Refresh jwks when validation fails (#334)

OKTA-689349 Refresh jwks when validation fails

Remove async in tokenRequest method

Author: FeiChen-okta

auth-foundation/src/main/java/com/okta/authfoundation/client/OAuth2Client.kt

@@ -32,8 +32,6 @@ import com.okta.authfoundation.credential.TokenType
 import com.okta.authfoundation.jwt.Jwks
 import com.okta.authfoundation.jwt.SerializableJwks
 import com.okta.authfoundation.util.CoalescingOrchestrator
-import kotlinx.coroutines.async
-import kotlinx.coroutines.coroutineScope
 import kotlinx.serialization.json.JsonObject
 import okhttp3.FormBody
 import okhttp3.Request
@@ -232,12 +230,8 @@ class OAuth2Client private constructor(
 
     private fun jwksCoalescingOrchestrator(): CoalescingOrchestrator<OAuth2ClientResult<Jwks>> =
         CoalescingOrchestrator(
-            factory = {
-                actualJwks()
-            },
-            keepDataInMemory = { result ->
-                result is OAuth2ClientResult.Success
-            }
+            factory = ::actualJwks,
+            keepDataInMemory = { result -> result is OAuth2ClientResult.Success }
         )
 
     private suspend fun actualJwks(): OAuth2ClientResult<Jwks> {
@@ -266,6 +260,7 @@ class OAuth2Client private constructor(
             is OAuth2ClientResult.Error -> {
                 null
             }
+
             is OAuth2ClientResult.Success -> {
                 result.result
             }
@@ -281,53 +276,59 @@ class OAuth2Client private constructor(
         maxAge: Int? = null,
         requestToken: Token? = null,
     ): OAuth2ClientResult<Token> {
-        return coroutineScope {
-            val isRefreshRequest = requestToken != null
-            val tokenId = requestToken?.id ?: UUID.randomUUID().toString()
-            val tokenDeferred =
-                async {
-                    performRequest(SerializableToken.serializer(), request) { serializableToken ->
-                        serializableToken.asToken(id = tokenId, oidcConfiguration = configuration)
-                    }
-                }
-            val jwksDeferred =
-                async {
-                    endpointsOrNull()?.jwksUri ?: return@async null
-                    jwks()
+        val isRefreshRequest = requestToken != null
+        val tokenId = requestToken?.id ?: UUID.randomUUID().toString()
+        val tokenResult =
+            performRequest(SerializableToken.serializer(), request) { serializableToken ->
+                serializableToken.asToken(id = tokenId, oidcConfiguration = configuration)
+            }
+
+        if (tokenResult is OAuth2ClientResult.Success) {
+            suspend fun validateToken(
+                token: Token,
+                jwksResult: OAuth2ClientResult<Jwks>?,
+            ) {
+                TokenValidator(this@OAuth2Client, token, nonce, maxAge, jwksResult).validate()
+                configuration.eventCoordinator.sendEvent(TokenCreatedEvent(token))
+                if (isRefreshRequest) {
+                    Credential.credentialDataSource().replaceToken(token)
                 }
-            val tokenResult = tokenDeferred.await()
-            if (tokenResult is OAuth2ClientResult.Success) {
-                val token = tokenResult.result
-
-                try {
-                    TokenValidator(this@OAuth2Client, token, nonce, maxAge, jwksDeferred.await()).validate()
-                    configuration.eventCoordinator.sendEvent(TokenCreatedEvent(token))
-                    if (isRefreshRequest) {
-                        Credential.credentialDataSource().replaceToken(token)
-                    }
-                } catch (e: Exception) {
-                    return@coroutineScope OAuth2ClientResult.Error(e)
+            }
+
+            runCatching {
+                validateToken(tokenResult.result, endpointsOrNull()?.jwksUri?.run { jwks() })
+            }.recoverCatching { throwable ->
+                if (throwable is IdTokenValidator.Error) {
+                    val refreshJwksOrchestrator = CoalescingOrchestrator(::actualJwks, { result -> result is OAuth2ClientResult.Success }).get()
+                    if (refreshJwksOrchestrator is OAuth2ClientResult.Error) throw throwable else validateToken(tokenResult.result, refreshJwksOrchestrator)
+                } else {
+                    throw throwable
                 }
+            }.onFailure { e ->
+                return OAuth2ClientResult.Error(e as Exception)
             }
-            return@coroutineScope tokenResult
         }
+        return tokenResult
     }
 
     private fun Token.getTokenOfType(tokenType: TokenType): Result<String> =
         when (tokenType) {
             TokenType.ACCESS_TOKEN -> {
                 Result.success(accessToken)
             }
+
             TokenType.REFRESH_TOKEN -> {
                 refreshToken?.let {
                     Result.success(it)
                 } ?: Result.failure(IllegalStateException("No refresh token."))
             }
+
             TokenType.ID_TOKEN -> {
                 idToken?.let {
                     Result.success(it)
                 } ?: Result.failure(IllegalStateException("No id token."))
             }
+
             TokenType.DEVICE_SECRET -> {
                 deviceSecret?.let {
                     Result.success(it)

auth-foundation/src/test/java/com/okta/authfoundation/client/OAuth2ClientTest.kt

@@ -16,11 +16,14 @@
 package com.okta.authfoundation.client
 
 import com.google.common.truth.Truth.assertThat
+import com.okta.authfoundation.client.IdTokenValidator.Error.Companion.INVALID_JWT_SIGNATURE
 import com.okta.authfoundation.client.dto.OidcIntrospectInfo
 import com.okta.authfoundation.client.dto.OidcUserInfo
 import com.okta.authfoundation.client.events.TokenCreatedEvent
+import com.okta.authfoundation.client.internal.performRequest
 import com.okta.authfoundation.credential.Credential
 import com.okta.authfoundation.credential.RevokeTokenType
+import com.okta.authfoundation.credential.SerializableToken
 import com.okta.authfoundation.credential.Token
 import com.okta.authfoundation.credential.TokenType
 import com.okta.authfoundation.credential.createToken
@@ -36,13 +39,17 @@ import com.okta.testhelpers.RequestMatchers.path
 import com.okta.testhelpers.RequestMatchers.query
 import com.okta.testhelpers.testBodyFromFile
 import io.mockk.coEvery
+import io.mockk.coVerify
 import io.mockk.mockk
+import io.mockk.mockkConstructor
 import io.mockk.mockkObject
+import io.mockk.mockkStatic
+import io.mockk.spyk
 import io.mockk.unmockkAll
 import kotlinx.coroutines.runBlocking
+import kotlinx.serialization.DeserializationStrategy
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
-import kotlinx.serialization.encodeToString
 import okhttp3.HttpUrl.Companion.toHttpUrl
 import org.junit.After
 import org.junit.Before
@@ -533,6 +540,12 @@ class OAuth2ClientTest {
                 val keys = createJwks().toSerializableJwks()
                 response.setBody(oktaRule.configuration.json.encodeToString(keys))
             }
+            oktaRule.enqueue(
+                path("/oauth2/default/v1/keys")
+            ) { response ->
+                val keys = createJwks().toSerializableJwks()
+                response.setBody(oktaRule.configuration.json.encodeToString(keys))
+            }
             oktaRule.enqueue(
                 method("POST"),
                 path("/oauth2/default/v1/token")
@@ -554,7 +567,64 @@ class OAuth2ClientTest {
             assertThat(exception).hasMessageThat().isEqualTo("Invalid id_token signature")
             assertThat(exception).isInstanceOf(IdTokenValidator.Error::class.java)
             val idTokenValidatorError = exception as IdTokenValidator.Error
-            assertThat(idTokenValidatorError.identifier).isEqualTo(IdTokenValidator.Error.INVALID_JWT_SIGNATURE)
+            assertThat(idTokenValidatorError.identifier).isEqualTo(INVALID_JWT_SIGNATURE)
+        }
+
+    @Test
+    fun `when validation fails, retry to with new jwks, expect success result returned`() =
+        runBlocking {
+            // arrange
+            mockkStatic("com.okta.authfoundation.client.internal.NetworkUtilsKt")
+
+            val token = createToken(idToken = "dummyIdToken", refreshToken = "dummyRefreshToken")
+            coEvery {
+                any<OAuth2Client>().performRequest(any<DeserializationStrategy<SerializableToken>>(), any(), any(), any<Function1<SerializableToken, Token>>())
+            } returns OAuth2ClientResult.Success(token)
+
+            val spyClient = spyk(oktaRule.createOAuth2Client(oktaRule.createEndpoints(includeJwks = true)))
+            val jwksSuccess = OAuth2ClientResult.Success(createJwks())
+
+            coEvery { spyClient.jwks() } returns jwksSuccess
+            mockkConstructor(TokenValidator::class)
+            coEvery { anyConstructed<TokenValidator>().validate() } throws IdTokenValidator.Error("fail", INVALID_JWT_SIGNATURE) andThen Unit
+
+            // Act
+            val result = spyClient.tokenRequest(mockk(), requestToken = token)
+
+            // Assert
+            coVerify(exactly = 2) { anyConstructed<TokenValidator>().validate() }
+            assertThat(result).isInstanceOf(OAuth2ClientResult.Success::class.java)
+            unmockkAll()
+        }
+
+    @Test
+    fun `when validation fails, retry to with new jwks but still fails expect failure result returned`() =
+        runBlocking {
+            // arrange
+            mockkStatic("com.okta.authfoundation.client.internal.NetworkUtilsKt")
+
+            val token = createToken(idToken = "dummyIdToken", refreshToken = "dummyRefreshToken")
+            coEvery {
+                any<OAuth2Client>().performRequest(any<DeserializationStrategy<SerializableToken>>(), any(), any(), any<Function1<SerializableToken, Token>>())
+            } returns OAuth2ClientResult.Success(token)
+
+            val spyClient = spyk(oktaRule.createOAuth2Client(oktaRule.createEndpoints(includeJwks = true)))
+            val jwksSuccess = OAuth2ClientResult.Success(createJwks())
+
+            coEvery { spyClient.jwks() } returns jwksSuccess
+            mockkConstructor(TokenValidator::class)
+            coEvery { anyConstructed<TokenValidator>().validate() } throws IdTokenValidator.Error("fail", INVALID_JWT_SIGNATURE)
+
+            // Act
+            val result = spyClient.tokenRequest(mockk(), requestToken = token)
+
+            // Assert
+            coVerify(exactly = 2) { anyConstructed<TokenValidator>().validate() }
+            assertThat(result).isInstanceOf(OAuth2ClientResult.Error::class.java)
+            assertThat((result as OAuth2ClientResult.Error).exception)
+                .hasMessageThat()
+                .isEqualTo("fail")
+            unmockkAll()
         }
 }
 

buildSrc/src/main/java/Configuration.kt

@@ -2,11 +2,11 @@ import org.gradle.api.JavaVersion
 import org.gradle.api.Project
 import java.util.Properties
 
-const val BOM_VERSION = "2.0.3"
-const val AUTH_FOUNDATION_VERSION = "2.0.3"
-const val OAUTH2_VERSION = "2.0.3"
-const val WEB_AUTHENTICATION_UI_VERSION = "2.0.3"
-const val LEGACY_TOKEN_MIGRATION_VERSION = "2.0.3"
+const val BOM_VERSION = "2.0.4"
+const val AUTH_FOUNDATION_VERSION = "2.0.4"
+const val OAUTH2_VERSION = "2.0.4"
+const val WEB_AUTHENTICATION_UI_VERSION = "2.0.4"
+const val LEGACY_TOKEN_MIGRATION_VERSION = "2.0.4"
 const val MIN_SDK = 23
 const val COMPILE_SDK = 35
 const val TARGET_SDK = 35