Refresh remote JWKs on all errors (elastic#42850)

jkakavas · web-flow · commit 4d0c375e1810 · 2019-06-11T10:55:50.000+03:00
It turns out that key rotation on the OP, can manifest as both
a BadJWSException and a BadJOSEException in nimbus-jose-jwt. As
such we cannot depend on matching only BadJWSExceptions to
determine if we should poll the remote JWKs for an update.

This has the side-effect that a remote JWKs source will be polled
exactly one additional time too for errors that have to do with
configuration, or for errors that might be caused by not synched
clocks, forged JWTs, etc. ( These will throw a BadJWTException
which extends BadJOSEException also )
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java
@@ -12,7 +12,6 @@
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.BadJOSEException;
-import com.nimbusds.jose.proc.BadJWSException;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jose.util.IOUtils;
@@ -241,7 +240,7 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
                 }
                 claimsListener.onResponse(enrichedVerifiedIdTokenClaims);
             }
-        } catch (BadJWSException e) {
+        } catch (BadJOSEException e) {
             // We only try to update the cached JWK set once if a remote source is used and
             // RSA or ECDSA is used for signatures
             if (shouldRetry
@@ -257,7 +256,7 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce
             } else {
                 claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
             }
-        } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException | BadJOSEException | JOSEException e) {
+        } catch (com.nimbusds.oauth2.sdk.ParseException | ParseException | JOSEException e) {
             claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));
         }
     }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticatorTests.java
@@ -320,7 +320,11 @@ public void testImplicitFlowFailsWithExpiredToken() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJWTException.class));
         assertThat(e.getCause().getMessage(), containsString("Expired JWT"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        if (jwk.getAlgorithm().getName().startsWith("HS")) {
+            assertThat(callsToReloadJwk, equalTo(0));
+        } else {
+            assertThat(callsToReloadJwk, equalTo(1));
+        }
     }
 
     public void testImplicitFlowFailsNotYetIssuedToken() throws Exception {
@@ -360,7 +364,11 @@ public void testImplicitFlowFailsNotYetIssuedToken() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJWTException.class));
         assertThat(e.getCause().getMessage(), containsString("JWT issue time ahead of current time"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        if (jwk.getAlgorithm().getName().startsWith("HS")) {
+            assertThat(callsToReloadJwk, equalTo(0));
+        } else {
+            assertThat(callsToReloadJwk, equalTo(1));
+        }
     }
 
     public void testImplicitFlowFailsInvalidIssuer() throws Exception {
@@ -399,7 +407,11 @@ public void testImplicitFlowFailsInvalidIssuer() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJWTException.class));
         assertThat(e.getCause().getMessage(), containsString("Unexpected JWT issuer"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        if (jwk.getAlgorithm().getName().startsWith("HS")) {
+            assertThat(callsToReloadJwk, equalTo(0));
+        } else {
+            assertThat(callsToReloadJwk, equalTo(1));
+        }
     }
 
     public void testImplicitFlowFailsInvalidAudience() throws Exception {
@@ -438,7 +450,11 @@ public void testImplicitFlowFailsInvalidAudience() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJWTException.class));
         assertThat(e.getCause().getMessage(), containsString("Unexpected JWT audience"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        if (jwk.getAlgorithm().getName().startsWith("HS")) {
+            assertThat(callsToReloadJwk, equalTo(0));
+        } else {
+            assertThat(callsToReloadJwk, equalTo(1));
+        }
     }
 
     public void testAuthenticateImplicitFlowFailsWithForgedRsaIdToken() throws Exception {
@@ -611,7 +627,7 @@ public void testImplicitFlowFailsWithAlgorithmMixupAttack() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJOSEException.class));
         assertThat(e.getCause().getMessage(), containsString("Another algorithm expected, or no matching key(s) found"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        assertThat(callsToReloadJwk, equalTo(1));
     }
 
     public void testImplicitFlowFailsWithUnsignedJwt() throws Exception {
@@ -648,7 +664,11 @@ public void testImplicitFlowFailsWithUnsignedJwt() throws Exception {
         assertThat(e.getMessage(), containsString("Failed to parse or validate the ID Token"));
         assertThat(e.getCause(), instanceOf(BadJWTException.class));
         assertThat(e.getCause().getMessage(), containsString("Signed ID token expected"));
-        assertThat(callsToReloadJwk, equalTo(0));
+        if (jwk.getAlgorithm().getName().startsWith("HS")) {
+            assertThat(callsToReloadJwk, equalTo(0));
+        } else {
+            assertThat(callsToReloadJwk, equalTo(1));
+        }
     }
 
     public void testJsonObjectMerging() throws Exception {

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@`
`12`	`12`	`import com.nimbusds.jose.jwk.JWKSet;`
`13`	`13`	`import com.nimbusds.jose.jwk.source.JWKSource;`
`14`	`14`	`import com.nimbusds.jose.proc.BadJOSEException;`
`15`		`-import com.nimbusds.jose.proc.BadJWSException;`
`16`	`15`	`import com.nimbusds.jose.proc.JWSVerificationKeySelector;`
`17`	`16`	`import com.nimbusds.jose.proc.SecurityContext;`
`18`	`17`	`import com.nimbusds.jose.util.IOUtils;`
`@@ -241,7 +240,7 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce`
`241`	`240`	`}`
`242`	`241`	`claimsListener.onResponse(enrichedVerifiedIdTokenClaims);`
`243`	`242`	`}`
`244`		`- } catch (BadJWSException e) {`
	`243`	`+ } catch (BadJOSEException e) {`
`245`	`244`	`// We only try to update the cached JWK set once if a remote source is used and`
`246`	`245`	`// RSA or ECDSA is used for signatures`
`247`	`246`	`if (shouldRetry`
`@@ -257,7 +256,7 @@ private void getUserClaims(@Nullable AccessToken accessToken, JWT idToken, Nonce`
`257`	`256`	`} else {`
`258`	`257`	`claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));`
`259`	`258`	`}`
`260`		`- } catch (com.nimbusds.oauth2.sdk.ParseException \| ParseException \| BadJOSEException \| JOSEException e) {`
	`259`	`+ } catch (com.nimbusds.oauth2.sdk.ParseException \| ParseException \| JOSEException e) {`
`261`	`260`	`claimsListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e));`
`262`	`261`	`}`
`263`	`262`	`}`