You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jclouds.apache.org by na...@apache.org on 2016/05/19 22:34:14 UTC
[2/2] jclouds git commit: client credentials JWT support
client credentials JWT support
Project: http://git-wip-us.apache.org/repos/asf/jclouds/repo
Commit: http://git-wip-us.apache.org/repos/asf/jclouds/commit/f46b38dd
Tree: http://git-wip-us.apache.org/repos/asf/jclouds/tree/f46b38dd
Diff: http://git-wip-us.apache.org/repos/asf/jclouds/diff/f46b38dd
Branch: refs/heads/master
Commit: f46b38dd89626bc3d32d8260dd816d44255a8420
Parents: ccd1ef2
Author: Jim Spring <jm...@gmail.com>
Authored: Sat May 14 19:35:39 2016 -0700
Committer: Ignasi Barrera <na...@apache.org>
Committed: Fri May 20 00:10:37 2016 +0200
----------------------------------------------------------------------
apis/oauth/README | 13 +-
.../org/jclouds/oauth/v2/AuthorizationApi.java | 14 +++
.../config/CertificateFingerprintSupplier.java | 113 +++++++++++++++++
.../jclouds/oauth/v2/config/CredentialType.java | 5 +-
.../jclouds/oauth/v2/config/OAuthModule.java | 13 +-
.../oauth/v2/config/OAuthProperties.java | 9 +-
.../oauth/v2/domain/CertificateFingerprint.java | 43 +++++++
.../v2/domain/ClientCredentialsAuthArgs.java | 48 ++++++++
.../v2/domain/ClientCredentialsClaims.java | 61 ++++++++++
.../ClientCredentialsJWTBearerTokenFlow.java | 120 +++++++++++++++++++
.../ClientCredentialsClaimsToAssertion.java | 93 ++++++++++++++
.../oauth/v2/AuthorizationApiLiveTest.java | 34 +++++-
.../oauth/v2/AuthorizationApiMockTest.java | 85 +++++++++++--
apis/oauth/src/test/resources/testcert.pem | 22 ++++
14 files changed, 652 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/README
----------------------------------------------------------------------
diff --git a/apis/oauth/README b/apis/oauth/README
index 7d039b1..73e6e5b 100644
--- a/apis/oauth/README
+++ b/apis/oauth/README
@@ -23,7 +23,7 @@ mvn clean install -Plive \
-Dtest.jclouds.oauth.scope=https://www.googleapis.com/auth/prediction \
-To Run the live test against Azure Active Directory which uses the client_credentials grant type:
+To Run the live test against Azure Active Directory which uses the client_credentials grant type when using a password:
mvn clean install -Plive \
-Dtest.oauth.identity=<azure app id> \
@@ -32,3 +32,14 @@ mvn clean install -Plive \
-Dtest.jclouds.oauth.resource=https://management.azure.com/ \
-Dtest.jclouds.oauth.credential-type=clientCredentialsSecret
+To run the live test against Azure Active directory using the client_credentials grant type with a certificate and private key:
+
+mvn clean install -Plive \
+-Dtest.jclouds.oauth.credential-type=clientCredentialsP12 \
+-Dtest.jclouds.oauth.resource=https://management.azure.com/ \
+-Dtest.oauth.endpoint=https://login.microsoftonline.com/<tenant id>/oauth2/token \
+-Dtest.jclouds.oauth.audience=https://login.microsoftonline.com/<tenant id>/oauth2/token
+-Dtest.oauth.identity=<azure app id> \
+-Dtest.oauth.credential=<path to unencrypted private key PEM file> \
+-Dtest.jclouds.oauth.certificate=<path to certificate PEM file>
+
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/AuthorizationApi.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/AuthorizationApi.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/AuthorizationApi.java
index b77a8de..50c6668 100644
--- a/apis/oauth/src/main/java/org/jclouds/oauth/v2/AuthorizationApi.java
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/AuthorizationApi.java
@@ -29,8 +29,10 @@ import org.jclouds.javax.annotation.Nullable;
import org.jclouds.oauth.v2.OAuthFallbacks.AuthorizationExceptionOn4xx;
import org.jclouds.oauth.v2.config.Authorization;
import org.jclouds.oauth.v2.domain.Claims;
+import org.jclouds.oauth.v2.domain.ClientCredentialsClaims;
import org.jclouds.oauth.v2.domain.Token;
import org.jclouds.oauth.v2.functions.ClaimsToAssertion;
+import org.jclouds.oauth.v2.functions.ClientCredentialsClaimsToAssertion;
import org.jclouds.rest.annotations.Endpoint;
import org.jclouds.rest.annotations.Fallback;
import org.jclouds.rest.annotations.FormParams;
@@ -59,4 +61,16 @@ public interface AuthorizationApi extends Closeable {
@FormParam("resource") String resource,
@FormParam("scope") @Nullable String scope
);
+
+ @Named("oauth2:authorize_client_p12")
+ @POST
+ @FormParams(keys = {"grant_type", "client_assertion_type"}, values = {"client_credentials", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"})
+ @Consumes(APPLICATION_JSON)
+ @Fallback(AuthorizationExceptionOn4xx.class)
+ Token authorize(
+ @FormParam("client_id") String client_id,
+ @FormParam("client_assertion") @ParamParser(ClientCredentialsClaimsToAssertion.class) ClientCredentialsClaims claim,
+ @FormParam("resource") String resource,
+ @FormParam("scope") @Nullable String scope
+ );
}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CertificateFingerprintSupplier.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CertificateFingerprintSupplier.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CertificateFingerprintSupplier.java
new file mode 100644
index 0000000..b59064c
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CertificateFingerprintSupplier.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.config;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Throwables.propagate;
+import static org.jclouds.crypto.Pems.x509Certificate;
+import static org.jclouds.oauth.v2.config.OAuthProperties.CERTIFICATE;
+import static org.jclouds.util.Throwables2.getFirstThrowableOfType;
+
+import java.io.IOException;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import javax.inject.Named;
+
+import org.jclouds.domain.Credentials;
+import org.jclouds.location.Provider;
+import org.jclouds.oauth.v2.domain.CertificateFingerprint;
+import org.jclouds.rest.AuthorizationException;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Supplier;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+import com.google.common.util.concurrent.UncheckedExecutionException;
+import com.google.common.hash.Hashing;
+import static com.google.common.io.BaseEncoding.base64;
+import com.google.common.hash.HashCode;
+
+/**
+ * Loads the fingerprint of a certificate associated with the {@link PrivateKey} from a pem X509Certificate.
+ */
+@Singleton // due to cache
+final class CertificateFingerprintSupplier implements Supplier<CertificateFingerprint> {
+
+ private final Supplier<Credentials> creds;
+ private final LoadingCache<Credentials, CertificateFingerprint> certCache;
+
+ @Inject CertificateFingerprintSupplier(@Provider Supplier<Credentials> creds, CertificateFingerprintForCredentials loader) {
+ this.creds = creds;
+ // throw out the certificate fingerprint related to old credentials
+ this.certCache = CacheBuilder.newBuilder().maximumSize(2).build(checkNotNull(loader, "loader"));
+ }
+
+ /**
+ * it is relatively expensive to extract a certificate from a PEM and calculate it's fingerprint.
+ * cache the relationship between current credentials so that the fingerprint is only recalculated once.
+ */
+ @VisibleForTesting
+ static final class CertificateFingerprintForCredentials extends CacheLoader<Credentials, CertificateFingerprint> {
+ @Inject(optional = true) @Named(CERTIFICATE) String certInPemFormat;
+
+ @Override public CertificateFingerprint load(Credentials in) {
+ try {
+ /**
+ * CERTIFICATE made optional on injection so that it's not required when other OAuth methods
+ * are used.
+ */
+ if (certInPemFormat == null) {
+ throw new IllegalArgumentException("certificate not specified.");
+ }
+ X509Certificate cert = null;
+ cert = x509Certificate(certInPemFormat);
+
+ /** Get the fingerprint in Base64 format */
+ byte[] encodedCert = cert.getEncoded();
+ HashCode hash = Hashing.sha1().hashBytes(encodedCert);
+ String fingerprint = base64().encode(hash.asBytes());
+
+ return CertificateFingerprint.create(fingerprint, cert);
+ } catch (CertificateException e) {
+ throw new AssertionError(e);
+ } catch (IOException e) {
+ throw propagate(e);
+ } catch (IllegalArgumentException e) {
+ throw new AuthorizationException("cannot parse cert. " + e.getMessage(), e);
+ }
+ }
+ }
+
+ @Override public CertificateFingerprint get() {
+ try {
+ // loader always throws UncheckedExecutionException so no point in using get()
+ return certCache.getUnchecked(checkNotNull(creds.get(), "credential supplier returned null"));
+ } catch (UncheckedExecutionException e) {
+ AuthorizationException authorizationException = getFirstThrowableOfType(e, AuthorizationException.class);
+ if (authorizationException != null) {
+ throw authorizationException;
+ }
+ throw e;
+ }
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CredentialType.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CredentialType.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CredentialType.java
index b80f4c4..1719cb4 100644
--- a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CredentialType.java
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/CredentialType.java
@@ -29,7 +29,10 @@ public enum CredentialType {
P12_PRIVATE_KEY_CREDENTIALS,
/** Contents are an ID and Secret */
- CLIENT_CREDENTIALS_SECRET;
+ CLIENT_CREDENTIALS_SECRET,
+
+ /** Contents are an ID and PEM-encoded Private Key. The certificate is specified as it's own property. */
+ CLIENT_CREDENTIALS_P12_AND_CERTIFICATE;
@Override public String toString() {
return UPPER_UNDERSCORE.to(LOWER_CAMEL, name());
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthModule.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthModule.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthModule.java
index 97d58b7..ffc03cd 100644
--- a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthModule.java
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthModule.java
@@ -16,10 +16,11 @@
*/
package org.jclouds.oauth.v2.config;
+import static org.jclouds.oauth.v2.config.OAuthProperties.CREDENTIAL_TYPE;
import static org.jclouds.oauth.v2.config.CredentialType.BEARER_TOKEN_CREDENTIALS;
-import static org.jclouds.oauth.v2.config.CredentialType.CLIENT_CREDENTIALS_SECRET;
import static org.jclouds.oauth.v2.config.CredentialType.P12_PRIVATE_KEY_CREDENTIALS;
-import static org.jclouds.oauth.v2.config.OAuthProperties.CREDENTIAL_TYPE;
+import static org.jclouds.oauth.v2.config.CredentialType.CLIENT_CREDENTIALS_SECRET;
+import static org.jclouds.oauth.v2.config.CredentialType.CLIENT_CREDENTIALS_P12_AND_CERTIFICATE;
import static org.jclouds.rest.config.BinderUtils.bindHttpApi;
import java.net.URI;
@@ -30,9 +31,11 @@ import javax.inject.Named;
import javax.inject.Singleton;
import org.jclouds.oauth.v2.AuthorizationApi;
+import org.jclouds.oauth.v2.domain.CertificateFingerprint;
+import org.jclouds.oauth.v2.filters.JWTBearerTokenFlow;
import org.jclouds.oauth.v2.filters.BearerTokenFromCredentials;
+import org.jclouds.oauth.v2.filters.ClientCredentialsJWTBearerTokenFlow;
import org.jclouds.oauth.v2.filters.ClientCredentialsSecretFlow;
-import org.jclouds.oauth.v2.filters.JWTBearerTokenFlow;
import org.jclouds.oauth.v2.filters.OAuthFilter;
import com.google.common.base.Supplier;
@@ -51,6 +54,7 @@ public final class OAuthModule extends AbstractModule {
bindHttpApi(binder(), AuthorizationApi.class);
bind(CredentialType.class).toProvider(CredentialTypeFromPropertyOrDefault.class);
bind(new TypeLiteral<Supplier<PrivateKey>>() {}).annotatedWith(Authorization.class).to(PrivateKeySupplier.class);
+ bind(new TypeLiteral<Supplier<CertificateFingerprint>>() {}).annotatedWith(Authorization.class).to(CertificateFingerprintSupplier.class);
}
@Provides
@@ -76,7 +80,8 @@ public final class OAuthModule extends AbstractModule {
protected Map<CredentialType, Class<? extends OAuthFilter>> authenticationFlowMap() {
return ImmutableMap.of(P12_PRIVATE_KEY_CREDENTIALS, JWTBearerTokenFlow.class,
BEARER_TOKEN_CREDENTIALS, BearerTokenFromCredentials.class,
- CLIENT_CREDENTIALS_SECRET, ClientCredentialsSecretFlow.class);
+ CLIENT_CREDENTIALS_SECRET, ClientCredentialsSecretFlow.class,
+ CLIENT_CREDENTIALS_P12_AND_CERTIFICATE, ClientCredentialsJWTBearerTokenFlow.class);
}
@Provides
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthProperties.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthProperties.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthProperties.java
index 87b5ca9..29498f1 100644
--- a/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthProperties.java
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/config/OAuthProperties.java
@@ -37,13 +37,20 @@ public final class OAuthProperties {
public static final String CREDENTIAL_TYPE = "jclouds.oauth.credential-type";
/**
- * When using oauth with Azure Active Direction and Client Credentials, a "resource" must
+ * When using oauth with Azure Active Directory and Client Credentials, a "resource" must
* be specified as part of the request.
*
* @see <a href="https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx">doc</a>
*/
public static final String RESOURCE = "jclouds.oauth.resource";
+ /**
+ * When using oauth with Azure Active Directory, Client Credentials, and using JWT
+ * authentication, the certificate associated with the Private Key must be provided.
+ * The fingerprint of the certificate is included in the JWT headers.
+ */
+ public static final String CERTIFICATE = "jclouds.oauth.certificate";
+
private OAuthProperties() {
}
}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/CertificateFingerprint.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/CertificateFingerprint.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/CertificateFingerprint.java
new file mode 100644
index 0000000..a2f797b
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/CertificateFingerprint.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.domain;
+
+import org.jclouds.json.SerializedNames;
+
+import com.google.auto.value.AutoValue;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Details corresponding the a client_credential Azure AD Oauth request
+ */
+@AutoValue
+public abstract class CertificateFingerprint {
+ /** The fingerprint of the certificate **/
+ public abstract String fingerprint();
+
+ /** The certificate */
+ public abstract X509Certificate certificate();
+
+ @SerializedNames({ "fingerprint", "certificate" })
+ public static CertificateFingerprint create(String fingerprint, X509Certificate certificate) {
+ return new AutoValue_CertificateFingerprint(fingerprint, certificate);
+ }
+
+ CertificateFingerprint() {
+ }
+}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsAuthArgs.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsAuthArgs.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsAuthArgs.java
new file mode 100644
index 0000000..1dcad42
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsAuthArgs.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.domain;
+
+import org.jclouds.javax.annotation.Nullable;
+import org.jclouds.json.SerializedNames;
+
+import com.google.auto.value.AutoValue;
+
+/**
+ * Details corresponding the a client_credential Azure AD Oauth request
+ */
+@AutoValue
+public abstract class ClientCredentialsAuthArgs {
+ /** The ID of the client. **/
+ public abstract String clientId();
+
+ /** The claims for the JWT. */
+ public abstract ClientCredentialsClaims claims();
+
+ /** The resource to authorize against. **/
+ public abstract String resource();
+
+ /** The scope(s) to authorize against. **/
+ @Nullable public abstract String scope();
+
+ @SerializedNames({ "client_id", "claims", "resource", "scope" })
+ public static ClientCredentialsAuthArgs create(String clientId, ClientCredentialsClaims claims, String resource, String scope) {
+ return new AutoValue_ClientCredentialsAuthArgs(clientId, claims, resource, scope);
+ }
+
+ ClientCredentialsAuthArgs() {
+ }
+}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsClaims.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsClaims.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsClaims.java
new file mode 100644
index 0000000..3c37bef
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/domain/ClientCredentialsClaims.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.domain;
+
+import org.jclouds.json.SerializedNames;
+
+import com.google.auto.value.AutoValue;
+
+/**
+ * Claims corresponding to a {@linkplain Token JWT Token} for use when making a client_credentials grant request.
+ *
+ * @see <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4">registered list</a>
+ */
+@AutoValue
+public abstract class ClientCredentialsClaims {
+ /**
+ * The issuer of this token. In Azure, it is either the email address for the Active Directory account
+ * or the ID of the application set up as a Service Principal.
+ */
+ public abstract String iss();
+
+ /** The subject of the JWT. For Azure, "sub" is typically equal to "iss". */
+ public abstract String sub();
+
+ /**
+ * The oauth audience, who this token is intended for. For instance in JWT and for Azure
+ * Resource Manager APIs, this maps to https://login.microsoftonline.com/TENANT_ID/oauth2/token.
+ */
+ public abstract String aud();
+
+ /** The expiration time, in seconds since the epoch after which the JWT must not be accepted for processing. */
+ public abstract long exp();
+
+ /** The time before which the JWT must not be accepted for processing, in seconds since the epoch. */
+ public abstract long nbf();
+
+ /** "JWT ID", a unique identifier for the JWT. */
+ public abstract String jti();
+
+ @SerializedNames({ "iss", "sub", "aud", "exp", "nbf", "jti" })
+ public static ClientCredentialsClaims create(String iss, String sub, String aud, long exp, long nbf, String jti) {
+ return new AutoValue_ClientCredentialsClaims(iss, sub, aud, exp, nbf, jti);
+ }
+
+ ClientCredentialsClaims() {
+ }
+}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/filters/ClientCredentialsJWTBearerTokenFlow.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/filters/ClientCredentialsJWTBearerTokenFlow.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/filters/ClientCredentialsJWTBearerTokenFlow.java
new file mode 100644
index 0000000..dd11940
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/filters/ClientCredentialsJWTBearerTokenFlow.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.filters;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.jclouds.Constants.PROPERTY_SESSION_INTERVAL;
+import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
+import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import java.util.List;
+import java.util.UUID;
+
+import org.jclouds.domain.Credentials;
+import org.jclouds.http.HttpException;
+import org.jclouds.http.HttpRequest;
+import org.jclouds.location.Provider;
+import org.jclouds.oauth.v2.AuthorizationApi;
+import org.jclouds.oauth.v2.config.OAuthScopes;
+import org.jclouds.oauth.v2.domain.ClientCredentialsAuthArgs;
+import org.jclouds.oauth.v2.domain.ClientCredentialsClaims;
+import org.jclouds.oauth.v2.domain.Token;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Supplier;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+
+/**
+ * Authorizes new Bearer Tokens at runtime by authorizing claims needed for the http request.
+ *
+ * <h3>Cache</h3>
+ * This maintains a time-based Bearer Token cache. By default expires after 59 minutes
+ * (the maximum time a token is valid is 60 minutes).
+ * This cache and expiry period is system-wide and does not attend to per-instance expiry time
+ * (e.g. "expires_in" from Google Compute -- which is set to the standard 3600 seconds).
+ */
+public class ClientCredentialsJWTBearerTokenFlow implements OAuthFilter {
+ private static final Joiner ON_SPACE = Joiner.on(" ");
+
+ private final String resource;
+ private final String audience;
+ private final Supplier<Credentials> credentialsSupplier;
+ private final OAuthScopes scopes;
+ private final long tokenDuration;
+ private final LoadingCache<ClientCredentialsAuthArgs, Token> tokenCache;
+
+ @Inject
+ ClientCredentialsJWTBearerTokenFlow(AuthorizeToken loader, @Named(PROPERTY_SESSION_INTERVAL) long tokenDuration,
+ @Provider Supplier<Credentials> credentialsSupplier,
+ OAuthScopes scopes,
+ @Named(AUDIENCE) String audience,
+ @Named(RESOURCE) String resource) {
+ this.credentialsSupplier = credentialsSupplier;
+ this.scopes = scopes;
+ this.audience = audience;
+ this.resource = resource;
+ this.tokenDuration = tokenDuration;
+ // since the session interval is also the token expiration time requested to the server make the token expire a
+ // bit before the deadline to make sure there aren't session expiration exceptions
+ long cacheExpirationSeconds = tokenDuration > 30 ? tokenDuration - 30 : tokenDuration;
+ this.tokenCache = CacheBuilder.newBuilder().expireAfterWrite(cacheExpirationSeconds, SECONDS).build(loader);
+ }
+
+ static final class AuthorizeToken extends CacheLoader<ClientCredentialsAuthArgs, Token> {
+ private final AuthorizationApi api;
+
+ @Inject AuthorizeToken(AuthorizationApi api) {
+ this.api = api;
+ }
+
+ @Override public Token load(ClientCredentialsAuthArgs key) throws Exception {
+ return api.authorize(key.clientId(), key.claims(), key.resource(), key.scope());
+ }
+ }
+
+ @Override public HttpRequest filter(HttpRequest request) throws HttpException {
+ long now = currentTimeSeconds();
+ List<String> configuredScopes = scopes.forRequest(request);
+ ClientCredentialsClaims claims = ClientCredentialsClaims.create( //
+ credentialsSupplier.get().identity, // iss
+ credentialsSupplier.get().identity, // sub
+ audience, // aud
+ now + tokenDuration, // exp
+ now, // nbf
+ UUID.randomUUID().toString() // jti
+ );
+ ClientCredentialsAuthArgs authArgs = ClientCredentialsAuthArgs.create(
+ credentialsSupplier.get().identity,
+ claims,
+ resource == null ? "" : resource,
+ configuredScopes.isEmpty() ? null : ON_SPACE.join(configuredScopes)
+ );
+
+ Token token = tokenCache.getUnchecked(authArgs);
+ String authorization = String.format("%s %s", token.tokenType(), token.accessToken());
+ return request.toBuilder().addHeader("Authorization", authorization).build();
+ }
+
+ long currentTimeSeconds() {
+ return System.currentTimeMillis() / 1000;
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/main/java/org/jclouds/oauth/v2/functions/ClientCredentialsClaimsToAssertion.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/main/java/org/jclouds/oauth/v2/functions/ClientCredentialsClaimsToAssertion.java b/apis/oauth/src/main/java/org/jclouds/oauth/v2/functions/ClientCredentialsClaimsToAssertion.java
new file mode 100644
index 0000000..b43f579
--- /dev/null
+++ b/apis/oauth/src/main/java/org/jclouds/oauth/v2/functions/ClientCredentialsClaimsToAssertion.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jclouds.oauth.v2.functions;
+
+import static com.google.common.base.Charsets.UTF_8;
+import static com.google.common.base.Joiner.on;
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.io.BaseEncoding.base64Url;
+import static org.jclouds.oauth.v2.config.OAuthProperties.JWS_ALG;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+
+import org.jclouds.json.Json;
+import org.jclouds.oauth.v2.config.Authorization;
+import org.jclouds.oauth.v2.domain.CertificateFingerprint;
+import org.jclouds.rest.AuthorizationException;
+
+import com.google.common.base.Function;
+import com.google.common.base.Supplier;
+import com.google.common.collect.ImmutableList;
+
+public final class ClientCredentialsClaimsToAssertion implements Function<Object, String> {
+ private static final List<String> SUPPORTED_ALGS = ImmutableList.of("RS256", "none");
+
+ private final Supplier<PrivateKey> privateKey;
+ private final Supplier<CertificateFingerprint> certFingerprint;
+ private final Json json;
+ private final String alg;
+
+ @Inject ClientCredentialsClaimsToAssertion(@Named(JWS_ALG) String alg,
+ @Authorization Supplier<PrivateKey> privateKey,
+ @Authorization Supplier<CertificateFingerprint> certFingerprint,
+ Json json) {
+ this.alg = alg;
+ checkArgument(SUPPORTED_ALGS.contains(alg), "%s %s not in supported list", JWS_ALG, alg, SUPPORTED_ALGS);
+ this.privateKey = privateKey;
+ this.certFingerprint = certFingerprint;
+ this.json = json;
+ }
+
+ @Override public String apply(Object input) {
+ String encodedHeader = String.format("{\"alg\":\"%s\",\"typ\":\"JWT\",\"x5t\":\"%s\"}", alg, certFingerprint.get().fingerprint());
+ String encodedClaimSet = json.toJson(input);
+
+ encodedHeader = base64Url().omitPadding().encode(encodedHeader.getBytes(UTF_8));
+ encodedClaimSet = base64Url().omitPadding().encode(encodedClaimSet.getBytes(UTF_8));
+
+ byte[] signature = alg.equals("none")
+ ? null
+ : sha256(privateKey.get(), on(".").join(encodedHeader, encodedClaimSet).getBytes(UTF_8));
+ String encodedSignature = signature != null ? base64Url().omitPadding().encode(signature) : "";
+
+ // the final assertion in base 64 encoded {header}.{claimSet}.{signature} format
+ return on(".").join(encodedHeader, encodedClaimSet, encodedSignature);
+ }
+
+ static byte[] sha256(PrivateKey privateKey, byte[] input) {
+ try {
+ Signature signature = Signature.getInstance("SHA256withRSA");
+ signature.initSign(privateKey);
+ signature.update(input);
+ return signature.sign();
+ } catch (NoSuchAlgorithmException e) {
+ throw new AssertionError(e);
+ } catch (SignatureException e) {
+ throw new AuthorizationException(e);
+ } catch (InvalidKeyException e) {
+ throw new AuthorizationException(e);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiLiveTest.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiLiveTest.java b/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiLiveTest.java
index 1ded5dc..5d0d7cf 100644
--- a/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiLiveTest.java
+++ b/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiLiveTest.java
@@ -21,11 +21,13 @@ import static org.jclouds.oauth.v2.OAuthTestUtils.setCredential;
import static org.jclouds.oauth.v2.config.OAuthProperties.JWS_ALG;
import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
+import static org.jclouds.oauth.v2.config.OAuthProperties.CERTIFICATE;
import static org.jclouds.oauth.v2.config.OAuthProperties.CREDENTIAL_TYPE;
import static org.jclouds.providers.AnonymousProviderMetadata.forApiOnEndpoint;
import static org.testng.Assert.assertNotNull;
import java.util.Properties;
+import java.util.UUID;
import org.jclouds.apis.BaseApiLiveTest;
import org.jclouds.oauth.v2.config.CredentialType;
@@ -33,6 +35,7 @@ import org.jclouds.oauth.v2.config.OAuthModule;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.config.OAuthScopes.SingleScope;
import org.jclouds.oauth.v2.domain.Claims;
+import org.jclouds.oauth.v2.domain.ClientCredentialsClaims;
import org.jclouds.oauth.v2.domain.Token;
import org.jclouds.providers.ProviderMetadata;
import org.testng.annotations.DataProvider;
@@ -51,6 +54,7 @@ public class AuthorizationApiLiveTest extends BaseApiLiveTest<AuthorizationApi>
private String audience;
private String credentialType;
private String resource;
+ private String certificate;
public AuthorizationApiLiveTest() {
provider = "oauth";
@@ -65,7 +69,13 @@ public class AuthorizationApiLiveTest extends BaseApiLiveTest<AuthorizationApi>
@DataProvider
public Object[][] onlyRunForClientCredentialsSecret() {
return (CredentialType.fromValue(credentialType) == CredentialType.CLIENT_CREDENTIALS_SECRET) ?
- OAuthTestUtils.SINGLE_NO_ARG_INVOCATION : OAuthTestUtils.NO_INVOCATIONS;
+ OAuthTestUtils.SINGLE_NO_ARG_INVOCATION : OAuthTestUtils.NO_INVOCATIONS;
+ }
+
+ @DataProvider
+ public Object[][] onlyRunForClientCredentialsP12() {
+ return (CredentialType.fromValue(credentialType) == CredentialType.CLIENT_CREDENTIALS_P12_AND_CERTIFICATE) ?
+ OAuthTestUtils.SINGLE_NO_ARG_INVOCATION : OAuthTestUtils.NO_INVOCATIONS;
}
@Test(dataProvider = "onlyRunForP12PrivateKeyCredentials")
@@ -98,6 +108,23 @@ public class AuthorizationApiLiveTest extends BaseApiLiveTest<AuthorizationApi>
assertNotNull(token, "no token when authorizing " + identity);
}
+ @Test(dataProvider = "onlyRunForClientCredentialsP12")
+ public void authenticateClientCredentialsP12Test() throws Exception {
+ long now = System.currentTimeMillis() / 1000;
+ ClientCredentialsClaims claims = ClientCredentialsClaims.create(
+ identity, // iss
+ identity, // sub
+ audience, // aud
+ now + 3600, // exp
+ now, // iat
+ UUID.randomUUID().toString()
+ );
+
+ Token token = api.authorize(identity, claims, resource, null);
+
+ assertNotNull(token, "no token when authorizing " + claims);
+ }
+
/** OAuth isn't registered as a provider intentionally, so we fake one. */
@Override protected ProviderMetadata createProviderMetadata() {
return forApiOnEndpoint(AuthorizationApi.class, endpoint).toBuilder().id("oauth").build();
@@ -121,6 +148,11 @@ public class AuthorizationApiLiveTest extends BaseApiLiveTest<AuthorizationApi>
// Set the credential specific properties.
if (CredentialType.fromValue(credentialType) == CredentialType.CLIENT_CREDENTIALS_SECRET) {
resource = checkNotNull(setIfTestSystemPropertyPresent(props, RESOURCE), "test." + RESOURCE);
+ } else if (CredentialType.fromValue(credentialType) == CredentialType.CLIENT_CREDENTIALS_P12_AND_CERTIFICATE) {
+ audience = checkNotNull(setIfTestSystemPropertyPresent(props, AUDIENCE), "test.jclouds.oauth.audience");
+ resource = checkNotNull(setIfTestSystemPropertyPresent(props, RESOURCE), "test." + RESOURCE);
+ certificate = setCredential(props, CERTIFICATE);
+ credential = setCredential(props, "oauth.credential");
} else if (CredentialType.fromValue(credentialType) == CredentialType.P12_PRIVATE_KEY_CREDENTIALS) {
audience = checkNotNull(setIfTestSystemPropertyPresent(props, AUDIENCE), "test.jclouds.oauth.audience");
credential = setCredential(props, "oauth.credential");
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiMockTest.java
----------------------------------------------------------------------
diff --git a/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiMockTest.java b/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiMockTest.java
index adc7585..89fe953 100644
--- a/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiMockTest.java
+++ b/apis/oauth/src/test/java/org/jclouds/oauth/v2/AuthorizationApiMockTest.java
@@ -23,10 +23,12 @@ import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
import static org.jclouds.Constants.PROPERTY_MAX_RETRIES;
import static org.jclouds.oauth.v2.config.CredentialType.P12_PRIVATE_KEY_CREDENTIALS;
import static org.jclouds.oauth.v2.config.CredentialType.CLIENT_CREDENTIALS_SECRET;
+import static org.jclouds.oauth.v2.config.CredentialType.CLIENT_CREDENTIALS_P12_AND_CERTIFICATE;
+import static org.jclouds.oauth.v2.config.OAuthProperties.CERTIFICATE;
import static org.jclouds.oauth.v2.config.OAuthProperties.AUDIENCE;
-import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
import static org.jclouds.oauth.v2.config.OAuthProperties.CREDENTIAL_TYPE;
import static org.jclouds.oauth.v2.config.OAuthProperties.JWS_ALG;
+import static org.jclouds.oauth.v2.config.OAuthProperties.RESOURCE;
import static org.jclouds.util.Strings2.toStringAndClose;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.fail;
@@ -42,6 +44,7 @@ import org.jclouds.oauth.v2.config.OAuthModule;
import org.jclouds.oauth.v2.config.OAuthScopes;
import org.jclouds.oauth.v2.config.OAuthScopes.SingleScope;
import org.jclouds.oauth.v2.domain.Claims;
+import org.jclouds.oauth.v2.domain.ClientCredentialsClaims;
import org.jclouds.oauth.v2.domain.Token;
import org.jclouds.rest.AnonymousHttpApiMetadata;
import org.jclouds.rest.AuthorizationException;
@@ -76,13 +79,28 @@ public class AuthorizationApiMockTest {
1328569781 // iat
);
+ private static final String clientCredentialsHeader = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"RZk6mx4gGECvF6XWZWkK9qaGdHk=\"}";
+ private static final String clientCredentialsClaims = "{\"iss\":\"a242b44e-2c2a-3bdd-b094-6152da263c54\"," +
+ "\"sub\":\"a242b44e-2c2a-3bdd-b094-6152da263c54\",\"aud\":" +
+ "\"https://login.microsoftonline.com/a242ccee-1a1a-3bdd-b094-6152da263c54/oauth2/token\"" +
+ ",\"exp\":1328573381,\"nbf\":1328569781,\"jti\":\"abcdefgh\"}";
+
+ private static final ClientCredentialsClaims CLIENT_CREDENTIALS_CLAIMS = ClientCredentialsClaims.create(
+ "a242b44e-2c2a-3bdd-b094-6152da263c54", // iss
+ "a242b44e-2c2a-3bdd-b094-6152da263c54", // sub
+ "https://login.microsoftonline.com/a242ccee-1a1a-3bdd-b094-6152da263c54/oauth2/token", //aud
+ 1328573381, // exp
+ 1328569781, // nbf
+ "abcdefgh" // jti
+ );
+
public void testGenerateJWTRequest() throws Exception {
MockWebServer server = new MockWebServer();
try {
server.enqueue(new MockResponse().setBody("{\n"
- + " \"access_token\" : \"1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M\",\n"
- + " \"token_type\" : \"Bearer\",\n" + " \"expires_in\" : 3600\n" + "}"));
+ + " \"access_token\" : \"1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M\",\n"
+ + " \"token_type\" : \"Bearer\",\n" + " \"expires_in\" : 3600\n" + "}"));
server.play();
AuthorizationApi api = api(server.getUrl("/"), P12_PRIVATE_KEY_CREDENTIALS);
@@ -95,16 +113,16 @@ public class AuthorizationApiMockTest {
assertEquals(request.getHeader("Content-Type"), "application/x-www-form-urlencoded");
assertEquals(
- new String(request.getBody(), UTF_8), //
- "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&"
- +
- // Base64 Encoded Header
- "assertion="
- + Joiner.on('.').join(encoding.encode(header.getBytes(UTF_8)),
- encoding.encode(claims.getBytes(UTF_8)),
- // Base64 encoded {header}.{claims} signature (using
- // SHA256)
- "W2Lesr_98AzVYiMbzxFqmwcOjpIWlwqkC6pNn1fXND9oSDNNnFhy-AAR6DKH-x9ZmxbY80"
+ new String(request.getBody(), UTF_8), //
+ "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&"
+ +
+ // Base64 Encoded Header
+ "assertion="
+ + Joiner.on('.').join(encoding.encode(header.getBytes(UTF_8)),
+ encoding.encode(claims.getBytes(UTF_8)),
+ // Base64 encoded {header}.{claims} signature (using
+ // SHA256)
+ "W2Lesr_98AzVYiMbzxFqmwcOjpIWlwqkC6pNn1fXND9oSDNNnFhy-AAR6DKH-x9ZmxbY80"
+ "R5fH-OCeWumXlVgceKN8Z2SmgQsu8ElTpypQA54j_5j8vUImJ5hsOUYPeyF1U2BUzZ3L5g"
+ "03PXBA0YWwRU9E1ChH28dQBYuGiUmYw"));
} finally {
@@ -161,6 +179,46 @@ public class AuthorizationApiMockTest {
}
}
+ public void testGenerateClientCredentialsJWTRequest() throws Exception {
+ MockWebServer server = new MockWebServer();
+
+ String identity = "user";
+ String resource = "http://management.azure.com/";
+ String encoded_resource = "http%3A//management.azure.com/";
+
+ try {
+ server.enqueue(new MockResponse().setBody("{\n"
+ + " \"access_token\" : \"1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M\",\n"
+ + " \"token_type\" : \"Bearer\",\n" + " \"expires_in\" : 3600\n" + "}"));
+ server.play();
+
+ AuthorizationApi api = api(server.getUrl("/"), CLIENT_CREDENTIALS_P12_AND_CERTIFICATE);
+ assertEquals(api.authorize(identity, CLIENT_CREDENTIALS_CLAIMS, resource, null), TOKEN);
+
+ RecordedRequest request = server.takeRequest();
+ assertEquals(request.getMethod(), "POST");
+ assertEquals(request.getHeader("Accept"), APPLICATION_JSON);
+ assertEquals(request.getHeader("Content-Type"), "application/x-www-form-urlencoded");
+
+ assertEquals(
+ new String(request.getBody(), UTF_8),
+ "grant_type=client_credentials&" +
+ "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&" +
+ "client_id=" + identity + "&" +
+ "client_assertion=" +
+ Joiner.on(".").join(encoding.encode(clientCredentialsHeader.getBytes(UTF_8)),
+ encoding.encode(clientCredentialsClaims.getBytes(UTF_8)),
+ "ip3i0YLlunb4iq8sUMlpYDKnEuzmvlLpF4NQvn_aiysO5cuT5QHuGREq" +
+ "gyEa-UMhfZoW49ggUWjS7YBT00r64cFE3dovaNMiZYZuVWu_" +
+ "FpqO2QlwV7uXqhaRIE0cyabbKG44YJwA-NE4rtFZedFMo94F" +
+ "6aOz2FN3en8zS9UVqmM"
+ ) + "&" +
+ "resource=" + encoded_resource);
+ } finally {
+ server.shutdown();
+ }
+ }
+
private final BaseEncoding encoding = base64Url().omitPadding();
private AuthorizationApi api(URL url, CredentialType credentialType) throws IOException {
@@ -171,6 +229,7 @@ public class AuthorizationApiMockTest {
overrides.setProperty(AUDIENCE, "https://accounts.google.com/o/oauth2/token");
overrides.setProperty(RESOURCE, "https://management.azure.com/");
overrides.setProperty(PROPERTY_MAX_RETRIES, "1");
+ overrides.setProperty(CERTIFICATE, toStringAndClose(OAuthTestUtils.class.getResourceAsStream("/testcert.pem")));
return ContextBuilder.newBuilder(AnonymousHttpApiMetadata.forApi(AuthorizationApi.class))
.credentials("foo", toStringAndClose(OAuthTestUtils.class.getResourceAsStream("/testpk.pem")))
http://git-wip-us.apache.org/repos/asf/jclouds/blob/f46b38dd/apis/oauth/src/test/resources/testcert.pem
----------------------------------------------------------------------
diff --git a/apis/oauth/src/test/resources/testcert.pem b/apis/oauth/src/test/resources/testcert.pem
new file mode 100644
index 0000000..19e744d
--- /dev/null
+++ b/apis/oauth/src/test/resources/testcert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAISFMZeicwQVMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQHDApTYW50YSBDcnV6
+MQ8wDQYDVQQKDAZKQ1Rlc3QxFTATBgNVBAMMDGpjdGVzdHNwY2VydDAeFw0xNjA1
+MTQxNzUzMzFaFw0yNjA1MTIxNzUzMzFaMF8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApDYWxpZm9ybmlhMRMwEQYDVQQHDApTYW50YSBDcnV6MQ8wDQYDVQQKDAZKQ1Rl
+c3QxFTATBgNVBAMMDGpjdGVzdHNwY2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALKkugQxFZq224O2Hb1Q+J8VyXs+fjbwGSErhyY0ynENvCaq2trG
+Mia0NAqtRZmG5Fn3KEYo9yCjjm0N34mer5u8X8aErvBa1LTkwrK2dQQ1oXGtbFn1
+dTqho00YwxzMxT3raDw9xXhexloDQbr/EAm4f1zu+05BSC3xSDVvvzARBPSseVfw
+gxWpS4M4aQp9M6Tv2ENYnecfl6StkaPdxaguJeVdpSoBe7piEEz1f2LEoC3Fw6De
+JIUgzQyVoffCWCA+RCf3o8GOqce0+INW50rcEv1JrGrDSUeEUYDCg+FniT9vKBsm
+sV8u3o1YxvtWmAY3KtXC7akwqHSdifecLtECAwEAAaNQME4wHQYDVR0OBBYEFL2W
+1+sMin4FbE9RFQr6FqEh9NFUMB8GA1UdIwQYMBaAFL2W1+sMin4FbE9RFQr6FqEh
+9NFUMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADaHB0PbSooF1PkD
+2KwwYck7cm9C0jmnUVdcmJ6GrG8OdXEP14E4rUzrstFK0XSPHYoBH0p0xMISutHD
+RVLgsxXbnPhXVKaTuDspgedSAaHPFQJNEtMHHCNaSS2Vyh+2Ha9HLD7dsy+9QBKf
+Et4MMLXT/n4WVzKJcweWI/T8oIIbfHzPTo+jWYfTxxKJcL+C/GY2QREkKs+5mR2t
+N4q69ydcjeajB9F8XPbJlTDen+6ofwtQ45tS5w5EjV3SvOh4QOEVz1su9F5Ojw7Q
+oPuUKMynxeo2E6FsiNj5m+8NPLKiX2phnKMogbJyOhligj1QRR+zBc/62aPCP6Z4
+2pWp7Lc=
+-----END CERTIFICATE-----