Replaced `auth0` lib with `jjwt` by `io.jsonwebtoken` that doesn't require jackson at runtime if not used

2024-04-30 20:13:30 +02:00 · 2024-04-30 20:13:30 +02:00 · 5938bf4af8
parent e339be5083
commit 5938bf4af8
3 changed files with 32 additions and 79 deletions
--- a/pom.xml
+++ b/pom.xml
@ -27,8 +27,10 @@
 	</dependencyManagement>

 	<scm>
-		<connection>scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</connection>
-		<developerConnection>scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</developerConnection>
+		<connection>
+			scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</connection>
+		<developerConnection>
+			scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git</developerConnection>
 		<url>https://code-repo.d4science.org/gCubeSystem/${project.artifactId}</url>
 	</scm>

@ -36,6 +38,7 @@
 		<java.version>1.8</java.version>
 		<maven.compiler.source>${java.version}</maven.compiler.source>
 		<maven.compiler.target>${java.version}</maven.compiler.target>
+		<jjwt.version>0.12.5</jjwt.version>
 	</properties>

 	<dependencies>
@ -66,9 +69,22 @@
 		</dependency>

 		<dependency>
-			<groupId>com.auth0</groupId>
-			<artifactId>java-jwt</artifactId>
-			<version>4.4.0</version>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-api</artifactId>
+			<version>${jjwt.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-impl</artifactId>
+			<version>${jjwt.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt-jackson</artifactId>
+			<version>${jjwt.version}</version>
+			<scope>compile</scope>
 		</dependency>

 		<dependency>
--- a/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
+++ b/src/main/java/org/gcube/common/keycloak/model/ModelUtils.java
@ -15,10 +15,9 @@ import org.gcube.com.fasterxml.jackson.databind.ObjectWriter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

-import com.auth0.jwt.JWT;
-import com.auth0.jwt.algorithms.Algorithm;
-import com.auth0.jwt.exceptions.TokenExpiredException;
-import com.auth0.jwt.interfaces.JWTVerifier;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;

 /**
 * @author <a href="mailto:mauro.mugnaini@nubisware.com">Mauro Mugnaini</a>
@ -83,35 +82,6 @@ public class ModelUtils {
        }
    }

-    /**
-     * Verifies the token validity
-     * 
-     * @param token the base64 JWT token string
-     * @param rsaPublicKey the realm's RSA public key on server
-     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
-     * @throws RuntimeException if an error occurs constructing the verifier
-     */
-    public static boolean isValid(String token, RSAPublicKey rsaPublicKey) throws Exception {
-        return isValid(token, rsaPublicKey, true);
-    }
-
-    /**
-     * Verifies the token validity
-     * 
-     * @param token the base64 JWT token string
-     * @param rsaPublicKey the realm's RSA public key on server
-     * @param checkExpiration if <code>false</code> token expiration check is disabled
-     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
-     * @throws RuntimeException if an error occurs constructing the verifier
-     */
-    public static boolean isValid(String token, RSAPublicKey rsaPublicKey, boolean checkExpiration) throws Exception {
-        try {
-            return isValid(token, Algorithm.RSA256(rsaPublicKey, null), checkExpiration);
-        } catch (Exception e) {
-            throw new RuntimeException("Cannot construct the JWT verifier", e);
-        }
-    }
-
    /**
     * Verifies the token validity
     * 
@ -121,41 +91,8 @@ public class ModelUtils {
     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
     * @throws RuntimeException if an error occurs constructing the verifier
     */
-    public static boolean isValid(String token, PublicKey publicKey, String keyAlgorithm) throws Exception {
-        return isValid(token, publicKey, keyAlgorithm, true);
-    }
-
-    /**
-     * Verifies the token validity
-     * 
-     * @param token the base64 JWT token string
-     * @param publicKey the realm's public key on server
-     * @param keyAlgorithm the public key algorithm
-     * @param checkExpiration if <code>false</code> token expiration check is disabled
-     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
-     * @throws RuntimeException if an error occurs constructing the verifier
-     */
-    public static boolean isValid(String token, PublicKey publicKey, String keyAlgorithm, boolean checkExpiration) throws Exception {
-        try {
-            Algorithm algorithm = null;
-            switch (keyAlgorithm) {
-            case "RS256":
-                algorithm = Algorithm.RSA256((RSAPublicKey) publicKey, null);
-                break;
-            case "RS384":
-                algorithm = Algorithm.RSA384((RSAPublicKey) publicKey, null);
-                break;
-            case "RS512":
-                algorithm = Algorithm.RSA512((RSAPublicKey) publicKey, null);
-                break;
-            default:
-                throw new RuntimeException("Unsupported key algorithm: " + algorithm);
-            }
-            
-            return isValid(token, algorithm, checkExpiration);
-        } catch (Exception e) {
-            throw new RuntimeException("Cannot construct the JWT verifier", e);
-        }
+    public static boolean isValid(String token, PublicKey publicKey) throws Exception {
+        return isValid(token, publicKey, true);
    }

    /**
@ -166,12 +103,12 @@ public class ModelUtils {
     * @param checkExpiration if <code>false</code> token expiration check is disabled
     * @return <code>true</code> if the token is valid, <code>false</code> otherwise
     */
-    public static boolean isValid(String token, Algorithm algorithm, boolean checkExpiration) throws Exception {
-        JWTVerifier verifier = JWT.require(algorithm).build();;
+    public static boolean isValid(String token, PublicKey publicKey, boolean checkExpiration) throws Exception {
+        JwtParser jwtParser = Jwts.parser().verifyWith(publicKey).build();
        try {
-            verifier.verify(token);
+            jwtParser.parse(token);
            return true;
-        } catch (TokenExpiredException e) {
+        } catch (ExpiredJwtException e) {
            // This is OK because expiration check is after the signature validation in the implementation
            if (logger.isDebugEnabled()) {
                logger.debug("JWT is expired: {}", e.getMessage());
@ -294,4 +231,4 @@ public class ModelUtils {
            return "";
        }
    }
-}
+}
--- a/src/test/java/org/gcube/common/keycloak/TestModelUtils.java
+++ b/src/test/java/org/gcube/common/keycloak/TestModelUtils.java
@ -44,9 +44,9 @@ public class TestModelUtils {

        // Valid signature 
        Assert.assertFalse("Token is valid", ModelUtils.isValid(tr.getAccessToken(), publicKey));
+        Assert.assertFalse("Token is not expired", ModelUtils.isValid(tr.getAccessToken(), publicKey, true));
        Assert.assertTrue("Token is valid", ModelUtils.isValid(tr.getAccessToken(), publicKey, false));
        Assert.assertFalse("Token signature is valid", ModelUtils.isValid(tr.getAccessToken().replace("ZV9hY2Nlc3", "ZV9hY2Nlcc"), publicKey));
-        Assert.assertFalse("Token is not expired", ModelUtils.isValid(tr.getAccessToken(), publicKey, true));
    }

    @Test