date.class::cast)
+                .map(o -> {
+                    if (o instanceof Long epoch) {
+                        return epoch;
+                    }
+                    if (o instanceof Date d) {
+                        return d.toInstant().getEpochSecond();
+                    }
+                    return null;
+                })
                 .map(this::convertToUtcTime)
                 .orElse(null);
     }
 
-    private Instant convertToUtcTime(Date date) {
-        return date.toInstant().atOffset(UTC).toInstant();
+    private Instant convertToUtcTime(Long epochSecond) {
+        return Instant.ofEpochSecond(epochSecond).atOffset(UTC).toInstant();
     }
 
     public static class Builder {

spi/common/identity-trust-spi/src/main/java/org/eclipse/edc/iam/identitytrust/spi/SecureTokenService.java

@@ -34,6 +34,6 @@ public interface SecureTokenService {
      *                          if bearerAccessScope != null -> creates a {@code token} claim, which is another JWT containing the scope as claims.
      *                          if bearerAccessScope == null -> creates a normal JWT using all the claims in the map
      */
-    Result<TokenRepresentation> createToken(Map<String, String> claims, @Nullable String bearerAccessScope);
+    Result<TokenRepresentation> createToken(Map<String, Object> claims, @Nullable String bearerAccessScope);
 
 }

spi/common/oauth2-spi/src/main/java/org/eclipse/edc/iam/oauth2/spi/Oauth2AssertionDecorator.java

@@ -20,7 +20,6 @@
 import org.eclipse.edc.token.spi.TokenDecorator;
 
 import java.time.Clock;
-import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.UUID;
@@ -51,8 +50,8 @@ public TokenParameters.Builder decorate(TokenParameters.Builder tokenParameters)
                 .claims(ISSUER, clientId)
                 .claims(SUBJECT, clientId)
                 .claims(JWT_ID, UUID.randomUUID().toString())
-                .claims(ISSUED_AT, Date.from(clock.instant()))
-                .claims(EXPIRATION_TIME, Date.from(clock.instant().plusSeconds(validity)));
+                .claims(ISSUED_AT, clock.instant().getEpochSecond())
+                .claims(EXPIRATION_TIME, clock.instant().plusSeconds(validity).getEpochSecond());
     }
 
     public static class Builder {