feature: add persistence support for private_key_jwt client authentication

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientDetailsCreation.java

@@ -13,6 +13,12 @@ public class ClientDetailsCreation extends BaseClientDetails {
     @JsonProperty("secondary_client_secret")
     private String secondaryClientSecret;
 
+    @JsonProperty("jwks_uri")
+    private String jsonWebKeyUri;
+
+    @JsonProperty("jwks")
+    private String jsonWebKeySet;
+
     @JsonIgnore
     public String getSecondaryClientSecret() {
         return secondaryClientSecret;
@@ -21,4 +27,20 @@ public String getSecondaryClientSecret() {
     public void setSecondaryClientSecret(final String secondaryClientSecret) {
         this.secondaryClientSecret = secondaryClientSecret;
     }
+
+    public String getJsonWebKeyUri() {
+        return jsonWebKeyUri;
+    }
+
+    public void setJsonWebKeyUri(String jsonWebKeyUri) {
+        this.jsonWebKeyUri = jsonWebKeyUri;
+    }
+
+    public String getJsonWebKeySet() {
+        return jsonWebKeySet;
+    }
+
+    public void setJsonWebKeySet(String jsonWebKeySet) {
+        this.jsonWebKeySet = jsonWebKeySet;
+    }
 }

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtChangeRequest.java

@@ -0,0 +1,81 @@
+package org.cloudfoundry.identity.uaa.oauth.client;
+
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import static org.cloudfoundry.identity.uaa.oauth.client.ClientJwtChangeRequest.ChangeMode.ADD;
+
+/**
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ClientJwtChangeRequest {
+
+    public enum ChangeMode {
+        UPDATE,
+        ADD,
+        DELETE
+    }
+    @JsonProperty("kid")
+    private String keyId;
+    @JsonProperty("jwks_uri")
+    private String jsonWebKeyUri;
+    @JsonProperty("jwks")
+    private String jsonWebKeySet;
+    @JsonProperty("client_id")
+    private String clientId;
+    private ChangeMode changeMode = ADD;
+
+    public ClientJwtChangeRequest() {
+    }
+
+    public ClientJwtChangeRequest(String clientId, String jsonWebKeyUri, String jsonWebKeySet) {
+        this.jsonWebKeyUri = jsonWebKeyUri;
+        this.jsonWebKeySet = jsonWebKeySet;
+        this.clientId = clientId;
+    }
+
+    public String getJsonWebKeyUri() {
+        return jsonWebKeyUri;
+    }
+
+    public void setJsonWebKeyUri(String jsonWebKeyUri) {
+        this.jsonWebKeyUri = jsonWebKeyUri;
+    }
+
+    public String getJsonWebKeySet() {
+        return jsonWebKeySet;
+    }
+
+    public void setJsonWebKeySet(String jsonWebKeySet) {
+        this.jsonWebKeySet = jsonWebKeySet;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    public ChangeMode getChangeMode() {
+        return changeMode;
+    }
+
+    public void setChangeMode(ChangeMode changeMode) {
+        this.changeMode = changeMode;
+    }
+
+    public String getKeyId() { return keyId;}
+
+    public void setKeyId(String keyId) {
+        this.keyId = keyId;
+    }
+
+    public String getKey() {
+        return jsonWebKeyUri != null ? jsonWebKeyUri : jsonWebKeySet;
+    }
+}

model/src/test/java/org/cloudfoundry/identity/uaa/oauth/client/ClientJwtChangeRequestTest.java

@@ -0,0 +1,23 @@
+package org.cloudfoundry.identity.uaa.oauth.client;
+
+import org.cloudfoundry.identity.uaa.util.JsonUtils;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+class ClientJwtChangeRequestTest {
+
+  @Test
+  void testRequestSerialization() {
+    ClientJwtChangeRequest def = new ClientJwtChangeRequest(null, null, null);
+    def.setKeyId("key-1");
+    def.setChangeMode(ClientJwtChangeRequest.ChangeMode.DELETE);
+    def.setJsonWebKeyUri("http://localhost:8080/uaa/token_key");
+    def.setJsonWebKeySet("{}");
+    def.setClientId("admin");
+    String jsonRequest = JsonUtils.writeValueAsString(def);
+    ClientJwtChangeRequest request = JsonUtils.readValue(jsonRequest, ClientJwtChangeRequest.class);
+    assertNotEquals(def, request);
+  }
+
+}

server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminBootstrap.java

@@ -19,6 +19,7 @@
 import org.cloudfoundry.identity.uaa.authentication.SystemAuthentication;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.user.UaaAuthority;
+import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.cloudfoundry.identity.uaa.zone.MultitenantClientServices;
@@ -158,7 +159,7 @@ private void addNewClients() {
             if (map.get("authorized-grant-types") == null) {
                 throw new InvalidClientDetailsException("Client must have at least one authorized-grant-type. client ID: " + clientId);
             }
-            BaseClientDetails client = new BaseClientDetails(clientId, (String) map.get("resource-ids"),
+            UaaClientDetails client = new UaaClientDetails(clientId, (String) map.get("resource-ids"),
                     (String) map.get("scope"), (String) map.get("authorized-grant-types"),
                     (String) map.get("authorities"), getRedirectUris(map));
 
@@ -204,11 +205,26 @@ private void addNewClients() {
             }
             for (String key : Arrays.asList("resource-ids", "scope", "authorized-grant-types", "authorities",
                     "redirect-uri", "secret", "id", "override", "access-token-validity",
-                    "refresh-token-validity", "show-on-homepage", "app-launch-url", "app-icon")) {
+                    "refresh-token-validity", "show-on-homepage", "app-launch-url", "app-icon", "jwks", "jwks_uri")) {
                 info.remove(key);
             }
 
             client.setAdditionalInformation(info);
+
+            if (map.get("jwks_uri") instanceof String) {
+                String jwksUri = (String) map.get("jwks_uri");
+                ClientJwtConfiguration keyConfig = ClientJwtConfiguration.parse(UaaUrlUtils.normalizeUri(jwksUri), null);
+                if (keyConfig != null && keyConfig.getCleanString() != null) {
+                    keyConfig.writeValue(client);
+                }
+            } else if (map.get("jwks") instanceof String) {
+                String jwks = (String) map.get("jwks");
+                ClientJwtConfiguration keyConfig = ClientJwtConfiguration.parse(null, jwks);
+                if (keyConfig != null && keyConfig.getCleanString() != null) {
+                    keyConfig.writeValue(client);
+                }
+            }
+
             try {
                 clientRegistrationService.addClientDetails(client, IdentityZone.getUaaZoneId());
                 if (secondSecret != null) {

server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpoints.java

@@ -20,6 +20,7 @@
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsCreation;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
+import org.cloudfoundry.identity.uaa.oauth.client.ClientJwtChangeRequest;
 import org.cloudfoundry.identity.uaa.oauth.client.SecretChangeRequest;
 import org.cloudfoundry.identity.uaa.resources.ActionResult;
 import org.cloudfoundry.identity.uaa.resources.AttributeNameMapper;
@@ -535,6 +536,53 @@ public ActionResult changeSecret(@PathVariable String client_id, @RequestBody Se
         return result;
     }
 
+    @RequestMapping(value = "/oauth/clients/{client_id}/clientjwt", method = RequestMethod.PUT)
+    @ResponseBody
+    public ActionResult changeClientJwt(@PathVariable String client_id, @RequestBody ClientJwtChangeRequest change) {
+
+        UaaClientDetails uaaClientDetails;
+        try {
+            uaaClientDetails = (UaaClientDetails) clientDetailsService.retrieve(client_id, IdentityZoneHolder.get().getId());
+        } catch (InvalidClientException e) {
+            throw new NoSuchClientException("No such client: " + client_id);
+        }
+
+        try {
+            checkPasswordChangeIsAllowed(uaaClientDetails, "");
+        } catch (IllegalStateException e) {
+            throw new InvalidClientDetailsException(e.getMessage());
+        }
+
+        ClientJwtConfiguration clientKeyConfig = ClientJwtConfiguration.readValue(uaaClientDetails);
+
+        ActionResult result;
+        switch (change.getChangeMode()){
+            case ADD :
+                if (change.getKey() != null) {
+                    clientRegistrationService.addClientJwtConfig(client_id, change.getKey(), IdentityZoneHolder.get().getId(), false);
+                    result = new ActionResult("ok", "Client jwt configuration is added");
+                } else {
+                    result = new ActionResult("ok", "No key added");
+                }
+                break;
+
+            case DELETE :
+                String deleteString = change.getKeyId() == null ? change.getKey() : change.getKeyId();
+                if (clientKeyConfig != null && deleteString != null) {
+                    clientRegistrationService.deleteClientJwtConfig(client_id, deleteString, IdentityZoneHolder.get().getId());
+                }
+                result = new ActionResult("ok", "Client jwt configuration is deleted");
+                break;
+
+            default:
+                clientRegistrationService.addClientJwtConfig(client_id, change.getKey(), IdentityZoneHolder.get().getId(), true);
+                result = new ActionResult("ok", "Client jwt configuration updated");
+        }
+        clientSecretChanges.incrementAndGet();
+
+        return result;
+    }
+
     private boolean validateCurrentClientSecretAdd(String clientSecret) {
         return clientSecret == null || clientSecret.split(" ").length == 1;
     }

server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidator.java

@@ -12,14 +12,15 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.client;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
+import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsCreation;
 import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager;
 import org.cloudfoundry.identity.uaa.security.beans.SecurityContextAccessor;
 import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.cloudfoundry.identity.uaa.zone.ClientSecretValidator;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -245,6 +246,19 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
                 }
                 clientSecretValidator.validate(client.getClientSecret());
             }
+
+            if (prototype instanceof ClientDetailsCreation) {
+                ClientDetailsCreation clientDetailsCreation = (ClientDetailsCreation) prototype;
+                if (StringUtils.hasText(clientDetailsCreation.getJsonWebKeyUri()) || StringUtils.hasText(clientDetailsCreation.getJsonWebKeySet())) {
+                    ClientJwtConfiguration clientJwtConfiguration = ClientJwtConfiguration.parse(clientDetailsCreation.getJsonWebKeyUri(),
+                        clientDetailsCreation.getJsonWebKeySet());
+                    if (clientJwtConfiguration != null) {
+                        clientJwtConfiguration.writeValue(client);
+                    } else {
+                        logger.warn("Client with client jwt configuration not valid");
+                    }
+                }
+            }
         }
 
         return client;