pfed-sso: Enable bearer token authentication

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java

@@ -113,22 +113,7 @@ public boolean isTokenValid(String token, String nonce) {
         }
     }
 
-    /**
-     * Validates the token and returns the corresponding user login.
-     *
-     * @param token the JWT
-     * @return corresponding user login or <code>null</code> if the JWT is invalid
-     */
-    public String validateTokenAndGetLogin(String token) {
-        Map<String, Object> claims = validateTokenAndGetClaims(token);
-        if (claims == null) {
-            return null;
-        }
-        return (String) claims.get("sub");
-    }
-
-    private Map<String, Object> validateTokenAndGetClaims(String token) {
-
+    public Map<String, Object> validateTokenAndGetClaims(String token) {
         try {
             JWT jwt = validateToken(token);
             if (jwt == null) {

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoClient.java

@@ -126,9 +126,9 @@ public String getTokenSigningKey() throws IOException {
         }
     }
 
-    public Profile getUserProfile(String refreshToken) throws IOException {
+    public Profile getUserProfileByRefreshToken(String refreshToken) throws IOException {
         Token token = getTokenByRefreshToken(refreshToken);
-        return getProfile(token);
+        return getProfile(token.accessToken());
     }
 
     private Token getToken(String urlParameters) throws IOException {
@@ -178,15 +178,15 @@ private void postRequest(HttpURLConnection con, String urlParameters) throws IOE
         }
     }
 
-    private Profile getProfile(Token token) throws IOException {
+    public Profile getProfile(String accessToken) throws IOException {
         if (cfg.getUserInfoEndpointUrl() == null) {
             return null;
         }
         HttpURLConnection con = null;
         try {
             URL url = new URL(cfg.getUserInfoEndpointUrl());
             con = (HttpURLConnection) url.openConnection();
-            String authzHeaderValue = String.format("Bearer %s", token.accessToken());
+            String authzHeaderValue = String.format("Bearer %s", accessToken);
             con.setRequestProperty(HttpHeaders.AUTHORIZATION, authzHeaderValue);
             con.setRequestProperty(HttpHeaders.CONTENT_TYPE, CONTENT_TYPE_HEADER);
             con.setRequestMethod("GET");
@@ -240,6 +240,9 @@ public interface Token {
     @JsonIgnoreProperties(ignoreUnknown = true)
     public interface Profile {
 
+        @JsonProperty("sub")
+        String sub();
+
         @JsonProperty("sAMAccountName")
         String userId();
 

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java

@@ -56,30 +56,32 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 
         HttpServletRequest req = WebUtils.toHttp(request);
 
-        String token = SsoCookies.getTokenCookie(req);
+        String bearerToken = extractTokenFromRequest(req);
+        String token = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
+
         if (token == null) {
             return null;
         }
 
-        String login = jwtAuthenticator.validateTokenAndGetLogin(token);
-        if (login == null) {
+        if (!jwtAuthenticator.isTokenValid(token)) {
             return null;
         }
 
-        String[] as = parseDomain(login);
-
-        String refreshToken = SsoCookies.getRefreshCookie(req);
-        // get userprofile send the response as null if refreshToken is expired or used
-        SsoClient.Profile profile;
         try {
-            profile = ssoClient.getUserProfile(refreshToken);
+            SsoClient.Profile profile = bearerToken != null ? ssoClient.getProfile(bearerToken) :
+                    ssoClient.getUserProfileByRefreshToken(SsoCookies.getRefreshCookie(req));
+
+            if (profile == null) {
+                return null;
+            }
+
+            String[] as = parseDomain(profile.sub());
+
+            return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
+
         } catch (IOException e) {
             return null;
         }
-        if (profile == null) {
-            return null;
-        }
-        return new SsoToken(as[0], as[1], profile.displayName(), profile.mail(), profile.userPrincipalName(), profile.nameInNamespace(), profile.groups());
     }
 
     @Override
@@ -112,4 +114,20 @@ private String[] parseDomain(String s) {
         String domain = s.substring(pos + 1);
         return new String[]{username, domain};
     }
+
+    private String extractTokenFromRequest(HttpServletRequest request) {
+        final String value = request.getHeader("Authorization");
+
+        if (value == null || !value.toLowerCase().startsWith("bearer")) {
+            return null;
+        }
+
+        String[] parts = value.split(" ");
+
+        if (parts.length < 2) {
+            return null;
+        }
+
+        return parts[1].trim();
+    }
 }