Conversation

@Rishav9852Kumar (Contributor) commented Jul 11, 2025

Description

This PR abstracts the subject configuration from JWT-backed auth backends to handle a list as config to get sub within nested claims of a JWT payload.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement of #5355

Issues Resolved

Resolves #5430

Supported Nested claims

Standard structure with top-level subject:
{
    "sub": "Leonard McCoy",
    "aud": "TestAudience",
    "iss": "TestIssuer",
    "roles": "role1,role2"
}

Standard structure with top-level subject with nested structures for roles:
{
    "sub": "Leonard McCoy",
    "aud": "TestAudience",
    "iss": "TestIssuer",
    "attributes": {
        "roles": "role1,role2"
    }
}

Nested subject under attributes:
{
    "aud": "TestAudience",
    "iss": "TestIssuer",
    "attributes": {
        "roles": "role1,role2",
        "sub": "Leonard McCoy"
    }
}

Separate nested structures for subject and roles:
{
    "attributes_sub": {
        "sub": "Leonard McCoy"
    },
    "aud": "TestAudience",
    "iss": "TestIssuer",
    "attributes": {
        "roles": "role1,role2"
    }
}

Testing

Unit Tests added

Added in HTTPJwtKeyByOpenIdConnectAuthenticatorTest

  • testSubjectInNestedClaim
  • testSubjectAndRolesInNestedClaim

Unit Tests Result (screenshot not included in this extract)

Integ Tests added

Added in JwtAuthenticationNestedClaimsTests

  • shouldAuthenticateWithNestedRolesClaim
  • shouldAuthenticateWithNestedSubjectAndNestedRoles
  • shouldAuthenticateWithNestedSubjectAndSimpleRoles
  • shouldFailAuthenticationWithCompletelyWrongTokenStructure
  • shouldFailAuthenticationWithMissingNestedSubject
  • shouldFailAuthenticationWithWrongNestedSubjectStructure
  • shouldHandleMissingNestedRolesClaim
  • shouldHandleWrongNestedRolesStructure

Integ Tests Result (screenshot not included in this extract)

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
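The behaviour the description and the integration test names above exercise, as an added example that is not part of this PR or the opensearch-project/security plugin's code: a small Python model where the subject and roles locations are configured as a list of keys (a path into the decoded JWT payload). A missing or malformed nested subject rejects the token, while a missing or malformed roles claim only yields no roles. The function names, the path-list configuration and the sample payloads are assumptions constructed for illustration, mirroring the four claim structures in the description.

```python
# Added example, not the opensearch-project/security plugin's code.
# Assumption: subject and roles locations are configured as key paths
# (lists of keys) into the decoded JWT payload, as the PR describes.
from __future__ import annotations

from typing import Any, Optional


def resolve_claim(payload: dict, path: list[str]) -> Optional[Any]:
    """Walk `path` through nested JSON objects.

    Returns None when a key is missing or when an intermediate node is not
    an object (the "wrong nested structure" case) instead of raising.
    """
    node: Any = payload
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_subject(payload: dict, subject_path: list[str]) -> Optional[str]:
    """The subject must be a non-empty string.

    A missing key, an object, a number or an empty string is rejected so a
    malformed token can never be mapped to an unexpected user name.
    """
    value = resolve_claim(payload, subject_path)
    if isinstance(value, str) and value.strip():
        return value
    return None


def extract_roles(payload: dict, roles_path: list[str]) -> list[str]:
    """Roles are optional: a missing or malformed roles claim yields an empty
    list, so the user authenticates without backend roles."""
    value = resolve_claim(payload, roles_path)
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    if isinstance(value, list) and all(isinstance(r, str) for r in value):
        return [r for r in value if r]
    return []


def authenticate(payload: dict, subject_path: list[str],
                 roles_path: list[str]) -> Optional[tuple[str, list[str]]]:
    """Return (subject, roles), or None when no valid subject is found."""
    subject = extract_subject(payload, subject_path)
    if subject is None:
        return None
    return subject, extract_roles(payload, roles_path)


# Constructed payloads mirroring the four shapes in the PR description.
TOP_LEVEL = {"sub": "Leonard McCoy", "aud": "TestAudience",
             "iss": "TestIssuer", "roles": "role1,role2"}
NESTED_ROLES = {"sub": "Leonard McCoy", "aud": "TestAudience",
                "iss": "TestIssuer", "attributes": {"roles": "role1,role2"}}
NESTED_SUBJECT = {"aud": "TestAudience", "iss": "TestIssuer",
                  "attributes": {"roles": "role1,role2", "sub": "Leonard McCoy"}}
SEPARATE_NESTED = {"attributes_sub": {"sub": "Leonard McCoy"},
                   "aud": "TestAudience", "iss": "TestIssuer",
                   "attributes": {"roles": "role1,role2"}}


if __name__ == "__main__":
    print(authenticate(TOP_LEVEL, ["sub"], ["roles"]))
    print(authenticate(SEPARATE_NESTED, ["attributes_sub", "sub"],
                       ["attributes", "roles"]))
    # Subject configured under "attributes" but the token has it top-level:
    # None, i.e. authentication fails rather than falling back silently.
    print(authenticate(NESTED_ROLES, ["attributes", "sub"],
                       ["attributes", "roles"]))
```

The asymmetry is deliberate: the subject identifies the principal, so any ambiguity about it must fail closed, whereas roles only widen access and a malformed roles claim can safely degrade to "no roles".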

Rishav Kumar and others added 13 commits July 11, 2025 11:39
Signed-off-by: Rishav Kumar <[email protected]>
codecov bot commented Jul 23, 2025

Codecov Report

❌ Patch coverage is 67.85714% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.75%. Comparing base (5dc83be) to head (3feeafe).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
...h/security/auth/http/jwt/HTTPJwtAuthenticator.java 70.58% 3 Missing and 2 partials ⚠️
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java 63.63% 2 Missing and 2 partials ⚠️
@@            Coverage Diff             @@
##             main    #5467      +/-   ##
==========================================
- Coverage   72.78%   72.75%   -0.03%     
==========================================
  Files         398      398              
  Lines       24641    24657      +16     
  Branches     3747     3752       +5     
==========================================
+ Hits        17934    17939       +5     
- Misses       4878     4885       +7     
- Partials     1829     1833       +4     
Files with missing lines Coverage Δ
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java 60.74% <63.63%> (-0.87%) ⬇️
...h/security/auth/http/jwt/HTTPJwtAuthenticator.java 77.02% <70.58%> (-2.26%) ⬇️

... and 6 files with indirect coverage changes


Rishav Kumar and others added 9 commits July 23, 2025 22:02
Signed-off-by: Rishav Kumar <[email protected]>
@Rishav9852Kumar Rishav9852Kumar marked this pull request as ready for review July 27, 2025 11:43
@cwperks (Member) previously approved these changes Jul 29, 2025 and left a comment


Thank you for this PR @Rishav9852Kumar ! The changes LGTM.

@shikharj05 (Collaborator) left a comment


Thanks @Rishav9852Kumar !

@cwperks cwperks merged commit 8ad2641 into opensearch-project:main Jul 29, 2025
69 of 70 checks passed
@Rishav9852Kumar Rishav9852Kumar deleted the jwt-nested-claims branch July 31, 2025 05:51
nagarajg17 pushed a commit to nagarajg17/security that referenced this pull request Jul 31, 2025
Development

Successfully merging this pull request may close these issues.

[FEATURE] Support subject key in a nested claim within JWT