add skeleton for updated AWS ALB JWK retrieval

which supports key rotation, see:
OpenIDC/mod_oauth2#73

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+02/10/2025
+- add skeleton for updated AWS ALB JWK retrieval which supports key rotation
+  see: https://github.com/OpenIDC/mod_oauth2/issues/73
+
 01/02/2024
 - update copyright year to 2025
 

src/cfg/verify.c

@@ -36,6 +36,7 @@
 #define OAUTH2_JOSE_VERIFY_JWK_JWK_STR "jwk"
 #define OAUTH2_JOSE_VERIFY_JWK_JWKS_URI_STR "jwks_uri"
 #define OAUTH2_JOSE_VERIFY_JWK_ECKEY_URI_STR "eckey_uri"
+#define OAUTH2_JOSE_VERIFY_JWK_AWS_ALB_STR "aws_alb"
 #define OAUTH2_CFG_VERIFY_INTROSPECT_URL_STR "introspect"
 #define OAUTH2_CFG_VERIFY_METADATA_URL_STR "metadata"
 
@@ -50,6 +51,7 @@ static oauth2_cfg_set_options_ctx_t _oauth2_cfg_verify_options_set[] = {
 	{ OAUTH2_JOSE_VERIFY_JWK_JWK_STR, oauth2_jose_verify_options_jwk_set_jwk },
 	{ OAUTH2_JOSE_VERIFY_JWK_JWKS_URI_STR, oauth2_jose_verify_options_jwk_set_jwks_uri },
 	{ OAUTH2_JOSE_VERIFY_JWK_ECKEY_URI_STR, oauth2_jose_verify_options_jwk_set_eckey_uri },
+	{ OAUTH2_JOSE_VERIFY_JWK_AWS_ALB_STR, oauth2_jose_verify_options_jwk_set_aws_alb },
 	{ OAUTH2_CFG_VERIFY_INTROSPECT_URL_STR, oauth2_verify_options_set_introspect_url },
 	{ OAUTH2_CFG_VERIFY_METADATA_URL_STR, oauth2_verify_options_set_metadata_url },
 	{ NULL, NULL }

src/jose.c

@@ -707,13 +707,17 @@ void oauth2_jose_jwk_list_free(oauth2_log_t *log, oauth2_jose_jwk_list_t *keys)
 
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_list_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
-			      bool *);
+			      bool *, const cjose_header_t *);
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_uri_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
-			     bool *);
+			     bool *, const cjose_header_t *);
 static oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_eckey_url_resolve(oauth2_log_t *,
-				   oauth2_jose_jwks_provider_t *, bool *);
+				   oauth2_jose_jwks_provider_t *, bool *,
+				   const cjose_header_t *);
+static oauth2_jose_jwk_list_t *
+oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *, oauth2_jose_jwks_provider_t *,
+				 bool *, const cjose_header_t *);
 
 static oauth2_jose_jwks_provider_t *
 _oauth2_jose_jwks_provider_init(oauth2_log_t *log,
@@ -737,6 +741,10 @@ _oauth2_jose_jwks_provider_init(oauth2_log_t *log,
 		provider->jwks_uri = oauth2_uri_ctx_init(log);
 		provider->resolve = oauth2_jose_jwks_eckey_url_resolve;
 		break;
+	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+		provider->resolve = oauth2_jose_jwks_aws_alb_resolve;
+		provider->alb_arn = NULL;
+		break;
 	}
 
 	return provider;
@@ -765,6 +773,9 @@ _oauth2_jose_jwks_provider_clone(oauth2_log_t *log,
 	case OAUTH2_JOSE_JWKS_PROVIDER_ECKEY_URI:
 		dst->jwks_uri = oauth2_uri_ctx_clone(log, src->jwks_uri);
 		break;
+	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+		dst->alb_arn = oauth2_strdup(src->alb_arn);
+		break;
 	}
 
 end:
@@ -790,6 +801,10 @@ _oauth2_jose_jwks_provider_free(oauth2_log_t *log,
 		if (provider->jwks_uri)
 			oauth2_uri_ctx_free(log, provider->jwks_uri);
 		break;
+	case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+		if (provider->alb_arn)
+			oauth2_mem_free(provider->alb_arn);
+		break;
 	}
 
 	oauth2_mem_free(provider);
@@ -1292,7 +1307,7 @@ bool oauth2_jose_jwt_verify(oauth2_log_t *log,
 	if (jwt_verify_ctx) {
 
 		keys = jwt_verify_ctx->jwks_provider->resolve(
-		    log, jwt_verify_ctx->jwks_provider, &refresh);
+		    log, jwt_verify_ctx->jwks_provider, &refresh, hdr);
 
 		ctx.jws = jws;
 		ctx.kid = cjose_header_get(hdr, "kid", &err);
@@ -1309,7 +1324,7 @@ bool oauth2_jose_jwt_verify(oauth2_log_t *log,
 			if (keys)
 				oauth2_jose_jwk_list_free(log, keys);
 			keys = jwt_verify_ctx->jwks_provider->resolve(
-			    log, jwt_verify_ctx->jwks_provider, &refresh);
+			    log, jwt_verify_ctx->jwks_provider, &refresh, hdr);
 			_oauth2_jose_verification_keys_loop(
 			    log, keys, _oauth2_jose_jwt_verify_jwk, &ctx);
 
@@ -1846,8 +1861,38 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_eckey_uri)
 	    "eckey_uri");
 }
 
-static oauth2_jose_jwk_list_t *oauth2_jose_jwks_list_resolve(
-    oauth2_log_t *log, oauth2_jose_jwks_provider_t *provider, bool *refresh)
+_OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb)
+{
+	oauth2_cfg_token_verify_t *verify = (oauth2_cfg_token_verify_t *)ctx;
+	char *rv = NULL;
+	oauth2_jose_jwt_verify_ctx_t *ptr = NULL;
+
+	oauth2_debug(log, "enter");
+
+	verify->callback = _oauth2_jose_jwt_verify_callback;
+	verify->ctx->callbacks = &oauth2_jose_jwt_verify_ctx_funcs;
+	verify->ctx->ptr = verify->ctx->callbacks->init(log);
+	ptr = (oauth2_jose_jwt_verify_ctx_t *)verify->ctx->ptr;
+
+	if (oauth2_jose_jwt_verify_set_options(
+		log, ptr, OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB, params) == false) {
+		rv = oauth2_strdup("oauth2_jose_jwt_verify_set_options failed");
+		goto end;
+	}
+
+	ptr->jwks_provider->alb_arn = oauth2_strdup(value);
+
+end:
+
+	oauth2_debug(log, "leave: %s", rv);
+
+	return rv;
+}
+
+static oauth2_jose_jwk_list_t *
+oauth2_jose_jwks_list_resolve(oauth2_log_t *log,
+			      oauth2_jose_jwks_provider_t *provider,
+			      bool *refresh, const cjose_header_t *hdr)
 {
 	*refresh = false;
 	return oauth2_jose_jwk_list_clone(log, provider->jwks);
@@ -2171,22 +2216,55 @@ static oauth2_jose_jwk_list_t *_oauth2_jose_jwks_resolve_from_uri(
 	return dst;
 }
 
-static oauth2_jose_jwk_list_t *oauth2_jose_jwks_uri_resolve(
-    oauth2_log_t *log, oauth2_jose_jwks_provider_t *provider, bool *refresh)
+static oauth2_jose_jwk_list_t *
+oauth2_jose_jwks_uri_resolve(oauth2_log_t *log,
+			     oauth2_jose_jwks_provider_t *provider,
+			     bool *refresh, const cjose_header_t *hdr)
 {
 	return _oauth2_jose_jwks_resolve_from_uri(
 	    log, provider, refresh,
 	    _oauth2_jose_jwks_uri_resolve_response_callback);
 }
 
-static oauth2_jose_jwk_list_t *oauth2_jose_jwks_eckey_url_resolve(
-    oauth2_log_t *log, oauth2_jose_jwks_provider_t *provider, bool *refresh)
+static oauth2_jose_jwk_list_t *
+oauth2_jose_jwks_eckey_url_resolve(oauth2_log_t *log,
+				   oauth2_jose_jwks_provider_t *provider,
+				   bool *refresh, const cjose_header_t *hdr)
 {
 	return _oauth2_jose_jwks_resolve_from_uri(
 	    log, provider, refresh,
 	    _oauth2_jose_jwks_eckey_url_resolve_response_callback);
 }
 
+static oauth2_jose_jwk_list_t *
+oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
+				 oauth2_jose_jwks_provider_t *provider,
+				 bool *refresh, const cjose_header_t *hdr)
+{
+	/*
+	 * 1. pull the 'signer' and `kid` claims from the header (a typedef-ed
+	 * JSON object)
+	 * 2. check it against the configured provider->arb_arn value, and if
+	 * they match:
+	 * 3. construct the EC keys URL:
+	 *      https://public-keys.auth.elb.<region from
+	 *      ALB_ARN>.amazonaws.com/<kid>
+	 *    TODO: make the base URL configurable in
+	 * oauth2_jose_verify_options_jwk_set_aws_alb and add a member
+	 * alb_arn_base_url to oauth2_jose_jwks_provider_t
+	 * 4. construct a temporary provider->jwks_uri
+	 * 5. call:
+	 *      _oauth2_jose_jwks_resolve_from_uri(log, provider, refresh,
+	 * oauth2_jose_jwks_eckey_url_resolve_response_callback);
+	 * and save the result (oauth2_jose_jwk_list_t *)
+	 * 6. free the temporary provider->jwks_uri (TODO: caching?)
+	 * 7. return the result
+	 *
+	 * add unit tests
+	 */
+	return NULL;
+}
+
 /*
 oauth2_jose_jwk_list_t *
 oauth2_jose_jwks_resolve(oauth2_log_t *log, oauth2_cfg_token_verify_t *verify,

src/jose_int.h

@@ -46,21 +46,24 @@ typedef struct oauth2_uri_ctx_t {
 typedef enum oauth2_jose_jwks_provider_type_t {
 	OAUTH2_JOSE_JWKS_PROVIDER_LIST,
 	OAUTH2_JOSE_JWKS_PROVIDER_JWKS_URI,
-	OAUTH2_JOSE_JWKS_PROVIDER_ECKEY_URI
+	OAUTH2_JOSE_JWKS_PROVIDER_ECKEY_URI,
+	OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB
 } oauth2_jose_jwks_provider_type_t;
 
 typedef struct oauth2_jose_jwks_provider_t oauth2_jose_jwks_provider_t;
 
 typedef oauth2_jose_jwk_list_t *(
     oauth2_jose_jwks_resolve_cb_t)(oauth2_log_t *,
-				   oauth2_jose_jwks_provider_t *, bool *);
+				   oauth2_jose_jwks_provider_t *, bool *,
+				   const cjose_header_t *hdr);
 
 typedef struct oauth2_jose_jwks_provider_t {
 	oauth2_jose_jwks_provider_type_t type;
 	oauth2_jose_jwks_resolve_cb_t *resolve;
 	union {
 		oauth2_uri_ctx_t *jwks_uri;
 		oauth2_jose_jwk_list_t *jwks;
+		char *alb_arn;
 	};
 	// struct oauth2_jose_jwks_provider_t *next;
 } oauth2_jose_jwks_provider_t;
@@ -88,6 +91,7 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_pubkey);
 _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_jwk);
 _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_jwks_uri);
 _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_eckey_uri);
+_OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb);
 
 char *oauth2_jose_resolve_from_uri(oauth2_log_t *log, oauth2_uri_ctx_t *uri_ctx,
 				   bool *refresh);

test/check_jose.c

@@ -368,7 +368,8 @@ START_TEST(test_jwks_resolve_uri)
 	ck_assert_ptr_eq(rv, NULL);
 
 	ptr = (oauth2_jose_jwt_verify_ctx_t *)verify->ctx->ptr;
-	list = ptr->jwks_provider->resolve(_log, ptr->jwks_provider, &refresh);
+	list = ptr->jwks_provider->resolve(_log, ptr->jwks_provider, &refresh,
+					   NULL);
 	ck_assert_ptr_ne(list, NULL);
 
 	oauth2_jose_jwk_list_free(_log, list);
@@ -390,7 +391,8 @@ START_TEST(test_jwk_resolve_plain)
 	ck_assert_ptr_eq(rv, NULL);
 
 	ptr = (oauth2_jose_jwt_verify_ctx_t *)verify->ctx->ptr;
-	list = ptr->jwks_provider->resolve(_log, ptr->jwks_provider, &refresh);
+	list = ptr->jwks_provider->resolve(_log, ptr->jwks_provider, &refresh,
+					   NULL);
 	ck_assert_ptr_ne(list, NULL);
 
 	oauth2_jose_jwk_list_free(_log, list);