
Commit 51e8060

committed
Add integration test for JWKS endpoint support
1 parent 9a501b1 commit 51e8060


3 files changed

+28
-8
lines changed


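--- a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/BackendJWTUtil.java
+++ b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/BackendJWTUtil.java
@@ -49,13 +49,20 @@ public static void verifySignature(Header jwtheader) throws UnsupportedEncodingE
 * verify JWT Header
 *
 * @param decodedJWTHeaderString decoded JWT Header value
+* @param jwksKidClaim kid claim in JWKS endpoint
 * @throws JSONException if JSON payload is malformed
 */
-public static void verifyJWTHeader(String decodedJWTHeaderString) throws JSONException {
+public static void verifyJWTHeader(String decodedJWTHeaderString, String jwksKidClaim) throws JSONException {
 JSONObject jsonHeaderObject = new JSONObject(decodedJWTHeaderString);
 Assert.assertEquals(jsonHeaderObject.getString("typ"), "JWT");
 Assert.assertEquals(jsonHeaderObject.getString("alg"), "RS256");
+
+// Verify kid claim: check if kid claim in JWT header match with that of JWKS endpoint
 Assert.assertTrue(jsonHeaderObject.has("kid"));
+if (jwksKidClaim != null) {
+Assert.assertEquals(jsonHeaderObject.getString("kid"), jwksKidClaim, "kid claim in JWT header " +
+"does not match with that of JWKS endpoint");
+}
 }
 
 /**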
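Review bot: The `if (jwksKidClaim != null)` guard added to verifyJWTHeader makes the new kid cross-check silently optional: a caller that never resolved the JWKS kid still passes with only the pre-existing `has("kid")` presence check, so a regression in the JWKS endpoint could go unnoticed by every test that routes through this helper. Either fail loudly when the argument is missing, `Assert.assertNotNull(jwksKidClaim, "JWKS kid not resolved; cannot cross-check JWT header");`, or at least document the skip in the Javadoc, e.g. `@param jwksKidClaim kid claim in JWKS endpoint; when null the kid cross-check is skipped`. Note also that a matching kid only shows the header references the published key identifier; it does not show the signature was produced by that key, since verifySignature (visible in the callers) appears to validate against a local key store rather than the JWKS material, so the JWKS key itself is presumably never exercised.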

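--- a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/JWTTestCase.java
+++ b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/jwt/JWTTestCase.java
@@ -28,6 +28,7 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.util.EntityUtils;
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.testng.Assert;
@@ -76,6 +77,7 @@
 
 import javax.ws.rs.core.Response;
 
+import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertNotNull;
 import static org.testng.AssertJUnit.assertTrue;
 
@@ -107,6 +109,7 @@ public class JWTTestCase extends APIManagerLifecycleBaseTest {
 URL tokenEndpointURL;
 private String tokenURL;
 private String identityLoginURL;
+private String jwksKidClaim;
 private final String CALLBACK_URL = "https://localhost:9443/store/";
 
 @BeforeClass(alwaysRun = true)
@@ -191,6 +194,16 @@ public void setEnvironment() throws Exception {
 APIMIntegrationConstants.IS_API_EXISTS);
 waitForAPIDeploymentSync(user.getUserName(), api2Request.getName(), api2Request.getVersion(),
 APIMIntegrationConstants.IS_API_EXISTS);
+
+// Invoke JWKS endpoint and retrieve kid claim to validate backend JWT
+HttpClient httpclient = HttpClientBuilder.create().build();
+HttpGet jwksGet = new HttpGet(getAPIInvocationURLHttp("jwks"));
+HttpResponse jwksResponse = httpclient.execute(jwksGet);
+assertEquals(jwksResponse.getStatusLine().getStatusCode(), HTTP_RESPONSE_CODE_OK,
+"Invocation fails for JWKS GET request");
+String jwksResponseString = EntityUtils.toString(jwksResponse.getEntity(), "UTF-8");
+JSONObject jwksResponseObject = new JSONObject(jwksResponseString);
+jwksKidClaim = jwksResponseObject.getJSONArray("keys").getJSONObject(0).getString("kid");
 }
 
 @Test(groups = {"wso2.am"}, description = "Backend JWT Token Generation for Oauth Based App")
@@ -225,7 +238,7 @@ public void testEnableJWTAndClaimsForOauthApp() throws Exception {
 //Do the signature verification for super tenant as tenant key store not there accessible
 BackendJWTUtil.verifySignature(jwtheader);
 log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
 JSONObject jsonObject = new JSONObject(decodedJWTString);
 log.info("JWT Received ==" + jsonObject.toString());
 //Validate expiry time
@@ -273,7 +286,7 @@ public void testEnableJWTAndClaimsForJWTApp() throws Exception {
 //Do the signature verification
 BackendJWTUtil.verifySignature(jwtheader);
 log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
 JSONObject jsonObject = new JSONObject(decodedJWTString);
 
 // check default claims
@@ -341,7 +354,7 @@ public void testEnableJWTAndClaimsForAPIKeyApp() throws Exception {
 //Do the signature verification
 BackendJWTUtil.verifySignature(jwtheader);
 log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
 JSONObject jsonObject = new JSONObject(decodedJWTString);
 
 // check default claims
@@ -386,7 +399,7 @@ public void testBackendJWTWithClientCredentialsGrant() throws Exception {
 //Do the signature verification
 BackendJWTUtil.verifySignature(jwtheader);
 log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
 JSONObject jsonObject = new JSONObject(decodedJWTString);
 
 // check default claims
@@ -434,7 +447,7 @@ public void testBackendJWTWithAuthCodeGrant() throws Exception {
 //Do the signature verification
 BackendJWTUtil.verifySignature(jwtheader);
 log.debug("Decoded JWT header String = " + decodedJWTHeaderString);
-BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString);
+BackendJWTUtil.verifyJWTHeader(decodedJWTHeaderString, jwksKidClaim);
 JSONObject jsonObject = new JSONObject(decodedJWTString);
 
 // check default claims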
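Review bot: The kid stored in setEnvironment is taken from `getJSONArray("keys").getJSONObject(0)`, which assumes the JWKS document publishes exactly one key; as soon as a second key is published (the normal state during key rotation, and the very case a kid is meant to disambiguate) the comparison in verifyJWTHeader can fail on a perfectly valid token, and an empty `keys` array surfaces only as an opaque JSONException rather than an assertion. Collect every kid from the array and assert the token's kid is among them, or better, resolve the JWKS entry by the token's kid and use that key for signature verification instead of the local key store. The `HttpClientBuilder.create().build()` client is also never closed; wrapping it in try-with-resources (it is a CloseableHttpClient) avoids leaking the connection pool across the class's tests. The rest of setEnvironment starts outside this hunk.
```java
// … unchanged: API deployment waits …
JSONArray jwksKeys = jwksResponseObject.getJSONArray("keys");
assertTrue("JWKS endpoint returned no keys", jwksKeys.length() > 0);
jwksKidClaims = new HashSet<>();
for (int i = 0; i < jwksKeys.length(); i++) {
    jwksKidClaims.add(jwksKeys.getJSONObject(i).getString("kid"));
}
// verifyJWTHeader then asserts jwksKidClaims.contains(header kid) instead of equality with keys[0]
```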

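--- a/pom.xml
+++ b/pom.xml
@@ -1277,10 +1277,10 @@
 <carbon.analytics.common.version>5.3.5</carbon.analytics.common.version>
 
 <!-- APIM Portals Component Version -->
-<carbon.apimgt.ui.version>9.0.453</carbon.apimgt.ui.version>
+<carbon.apimgt.ui.version>9.0.468</carbon.apimgt.ui.version>
 
 <!-- APIM Component Version -->
-<carbon.apimgt.version>9.28.161</carbon.apimgt.version>
+<carbon.apimgt.version>9.28.175</carbon.apimgt.version>
 
 <carbon.apimgt.imp.pkg.version>[9.0.0, 10.0.0)</carbon.apimgt.imp.pkg.version>
 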