Update oidc related dependencies (#71521)

Update:

Non-issue, no notable changes. 

- json-smart from 2.3 to 2.4.2
- accessors-smart from 1.2 to 2.4.2
- asm from 7.1 to 8.0.1
- nimbus-jose-jwt from 8.6 to 9.8.1
- oauth2-oidc-sdk from 7.0.2 to 9.3.1

Author: jkakavas

x-pack/plugin/security/build.gradle

@@ -59,14 +59,14 @@ dependencies {
   runtimeOnly 'com.google.guava:guava:19.0'
 
   // Dependencies for oidc
-  api "com.nimbusds:oauth2-oidc-sdk:7.0.2"
-  api "com.nimbusds:nimbus-jose-jwt:8.6"
+  api "com.nimbusds:oauth2-oidc-sdk:9.3.1"
+  api "com.nimbusds:nimbus-jose-jwt:9.8.1"
   api "com.nimbusds:lang-tag:1.4.4"
   api "com.sun.mail:jakarta.mail:1.6.3"
   api "net.jcip:jcip-annotations:1.0"
-  api "net.minidev:json-smart:2.3"
-  api "net.minidev:accessors-smart:1.2"
-  api "org.ow2.asm:asm:7.1"
+  api "net.minidev:json-smart:2.4.2"
+  api "net.minidev:accessors-smart:2.4.2"
+  api "org.ow2.asm:asm:8.0.1"
 
   testImplementation 'org.elasticsearch:securemock:1.2'
   testImplementation "org.elasticsearch:mocksocket:${versions.mocksocket}"
@@ -84,7 +84,7 @@ dependencies {
   testImplementation('org.apache.kerby:kerb-crypto:1.1.1')
   testImplementation('org.apache.kerby:kerb-util:1.1.1')
   testImplementation('org.apache.kerby:token-provider:1.1.1')
-  testImplementation('com.nimbusds:nimbus-jose-jwt:8.6')
+  testImplementation('com.nimbusds:nimbus-jose-jwt:9.8.1')
   testImplementation('net.jcip:jcip-annotations:1.0')
   testImplementation('org.apache.kerby:kerb-admin:1.1.1')
   testImplementation('org.apache.kerby:kerb-server:1.1.1')
@@ -264,13 +264,6 @@ tasks.named("thirdPartyAudit").configure {
     'net.sf.ehcache.Element',
     // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
     'org.slf4j.ext.EventData',
-    // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
-    'org.cryptomator.siv.SivMode',
-    // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
-    'com.google.crypto.tink.subtle.Ed25519Sign',
-    'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
-    'com.google.crypto.tink.subtle.Ed25519Verify',
-    'com.google.crypto.tink.subtle.X25519',
     // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We
     // acknowledge them here instead of adding bouncy castle as a compileOnly dependency
     'org.bouncycastle.asn1.ASN1Encodable',
@@ -420,11 +413,13 @@ tasks.named("thirdPartyAudit").configure {
     'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util',
     'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil',
     'org.bouncycastle.jce.provider.BouncyCastleProvider',
+    'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
     'org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec',
     'org.bouncycastle.math.ec.ECFieldElement',
     'org.bouncycastle.math.ec.ECPoint',
     'org.bouncycastle.openssl.jcajce.JcaPEMWriter',
     'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
+    'org.bouncycastle.operator.OperatorCreationException',
     'org.bouncycastle.util.Arrays',
     'org.bouncycastle.util.Strings',
     'org.bouncycastle.util.io.Streams',
@@ -454,7 +449,13 @@ tasks.named("thirdPartyAudit").configure {
           'javax.xml.bind.JAXBException',
           'javax.xml.bind.Unmarshaller',
           'javax.xml.bind.UnmarshallerHandler',
-          // Optional dependencies of oauth2-oidc-sdk
+          // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
+          'org.cryptomator.siv.SivMode',
+          // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
+          'com.google.crypto.tink.subtle.Ed25519Sign',
+          'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
+          'com.google.crypto.tink.subtle.Ed25519Verify',
+          'com.google.crypto.tink.subtle.X25519',
           'com.nimbusds.common.contenttype.ContentType',
           'javax.activation.ActivationDataFlavor',
           'javax.activation.DataContentHandler',

x-pack/plugin/security/licenses/accessors-smart-1.2.jar.sha1

@@ -0,0 +1 @@
+4f09981a3c80f0766998c68d83bfd060812d5bcd

x-pack/plugin/security/licenses/accessors-smart-2.4.2.jar.sha1

@@ -0,0 +1 @@
+3f5199523fb95304b44563f5d56d9f5a07270669

x-pack/plugin/security/licenses/asm-7.1.jar.sha1

@@ -0,0 +1 @@
+a7fcd0f985696c37cd3546f19c85c2ff367f2e85

x-pack/plugin/security/licenses/asm-8.0.1.jar.sha1

@@ -0,0 +1 @@
+2af7f734313320e4b156522d22ce32b775633909

x-pack/plugin/security/licenses/json-smart-2.3.jar.sha1

@@ -0,0 +1 @@
+85891e8c391911ee1073f5e1737689cd804f1a9b

x-pack/plugin/security/licenses/json-smart-2.4.2.jar.sha1

@@ -41,7 +41,6 @@
 import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator;
 import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
 import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
 import org.apache.commons.codec.Charsets;
 import org.apache.http.Header;
 import org.apache.http.HttpEntity;
@@ -234,9 +233,9 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
                 LOGGER.trace("Received and validated the Id Token for the user: [{}]", verifiedIdTokenClaims);
             }
             // Add the Id Token string as a synthetic claim
-            final JSONObject verifiedIdTokenClaimsObject = verifiedIdTokenClaims.toJSONObject();
+            final Map<String, Object> verifiedIdTokenClaimsObject = verifiedIdTokenClaims.toJSONObject();
             final JWTClaimsSet idTokenClaim = new JWTClaimsSet.Builder().claim("id_token_hint", idToken.serialize()).build();
-            verifiedIdTokenClaimsObject.merge(idTokenClaim.toJSONObject());
+            mergeObjects(verifiedIdTokenClaimsObject, idTokenClaim.toJSONObject());
             final JWTClaimsSet enrichedVerifiedIdTokenClaims = JWTClaimsSet.parse(verifiedIdTokenClaimsObject);
             if (accessToken != null && opConfig.getUserinfoEndpoint() != null) {
                 getAndCombineUserInfoClaims(accessToken, enrichedVerifiedIdTokenClaims, claimsListener);
@@ -413,9 +412,9 @@ private void handleUserinfoResponse(HttpResponse httpResponse, JWTClaimsSet veri
                     final JWTClaimsSet userInfoClaims = JWTClaimsSet.parse(contentAsString);
                     validateUserInfoResponse(userInfoClaims, verifiedIdTokenClaims.getSubject(), claimsListener);
                     if (LOGGER.isTraceEnabled()) {
-                        LOGGER.trace("Successfully retrieved user information: [{}]", userInfoClaims.toJSONObject().toJSONString());
+                        LOGGER.trace("Successfully retrieved user information: [{}]", userInfoClaims);
                     }
-                    final JSONObject combinedClaims = verifiedIdTokenClaims.toJSONObject();
+                    final Map<String, Object> combinedClaims = verifiedIdTokenClaims.toJSONObject();
                     mergeObjects(combinedClaims, userInfoClaims.toJSONObject());
                     claimsListener.onResponse(JWTClaimsSet.parse(combinedClaims));
                 } else if (ContentType.parse(contentHeader.getValue()).getMimeType().equals("application/jwt")) {
@@ -664,22 +663,21 @@ private void setMetadataFileWatcher(String jwkSetPath) throws IOException {
     }
 
     /**
-     * Merges the JsonObject with the claims of the ID Token with the JsonObject with the claims of the UserInfo response. This is
-     * necessary as some OPs return slightly different values for some claims (i.e. Google for the profile picture) and
-     * {@link JSONObject#merge(Object)} would throw a runtime exception. The merging is performed based on the following rules:
+     * Merges the Map with the claims of the ID Token with the Map with the claims of the UserInfo response.
+     * The merging is performed based on the following rules:
      * <ul>
      * <li>If the values for a given claim are primitives (of the same type), the value from the ID Token is retained</li>
      * <li>If the values for a given claim are Objects, the values are merged</li>
      * <li>If the values for a given claim are Arrays, the values are merged without removing duplicates</li>
      * <li>If the values for a given claim are of different types, an exception is thrown</li>
      * </ul>
      *
-     * @param userInfo The JsonObject with the ID Token claims
-     * @param idToken  The JsonObject with the UserInfo Response claims
-     * @return the merged JsonObject
+     * @param userInfo The Map with the ID Token claims
+     * @param idToken  The Map with the UserInfo Response claims
+     * @return the merged Map
      */
     // pkg protected for testing
-    static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
+    static Map<String, Object> mergeObjects(Map<String, Object> idToken, Map<String, Object> userInfo) {
         for (Map.Entry<String, Object> entry : idToken.entrySet()) {
             Object value1 = entry.getValue();
             Object value2 = userInfo.get(entry.getKey());
@@ -688,8 +686,8 @@ static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
             }
             if (value1 instanceof JSONArray) {
                 idToken.put(entry.getKey(), mergeArrays((JSONArray) value1, value2));
-            } else if (value1 instanceof JSONObject) {
-                idToken.put(entry.getKey(), mergeObjects((JSONObject) value1, value2));
+            } else if (value1 instanceof Map) {
+                idToken.put(entry.getKey(), mergeObjects((Map<String, Object>) value1, value2));
             } else if (value1.getClass().equals(value2.getClass()) == false) {
                 // A special handling for certain OPs that mix the usage of true and "true"
                 if (value1 instanceof Boolean && value2 instanceof String && String.valueOf(value1).equals(value2)) {
@@ -710,15 +708,15 @@ static JSONObject mergeObjects(JSONObject idToken, JSONObject userInfo) {
         return idToken;
     }
 
-    private static JSONObject mergeObjects(JSONObject jsonObject1, Object jsonObject2) {
+    private static Map<String, Object> mergeObjects(Map<String, Object>  jsonObject1, Object jsonObject2) {
         if (jsonObject2 == null) {
             return jsonObject1;
         }
-        if (jsonObject2 instanceof JSONObject) {
-            return mergeObjects(jsonObject1, (JSONObject) jsonObject2);
+        if (jsonObject2 instanceof Map) {
+            return mergeObjects(jsonObject1, (Map<String, Object>) jsonObject2);
         }
         throw new IllegalStateException("Error while merging ID token and userinfo claims. " +
-            "Cannot merge JSONObject with [" + jsonObject2.getClass().getName() + "]");
+            "Cannot merge a Map with a [" + jsonObject2.getClass().getName() + "]");
     }
 
     private static JSONArray mergeArrays(JSONArray jsonArray1, Object jsonArray2) {

x-pack/plugin/security/licenses/nimbus-jose-jwt-8.6.jar.sha1

@@ -41,7 +41,6 @@
 import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
 import com.nimbusds.openid.connect.sdk.validators.InvalidHashException;
 import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
@@ -74,6 +73,7 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.Date;
+import java.util.Map;
 import java.util.UUID;
 
 import static java.time.Instant.now;
@@ -698,14 +698,14 @@ public void testJsonObjectMerging() throws Exception {
         final JWK jwk = keyMaterial.v2().getKeys().get(0);
         RelyingPartyConfiguration rpConfig = getRpConfig(jwk.getAlgorithm().getName());
         OpenIdConnectProviderConfiguration opConfig = getOpConfig();
-        JSONObject address = new JWTClaimsSet.Builder()
+        Map<String, Object> address = new JWTClaimsSet.Builder()
             .claim("street_name", "12, Test St.")
             .claim("locality", "New York")
             .claim("region", "NY")
             .claim("country", "USA")
             .build()
             .toJSONObject();
-        JSONObject idTokenObject = new JWTClaimsSet.Builder()
+        Map<String, Object> idTokenObject = new JWTClaimsSet.Builder()
             .jwtID(randomAlphaOfLength(8))
             .audience(rpConfig.getClientId().getValue())
             .expirationTime(Date.from(now().plusSeconds(3600)))
@@ -724,7 +724,7 @@ public void testJsonObjectMerging() throws Exception {
             .build()
             .toJSONObject();
 
-        JSONObject userinfoObject = new JWTClaimsSet.Builder()
+        Map<String, Object> userinfoObject = new JWTClaimsSet.Builder()
             .claim("given_name", "Jane Doe")
             .claim("family_name", "Doe")
             .claim("profile", "https://test-profiles.com/jane.doe")
@@ -752,7 +752,7 @@ public void testJsonObjectMerging() throws Exception {
         assertTrue(idTokenObject.containsKey("email"));
 
         // Claims with different types throw an error
-        JSONObject wrongTypeInfo = new JWTClaimsSet.Builder()
+        Map<String, Object> wrongTypeInfo = new JWTClaimsSet.Builder()
             .claim("given_name", "Jane Doe")
             .claim("family_name", 123334434)
             .claim("profile", "https://test-profiles.com/jane.doe")
@@ -767,7 +767,7 @@ public void testJsonObjectMerging() throws Exception {
         });
 
         // Userinfo Claims overwrite ID Token claims
-        JSONObject overwriteUserInfo = new JWTClaimsSet.Builder()
+        Map<String, Object> overwriteUserInfo = new JWTClaimsSet.Builder()
             .claim("given_name", "Jane Doe")
             .claim("family_name", "Doe")
             .claim("profile", "https://test-profiles.com/jane.doe2")
@@ -778,11 +778,11 @@ public void testJsonObjectMerging() throws Exception {
             .toJSONObject();
 
         OpenIdConnectAuthenticator.mergeObjects(idTokenObject, overwriteUserInfo);
-        assertThat(idTokenObject.getAsString("email"), equalTo("[email protected]"));
-        assertThat(idTokenObject.getAsString("profile"), equalTo("https://test-profiles.com/jane.doe"));
+        assertThat(idTokenObject.get("email"), equalTo("[email protected]"));
+        assertThat(idTokenObject.get("profile"), equalTo("https://test-profiles.com/jane.doe"));
 
         // Merging Arrays
-        JSONObject userInfoWithRoles = new JWTClaimsSet.Builder()
+        Map<String, Object> userInfoWithRoles = new JWTClaimsSet.Builder()
             .claim("given_name", "Jane Doe")
             .claim("family_name", "Doe")
             .claim("profile", "https://test-profiles.com/jane.doe")
@@ -797,13 +797,13 @@ public void testJsonObjectMerging() throws Exception {
         assertThat((JSONArray) idTokenObject.get("roles"), containsInAnyOrder("role1", "role2", "role3", "role4", "role5"));
 
         // Merging nested objects
-        JSONObject addressUserInfo = new JWTClaimsSet.Builder()
+        Map<String, Object> addressUserInfo = new JWTClaimsSet.Builder()
             .claim("street_name", "12, Test St.")
             .claim("locality", "New York")
             .claim("postal_code", "10024")
             .build()
             .toJSONObject();
-        JSONObject userInfoWithAddress = new JWTClaimsSet.Builder()
+        Map<String, Object> userInfoWithAddress = new JWTClaimsSet.Builder()
             .claim("given_name", "Jane Doe")
             .claim("family_name", "Doe")
             .claim("profile", "https://test-profiles.com/jane.doe")
@@ -816,7 +816,7 @@ public void testJsonObjectMerging() throws Exception {
             .toJSONObject();
         OpenIdConnectAuthenticator.mergeObjects(idTokenObject, userInfoWithAddress);
         assertTrue(idTokenObject.containsKey("address"));
-        JSONObject combinedAddress = (JSONObject) idTokenObject.get("address");
+        Map<String, Object> combinedAddress = (Map<String, Object>) idTokenObject.get("address");
         assertTrue(combinedAddress.containsKey("street_name"));
         assertTrue(combinedAddress.containsKey("locality"));
         assertTrue(combinedAddress.containsKey("street_name"));
@@ -826,14 +826,14 @@ public void testJsonObjectMerging() throws Exception {
     }
 
     public void testJsonObjectMergingWithBooleanLeniency() {
-        final JSONObject idTokenObject = new JWTClaimsSet.Builder()
+        final Map<String, Object> idTokenObject = new JWTClaimsSet.Builder()
             .claim("email_verified", true)
             .claim("email_verified_1", "true")
             .claim("email_verified_2", false)
             .claim("email_verified_3", "false")
             .build()
             .toJSONObject();
-        final JSONObject userInfoObject = new JWTClaimsSet.Builder()
+        final Map<String, Object> userInfoObject = new JWTClaimsSet.Builder()
             .claim("email_verified", "true")
             .claim("email_verified_1", true)
             .claim("email_verified_2", "false")
@@ -846,23 +846,23 @@ public void testJsonObjectMergingWithBooleanLeniency() {
         assertSame(Boolean.FALSE, idTokenObject.get("email_verified_2"));
         assertSame(Boolean.FALSE, idTokenObject.get("email_verified_3"));
 
-        final JSONObject idTokenObject1 = new JWTClaimsSet.Builder()
+        final Map<String, Object> idTokenObject1 = new JWTClaimsSet.Builder()
             .claim("email_verified", true)
             .build()
             .toJSONObject();
-        final JSONObject userInfoObject1 = new JWTClaimsSet.Builder()
+        final Map<String, Object> userInfoObject1 = new JWTClaimsSet.Builder()
             .claim("email_verified", "false")
             .build()
             .toJSONObject();
         IllegalStateException e =
             expectThrows(IllegalStateException.class, () -> OpenIdConnectAuthenticator.mergeObjects(idTokenObject1, userInfoObject1));
         assertThat(e.getMessage(), containsString("Cannot merge [java.lang.Boolean] with [java.lang.String]"));
 
-        final JSONObject idTokenObject2 = new JWTClaimsSet.Builder()
+        final Map<String, Object> idTokenObject2 = new JWTClaimsSet.Builder()
             .claim("email_verified", true)
             .build()
             .toJSONObject();
-        final JSONObject userInfoObject2 = new JWTClaimsSet.Builder()
+        final Map<String, Object> userInfoObject2 = new JWTClaimsSet.Builder()
             .claim("email_verified", "yes")
             .build()
             .toJSONObject();
@@ -951,7 +951,11 @@ private Tuple<AccessToken, JWT> buildTokens(JWTClaimsSet idToken, Key key, Strin
         if (withAccessToken) {
             accessToken = new BearerAccessToken(Base64.getUrlEncoder().encodeToString(randomByteArrayOfLength(32)));
             AccessTokenHash expectedHash = AccessTokenHash.compute(accessToken, JWSAlgorithm.parse(alg));
-            idToken = JWTClaimsSet.parse(idToken.toJSONObject().appendField("at_hash", expectedHash.getValue()));
+            Map<String, Object> idTokenMap = idToken.toJSONObject();
+            idTokenMap.put("at_hash", expectedHash.getValue());
+            // This is necessary as if nonce claim is of type Nonce, the library won't take it into consideration when serializing the JWT
+            idTokenMap.put("nonce", idTokenMap.get("nonce").toString());
+            idToken = JWTClaimsSet.parse(idTokenMap);
         }
         SignedJWT jwt = new SignedJWT(
             new JWSHeader.Builder(JWSAlgorithm.parse(alg)).keyID(keyId).build(),