TOMEE-4351 - Jakarta Security 3.0 - OpenIdAuthenticationMechanismDefinition implementation

[jungm]

Opening as a draft PR for now as it's still WIP

Doesn't work/WIP:

• Token expiration checks (@AutoApplySession is used right now on the auth mechanism, I've mainly done this for testing purposes and will likely drop it)
• redirectToOriginalResource=true, isn't implemented yet
• Large parts of the code aren't covered by unit/integration tests

What does work:

• Authentication against Keycloak (Both in a real app and in examples/openid-security tests) and https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server (used in security TCK)
• Passes TCK app-openid and app-openid2, app-openid3 tests redirectToOriginalResource which is not implemented yet:

  • [INFO] Reactor Summary for Jakarta Security TCK - main 3.0.1:
    [INFO] 
    [INFO] Jakarta Security TCK - main ........................ SUCCESS [  2.672 s]
    [INFO] common ............................................. SUCCESS [  0.699 s]
    [INFO] app-openid ......................................... SUCCESS [  6.441 s]
    [INFO] app-openid2 ........................................ SUCCESS [ 16.031 s]
    [INFO] app-openid3 ........................................ FAILURE [  6.057 s]
    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD FAILURE
    [INFO] ------------------------------------------------------------------------
    

I've been working on this on and off for a couple of weeks now, with this PR getting quite big by now. So I'd highly appreciate if someone can take a look and give some feedback 🙂

[jungm]

redirectToOriginalResource=true works now and all openid modules of the TCK are passing:

[INFO] Reactor Summary for Jakarta Security TCK - main 3.0.1:
[INFO] 
[INFO] Jakarta Security TCK - main ........................ SUCCESS [  2.725 s]
[INFO] common ............................................. SUCCESS [  0.748 s]
[INFO] app-openid ......................................... SUCCESS [  6.556 s]
[INFO] app-openid2 ........................................ SUCCESS [ 15.742 s]
[INFO] app-openid3 ........................................ SUCCESS [ 14.100 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  39.986 s
[INFO] Finished at: 2024-06-02T17:24:15+02:00
[INFO] ------------------------------------------------------------------------

[jungm]

Thanks @rzo1 for triggering a full build: https://ci-builds.apache.org/job/Tomee/view/tomee-10.x/job/pull-request-manual/106/

All tests are passing 🙂

[tandraschko]

looks really good from a short review and tests are running; +1

great work!

[rzo1]

Looks really good from a short review.

[jungm]

what really needs a closer look and maybe needs to be discussed:

• JWT Validation is using jose.4.j, this introduces a new dependency in all tomee flavours (wasn't in webprofile before). Maybe it needs to be added in some notice file?
• Spec mentions a special variable that can be used in the annotation: ${baseURL}, I implemented this with producing an @nAmed String
• I built a basic delegate in OpenIdAuthenticationMechanismDefinitionDelegate that automatically resolves the configuration from the openid provider
• SavedRequest (originally from @logintocontinue) has been rewritten so I can serialize it for use in cookies
• Spec is ambiguous on how to handle subjectTypeSupported, idTokenSigningAlgorithmsSupported and responseTypeSupported (See CompositeOpenIdProviderMetadata). A user can override these, but it's not obvious if that has been done or not. I handled these the same way soteria does, but it's probably worth a spec issue in the future?
• Requests to openid provider are done using JAX-RS Client, maybe we want to use something else in TomEE? Really the only reason I chose this was because it's convenient

(See https://lists.apache.org/thread/sghf41f1z75gpnhpf236o1lrj1sl4vr8 for whole thread on mailing list)

[rzo1]

Thanks @jungm