Add refresh-token support to OAuth2

It adds refresh tokens support to OAuth2. Whenever refresh-token is issued
it's beeing wrapped along with access-token into self issued JWT token
and send to the client. Whenever token needs to be refreshed, refresh-token
is extracted and used to refresh access-token.

Author: s2lomon

core/trino-main/src/main/java/io/trino/server/security/AbstractBearerAuthenticator.java

@@ -38,10 +38,10 @@ public Identity authenticate(ContainerRequestContext request, String token)
             throws AuthenticationException
     {
         try {
-            return createIdentity(token).orElseThrow(() -> needAuthentication(request, "Invalid credentials"));
+            return createIdentity(token).orElseThrow(() -> needAuthentication(request, Optional.of(token), "Invalid credentials"));
         }
         catch (JwtException | UserMappingException e) {
-            throw needAuthentication(request, e.getMessage());
+            throw needAuthentication(request, Optional.empty(), e.getMessage());
         }
         catch (RuntimeException e) {
             throw new RuntimeException("Authentication error", e);
@@ -53,7 +53,7 @@ public String extractToken(ContainerRequestContext request)
     {
         List<String> headers = request.getHeaders().get(AUTHORIZATION);
         if (headers == null || headers.size() == 0) {
-            throw needAuthentication(request, null);
+            throw needAuthentication(request, Optional.empty(), null);
         }
         if (headers.size() > 1) {
             throw new IllegalArgumentException(format("Multiple %s headers detected: %s, where only single %s header is supported", AUTHORIZATION, headers, AUTHORIZATION));
@@ -62,17 +62,17 @@ public String extractToken(ContainerRequestContext request)
         String header = headers.get(0);
         int space = header.indexOf(' ');
         if ((space < 0) || !header.substring(0, space).equalsIgnoreCase("bearer")) {
-            throw needAuthentication(request, null);
+            throw needAuthentication(request, Optional.empty(), null);
         }
         String token = header.substring(space + 1).trim();
         if (token.isEmpty()) {
-            throw needAuthentication(request, null);
+            throw needAuthentication(request, Optional.empty(), null);
         }
         return token;
     }
 
     protected abstract Optional<Identity> createIdentity(String token)
             throws UserMappingException;
 
-    protected abstract AuthenticationException needAuthentication(ContainerRequestContext request, String message);
+    protected abstract AuthenticationException needAuthentication(ContainerRequestContext request, Optional<String> currentToken, String message);
 }

core/trino-main/src/main/java/io/trino/server/security/jwt/JwtAuthenticator.java

@@ -72,7 +72,7 @@ protected Optional<Identity> createIdentity(String token)
     }
 
     @Override
-    protected AuthenticationException needAuthentication(ContainerRequestContext request, String message)
+    protected AuthenticationException needAuthentication(ContainerRequestContext request, Optional<String> currentToken, String message)
     {
         return new AuthenticationException(message, "Bearer realm=\"Trino\", token_type=\"JWT\"");
     }

core/trino-main/src/main/java/io/trino/server/security/oauth2/ForRefreshTokens.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.server.security.oauth2;
+
+import com.google.inject.BindingAnnotation;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Retention(RUNTIME)
+@Target({FIELD, PARAMETER, METHOD})
+@BindingAnnotation
+public @interface ForRefreshTokens
+{
+}

core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializer.java

@@ -0,0 +1,179 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.server.security.oauth2;
+
+import com.nimbusds.jose.EncryptionMethod;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWEHeader;
+import com.nimbusds.jose.JWEObject;
+import com.nimbusds.jose.KeyLengthException;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.crypto.AESDecrypter;
+import com.nimbusds.jose.crypto.AESEncrypter;
+import io.airlift.units.Duration;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.CompressionException;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.JwtParser;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+import java.security.NoSuchAlgorithmException;
+import java.text.ParseException;
+import java.time.Clock;
+import java.util.Date;
+import java.util.Map;
+import java.util.Optional;
+
+import static com.google.common.base.Preconditions.checkState;
+import static io.trino.server.security.jwt.JwtUtil.newJwtBuilder;
+import static io.trino.server.security.jwt.JwtUtil.newJwtParserBuilder;
+import static java.lang.String.format;
+import static java.util.Objects.requireNonNull;
+
+public class JweTokenSerializer
+        implements TokenPairSerializer
+{
+    private static final JWEAlgorithm ALGORITHM = JWEAlgorithm.A256KW;
+    private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.A256CBC_HS512;
+    private static final CompressionCodec COMPRESSION_CODEC = new ZstdCodec();
+    private static final String ACCESS_TOKEN_KEY = "access_token";
+    private static final String EXPIRATION_TIME_KEY = "expiration_time";
+    private static final String REFRESH_TOKEN_KEY = "refresh_token";
+    private final OAuth2Client client;
+    private final Clock clock;
+    private final String issuer;
+    private final String audience;
+    private final Duration tokenExpiration;
+    private final JwtParser parser;
+    private final AESEncrypter jweEncrypter;
+    private final AESDecrypter jweDecrypter;
+    private final String principalField;
+
+    public JweTokenSerializer(
+            RefreshTokensConfig config,
+            OAuth2Client client,
+            String issuer,
+            String audience,
+            String principalField,
+            Clock clock,
+            Duration tokenExpiration)
+            throws KeyLengthException, NoSuchAlgorithmException
+    {
+        SecretKey secretKey = createKey(requireNonNull(config, "config is null"));
+        this.jweEncrypter = new AESEncrypter(secretKey);
+        this.jweDecrypter = new AESDecrypter(secretKey);
+        this.client = requireNonNull(client, "client is null");
+        this.issuer = requireNonNull(issuer, "issuer is null");
+        this.principalField = requireNonNull(principalField, "principalField is null");
+        this.audience = requireNonNull(audience, "issuer is null");
+        this.clock = requireNonNull(clock, "clock is null");
+        this.tokenExpiration = requireNonNull(tokenExpiration, "tokenExpiration is null");
+
+        this.parser = newJwtParserBuilder()
+                .setClock(() -> Date.from(clock.instant()))
+                .requireIssuer(this.issuer)
+                .requireAudience(this.audience)
+                .setCompressionCodecResolver(JweTokenSerializer::resolveCompressionCodec)
+                .build();
+    }
+
+    @Override
+    public TokenPair deserialize(String token)
+    {
+        requireNonNull(token, "token is null");
+
+        try {
+            JWEObject jwe = JWEObject.parse(token);
+            jwe.decrypt(jweDecrypter);
+            Claims claims = parser.parseClaimsJwt(jwe.getPayload().toString()).getBody();
+            return TokenPair.accessAndRefreshTokens(
+                    claims.get(ACCESS_TOKEN_KEY, String.class),
+                    claims.get(EXPIRATION_TIME_KEY, Date.class),
+                    claims.get(REFRESH_TOKEN_KEY, String.class));
+        }
+        catch (ParseException ex) {
+            throw new IllegalArgumentException("Malformed jwt token", ex);
+        }
+        catch (JOSEException ex) {
+            throw new IllegalArgumentException("Decryption failed", ex);
+        }
+    }
+
+    @Override
+    public String serialize(TokenPair tokenPair)
+    {
+        requireNonNull(tokenPair, "tokenPair is null");
+
+        Optional<Map<String, Object>> accessTokenClaims = client.getClaims(tokenPair.getAccessToken());
+        if (accessTokenClaims.isEmpty()) {
+            throw new IllegalArgumentException("Claims are missing");
+        }
+        Map<String, Object> claims = accessTokenClaims.get();
+        if (!claims.containsKey(principalField)) {
+            throw new IllegalArgumentException(format("%s field is missing", principalField));
+        }
+        JwtBuilder jwt = newJwtBuilder()
+                .setExpiration(Date.from(clock.instant().plusMillis(tokenExpiration.toMillis())))
+                .claim(principalField, claims.get(principalField).toString())
+                .setAudience(audience)
+                .setIssuer(issuer)
+                .claim(ACCESS_TOKEN_KEY, tokenPair.getAccessToken())
+                .claim(EXPIRATION_TIME_KEY, tokenPair.getExpiration())
+                .claim(REFRESH_TOKEN_KEY, tokenPair.getRefreshToken().orElseThrow(JweTokenSerializer::throwExceptionForNonExistingRefreshToken))
+                .compressWith(COMPRESSION_CODEC);
+
+        try {
+            JWEObject jwe = new JWEObject(
+                    new JWEHeader(ALGORITHM, ENCRYPTION_METHOD),
+                    new Payload(jwt.compact()));
+            jwe.encrypt(jweEncrypter);
+            return jwe.serialize();
+        }
+        catch (JOSEException ex) {
+            throw new IllegalStateException("Encryption failed", ex);
+        }
+    }
+
+    private static SecretKey createKey(RefreshTokensConfig config)
+            throws NoSuchAlgorithmException
+    {
+        SecretKey signingKey = config.getSecretKey();
+        if (signingKey == null) {
+            KeyGenerator generator = KeyGenerator.getInstance("AES");
+            generator.init(256);
+            return generator.generateKey();
+        }
+        return signingKey;
+    }
+
+    private static RuntimeException throwExceptionForNonExistingRefreshToken()
+    {
+        throw new IllegalStateException("Expected refresh token to be present. Please check your identity provider setup, or disable refresh tokens");
+    }
+
+    private static CompressionCodec resolveCompressionCodec(Header header)
+            throws CompressionException
+    {
+        if (header.getCompressionAlgorithm() != null) {
+            checkState(header.getCompressionAlgorithm().equals(ZstdCodec.CODEC_NAME), "Unknown codec '%s' used for token compression", header.getCompressionAlgorithm());
+            return COMPRESSION_CODEC;
+        }
+        return null;
+    }
+}

core/trino-main/src/main/java/io/trino/server/security/oauth2/JweTokenSerializerModule.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.server.security.oauth2;
+
+import com.google.inject.Binder;
+import com.google.inject.Inject;
+import com.google.inject.Provides;
+import com.google.inject.Singleton;
+import com.nimbusds.jose.KeyLengthException;
+import io.airlift.configuration.AbstractConfigurationAwareModule;
+import io.trino.client.NodeVersion;
+
+import java.security.NoSuchAlgorithmException;
+import java.time.Clock;
+
+import static io.airlift.configuration.ConfigBinder.configBinder;
+
+public class JweTokenSerializerModule
+        extends AbstractConfigurationAwareModule
+{
+    @Override
+    protected void setup(Binder binder)
+    {
+        configBinder(binder).bindConfig(RefreshTokensConfig.class);
+    }
+
+    @Provides
+    @Singleton
+    @Inject
+    public TokenPairSerializer getTokenPairSerializer(
+            OAuth2Client client,
+            NodeVersion nodeVersion,
+            RefreshTokensConfig config,
+            OAuth2Config oAuth2Config)
+            throws KeyLengthException, NoSuchAlgorithmException
+    {
+        return new JweTokenSerializer(
+                config,
+                client,
+                config.getIssuer() + "_" + nodeVersion.getVersion(),
+                config.getAudience(),
+                oAuth2Config.getPrincipalField(),
+                Clock.systemUTC(),
+                config.getTokenExpiration());
+    }
+}