Support Paseto tokens

gradle/libs.versions.toml

@@ -12,7 +12,7 @@ unboundid-ldapsdk = "6.0.8"
 bouncycastle = "1.70"
 kotlin = "1.8.21"
 bcpkix = "1.70"
-
+jpaseto="0.7.0"
 micronaut-test = "4.0.0-M3"
 micronaut-multitenancy = "5.0.0-M2"
 micronaut-reactor = "3.0.0-M1"
@@ -33,6 +33,11 @@ micronaut-session = { module = "io.micronaut.session:micronaut-session-bom", ver
 micronaut-views = { module = "io.micronaut.views:micronaut-views-bom", version.ref = "micronaut-views" }
 micronaut-validation = { module = "io.micronaut.validation:micronaut-validation-bom", version.ref = "micronaut-validation" }
 
+managed-jpaseto-api = { module = "dev.paseto:jpaseto-api", version.ref = "jpaseto" }
+managed-jpaseto-bouncy-castle = { module = "dev.paseto:jpaseto-bouncy-castle", version.ref = "jpaseto" }
+managed-jpaseto-impl = { module = "dev.paseto:jpaseto-impl", version.ref = "jpaseto" }
+managed-jpaseto-jackson = { module = "dev.paseto:jpaseto-jackson", version.ref = "jpaseto" }
+
 managed-nimbus-jose-jwt = { module = "com.nimbusds:nimbus-jose-jwt", version.ref = "managed-nimbus-jose-jwt" }
 geb-spock = { module = "org.gebish:geb-spock", version.ref = "geb" }
 junit-jupiter-api = { module = "org.junit.jupiter:junit-jupiter-api" }

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/JwtTokenGenerator.java

@@ -21,9 +21,9 @@
 import com.nimbusds.jwt.PlainJWT;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.claims.ClaimsGenerator;
 import io.micronaut.security.token.generator.TokenGenerator;
 import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
-import io.micronaut.security.token.jwt.generator.claims.ClaimsGenerator;
 import io.micronaut.security.token.jwt.signature.SignatureGeneratorConfiguration;
 import jakarta.inject.Named;
 import jakarta.inject.Singleton;

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/claims/JWTClaimsSetGenerator.java

@@ -20,6 +20,10 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.runtime.ApplicationConfiguration;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.Claims;
+import io.micronaut.security.token.claims.ClaimsAudienceProvider;
+import io.micronaut.security.token.claims.ClaimsGenerator;
+import io.micronaut.security.token.claims.JtiGenerator;
 import io.micronaut.security.token.config.TokenConfiguration;
 import jakarta.inject.Singleton;
 import java.time.Instant;
@@ -43,7 +47,7 @@ public class JWTClaimsSetGenerator implements ClaimsGenerator {
     private static final String ROLES_KEY = "rolesKey";
 
     private final TokenConfiguration tokenConfiguration;
-    private final JwtIdGenerator jwtIdGenerator;
+    private final JtiGenerator jwtIdGenerator;
     private final ClaimsAudienceProvider claimsAudienceProvider;
     private final String appName;
 
@@ -54,7 +58,7 @@ public class JWTClaimsSetGenerator implements ClaimsGenerator {
      * @param applicationConfiguration The application configuration
      */
     public JWTClaimsSetGenerator(TokenConfiguration tokenConfiguration,
-                                 @Nullable JwtIdGenerator jwtIdGenerator,
+                                 @Nullable JtiGenerator jwtIdGenerator,
                                  @Nullable ClaimsAudienceProvider claimsAudienceProvider,
                                  @Nullable ApplicationConfiguration applicationConfiguration) {
         this.tokenConfiguration = tokenConfiguration;
@@ -189,7 +193,7 @@ protected void populateWithAuthentication(JWTClaimsSet.Builder builder, Authenti
     @Override
     public Map<String, Object> generateClaimsSet(Map<String, ?> oldClaims, Integer expiration) {
         JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
-        List<String> excludedClaims = Arrays.asList(JwtClaims.EXPIRATION_TIME, JwtClaims.ISSUED_AT, JwtClaims.NOT_BEFORE);
+        List<String> excludedClaims = Arrays.asList(Claims.EXPIRATION_TIME, Claims.ISSUED_AT, Claims.NOT_BEFORE);
         for (String k : oldClaims.keySet()
                 .stream()
                 .filter(p -> !excludedClaims.contains(p))

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/claims/JwtClaimsSetAdapter.java

@@ -18,15 +18,17 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
+import io.micronaut.security.token.Claims;
+
 import java.util.Set;
 
 /**
- * Adapts from {@link JWTClaimsSet} to {@link JwtClaims}.
+ * Adapts from {@link JWTClaimsSet} to {@link Claims}.
  *
  * @author Sergio del Amo
  * @since 1.1.0
  */
-public class JwtClaimsSetAdapter implements JwtClaims {
+public class JwtClaimsSetAdapter implements Claims {
 
     private final JWTClaimsSet jwtClaimsSet;
 

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/AudienceJwtClaimsValidator.java

@@ -15,14 +15,14 @@
  */
 package io.micronaut.security.token.jwt.validator;
 
+import java.util.List;
+import io.micronaut.security.token.Claims;
+import jakarta.inject.Singleton;
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
-import jakarta.inject.Singleton;
-import java.util.List;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -80,7 +80,7 @@ protected boolean validate(JWTClaimsSet claimsSet) {
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims,
+    public boolean validate(@NonNull Claims claims,
                             @Nullable HttpRequest<?> request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/DefaultJwtAuthenticationFactory.java

@@ -18,14 +18,15 @@
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.AbstractTokenAuthenticationFactory;
+import io.micronaut.security.token.MapClaims;
 import io.micronaut.security.token.RolesFinder;
 import io.micronaut.security.token.config.TokenConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import jakarta.inject.Singleton;
 import java.text.ParseException;
-import java.util.Map;
 import java.util.Optional;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * Extracts the JWT claims and uses the {@link AuthenticationJWTClaimsSetAdapter} to construction an {@link Authentication} object.
@@ -34,17 +35,18 @@
  * @since 1.1.0
  */
 @Singleton
-public class DefaultJwtAuthenticationFactory implements JwtAuthenticationFactory {
+public class DefaultJwtAuthenticationFactory extends AbstractTokenAuthenticationFactory<JWT> implements JwtAuthenticationFactory {
 
     private static final Logger LOG = LoggerFactory.getLogger(DefaultJwtAuthenticationFactory.class);
 
-    private final TokenConfiguration tokenConfiguration;
-    private final RolesFinder rolesFinder;
-
+    /**
+     *
+     * @param tokenConfiguration Token Configuration
+     * @param rolesFinder Utility to retrieve roles from token claims
+     */
     public DefaultJwtAuthenticationFactory(TokenConfiguration tokenConfiguration,
                                            RolesFinder rolesFinder) {
-        this.tokenConfiguration = tokenConfiguration;
-        this.rolesFinder = rolesFinder;
+        super(tokenConfiguration, rolesFinder);
     }
 
     @Override
@@ -54,11 +56,7 @@ public Optional<Authentication> createAuthentication(JWT token) {
             if (claimSet == null) {
                 return Optional.empty();
             }
-            Map<String, Object> attributes = claimSet.getClaims();
-            return usernameForClaims(claimSet).map(username ->
-                    Authentication.build(username,
-                            rolesFinder.resolveRoles(attributes),
-                            attributes));
+            return createAuthentication(claimSet.getClaims());
         } catch (ParseException e) {
             if (LOG.isErrorEnabled()) {
                 LOG.error("ParseException creating authentication", e);
@@ -71,13 +69,11 @@ public Optional<Authentication> createAuthentication(JWT token) {
      *
      * @param claimSet JWT Claims
      * @return the username defined by {@link TokenConfiguration#getNameKey()} ()} or the sub claim.
+     * @deprecated Use {@link AbstractTokenAuthenticationFactory#usernameForClaims(io.micronaut.security.token.Claims)} instead.
      * @throws ParseException might be thrown parsing claims
      */
+    @Deprecated
     protected Optional<String> usernameForClaims(JWTClaimsSet claimSet) throws ParseException {
-        String username = claimSet.getStringClaim(tokenConfiguration.getNameKey());
-        if (username == null) {
-            return Optional.ofNullable(claimSet.getSubject());
-        }
-        return Optional.of(username);
+        return super.usernameForClaims(new MapClaims(claimSet.getClaims()));
     }
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/ExpirationJwtClaimsValidator.java

@@ -21,11 +21,11 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.core.util.StringUtils;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
-import jakarta.inject.Singleton;
-import java.util.Date;
+import io.micronaut.security.token.Claims;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import jakarta.inject.Singleton;
+import java.util.Date;
 
 /**
  * Validate JWT is not expired.
@@ -59,7 +59,7 @@ protected boolean validate(@NonNull JWTClaimsSet claimsSet) {
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable HttpRequest<?> request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/IssuerJwtClaimsValidator.java

@@ -19,7 +19,7 @@
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 import jakarta.inject.Singleton;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -54,11 +54,11 @@ public IssuerJwtClaimsValidator(JwtClaimsValidatorConfiguration jwtClaimsValidat
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable HttpRequest<?> request) {
         if (expectedIssuer == null) {
             return true;
         }
-        Object issuerObject = claims.get(JwtClaims.ISSUER);
+        Object issuerObject = claims.get(Claims.ISSUER);
         if (issuerObject == null) {
             if (LOG.isTraceEnabled()) {
                 LOG.trace("Expected JWT issuer claim of '{}', but the token did not include an issuer.", expectedIssuer);

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JWTClaimsSetUtils.java

@@ -16,7 +16,7 @@
 package io.micronaut.security.token.jwt.validator;
 
 import com.nimbusds.jwt.JWTClaimsSet;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 
 /**
  * Utils class to instantiate a JWClaimsSet give a map of claims.
@@ -34,7 +34,7 @@ private JWTClaimsSetUtils() {
      * @param claims JWT claims
      * @return A JWTClaimsSet
      */
-    public static JWTClaimsSet jwtClaimsSetFromClaims(JwtClaims claims) {
+    public static JWTClaimsSet jwtClaimsSetFromClaims(Claims claims) {
         JWTClaimsSet.Builder claimsSetBuilder = new JWTClaimsSet.Builder();
         for (String k : claims.names()) {
             claimsSetBuilder.claim(k, claims.get(k));

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JwtClaimsValidator.java

@@ -18,7 +18,7 @@
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 
 /**
  * Provides a contract to create custom JWT claims validations.
@@ -33,5 +33,5 @@ public interface JwtClaimsValidator {
      * @param request HTTP request
      * @return whether the JWT claims pass validation.
      */
-    boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request);
+    boolean validate(@NonNull Claims claims, @Nullable HttpRequest<?> request);
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JwtValidator.java

@@ -28,8 +28,8 @@
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpRequest;
+import io.micronaut.security.token.Claims;
 import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
 import io.micronaut.security.token.jwt.generator.claims.JwtClaimsSetAdapter;
 import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
 import io.micronaut.security.token.jwt.signature.jwks.JwksCache;
@@ -125,7 +125,7 @@ public Optional<JWT> validate(@NonNull JWT token, @Nullable HttpRequest<?> reque
         } else {
             return validationResult.filter(jwt -> {
                 try {
-                    JwtClaims claims = new JwtClaimsSetAdapter(jwt.getJWTClaimsSet());
+                    Claims claims = new JwtClaimsSetAdapter(jwt.getJWTClaimsSet());
                     return claimsValidators.stream().allMatch(validator -> validator.validate(claims, request));
                 } catch (ParseException e) {
                     if (LOG.isErrorEnabled()) {

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/NotBeforeJwtClaimsValidator.java

@@ -21,12 +21,13 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.core.util.StringUtils;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 import jakarta.inject.Singleton;
-import java.util.Date;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.Date;
+
 /**
  * Validate current time is not before the not-before claim of a JWT token.
  *
@@ -72,7 +73,7 @@ protected boolean validate(@NonNull JWTClaimsSet claimsSet) {
      * @return true if the not-before claim denotes a date before now
      */
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable HttpRequest<?> request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }
 

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/SubjectNotNullJwtClaimsValidator.java

@@ -21,7 +21,7 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.core.util.StringUtils;
 import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 import jakarta.inject.Singleton;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -53,7 +53,7 @@ public boolean validate(JWTClaimsSet claimsSet) {
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable HttpRequest<?> request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }
 }

security-jwt/src/test/groovy/io/micronaut/docs/jwtclaimsoverride/JwtClaimsOverrideSpec.groovy

@@ -8,7 +8,7 @@ import io.micronaut.http.MediaType
 import io.micronaut.security.authentication.Authentication
 import io.micronaut.security.authentication.UsernamePasswordCredentials
 import io.micronaut.security.testutils.EmbeddedServerSpecification
-import io.micronaut.security.token.jwt.render.AccessRefreshToken
+import io.micronaut.security.token.render.AccessRefreshToken
 import io.micronaut.security.token.jwt.validator.JwtTokenValidator
 import io.micronaut.security.token.validator.TokenValidator
 import reactor.core.publisher.Flux

security-jwt/src/test/groovy/io/micronaut/security/endpoints/introspection/IntrospectionEndpointSpec.groovy

@@ -10,7 +10,7 @@ import io.micronaut.security.authentication.UsernamePasswordCredentials
 import io.micronaut.security.testutils.EmbeddedServerSpecification
 import io.micronaut.security.testutils.authprovider.MockAuthenticationProvider
 import io.micronaut.security.testutils.authprovider.SuccessAuthenticationScenario
-import io.micronaut.security.token.jwt.render.BearerAccessRefreshToken
+import io.micronaut.security.token.render.BearerAccessRefreshToken
 import jakarta.inject.Singleton
 
 class IntrospectionEndpointSpec extends EmbeddedServerSpecification {