Authentication method reference claim now successfully appears in id_…

…token for non-MFA users

This required extending the HttpServletRequest to include additional information and a filter to determine when to do this. This filter has to execute after authentication has taken place so that the ExtendedAuthenticationToken can be retrieved from the security context.

This currently only works for non-MFA users, as the current implementation redirects all MFA users to the dashboard after authenticating (demo purposes).

iam-login-service/pom.xml

@@ -189,6 +189,11 @@
       <artifactId>spring-security-oauth2</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-oauth2-client</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>

iam-login-service/src/main/java/it/infn/mw/iam/authn/multi_factor_authentication/ExtendedAuthenticationFilter.java

@@ -18,8 +18,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -29,10 +27,19 @@
 
 import it.infn.mw.iam.core.ExtendedAuthenticationToken;
 
+/**
+ * This replaces the default {@code UsernamePasswordAuthenticationFilter}. It is used to store a new
+ * {@code ExtendedAuthenticationToken} into the security context instead of a
+ * {@code UsernamePasswordAuthenticationToken}.
+ * 
+ * <p>
+ * Ultimately, we want to store information about the methods of authentication used for every login
+ * attempt. This is useful for registered clients, who may wish to restrict access to certain users
+ * based on the type or quantity of authentication methods used. The authentication methods are
+ * passed to the OAuth2 authorization endpoint and stored in the id_token returned to the client.
+ */
 public class ExtendedAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
 
-  public static final Logger LOG = LoggerFactory.getLogger(ExtendedAuthenticationFilter.class);
-
   private boolean postOnly = true;
   private AuthenticationManager authenticationManager;
 

iam-login-service/src/main/java/it/infn/mw/iam/authn/multi_factor_authentication/ExtendedHttpServletRequest.java

@@ -0,0 +1,122 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.authn.multi_factor_authentication;
+
+import static it.infn.mw.iam.authn.multi_factor_authentication.IamAuthenticationMethodReference.AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+/**
+ * Represents an extended {@code HttpServletRequest} object. This is primarily used for including
+ * information in an OAuth2 authorization request about the authentication method(s) used by the
+ * user to sign in. These are ultimately passed to the token endpoint so they may be included in the
+ * id_token received by the client.
+ */
+public final class ExtendedHttpServletRequest extends HttpServletRequestWrapper {
+
+  private final Map<String, String[]> queryParameterMap;
+  private final Charset requestEncoding;
+
+  public ExtendedHttpServletRequest(HttpServletRequest request, String amrClaim) {
+    super(request);
+    Map<String, String[]> queryMap = getCommonQueryParamFromLegacy(request.getParameterMap());
+    queryMap.put(AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING, new String[] {amrClaim});
+    queryParameterMap = Collections.unmodifiableMap(queryMap);
+
+    String encoding = request.getCharacterEncoding();
+    requestEncoding = (encoding != null ? Charset.forName(encoding) : StandardCharsets.UTF_8);
+  }
+
+  private final Map<String, String[]> getCommonQueryParamFromLegacy(
+      Map<String, String[]> paramMap) {
+    Objects.requireNonNull(paramMap);
+
+    Map<String, String[]> commonQueryParamMap = new LinkedHashMap<>(paramMap);
+
+    return commonQueryParamMap;
+  }
+
+  @Override
+  public String getParameter(String name) {
+    String[] params = queryParameterMap.get(name);
+    return params != null ? params[0] : null;
+  }
+
+  @Override
+  public String[] getParameterValues(String name) {
+    return queryParameterMap.get(name);
+  }
+
+  @Override
+  public Map<String, String[]> getParameterMap() {
+    return queryParameterMap; // unmodifiable to uphold the interface contract.
+  }
+
+  @Override
+  public Enumeration<String> getParameterNames() {
+    return Collections.enumeration(queryParameterMap.keySet());
+  }
+
+  @Override
+  public String getQueryString() {
+    // @see : https://stackoverflow.com/a/35831692/9869013
+    // return queryParameterMap.entrySet().stream().flatMap(entry ->
+    // Stream.of(entry.getValue()).map(value -> entry.getKey() + "=" +
+    // value)).collect(Collectors.joining("&")); // without encoding !!
+    return queryParameterMap.entrySet()
+      .stream()
+      .flatMap(entry -> encodeMultiParameter(entry.getKey(), entry.getValue(), requestEncoding))
+      .collect(Collectors.joining("&"));
+  }
+
+  private Stream<String> encodeMultiParameter(String key, String[] values, Charset encoding) {
+    return Stream.of(values).map(value -> encodeSingleParameter(key, value, encoding));
+  }
+
+  private String encodeSingleParameter(String key, String value, Charset encoding) {
+    return urlEncode(key, encoding) + "=" + urlEncode(value, encoding);
+  }
+
+  private String urlEncode(String value, Charset encoding) {
+    try {
+      return URLEncoder.encode(value, encoding.name());
+    } catch (UnsupportedEncodingException e) {
+      throw new IllegalArgumentException("Cannot url encode " + value, e);
+    }
+  }
+
+  @Override
+  public ServletInputStream getInputStream() throws IOException {
+    throw new UnsupportedOperationException("getInputStream() is not implemented in this "
+        + HttpServletRequest.class.getSimpleName() + " wrapper");
+  }
+
+}

iam-login-service/src/main/java/it/infn/mw/iam/authn/multi_factor_authentication/ExtendedHttpServletRequestFilter.java

@@ -0,0 +1,91 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.authn.multi_factor_authentication;
+
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+
+import it.infn.mw.iam.core.ExtendedAuthenticationToken;
+
+/**
+ * This filter is applied after authentication has taken place. It is used in the OAuth2 process to
+ * detect if a set of {@code IamAuthenticationMethodReference} objects are included in the current
+ * {@code Authentication} object. If so, these are passed to an {@code ExtendedHttpServletRequest}
+ * so they may be included in the authorization request and passed to OAuth2 clients.
+ */
+public class ExtendedHttpServletRequestFilter extends GenericFilterBean {
+
+  public static final String AUTHORIZATION_REQUEST_INCLUDES_AMR =
+      "AUTHORIZATION_REQUEST_INCLUDES_AMR";
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+      throws IOException, ServletException {
+
+    // We fetch the ExtendedAuthenticationToken from the security context. This contains the
+    // authentication method references we want to include in the authorization request
+    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+
+    // Checking to see if this filter has been applied already (if so, this attribute will have
+    // already been set)
+    Object amrAttribute = request.getAttribute(AUTHORIZATION_REQUEST_INCLUDES_AMR);
+
+    if (amrAttribute == null && auth instanceof ExtendedAuthenticationToken) {
+      Set<IamAuthenticationMethodReference> amrSet =
+          ((ExtendedAuthenticationToken) auth).getAuthenticationMethodReferences();
+      String amrClaim = parseAuthenticationMethodReferences(amrSet);
+
+      ExtendedHttpServletRequest extendedRequest =
+          new ExtendedHttpServletRequest((HttpServletRequest) request, amrClaim);
+
+      extendedRequest.setAttribute(AUTHORIZATION_REQUEST_INCLUDES_AMR, Boolean.TRUE);
+      request = extendedRequest;
+    }
+
+    chain.doFilter(request, response);
+  }
+
+  /**
+   * Convert a set of authentication method references into a request parameter string Values are
+   * separated with a + symbol
+   * 
+   * @param amrSet the set of authentication method references
+   * @return the parsed string
+   */
+  private String parseAuthenticationMethodReferences(Set<IamAuthenticationMethodReference> amrSet) {
+    String amrClaim = "";
+    Iterator<IamAuthenticationMethodReference> it = amrSet.iterator();
+    while (it.hasNext()) {
+      IamAuthenticationMethodReference current = it.next();
+      amrClaim += current.getName() + "+";
+    }
+
+    // Remove trailing + symbol at end of string
+    amrClaim = amrClaim.substring(0, amrClaim.length() - 1);
+    return amrClaim;
+  }
+}

iam-login-service/src/main/java/it/infn/mw/iam/authn/multi_factor_authentication/IamAuthenticationMethodReference.java

@@ -17,8 +17,14 @@
 
 public class IamAuthenticationMethodReference {
 
+  public static final String AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING = "amr";
+
   public enum AuthenticationMethodReferenceValues {
-    PASSWORD("pwd"), ONE_TIME_PASSWORD("otp"), HARDWARE_KEY("hwk");
+    // Add additional values here if new authentication factors get added, e.g. HARDWARE_KEY("hwk")
+    // Consult here for standardised reference values -
+    // https://datatracker.ietf.org/doc/html/rfc8176
+
+    PASSWORD("pwd"), ONE_TIME_PASSWORD("otp");
 
     private final String value;
 

iam-login-service/src/main/java/it/infn/mw/iam/config/security/IamWebSecurityConfig.java

@@ -57,6 +57,7 @@
 import it.infn.mw.iam.authn.MultiFactorAuthenticationSuccessHandler;
 import it.infn.mw.iam.authn.RootIsDashboardSuccessHandler;
 import it.infn.mw.iam.authn.multi_factor_authentication.ExtendedAuthenticationFilter;
+import it.infn.mw.iam.authn.multi_factor_authentication.ExtendedHttpServletRequestFilter;
 import it.infn.mw.iam.authn.multi_factor_authentication.MultiFactorAuthenticationProvider;
 import it.infn.mw.iam.authn.oidc.OidcAuthenticationProvider;
 import it.infn.mw.iam.authn.oidc.OidcClientFilter;
@@ -181,6 +182,7 @@ protected void configure(final HttpSecurity http) throws Exception {
         .and()
           .addFilterAt(new ExtendedAuthenticationFilter(this.authenticationManager(), successHandler()), UsernamePasswordAuthenticationFilter.class)
           .addFilterBefore(authorizationRequestFilter, SecurityContextPersistenceFilter.class)
+          .addFilterAfter(new ExtendedHttpServletRequestFilter(), UsernamePasswordAuthenticationFilter.class)
         .logout()
           .logoutUrl("/logout")
         .and().anonymous()

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/IamOAuth2RequestFactory.java

@@ -147,12 +147,6 @@ public TokenRequest createTokenRequest(Map<String, String> requestParameters,
       }
     }
 
-    // These should come from the incoming request anyway
-    // Ideally will come in application/x-www-form-urlencoded format ?amr=pwd&amr=otp
-    // Adding in here for demo purposes at the moment
-    // Need to figure out how to add this to the request from the /authorize endpoint
-    requestParameters.put("amr", "pwd,otp");
-
     String grantType = requestParameters.get(OAuth2Utils.GRANT_TYPE);
 
     Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE));

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/iam/IamJWTProfileIdTokenCustomizer.java

@@ -16,6 +16,7 @@
 package it.infn.mw.iam.core.oauth.profile.iam;
 
 import static it.infn.mw.iam.core.oauth.profile.iam.ClaimValueHelper.ADDITIONAL_CLAIMS;
+import static it.infn.mw.iam.authn.multi_factor_authentication.IamAuthenticationMethodReference.AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING;
 
 import java.util.Set;
 
@@ -64,10 +65,11 @@ public void customizeIdTokenClaims(Builder idClaims, ClientDetailsEntity client,
       .forEach(c -> idClaims.claim(c, claimValueHelper.getClaimValueFromUserInfo(c, info)));
 
     // Add the methods of authentication to the id_token
-    String amrParam = request.getRequestParameters().get("amr");
+    String amrParam =
+        request.getRequestParameters().get(AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING);
     if (amrParam != null) {
-      String[] amrArr = amrParam.split(",");
-      idClaims.claim("amr", amrArr);
+      String[] amrArr = amrParam.split("\\+");
+      idClaims.claim(AUTHENTICATION_METHOD_REFERENCE_CLAIM_STRING, amrArr);
     }
 
     includeLabelsInIdToken(idClaims, client, request, account, accessToken);

pom.xml

@@ -31,6 +31,7 @@
 
     <mitreid.version>1.3.5.cnaf-spring-update-SNAPSHOT</mitreid.version>
     <spring-security-oauth2.version>2.5.1.RELEASE</spring-security-oauth2.version>
+    <spring-security-oauth2-client.version>5.6.1</spring-security-oauth2-client.version>
 
     <voms.version>3.3.2</voms.version>
     <spring-security-saml.version>1.0.10.RELEASE</spring-security-saml.version>
@@ -249,6 +250,12 @@
         <version>${jaxb-runtime.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.springframework.security</groupId>
+        <artifactId>spring-security-oauth2-client</artifactId>
+        <version>${spring-security-oauth2-client.version}</version>
+      </dependency>
+
     </dependencies>
 
   </dependencyManagement>