TOMEE-4296 - MicroProfile JWT 2.1 (#962)

* Implement MP-JWT-TCK 2.1

boms/tomee-microprofile-api/pom.xml

@@ -219,7 +219,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

boms/tomee-microprofile/pom.xml

@@ -1929,7 +1929,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

boms/tomee-plume-api/pom.xml

@@ -219,7 +219,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

boms/tomee-plume/pom.xml

@@ -2050,7 +2050,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

boms/tomee-plus-api/pom.xml

@@ -230,7 +230,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

boms/tomee-plus/pom.xml

@@ -2072,7 +2072,7 @@
     <dependency>
       <groupId>org.eclipse.microprofile.jwt</groupId>
       <artifactId>microprofile-jwt-auth-api</artifactId>
-      <version>2.0</version>
+      <version>2.1</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java

@@ -425,8 +425,8 @@ public static JWTCallerPrincipal parse(final String token, final JWTAuthConfigur
                 if (authContextInfo.getIssuer() != null) {
                     builder.setExpectedIssuer(authContextInfo.getIssuer());
                 }
-                if (authContextInfo.getExpGracePeriodSecs() > 0) {
-                    builder.setAllowedClockSkewInSeconds(authContextInfo.getExpGracePeriodSecs());
+                if (authContextInfo.getClockSkew()>= 0) {
+                    builder.setAllowedClockSkewInSeconds(authContextInfo.getClockSkew());
                 } else {
                     builder.setEvaluationTime(NumericDate.fromSeconds(0));
                 }
@@ -460,7 +460,11 @@ public static JWTCallerPrincipal parse(final String token, final JWTAuthConfigur
                     builder.setEnableRequireEncryption();
                 }
 
-
+                if (authContextInfo.getTokenAge() != null){
+                    builder.setRequireIssuedAt();
+                    builder.setIssuedAtRestrictions(authContextInfo.getTokenAge(), authContextInfo.getTokenAge());
+                }
+
                 final JwtConsumer jwtConsumer = builder.build();
                 final JwtContext jwtContext = jwtConsumer.process(token);
                 final String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
@@ -478,7 +482,6 @@ public static JWTCallerPrincipal parse(final String token, final JWTAuthConfigur
                 }
                 claimsSet.setClaim(Claims.raw_token.name(), token);
                 principal = new JWTCallerPrincipal(token, type, claimsSet, principalName);
-
             } catch (final InvalidJwtException e) {
                 VALIDATION.warning(e.getMessage());
                 throw new ParseException("Failed to verify token", e);

mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/JWTAuthConfiguration.java

@@ -36,6 +36,8 @@ public class JWTAuthConfiguration {
     private final String headerScheme = "Bearer";
     private final boolean allowNoExpiryClaim;
     private final String cookieName;
+    private final Integer tokenAge;
+    private final Integer clockSkew;
 
     /**
      * mp.jwt.verify.publickey.algorithm
@@ -54,7 +56,7 @@ public class JWTAuthConfiguration {
      */
     private String decryptAlgorithm;
 
-    public JWTAuthConfiguration(final Supplier<Map<String, Key>> publicKeys, final String issuer, final boolean allowNoExpiryClaim, final String[] audiences, final Supplier<Map<String, Key>> decryptKeys, final String header, final String cookie, final String decryptAlgorithm, final String signatureAlgorithm) {
+    public JWTAuthConfiguration(final Supplier<Map<String, Key>> publicKeys, final String issuer, final boolean allowNoExpiryClaim, final String[] audiences, final Supplier<Map<String, Key>> decryptKeys, final String header, final String cookie, final String decryptAlgorithm, final String signatureAlgorithm, final Integer tokenAge, final Integer clockSkew) {
         this.publicKeys = publicKeys;
         this.decryptKeys = decryptKeys;
         this.issuer = issuer;
@@ -64,6 +66,8 @@ public JWTAuthConfiguration(final Supplier<Map<String, Key>> publicKeys, final S
         this.cookieName = cookie;
         this.decryptAlgorithm = decryptAlgorithm;
         this.signatureAlgorithm = signatureAlgorithm;
+        this.tokenAge = tokenAge;
+        this.clockSkew = clockSkew;
     }
 
     public String getCookieName() {
@@ -109,4 +113,12 @@ public String getSignatureAlgorithm() {
     public String getDecryptAlgorithm() {
         return decryptAlgorithm;
     }
+
+    public Integer getTokenAge() {
+        return tokenAge;
+    }
+
+    public Integer getClockSkew() {
+        return clockSkew;
+    }
 }

mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/JWTAuthConfigurationProperties.java

@@ -47,6 +47,8 @@
 import static org.eclipse.microprofile.jwt.config.Names.TOKEN_HEADER;
 import static org.eclipse.microprofile.jwt.config.Names.VERIFIER_PUBLIC_KEY;
 import static org.eclipse.microprofile.jwt.config.Names.VERIFIER_PUBLIC_KEY_LOCATION;
+import static org.eclipse.microprofile.jwt.config.Names.TOKEN_AGE;
+import static org.eclipse.microprofile.jwt.config.Names.CLOCK_SKEW;
 
 /**
  * The purpose of this class is to create an instance of JWTAuthConfiguration using
@@ -117,7 +119,9 @@ private JWTAuthConfiguration createJWTAuthConfiguration() {
                 config.getOptionalValue(TOKEN_HEADER, String.class).map(String::toLowerCase).orElse("authorization"),
                 config.getOptionalValue(TOKEN_COOKIE, String.class).map(String::toLowerCase).orElse("bearer"),
                 config.getOptionalValue("mp.jwt.decrypt.key.algorithm", String.class).orElse(null),
-                config.getOptionalValue("mp.jwt.verify.publickey.algorithm", String.class).orElse(null));
+                config.getOptionalValue("mp.jwt.verify.publickey.algorithm", String.class).orElse(null),
+                config.getOptionalValue(TOKEN_AGE, Integer.class).orElse(null),
+                config.getOptionalValue(CLOCK_SKEW, Integer.class).orElse(0));
     }
 
     private Boolean queryAllowExp(){

pom.xml

@@ -179,7 +179,7 @@
     <version.microprofile.config>3.0.3</version.microprofile.config>
     <version.microprofile.fault-tolerance>4.0.2</version.microprofile.fault-tolerance>
     <version.microprofile.health>4.0.1</version.microprofile.health>
-    <version.microprofile.jwt>2.0</version.microprofile.jwt>
+    <version.microprofile.jwt>2.1</version.microprofile.jwt>
     <version.microprofile.metrics>4.0.1</version.microprofile.metrics>
     <version.microprofile.openapi>3.0</version.microprofile.openapi>
     <version.microprofile.opentracing>3.0</version.microprofile.opentracing>