provide a JwtDecoder bean with enabled prooftoken check (#1539)

Signed-off-by: liga-oz <[email protected]>

CHANGELOG.md

@@ -8,7 +8,11 @@ All notable changes to this project will be documented in this file.
   and `ClientCertificate` class has been extended with new constructor that takes `java.security.cert.Certificate[]`
   and `java.security.PrivateKey` as an argument and corresponding getters for these fields.
 - [token-client] `SSLContextFactory` class has been extended and supports Keys in PKCS#8 format with ECC algorithm.
-- [spring-security] fixed NPE in IdentityServicesPropertySourceFactory on application startup when bound to a list of XSUAA services whose service plans are ALL not supported
+- [spring-security]
+  - fixed NPE in IdentityServicesPropertySourceFactory on application startup when bound to a list of XSUAA services
+    whose service plans are ALL not supported
+  - provides an autoconfiguration that creates an Identity Service JwtDecoder with enabled proof token check. To enable
+    it, set the `sap.spring.security.identity.prooftoken` spring property to true.
 
 
 ## 3.4.3

spring-security/README.md

@@ -87,10 +87,11 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/
 | [SecurityContextEnvironmentPostProcessor](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java)               | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync                                                                                                                                                                                                   |
 
 #### Autoconfiguration properties
-| Autoconfiguration property           | Default value | Description                                                                                                             |
-|--------------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------|
-| sap.spring.security.hybrid.auto      | true          | This enables all auto-configurations that setup your project for hybrid IAS and/or XSUAA token validation.              |
-| sap.spring.security.xsuaa.flows.auto | true          | This enables all auto-configurations required for XSUAA token exchange using [`token-client`](../token-client) library. |
+| Autoconfiguration property              | Default value | Description                                                                                                             |
+|-----------------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------|
+| sap.spring.security.hybrid.auto         | true          | This enables all auto-configurations that setup your project for hybrid IAS and/or XSUAA token validation.              |
+| sap.spring.security.xsuaa.flows.auto    | true          | This enables all auto-configurations required for XSUAA token exchange using [`token-client`](../token-client) library. |
+| sap.spring.security.identity.prooftoken | true          | This creates a `JwtDecoder` for identity service with enabled prooftoken check                                          |
 
 You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html).
 

spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java

@@ -33,7 +33,7 @@
 /**
  * {@link EnableAutoConfiguration} exposes a {@link JwtDecoder}, which has the standard Spring Security Jwt validators
  * as well as the SCP identity provider-specific validators.
- *
+ * <p>
  * Activates when there is a bean of type {@link Jwt} configured in the context.
  *
  * <p>
@@ -100,6 +100,17 @@ public JwtDecoder hybridJwtDecoderMultiXsuaaServices(IdentityServiceConfiguratio
 					.build();
 		}
 
+		@Bean
+		@ConditionalOnProperty(name = "sap.spring.security.identity.prooftoken", havingValue = "true")
+		@ConditionalOnMissingBean(JwtDecoder.class)
+		public JwtDecoder iasJwtDecoderWithProofTokenCheck(IdentityServiceConfiguration identityConfig) {
+			LOGGER.debug("auto-configures iasJwtDecoderWithProofTokenCheck.");
+			return new JwtDecoderBuilder()
+					.withIasServiceConfiguration(identityConfig)
+					.enableProofTokenCheck()
+					.build();
+		}
+
 		@Bean
 		@ConditionalOnProperty("sap.security.services.identity.domains")
 		@ConditionalOnMissingBean(JwtDecoder.class)

spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JwtDecoderBuilder.java

@@ -33,6 +33,7 @@ public class JwtDecoderBuilder {
 	private final List<ValidationListener> validationListeners = new ArrayList<>();
 	protected CloseableHttpClient httpClient;
 	private CacheConfiguration tokenKeyCacheConfiguration;
+	private boolean enableProofTokenCheck;
 
 	/**
 	 * Use to configure the token key cache.
@@ -160,12 +161,19 @@ private CombiningValidator<Token> getValidators(Service name) {
 			}
 			return xsuaaValidatorBuilder.build();
 		}
-		if (name == Service.IAS) {
-			if (iasConfiguration != null && !iasConfiguration.getProperties().isEmpty()) {
-				JwtValidatorBuilder iasValidatorBuilder = initializeBuilder(iasConfiguration);
-				return iasValidatorBuilder.build();
+		if (name == Service.IAS && (iasConfiguration != null && !iasConfiguration.getProperties().isEmpty())) {
+			JwtValidatorBuilder iasValidatorBuilder = initializeBuilder(iasConfiguration);
+			if (enableProofTokenCheck) {
+				iasValidatorBuilder.enableProofTokenCheck();
 			}
+			return iasValidatorBuilder.build();
+
 		}
 		return null;
 	}
+
+	public JwtDecoderBuilder enableProofTokenCheck() {
+		this.enableProofTokenCheck = true;
+		return this;
+	}
 }

spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfigurationTest.java

@@ -172,6 +172,21 @@ void autoConfigurationIdentityServiceOnly() {
 		runner.run(context -> assertNotNull(context.getBean("iasJwtDecoder", IasJwtDecoder.class)));
 	}
 
+	@Test
+	void autoConfigurationProofTokenCheckEnabled() {
+		List<String> identityProperties = new ArrayList<>();
+		identityProperties.add("sap.security.services.identity.url:http://localhost");
+		identityProperties.add("sap.security.services.identity.domains:localhost");
+		identityProperties.add("sap.security.services.identity.clientid:cid");
+		identityProperties.add("sap.spring.security.identity.prooftoken:true");
+
+		WebApplicationContextRunner runner = new WebApplicationContextRunner()
+				.withPropertyValues(identityProperties.toArray(new String[0]))
+				.withBean(org.springframework.web.context.support.HttpRequestHandlerServlet.class)
+				.withConfiguration(AutoConfigurations.of(HybridIdentityServicesAutoConfiguration.class));
+		runner.run(context -> assertNotNull(context.getBean("iasJwtDecoderWithProofTokenCheck", IasJwtDecoder.class)));
+	}
+
 	@Configuration
 	static class UserConfiguration {