Distinction between core and fed keys, updated compatibility with spid-cie-oidc-django v1.4.0

README.md

@@ -105,7 +105,7 @@ Sample projects using the library can be executed as docker or docker-compose. S
 
 ### SpringBoot Relying Party example
 
-A simple [SpringBoot](examples/relying-party-spring-boot) web application using the starter-kit to implement a Relying Party.
+A simple [SpringBoot](examples/relying-party-spring-boot) web application using the starter-kit to implement a Relying Party, as well to perform the complete onboarding and login/logout test within the CIE Federation.
 
 This application is for demo purpose only, please don't use it in production or critical environment.
 

coverage/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>starter-kit-parent</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

examples/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>starter-kit-parent</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

examples/relying-party-spring-boot/README.md

@@ -15,7 +15,7 @@ Run the provider [federation](https://github.com/italia/spid-cie-oidc-django)
 - the project should run on [http://127.0.0.1:8000](http://127.0.0.1:8000), keep it running
 
 
-Clone this repository and install all the lement inside the MavenLocal registry
+Clone this repository and install all the elements inside the MavenLocal registry
 ```
 git clone https://github.com/italia/spid-cie-oidc-java
 
@@ -39,9 +39,10 @@ this will start the relying party server on [http://127.0.0.1:8080](http://127.0
 Do the on-boarding process
 - generate the relying party jwks
   - go [here](http://127.0.0.1:8080/) to auto-generate it
-  - jwks are exposed on the page and inside application log
-  - create the file `${user.home}/oidc-rp-jwk.json` with the jwks
-  - use "reload" link to proceed with next step
+  - federation jwks and core jwks are exposed on the page and inside application log
+  - create the file `${user.home}/oidc-rp-jwk.json` with the federation jwks
+  - create the file `${user.home}/oidc-rp-core-jwk.json` with the core jwks
+  - - use "reload" link to proceed with next step
 - show on-boarding datas
   - go [here](http://127.0.0.1:8080/) to see it
 - register the relying party [here](http://127.0.0.1:8000/admin/spid_cie_oidc_authority/federationdescendant/add)
@@ -76,10 +77,32 @@ A docker image containing this example can be built a run:
 - visit `http://relying-party.org:8080/`
 
 Some hints:
-- we are using [federation](https://github.com/italia/spid-cie-oidc-django) v1.2.0
+- we are using [federation](https://github.com/italia/spid-cie-oidc-django) v1.4.0
 - docker images currently sets a proxy of the exposed ports on the localhost interface, so you could use
 previous chapter instructions replacing `127.0.0.1` with the right hostname
-- docker image mounts the folder `./docker/data-java` as `/data` inside spring-boot container to externalize `jwk` and `trust-marks` configuration
+- docker image mounts the folder `./docker/data-java` as `/data` inside spring-boot container to externalize federation and core `jwks` and `trust-marks` configuration
 
 
 [Docker Compose in action on YouTube](https://www.youtube.com/watch?v=U2Ec0No2EKg)
+
+**To be onboarded into CIE Federation**:
+- use always appropriate and valid TLS Certificates
+- use IP from Italian networks for server [CIE Federation servers uses geoblocking]
+- as contact use the same institutional email address as stated into the administrative part [do not use PEC]
+- when copy the federation public key please follow this pattern:
+  - ```
+    {
+    "keys": [
+        {
+          "alg": "RS256",
+          "kid": "....",
+          "kty": "RSA",
+          "n": ".....",
+          "e": "AQAB",
+          "use": "sig"
+        }
+      ]
+    }
+    ```
+- when onboarded, please retrieve the Trust Mark form TA fetch endpoint like this example for preproduction: `https://preprod.oidc.registry.servizicie.interno.gov.it/fetch?sub={your_client_id}` 
+- remember to (put `[` `]` around the Trust Mark when writing the appropriate file

examples/relying-party-spring-boot/docker/Dockerfile-cie.django

@@ -2,7 +2,7 @@ FROM python:3.11-slim
 
 RUN apt update && apt -y install git
 
-RUN git clone --depth=1 --branch v1.2.0 https://github.com/italia/spid-cie-oidc-django && \
+RUN git clone --depth=1 --branch v1.4.0 https://github.com/italia/spid-cie-oidc-django && \
 	cd spid-cie-oidc-django && \
 	pip install --upgrade pip && \
 	pip install -e . && \

examples/relying-party-spring-boot/docker/Dockerfile.django

@@ -2,7 +2,7 @@ FROM python:3.11-slim
 
 RUN apt update && apt -y install git
 
-RUN git clone --depth=1 --branch v1.2.0 https://github.com/italia/spid-cie-oidc-django && \
+RUN git clone --depth=1 --branch v1.4.0 https://github.com/italia/spid-cie-oidc-django && \
 	cd spid-cie-oidc-django && \
 	pip install --upgrade pip && \
 	pip install -e . && \

examples/relying-party-spring-boot/docker/Dockerfile.java-rp

@@ -13,7 +13,8 @@ VOLUME ["/data"]
 ENV OIDC_HOSTS_TRUST_ANCHOR="trust-anchor.org"
 ENV OIDC_HOSTS_CIE_PROVIDER="cie-provider.org"
 ENV OIDC_HOSTS_RELYING_PARTY="relying-party.org"
-ENV OIDC_RELYING_PARTY_JWK_FILE_PATH="/data/oidc-rp-jwk.json"
+ENV OIDC_RELYING_PARTY_JWK_FED_FILE_PATH="/data/oidc-rp-jwk.json"
+ENV OIDC_RELYING_PARTY_CORE_JWK_CORE_FILE_PATH="/data/oidc-rp-core-jwk.json"
 ENV OIDC_RELYING_PARTY_TRUST_MARKS_FILE_PATH="/data/oidc-rp-trust-marks.json"
 ENV SPRING_H2_CONSOLE_SETTINGS_WEB_ALLOW_OTHERS="true"
 

examples/relying-party-spring-boot/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>it.spid.cie.oidc.examples</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>it.spid.cie.oidc.relying.party.spring-boot-sample</artifactId>

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/RelyingPartyWrapper.java

@@ -48,10 +48,10 @@ public JSONObject getUserInfo(String state, String code)
 	}
 
 	public String getUserKey(JSONObject userInfo) {
-		String userKey = userInfo.optString("email");
+		String userKey = userInfo.optString("sub");
 
 		if (Validator.isNullOrEmpty(userKey)) {
-			userKey = userInfo.optString("email", "");
+			userKey = userInfo.optString("sub", "");
 		}
 
 		return userKey;
@@ -83,11 +83,12 @@ public void reloadHandler() throws OIDCException {
 
 	@PostConstruct
 	private void postConstruct() throws OIDCException {
-		String jwk = readFile(oidcConfig.getRelyingParty().getJwkFilePath());
+		String jwkFed = readFile(oidcConfig.getRelyingParty().getJwkFedFilePath());
+		String jwkCore = readFile(oidcConfig.getRelyingParty().getJwkCoreFilePath());
 		String trustMarks = readFile(
 			oidcConfig.getRelyingParty().getTrustMarksFilePath());
 
-		logger.info("final jwk: " + jwk);
+		logger.info("final jwkFed: " + jwkFed);
 		logger.info("final trust_marks: " + trustMarks);
 
 		RelyingPartyOptions options = new RelyingPartyOptions()
@@ -110,7 +111,8 @@ private void postConstruct() throws OIDCException {
 				.setLogoUri(oidcConfig.getRelyingParty().getLogoUri())
 				.setPolicyUri(oidcConfig.getRelyingParty().getPolicyUri())
 				.setFederationContacts(oidcConfig.getRelyingParty().getFederationContacts())
-				.setJWK(jwk)
+				.setJWKFed(jwkFed)
+				.setJWKCore(jwkCore)
 				.setTrustMarks(trustMarks);
 
 		relyingPartyHandler = new RelyingPartyHandler(options, persistenceImpl);

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/config/OidcConfig.java

@@ -208,10 +208,12 @@ public Set<String> getRedirectUris() {
 //			return jwk;
 //		}
 
-		public String getJwkFilePath() {
-			return jwkFilePath;
+		public String getJwkFedFilePath() {
+			return jwkFedFilePath;
+		}
+		public String getJwkCoreFilePath() {
+			return jwkCoreFilePath;
 		}
-
 //		public String getTrustMarks() {
 //			return trustMarks;
 //		}
@@ -271,10 +273,13 @@ public void setFederationContacts(Set<String> federationContacts) {
 //			this.jwk = jwk;
 //		}
 
-		public void setJwkFilePath(String jwkFilePath) {
-			this.jwkFilePath = jwkFilePath;
+		public void setJwkFedFilePath(String jwkFedFilePath) {
+			this.jwkFedFilePath = jwkFedFilePath;
 		}
 
+		public void setJwkCoreFilePath(String jwkCoreFilePath) {
+			this.jwkCoreFilePath = jwkCoreFilePath;
+		}
 //		public void setTrustMarks(String trustMarks) {
 //			this.trustMarks = trustMarks;
 //		}
@@ -305,7 +310,8 @@ public JSONObject toJSON() {
 			json.put("clientId", clientId);
 			json.put("redirectUris", redirectUris);
 			//json.put("jwk", jwk);
-			json.put("jwkFilePath", jwkFilePath);
+			json.put("jwkFilePath", jwkFedFilePath);
+			json.put("jwkCoreFilePath", jwkCoreFilePath);
 			//json.put("trustMarks", trustMarks);
 			json.put("trustMarksFilePath", trustMarksFilePath);
 
@@ -319,7 +325,8 @@ public JSONObject toJSON() {
 		private String clientId;
 		private Set<String> redirectUris = new HashSet<>();
 		//private String jwk;
-		private String jwkFilePath;
+		private String jwkFedFilePath;
+		private String jwkCoreFilePath;
 		//private String trustMarks;
 		private String trustMarksFilePath;
 

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/controller/EntityStatementController.java

@@ -70,7 +70,7 @@ public ResponseEntity<String> resolveEntityStatement(
                     .body(response.toString());
         } else {
             JWTHelper jws = new JWTHelper(new RelyingPartyOptions());
-            return new ResponseEntity<>(jws.createJWS(response, JWTHelper.getJWKSetFromJSON(entityConfiguration.getJwks())), HttpStatus.OK);
+            return new ResponseEntity<>(jws.createJWS(response, JWTHelper.getJWKSetFromJSON(entityConfiguration.getJwksFed())), HttpStatus.OK);
         }
     }
 }

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/controller/HomeController.java

@@ -2,6 +2,8 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.json.JSONArray;
+import org.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -29,8 +31,13 @@ public ModelAndView home(HttpServletRequest request)
 		mav.addObject("trustAnchorHost", oidcConfig.getHosts().getTrustAnchor());
 
 		if (wellKnow.hasOnlyJwks()) {
-			mav.addObject("mineJwks", wellKnow.getValue());
-			mav.addObject("configFile", oidcConfig.getRelyingParty().getJwkFilePath());
+			JSONArray json = new JSONArray(wellKnow.getValue());
+
+			mav.addObject("fedJwks", json.get(0).toString());
+			mav.addObject("coreJwks", json.get(1).toString());
+
+			mav.addObject("configFile", oidcConfig.getRelyingParty().getJwkFedFilePath());
+			mav.addObject("configCoreFile", oidcConfig.getRelyingParty().getJwkCoreFilePath());
 		}
 
 		if (wellKnow.isIntermediate()) {

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/controller/WellKnownController.java

@@ -37,7 +37,7 @@ public ResponseEntity<String> wellKnownFederation(
 		if (wellKnown.getStep() == WellKnownData.STEP_ONLY_JWKS) {
 			logger.info(
 				"Generated jwk. Please add it into 'application.yaml' or save as '" +
-				oidcConfig.getRelyingParty().getJwkFilePath() + "'.\n" +
+				oidcConfig.getRelyingParty().getJwkFedFilePath() + "'.\n" +
 				wellKnown.getValue());
 
 			String body = new JSONObject()

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/persistence/model/FederationEntityModel.java

@@ -9,6 +9,7 @@
 import javax.persistence.Id;
 import javax.persistence.Table;
 
+import com.nimbusds.jose.jwk.KeyUse;
 import it.spid.cie.oidc.model.FederationEntity;
 import it.spid.cie.oidc.util.GetterUtil;
 import it.spid.cie.oidc.util.Validator;
@@ -30,7 +31,8 @@ public static FederationEntityModel of(FederationEntity source) {
 		target.setActive(source.isActive());
 		target.setAuthorityHints(source.getAuthorityHints());
 		target.setConstraints(source.getConstraints());
-		target.setJwks(source.getJwks());
+		target.setJwksFed(source.getJwksFed());
+		target.setJwksCore(source.getJwksCore());
 		target.setTrustMarks(source.getTrustMarks());
 		target.setTrustMarkIssuers(source.gettrustMarkIssuers());
 		target.setMetadata(source.getMetadata());
@@ -71,8 +73,12 @@ public String getAuthorityHints() {
 		return authorityHints;
 	}
 
-	public String getJwks() {
-		return jwks;
+	public String getJwksFed() {
+		return jwksFed;
+	}
+
+	public String getJwksCore() {
+		return jwksCore;
 	}
 
 	public String getTrustMarks() {
@@ -126,10 +132,12 @@ public void setAuthorityHints(String authorityHints) {
 		this.authorityHints = authorityHints;
 	}
 
-	public void setJwks(String jwks) {
-		this.jwks = jwks;
+	public void setJwksFed(String jwksFed) {
+		this.jwksFed = jwksFed;
+	}
+	public void setJwksCore(String jwksCore) {
+		this.jwksCore = jwksCore;
 	}
-
 	public void setTrustMarks(String trustMarks) {
 		this.trustMarks = trustMarks;
 	}
@@ -167,7 +175,8 @@ public FederationEntity toFederationEntity() {
 		target.setActive(isActive());
 		target.setAuthorityHints(getAuthorityHints());
 		target.setConstraints(getConstraints());
-		target.setJwks(getJwks());
+		target.setJwksFed(getJwksFed());
+		target.setJwksCore(getJwksCore());
 		target.setTrustMarks(getTrustMarks());
 		target.settrustMarkIssuers(getTrustMarkIssuers());
 		target.setMetadata(getMetadata());
@@ -213,8 +222,10 @@ private String getStorageId() {
 	private String authorityHints;
 
 	@Column(nullable = false, length = 2000)
-	private String jwks;
+	private String jwksFed;
 
+	@Column(nullable = false, length = 2000)
+	private String jwksCore;
 	@Column(name = "trust_marks", nullable = false, length = 2000)
 	private String trustMarks;
 

examples/relying-party-spring-boot/src/main/resources/application.yml

@@ -63,7 +63,7 @@ oidc:
       token-endpoint-auth-method: "private_key_jwt"
       id-token-signed-response-alg: "RS256"
       userinfo-signed-response-alg: "RS256"
-      userinfo-encrypted-response-alg: "RSA-OAEP"
+      userinfo-encrypted-response-alg: "RSA-OAEP-256"
       userinfo-encrypted-response-enc: "A128CBC-HS256"
 
       federation-resolve-endpoint: "http://${oidc.hosts.relying-party}:8080/resolve"
@@ -77,5 +77,6 @@ oidc:
       client-id: "http://${oidc.hosts.relying-party}:8080/oidc/rp/"
       redirect-uris:
       - "http://${oidc.hosts.relying-party}:8080/oidc/rp/callback"
-      jwk-file-path: ${user.home}/oidc-rp-jwk.json
+      jwk-fed-file-path: ${user.home}/oidc-rp-jwk.json
+      jwk-core-file-path: ${user.home}/oidc-rp-core-jwk.json
       trust-marks-file-path: ${user.home}/oidc-rp-trust-marks.json

examples/relying-party-spring-boot/src/main/resources/sql/schema.sql

@@ -38,7 +38,8 @@ CREATE TABLE IF NOT EXISTS federation_entity_configuration (
 	default_exp INTEGER NOT NULL,
 	default_signature_alg VARCHAR(16) NOT NULL,
 	authority_hints VARCHAR NOT NULL,
-	jwks VARCHAR NOT NULL,
+	jwks_fed VARCHAR NOT NULL,
+	jwks_core VARCHAR NOT NULL,
 	trust_marks VARCHAR NOT NULL,
 	trust_mark_issuers VARCHAR NOT NULL,
 	metadata VARCHAR NOT NULL,

examples/relying-party-spring-boot/src/main/resources/templates/home.html

@@ -2,14 +2,27 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
 	<head>
 		<title>OIDC Relying Party SpringBoot Example</title>
+		<style>
+			pre {
+				white-space: pre-wrap;       /* Since CSS 2.1 */
+				white-space: -moz-pre-wrap;  /* Mozilla, since 1999 */
+				white-space: -pre-wrap;      /* Opera 4-6 */
+				white-space: -o-pre-wrap;    /* Opera 7 */
+				word-wrap: break-word;       /* Internet Explorer 5.5+ */
+			}
+		</style>
 	</head>
 	<body>
 		<h3>OIDC Relying Party SpringBoot Example</h1>
 
 		<div th:if="${onlyJwks}">
-			<p>Before continue, put generated jwk into '<span th:text="${configFile}" />'</p>
+			<p>Before continue, put generated Federation jwk into '<span th:text="${configFile}" />'</p>
 			<p>
-				<pre th:text="${mineJwks}" />
+				<pre th:text="${fedJwks}" />
+			</p>
+			<p>the Core Sig and Enc jwks into '<span th:text="${configCoreFile}" />'</p>
+			<p>
+			<pre th:text="${coreJwks}" />
 			</p>
 			<p>then make the app <a th:href="@{/reload-handler}"> reload </a> it.</p>
 		</div>

examples/relying-party-spring-boot/src/main/resources/templates/landing.html

@@ -36,7 +36,7 @@
 								<div class="nav-mobile">
 									<nav>
 										<a class="it-opener d-lg-none" data-toggle="collapse" href="#menu-principale" role="button" aria-expanded="false" aria-controls="menu-principale">
-											<span>OIDC Relying Partyi JAVA</span>
+											<span>OIDC Relying Party JAVA</span>
 										</a>
 									</nav>
 								</div>