Merge pull request #2216 from beyonnex-io/feature/2145-jwt-claim-header-injection

#2145: support configuration of JWT claim injection into headers

Author: thjaeckle

deployment/helm/ditto/Chart.yaml

@@ -16,8 +16,8 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.8.0-M7  # chart version is effectively set by release-job
-appVersion: 3.8.0-M4
+version: 3.8.0-M8  # chart version is effectively set by release-job
+appVersion: 3.8.0-M5
 keywords:
   - iot-chart
   - digital-twin

deployment/helm/ditto/service-config/gateway-extension.conf.tpl

@@ -12,6 +12,11 @@ ditto {
               "{{$subject}}"
             {{- end }}
             ]
+            inject-claims-into-headers = {
+            {{- range $claimKey, $claimValue := $value.injectClaimsIntoHeaders }}
+              {{$claimKey}} = "{{$claimValue}}"
+            {{- end }}
+            }
           }
         {{- end }}
         }
@@ -28,6 +33,11 @@ ditto {
                 "{{$subject}}"
               {{- end }}
               ]
+              inject-claims-into-headers = {
+              {{- range $claimKey, $claimValue := $value.injectClaimsIntoHeaders }}
+                {{$claimKey}} = "{{$claimValue}}"
+              {{- end }}
+              }
             }
           {{- end }}
           }

deployment/helm/ditto/values.yaml

@@ -2013,6 +2013,9 @@ gateway:
         #    authSubjects:
         #    - "{{ jwt:sub }}"
         #    - "{{ jwt:groups }}"
+        #    injectClaimsIntoHeaders:
+        #      user_email: "{{ jwt:email }}"
+        #      user_name: "{{ jwt:name }}"
         # configure the subject to inject in policy action activateTokenIntegration
         tokenIntegrationSubject: "integration:{{policy-entry:label}}:{{jwt:aud}}"
       # devops contains the configuration of the gateway's "/devops" API, e.g. access to it
@@ -2034,6 +2037,9 @@ gateway:
           #    authSubjects:
           #    - "{{ jwt:sub }}"
           #    - "{{ jwt:groups }}"
+          #    injectClaimsIntoHeaders:
+          #      user_email: "{{ jwt:email }}"
+          #      user_name: "{{ jwt:name }}"
         # oauthSubjects contains list of subjects authorized to use "/devops" and "/api/2/connections" resources
         oauthSubjects:
         # - "example-ops:devops-admin"

documentation/src/main/resources/pages/ditto/installation-operating.md

@@ -164,6 +164,14 @@ When `auth-subjects` is not provided, the `"sub"` claim (`{%raw%}{{ jwt:sub }}{%
 Please read [more details on the OpenId Connect configuration placeholder](basic-placeholders.html#scope-openid-connect-configuration)
 to find out what is possible when defining the `auth-subjects`.
 
+Since Ditto 3.8.0, it is in addition possible to configure `inject-claims-into-headers`. This is a configuration which
+takes a map of HTTP header names to JWT claim placeholders. Valid JWT tokens will be resolved and added to the headers
+of the command as custom headers.  
+Ditto by default forwards custom headers and preserves them, e.g. when forwarding a [message](basic-messages.html) or
+when emitting an [event](basic-signals-event.html) after a command changes a thing.  
+Using `inject-claims-into-headers`, it e.g. is possible to add the email address of the authenticated user as a custom
+header to a command so that e.g. in logging it can be determined which user caused a change.
+
 
 ```
 ditto.gateway.authentication {
@@ -182,6 +190,10 @@ ditto.gateway.authentication {
             "{%raw%}{{ jwt:sub }}/{{ jwt:scp }}@{{ jwt:non_existing }}{%endraw%}",
             "{%raw%}{{ jwt:roles/support }}{%endraw%}"
           ]
+          inject-claims-into-headers = {
+            user-email = "{%raw%}{{ jwt:email }}{%endraw%}"
+            user-name = "{%raw%}{{ jwt:name }}{%endraw%}"
+          }
         }
       }
     }

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/AuthenticationChain.java

@@ -134,12 +134,12 @@ private AuthResultAccumulator appendResult(final AuthenticationProvider<?> authe
                 final AuthenticationResult nextResult) {
             if (nextResult.isSuccess()) {
                 logSuccess(authenticationProvider);
-                return new AuthResultAccumulator(nextResult, failureResults, requestContext, dittoHeaders);
+                return new AuthResultAccumulator(nextResult, failureResults, requestContext, nextResult.getDittoHeaders());
             } else {
                 logFailure(authenticationProvider, nextResult);
                 final var newFailureResults =
                         Stream.concat(failureResults.stream(), Stream.of(nextResult)).toList();
-                return new AuthResultAccumulator(successResult, newFailureResults, requestContext, dittoHeaders);
+                return new AuthResultAccumulator(successResult, newFailureResults, requestContext, nextResult.getDittoHeaders());
             }
         }
 

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProvider.java

@@ -13,6 +13,7 @@
 package org.eclipse.ditto.gateway.service.security.authentication.jwt;
 
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 
@@ -44,7 +45,15 @@ public CompletionStage<JwtAuthenticationResult> getAuthenticationResult(final Js
             final DittoHeaders dittoHeaders) {
 
         final List<AuthorizationSubject> authSubjects = authSubjectsProvider.getAuthorizationSubjects(jwt);
-        return CompletableFuture.completedFuture(JwtAuthenticationResult.successful(dittoHeaders,
+        final Map<String, String> additionalHeadersToInject =
+                authSubjectsProvider.getAdditionalHeadersInjectedFromClaims(jwt);
+        final DittoHeaders adjustedHeaders;
+        if (!additionalHeadersToInject.isEmpty()) {
+            adjustedHeaders = dittoHeaders.toBuilder().putHeaders(additionalHeadersToInject).build();
+        } else {
+            adjustedHeaders = dittoHeaders;
+        }
+        return CompletableFuture.completedFuture(JwtAuthenticationResult.successful(adjustedHeaders,
                 AuthorizationModelFactory.newAuthContext(DittoAuthorizationContextType.JWT, authSubjects),
                 jwt));
     }

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DittoJwtAuthorizationSubjectsProvider.java

@@ -15,7 +15,9 @@
 import static org.eclipse.ditto.base.model.common.ConditionChecker.checkNotNull;
 
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
+import java.util.stream.Collectors;
 
 import javax.annotation.Nullable;
 import javax.annotation.concurrent.Immutable;
@@ -106,6 +108,29 @@ public List<AuthorizationSubject> getAuthorizationSubjects(final JsonWebToken js
                 .toList();
     }
 
+    @Override
+    public Map<String, String> getAdditionalHeadersInjectedFromClaims(final JsonWebToken jsonWebToken) {
+        checkNotNull(jsonWebToken);
+
+        final String issuer = jsonWebToken.getIssuer();
+        final JwtSubjectIssuerConfig jwtSubjectIssuerConfig = jwtSubjectIssuersConfig.getConfigItem(issuer)
+                .orElseThrow(() -> GatewayJwtIssuerNotSupportedException.newBuilder(issuer).build());
+
+        final Map<String, String> injectClaimsIntoHeaders = jwtSubjectIssuerConfig.getInjectClaimsIntoHeaders();
+        if (!injectClaimsIntoHeaders.isEmpty()) {
+            final ExpressionResolver expressionResolver = PlaceholderFactory.newExpressionResolver(
+                    PlaceholderFactory.newPlaceholderResolver(JwtPlaceholder.getInstance(), jsonWebToken));
+
+            return injectClaimsIntoHeaders.entrySet().stream()
+                    .collect(Collectors.toMap(
+                            Map.Entry::getKey,
+                            entry -> expressionResolver.resolve(entry.getValue()).findFirst().orElse(entry.getValue())
+                    ));
+        } else {
+            return Map.of();
+        }
+    }
+
     @Override
     public boolean equals(@Nullable final Object o) {
         if (this == o) {

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/JwtAuthorizationSubjectsProvider.java

@@ -15,16 +15,16 @@
 import static org.eclipse.ditto.base.model.common.ConditionChecker.checkNotNull;
 
 import java.util.List;
+import java.util.Map;
 
+import org.apache.pekko.actor.ActorSystem;
 import org.eclipse.ditto.base.model.auth.AuthorizationSubject;
 import org.eclipse.ditto.internal.utils.extension.DittoExtensionIds;
 import org.eclipse.ditto.internal.utils.extension.DittoExtensionPoint;
 import org.eclipse.ditto.jwt.model.JsonWebToken;
 
 import com.typesafe.config.Config;
 
-import org.apache.pekko.actor.ActorSystem;
-
 /**
  * A provider for {@link AuthorizationSubject}s contained in a {@link JsonWebToken}.
  */
@@ -39,6 +39,17 @@ public interface JwtAuthorizationSubjectsProvider extends DittoExtensionPoint {
      */
     List<AuthorizationSubject> getAuthorizationSubjects(JsonWebToken jsonWebToken);
 
+    /**
+     * Returns a map of additional headers to inject based on the {@code JsonWebToken} (configured statically in Ditto
+     * via {@code inject-claims-into-headers} config).
+     *
+     * @param jsonWebToken the token containing the claims to inject headers from.
+     * @return the map of additional headers to inject.
+     * @throws NullPointerException if {@code jsonWebToken} is {@code null}.
+     * @since 3.8.0
+     */
+    Map<String, String> getAdditionalHeadersInjectedFromClaims(JsonWebToken jsonWebToken);
+
     /**
      * Loads the implementation of {@code JwtAuthorizationSubjectsProvider} which is configured for the {@code ActorSystem}.
      *

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/JwtSubjectIssuerConfig.java

@@ -17,7 +17,9 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
 import javax.annotation.Nullable;
@@ -34,6 +36,7 @@ public final class JwtSubjectIssuerConfig {
     private final SubjectIssuer subjectIssuer;
     private final List<String> issuers;
     private final List<String> authSubjectTemplates;
+    private final Map<String, String> injectClaimsIntoHeaders;
 
     private static final List<String> DEFAULT_AUTH_SUBJECT = Collections.singletonList("{{jwt:sub}}");
 
@@ -45,23 +48,26 @@ public final class JwtSubjectIssuerConfig {
      *
      */
     public JwtSubjectIssuerConfig(final SubjectIssuer subjectIssuer, final Collection<String> issuers) {
-        this(subjectIssuer, issuers, DEFAULT_AUTH_SUBJECT);
+        this(subjectIssuer, issuers, DEFAULT_AUTH_SUBJECT, Map.of());
     }
 
     /**
      * Constructs a new {@code JwtSubjectIssuerConfig}.
      *
      * @param subjectIssuer the subject issuer.
-     * @param issuers        the list of issuers.
-     * @param authSubjectTemplates  the authorization subject templates
-     *
+     * @param issuers the list of issuers.
+     * @param authSubjectTemplates the authorization subject templates
+     * @param injectClaimsIntoHeaders map of header-key to JWT claim placeholder to inject JWT claims into headers.
      */
     public JwtSubjectIssuerConfig(final SubjectIssuer subjectIssuer,
             final Collection<String> issuers,
-            final Collection<String> authSubjectTemplates) {
+            final Collection<String> authSubjectTemplates,
+            final Map<String, String> injectClaimsIntoHeaders) {
         this.subjectIssuer = requireNonNull(subjectIssuer);
         this.issuers = Collections.unmodifiableList(new ArrayList<>(requireNonNull(issuers)));
         this.authSubjectTemplates = Collections.unmodifiableList(new ArrayList<>(requireNonNull(authSubjectTemplates)));
+        this.injectClaimsIntoHeaders =
+                Collections.unmodifiableMap(new HashMap<>(requireNonNull(injectClaimsIntoHeaders)));
     }
 
     /**
@@ -91,19 +97,29 @@ public List<String> getAuthorizationSubjectTemplates() {
         return authSubjectTemplates;
     }
 
+    /**
+     * Returns claims of a token to inject into DittoHeaders (using the map key as key for the custom header to inject).
+     *
+     * @return claims of a token to inject into DittoHeaders (using the map key as key for the custom header to inject).
+     */
+    public Map<String, String> getInjectClaimsIntoHeaders() {
+        return injectClaimsIntoHeaders;
+    }
+
     @Override
     public boolean equals(@Nullable final Object o) {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         final JwtSubjectIssuerConfig that = (JwtSubjectIssuerConfig) o;
         return Objects.equals(issuers, that.issuers) &&
                 Objects.equals(subjectIssuer, that.subjectIssuer) &&
-                Objects.equals(authSubjectTemplates, that.authSubjectTemplates);
+                Objects.equals(authSubjectTemplates, that.authSubjectTemplates) &&
+                Objects.equals(injectClaimsIntoHeaders, that.injectClaimsIntoHeaders);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(issuers, subjectIssuer, authSubjectTemplates);
+        return Objects.hash(issuers, subjectIssuer, authSubjectTemplates, injectClaimsIntoHeaders);
     }
 
     @Override
@@ -112,6 +128,7 @@ public String toString() {
                 "subjectIssuer=" + subjectIssuer +
                 ", issuers=" + issuers +
                 ", authSubjectTemplates=" + authSubjectTemplates +
+                ", injectClaimsIntoHeaders=" + injectClaimsIntoHeaders +
                 "]";
     }
 

gateway/service/src/main/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/JwtSubjectIssuersConfig.java

@@ -28,6 +28,7 @@
 import javax.annotation.concurrent.Immutable;
 
 import org.eclipse.ditto.gateway.service.util.config.security.OAuthConfig;
+import org.eclipse.ditto.gateway.service.util.config.security.SubjectIssuerConfig;
 import org.eclipse.ditto.policies.model.SubjectIssuer;
 
 /**
@@ -66,8 +67,15 @@ public static JwtSubjectIssuersConfig fromOAuthConfig(final OAuthConfig config)
                 // merge the default and extension config
                 Stream.concat(config.getOpenIdConnectIssuers().entrySet().stream(),
                         config.getOpenIdConnectIssuersExtension().entrySet().stream())
-                        .map(entry -> new JwtSubjectIssuerConfig(entry.getKey(), entry.getValue().getIssuers(),
-                                entry.getValue().getAuthorizationSubjectTemplates()))
+                        .map(entry -> {
+                            final SubjectIssuerConfig issuerConfig = entry.getValue();
+                            return new JwtSubjectIssuerConfig(
+                                    entry.getKey(),
+                                    issuerConfig.getIssuers(),
+                                    issuerConfig.getAuthorizationSubjectTemplates(),
+                                    issuerConfig.getInjectClaimsIntoHeaders()
+                            );
+                        })
                         .collect(Collectors.toSet());
         return new JwtSubjectIssuersConfig(configItems, config.getProtocol());
     }