Support for verifying OIDC JWT claims with custom Jose4j Validator

docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc

@@ -352,6 +352,45 @@ public class IssuerValidator implements ContainerRequestFilter {
 Consider using the `quarkus.oidc.token.audience` property to verify the token `aud` (`audience`) claim value.
 ====
 
+[[jose4j-validator]]
+=== Jose4j Validator
+
+You can register a custom [Jose4j Validator] to customize the JWT claim verification process, before `org.eclipse.microprofile.jwt.JsonWebToken` is initialized.
+For example:
+
+[source, java]
+----
+package org.acme.security.openid.connect;
+
+import static org.eclipse.microprofile.jwt.Claims.iss;
+
+import io.quarkus.arc.Unremovable;
+import jakarta.enterprise.context.ApplicationScoped;
+
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.JwtContext;
+import org.jose4j.jwt.consumer.Validator;
+
+@Unremovable
+@ApplicationScoped
+public class IssuerValidator implements Validator { <1>
+
+    @Override
+    public String validate(JwtContext jwtContext) throws MalformedClaimException {
+        if (jwtContext.getJwtClaims().hasClaim(iss.name())
+                && "my-issuer".equals(jwtContext.getJwtClaims().getClaimValueAsString(iss.name()))) {
+            return "wrong issuer"; <2>
+        }
+        return null; <3>
+    }
+}
+----
+<1> Register Jose4j Validator to verify JWT tokens for all OIDC tenants.
+<2> Return the claim verification error description.
+<3> Return `null` to confirm that this Validator has successfully verified the token.
+
+TIP: Use a `@quarkus.oidc.TenantFeature` annotation to bind a custom Validator to a specific OIDC tenant only.
+
 [[single-page-applications]]
 === Single-page applications
 

docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc

@@ -562,6 +562,11 @@ For more information about using the default token cache or registering a custom
 For information about the claim verification, including the `iss` (issuer) claim, see the xref:security-oidc-bearer-token-authentication.adoc#jwt-claim-verification[JSON Web Token claim verification] section.
 It applies to ID tokens and also to access tokens in a JWT format, if the `web-app` application has requested the access token verification.
 
+[[jose4j-validator]]
+=== Jose4j Validator
+
+You can register a custom [Jose4j Validator] to customize the JWT claim verification process. See xref:security-oidc-bearer-token-authentication.adoc#jose4j-validator[Jose4j] section for more information.
+
 ==== Further security with Proof Key for Code Exchange (PKCE)
 
 link:https://datatracker.ietf.org/doc/html/rfc7636[Proof Key for Code Exchange] (PKCE) minimizes the risk of authorization code interception.

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java

@@ -4,12 +4,14 @@
 import java.nio.charset.StandardCharsets;
 import java.security.Key;
 import java.time.Duration;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 
+import jakarta.enterprise.inject.Default;
 import jakarta.json.JsonObject;
 
 import org.eclipse.microprofile.jwt.Claims;
@@ -30,12 +32,14 @@
 import org.jose4j.lang.InvalidAlgorithmException;
 import org.jose4j.lang.UnresolvableKeyException;
 
+import io.quarkus.arc.Arc;
 import io.quarkus.logging.Log;
 import io.quarkus.oidc.AuthorizationCodeTokens;
 import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.OidcConfigurationMetadata;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.OidcTenantConfig.CertificateChain;
+import io.quarkus.oidc.TenantFeature.TenantFeatureLiteral;
 import io.quarkus.oidc.TokenCustomizer;
 import io.quarkus.oidc.TokenIntrospection;
 import io.quarkus.oidc.UserInfo;
@@ -67,6 +71,7 @@ public class OidcProvider implements Closeable {
     private static final AlgorithmConstraints SYMMETRIC_ALGORITHM_CONSTRAINTS = new AlgorithmConstraints(
             AlgorithmConstraints.ConstraintType.PERMIT, SignatureAlgorithm.HS256.getAlgorithm());
 
+    private final List<Validator> customValidators;
     final OidcProviderClient client;
     final RefreshableVerificationKeyResolver asymmetricKeyResolver;
     final DynamicVerificationKeyResolver keyResolverProvider;
@@ -79,11 +84,12 @@ public class OidcProvider implements Closeable {
     final AlgorithmConstraints requiredAlgorithmConstraints;
 
     public OidcProvider(OidcProviderClient client, OidcTenantConfig oidcConfig, JsonWebKeySet jwks, Key tokenDecryptionKey) {
-        this(client, oidcConfig, jwks, TokenCustomizerFinder.find(oidcConfig), tokenDecryptionKey);
+        this(client, oidcConfig, jwks, TokenCustomizerFinder.find(oidcConfig), tokenDecryptionKey,
+                getCustomValidators(oidcConfig));
     }
 
     public OidcProvider(OidcProviderClient client, OidcTenantConfig oidcConfig, JsonWebKeySet jwks,
-            TokenCustomizer tokenCustomizer, Key tokenDecryptionKey) {
+            TokenCustomizer tokenCustomizer, Key tokenDecryptionKey, List<Validator> customValidators) {
         this.client = client;
         this.oidcConfig = oidcConfig;
         this.tokenCustomizer = tokenCustomizer;
@@ -106,6 +112,12 @@ public OidcProvider(OidcProviderClient client, OidcTenantConfig oidcConfig, Json
         this.requiredClaims = checkRequiredClaimsProp();
         this.tokenDecryptionKey = tokenDecryptionKey;
         this.requiredAlgorithmConstraints = checkSignatureAlgorithm();
+
+        if (customValidators != null && !customValidators.isEmpty()) {
+            this.customValidators = customValidators;
+        } else {
+            this.customValidators = null;
+        }
     }
 
     public OidcProvider(String publicKeyEnc, OidcTenantConfig oidcConfig, Key tokenDecryptionKey) {
@@ -125,6 +137,7 @@ public OidcProvider(String publicKeyEnc, OidcTenantConfig oidcConfig, Key tokenD
         this.requiredClaims = checkRequiredClaimsProp();
         this.tokenDecryptionKey = tokenDecryptionKey;
         this.requiredAlgorithmConstraints = checkSignatureAlgorithm();
+        this.customValidators = getCustomValidators(oidcConfig);
     }
 
     private AlgorithmConstraints checkSignatureAlgorithm() {
@@ -210,6 +223,12 @@ private TokenVerificationResult verifyJwtTokenInternal(String token,
             builder.registerValidator(new CustomClaimsValidator(Map.of(OidcConstants.NONCE, nonce)));
         }
 
+        if (customValidators != null) {
+            for (Validator customValidator : customValidators) {
+                builder.registerValidator(customValidator);
+            }
+        }
+
         if (issuedAtRequired) {
             builder.setRequireIssuedAt();
         }
@@ -598,4 +617,25 @@ public String validate(JwtContext jwtContext) throws MalformedClaimException {
             return null;
         }
     }
+
+    private static List<Validator> getCustomValidators(OidcTenantConfig oidcTenantConfig) {
+        if (oidcTenantConfig != null && oidcTenantConfig.tenantId.isPresent()) {
+            var tenantsValidators = new ArrayList<Validator>();
+            for (var instance : Arc.container().listAll(Validator.class, Default.Literal.INSTANCE)) {
+                if (instance.isAvailable()) {
+                    tenantsValidators.add(instance.get());
+                }
+            }
+            for (var instance : Arc.container().listAll(Validator.class,
+                    TenantFeatureLiteral.of(oidcTenantConfig.tenantId.get()))) {
+                if (instance.isAvailable()) {
+                    tenantsValidators.add(instance.get());
+                }
+            }
+            if (!tenantsValidators.isEmpty()) {
+                return List.copyOf(tenantsValidators);
+            }
+        }
+        return null;
+    }
 }

extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcProviderTest.java

@@ -8,6 +8,7 @@
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.List;
 
 import jakarta.json.Json;
 import jakarta.json.JsonObject;
@@ -19,7 +20,10 @@
 import org.jose4j.jwk.RsaJwkGenerator;
 import org.jose4j.jws.AlgorithmIdentifiers;
 import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.MalformedClaimException;
 import org.jose4j.jwt.consumer.InvalidJwtException;
+import org.jose4j.jwt.consumer.JwtContext;
+import org.jose4j.jwt.consumer.Validator;
 import org.jose4j.keys.EllipticCurves;
 import org.jose4j.lang.UnresolvableKeyException;
 import org.junit.jupiter.api.Test;
@@ -41,7 +45,7 @@ public void testAlgorithmCustomizer() throws Exception {
         JsonWebKeySet jwkSet = new JsonWebKeySet("{\"keys\": [" + rsaJsonWebKey.toJson() + "]}");
         OidcTenantConfig oidcConfig = new OidcTenantConfig();
 
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             try {
                 provider.verifyJwtToken(newToken, false, false, null);
                 fail("InvalidJwtException expected");
@@ -57,7 +61,7 @@ public JsonObject customizeHeaders(JsonObject headers) {
                 return Json.createObjectBuilder(headers).add("alg", "RS256").build();
             }
 
-        }, null)) {
+        }, null, null)) {
             TokenVerificationResult result = provider.verifyJwtToken(newToken, false, false, null);
             assertEquals("http://keycloak/realm", result.localVerificationResult.getString("iss"));
         }
@@ -72,7 +76,7 @@ public void testTokenWithoutKidSingleRsaJwkWithoutKid() throws Exception {
 
         final String token = Jwt.issuer("http://keycloak/realm").sign(rsaJsonWebKey.getPrivateKey());
 
-        try (OidcProvider provider = new OidcProvider(null, new OidcTenantConfig(), jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, new OidcTenantConfig(), jwkSet, null)) {
             TokenVerificationResult result = provider.verifyJwtToken(token, false, false, null);
             assertEquals("http://keycloak/realm", result.localVerificationResult.getString("iss"));
         }
@@ -87,7 +91,7 @@ public void testTokenWithoutKidMultipleRSAJwkWithoutKid() throws Exception {
 
         final String token = Jwt.issuer("http://keycloak/realm").sign(rsaJsonWebKey1.getPrivateKey());
 
-        try (OidcProvider provider = new OidcProvider(null, new OidcTenantConfig(), jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, new OidcTenantConfig(), jwkSet, null)) {
             try {
                 provider.verifyJwtToken(token, false, false, null);
                 fail("InvalidJwtException expected");
@@ -119,13 +123,13 @@ public void testSubject() throws Exception {
 
         final String tokenWithSub = Jwt.subject("subject").jws().keyId("k1").sign(rsaJsonWebKey.getPrivateKey());
 
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             TokenVerificationResult result = provider.verifyJwtToken(tokenWithSub, false, true, null);
             assertEquals("subject", result.localVerificationResult.getString(Claims.sub.name()));
         }
 
         final String tokenWithoutSub = Jwt.claims().jws().keyId("k1").sign(rsaJsonWebKey.getPrivateKey());
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             try {
                 provider.verifyJwtToken(tokenWithoutSub, false, true, null);
                 fail("InvalidJwtException expected");
@@ -146,13 +150,13 @@ public void testNonce() throws Exception {
 
         final String tokenWithNonce = Jwt.claim("nonce", "123456").jws().keyId("k1").sign(rsaJsonWebKey.getPrivateKey());
 
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             TokenVerificationResult result = provider.verifyJwtToken(tokenWithNonce, false, false, "123456");
             assertEquals("123456", result.localVerificationResult.getString(Claims.nonce.name()));
         }
 
         final String tokenWithoutNonce = Jwt.claims().jws().keyId("k1").sign(rsaJsonWebKey.getPrivateKey());
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             try {
                 provider.verifyJwtToken(tokenWithoutNonce, false, false, "123456");
                 fail("InvalidJwtException expected");
@@ -183,15 +187,15 @@ public void testAge() throws Exception {
         OidcTenantConfig oidcConfig = new OidcTenantConfig();
         oidcConfig.token.issuedAtRequired = false;
 
-        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null)) {
             TokenVerificationResult result = provider.verifyJwtToken(token, false, false, null);
             assertNull(result.localVerificationResult.getString(Claims.iat.name()));
         }
 
         OidcTenantConfig oidcConfigRequireAge = new OidcTenantConfig();
         oidcConfigRequireAge.token.issuedAtRequired = true;
 
-        try (OidcProvider provider = new OidcProvider(null, oidcConfigRequireAge, jwkSet, null, null)) {
+        try (OidcProvider provider = new OidcProvider(null, oidcConfigRequireAge, jwkSet, null)) {
             try {
                 provider.verifyJwtToken(token, false, false, null);
                 fail("InvalidJwtException expected");
@@ -200,4 +204,72 @@ public void testAge() throws Exception {
             }
         }
     }
+
+    @Test
+    public void testJwtValidators() throws Exception {
+        RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
+        rsaJsonWebKey.setKeyId("k1");
+        JsonWebKeySet jwkSet = new JsonWebKeySet("{\"keys\": [" + rsaJsonWebKey.toJson() + "]}");
+
+        OidcTenantConfig oidcConfig = new OidcTenantConfig();
+
+        String token = Jwt.claim("claim1", "claimValue1").claim("claim2", "claimValue2").jws().keyId("k1")
+                .sign(rsaJsonWebKey.getPrivateKey());
+
+        // no validators
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null, null)) {
+            TokenVerificationResult result = provider.verifyJwtToken(token, false, false, null);
+            assertEquals("claimValue1", result.localVerificationResult.getString("claim1"));
+            assertEquals("claimValue2", result.localVerificationResult.getString("claim2"));
+        }
+
+        // one validator
+        Validator validator1 = new Validator() {
+            @Override
+            public String validate(JwtContext jwtContext) throws MalformedClaimException {
+                if (jwtContext.getJwtClaims().hasClaim("claim1")) {
+                    return "Claim1 is not allowed!";
+                }
+                return null;
+            }
+        };
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null, List.of(validator1))) {
+            try {
+                provider.verifyJwtToken(token, false, false, null);
+                fail("InvalidJwtException expected");
+            } catch (InvalidJwtException ex) {
+                assertTrue(ex.getMessage().contains("Claim1 is not allowed!"));
+            }
+        }
+
+        // two validators
+        Validator validator2 = new Validator() {
+            @Override
+            public String validate(JwtContext jwtContext) throws MalformedClaimException {
+                if (jwtContext.getJwtClaims().hasClaim("claim2")) {
+                    return "Claim2 is not allowed!";
+                }
+                return null;
+            }
+        };
+        // check the first validator is still run
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null, List.of(validator1, validator2))) {
+            try {
+                provider.verifyJwtToken(token, false, false, null);
+                fail("InvalidJwtException expected");
+            } catch (InvalidJwtException ex) {
+                assertTrue(ex.getMessage().contains("Claim1 is not allowed!"));
+            }
+        }
+        // check the second validator is applied
+        token = Jwt.claim("claim2", "claimValue2").jws().keyId("k1").sign(rsaJsonWebKey.getPrivateKey());
+        try (OidcProvider provider = new OidcProvider(null, oidcConfig, jwkSet, null, null, List.of(validator1, validator2))) {
+            try {
+                provider.verifyJwtToken(token, false, false, null);
+                fail("InvalidJwtException expected");
+            } catch (InvalidJwtException ex) {
+                assertTrue(ex.getMessage().contains("Claim2 is not allowed!"));
+            }
+        }
+    }
 }

integration-tests/oidc-tenancy/src/main/java/io/quarkus/it/keycloak/GlobalJwtPreferredNameValidator.java

@@ -0,0 +1,24 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.enterprise.context.Dependent;
+
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.JwtContext;
+import org.jose4j.jwt.consumer.Validator;
+
+import io.quarkus.arc.Unremovable;
+
+@Unremovable
+@Dependent
+public class GlobalJwtPreferredNameValidator implements Validator {
+
+    @Override
+    public String validate(JwtContext jwtContext) throws MalformedClaimException {
+        if (jwtContext.getJwtClaims().hasClaim("preferred_username")
+                && jwtContext.getJwtClaims().isClaimValueString("preferred_username")
+                && jwtContext.getJwtClaims().getClaimValueAsString("preferred_username").contains("jdoe")) {
+            return "scope validation failed, the 'fail-validation' scope is not allowed";
+        }
+        return null;
+    }
+}