remove logic retrieving consumer app tenant domain to get resident IDP.

remove logic to get JWKS endpoint to validate signature.

Author: dushaniw

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/factory/KeyManagerHolder.java

@@ -211,7 +211,7 @@ private static JWTValidator getJWTValidator(KeyManagerConfiguration keyManagerCo
                         tokenIssuerDto.setJwksConfigurationDTO(jwksConfigurationDTO);
                     } else {
                         X509Certificate x509Certificate =
-                                APIUtil.retrieveCertificateFromContent((String) certificateValue);
+                                APIUtil.retrieveCertificateFromURLEncodedContent((String) certificateValue);
                         if (x509Certificate != null) {
                             tokenIssuerDto.setCertificate(x509Certificate);
                         }

components/apimgt/org.wso2.carbon.apimgt.impl/src/main/java/org/wso2/carbon/apimgt/impl/utils/APIUtil.java

@@ -9229,7 +9229,14 @@ public static String getX509certificateContent(String certificate) {
         return content.trim();
     }
 
-    public static X509Certificate retrieveCertificateFromContent(String base64EncodedCertificate)
+    /**
+     * Util method to convert Base64 URL encoded certificate content to X509Certificate instance.
+     *
+     * @param base64EncodedCertificate Base64 URL encoded cert string
+     * @return javax.security.cert.X509Certificate
+     * @throws APIManagementException if an error occurs while retrieving from IDP
+     */
+    public static X509Certificate retrieveCertificateFromURLEncodedContent(String base64EncodedCertificate)
             throws APIManagementException {
 
         if (base64EncodedCertificate != null) {
@@ -9253,6 +9260,30 @@ public static X509Certificate retrieveCertificateFromContent(String base64Encode
         return null;
     }
 
+    /**
+     * Util method to convert non URL encoded but base64 encoded certificate content to X509Certificate instance.
+     *
+     * @param base64EncodedCertificate Base64 encoded cert string (not URL encoded)
+     * @return javax.security.cert.X509Certificate
+     * @throws APIManagementException if an error occurs while retrieving from IDP
+     */
+    public static X509Certificate retrieveCertificateFromContent(String base64EncodedCertificate)
+            throws APIManagementException {
+
+        if (base64EncodedCertificate != null) {
+            base64EncodedCertificate = APIUtil.getX509certificateContent(base64EncodedCertificate);
+            byte[] bytes = Base64.decodeBase64(base64EncodedCertificate.getBytes());
+            try (InputStream inputStream = new ByteArrayInputStream(bytes)) {
+                return X509Certificate.getInstance(inputStream);
+            } catch (IOException | javax.security.cert.CertificateException e) {
+                String msg = "Error while converting into X509Certificate";
+                log.error(msg, e);
+                throw new APIManagementException(msg, e);
+            }
+        }
+        return null;
+    }
+
     /**
      * Replace new RESTAPI Role mappings to tenant-conf.
      *

components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/impl/OAuthJwtAuthenticatorImpl.java

@@ -20,16 +20,13 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.util.DateUtils;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.cxf.message.Message;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.OAuthTokenInfo;
 import org.wso2.carbon.apimgt.common.gateway.constants.JWTConstants;
-import org.wso2.carbon.apimgt.common.gateway.dto.JWKSConfigurationDTO;
 import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
 import org.wso2.carbon.apimgt.common.gateway.dto.TokenIssuerDto;
 import org.wso2.carbon.apimgt.impl.APIConstants;
@@ -48,12 +45,8 @@
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
 import org.wso2.carbon.identity.application.common.model.IdentityProvider;
-import org.wso2.carbon.identity.application.common.model.IdentityProviderProperty;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationConstants;
 import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
-import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
-import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
-import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
 import org.wso2.carbon.idp.mgt.IdentityProviderManager;
 import org.wso2.carbon.user.api.UserStoreException;
@@ -63,9 +56,6 @@
 import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
 
 import javax.security.cert.X509Certificate;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.text.ParseException;
@@ -338,17 +328,7 @@ private JWTValidator validateAndGetJWTValidatorForIssuer(JWTClaimsSet jwtClaimsS
                     + tokenIssuer + ") does not match with the token issuer (" + tokenIssuers.keySet() + ")");
         }
         String residentTenantDomain = APIConstants.SUPER_TENANT_DOMAIN;
-        String consumerKey = (String) jwtClaimsSet.getClaim("azp");
-        if (consumerKey != null) {
-            try {
-                residentTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(consumerKey);
-            } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
-                throw new APIManagementException("JWT token issuer validation failed. Reason: Error while retrieving "
-                        + "organization for the consumer app: " + consumerKey);
-            }
-        }
-        IdentityProvider residentIDP
-                = validateAndGetResidentIDPForIssuer(residentTenantDomain, tokenIssuer);
+        IdentityProvider residentIDP = validateAndGetResidentIDPForIssuer(residentTenantDomain, tokenIssuer);
         if (residentIDP == null) {
             //invalid issuer. invalid token
             throw new APIManagementException("JWT token issuer validation failed. Reason: Resident Identity Provider "
@@ -357,47 +337,22 @@ private JWTValidator validateAndGetJWTValidatorForIssuer(JWTClaimsSet jwtClaimsS
         JWTValidator jwtValidator = new JWTValidatorImpl();
         TokenIssuerDto tokenIssuerDto = new TokenIssuerDto(tokenIssuer);
         if (residentIDP.getCertificate() != null) {
-            tokenIssuerDto.setCertificate(retrieveCertificateFromContent(residentIDP.getCertificate()));
+            X509Certificate certificate = APIUtil.retrieveCertificateFromContent(residentIDP.getCertificate());
+            if (certificate == null) {
+                throw new APIManagementException("JWT token issuer validation failed. Reason: Certificate for resident"
+                        + " identity provider is not in base64 encoded format in organization: "
+                        + residentTenantDomain);
+            }
+            tokenIssuerDto.setCertificate(certificate);
+
         } else {
-            JWKSConfigurationDTO jwksConfigurationDTO = new JWKSConfigurationDTO();
-            jwksConfigurationDTO.setEnabled(true);
-            jwksConfigurationDTO.setUrl(getJwksUriForIDP(residentIDP));
-            tokenIssuerDto.setJwksConfigurationDTO(jwksConfigurationDTO);
+            throw new APIManagementException("JWT token issuer validation failed. Reason: Certificate for resident" +
+                    " identity provider cannot be found for the organization: " + residentTenantDomain);
         }
         jwtValidator.loadTokenIssuerConfiguration(tokenIssuerDto);
         return jwtValidator;
     }
 
-    /**
-     * Retrieve JWKS URI configured for the resident IDP.
-     *
-     * @param idp IdentityProvider
-     * @return JWKS URI
-     */
-    private String getJwksUriForIDP(IdentityProvider idp) {
-
-        String jwksUri = null;
-        IdentityProviderProperty[] identityProviderProperties = idp.getIdpProperties();
-        if (!ArrayUtils.isEmpty(identityProviderProperties)) {
-            for (IdentityProviderProperty identityProviderProperty : identityProviderProperties) {
-                if (StringUtils.equals(identityProviderProperty.getName(), JWKS_URI)) {
-                    jwksUri = identityProviderProperty.getValue();
-                    if (log.isDebugEnabled()) {
-                        log.debug("JWKS endpoint set for the identity provider : " + idp.getIdentityProviderName()
-                                + ", jwks_uri : " + jwksUri);
-                    }
-                    break;
-                } else {
-                    if (log.isDebugEnabled()) {
-                        log.debug("JWKS endpoint not specified for the identity provider : "
-                                + idp.getIdentityProviderName());
-                    }
-                }
-            }
-        }
-        return jwksUri;
-    }
-
     /**
      * Retrieve token issuer details from deployment.toml file.
      *
@@ -465,28 +420,4 @@ private IdentityProvider validateAndGetResidentIDPForIssuer(String tenantDomain,
         }
         return jwtIssuer.equals(issuer) ? residentIdentityProvider : null;
     }
-
-    /**
-     * Util method to convert base64 encoded certificate content to X509Certificate instance.
-     *
-     * @param base64EncodedCertificate Base64 encoded cert string (not URL encoded)
-     * @return javax.security.cert.X509Certificate
-     * @throws APIManagementException if an error occurs while retrieving from IDP
-     */
-    private X509Certificate retrieveCertificateFromContent(String base64EncodedCertificate)
-            throws APIManagementException {
-
-        if (base64EncodedCertificate != null) {
-            base64EncodedCertificate = APIUtil.getX509certificateContent(base64EncodedCertificate);
-            byte[] bytes = Base64.decodeBase64(base64EncodedCertificate.getBytes());
-            try (InputStream inputStream = new ByteArrayInputStream(bytes)) {
-                return X509Certificate.getInstance(inputStream);
-            } catch (IOException | javax.security.cert.CertificateException e) {
-                String msg = "Error while converting into X509Certificate";
-                log.error(msg, e);
-                throw new APIManagementException(msg, e);
-            }
-        }
-        return null;
-    }
 }