Challenge Overview
Topcoder is in the process of migrating its own account service to Auth0.
For this challenge, we'd like to add support for another version of JWT token verification.
1. Currently we are using HS256 JWT tokens, like the following:

```json
{ "typ": "JWT", "alg": "HS256" }
```

```json
{
  "roles": [ "copilot", "aaa", "testRole", "tony_test_1", "Topcoder User", "asdd", "administrator" ],
  "iss": "https://api.topcoder-dev.com",
  "handle": "mtwomey",
  "exp": 1511026835,
  "userId": "40016356",
  "iat": 1511026235,
  "email": "mtwomey@topcoder.com",
  "jti": "a401da09-7ab7-43dd-96c0-e125d4947439"
}
```

2. The new version is an RS256 JWT token:

```json
{ "typ": "JWT", "alg": "RS256", "kid": "OTlCN0Y4QTVBRDE2RDkwMDgyNzBDRTVEN0FCOUU4RjQzODVCMzBDRQ" }
```

```json
{
  "https://topcoder.com/claims/userId": "40016356",
  "https://topcoder.com/claims/email": "mtwomey@topcoder.com",
  "https://topcoder.com/claims/handle": "mtwomey",
  "https://topcoder.com/claims/roles": [ "copilot", "aaa", "testRole", "tony_test_1", "Topcoder User", "asdd", "administrator" ],
  "iss": "https://topcoder-newauth.auth0.com/",
  "sub": "auth0|40016356",
  "aud": [ "https://api.topcoder-dev.com/v3", "https://topcoder-newauth.auth0.com/userinfo" ],
  "iat": 1511025831,
  "exp": 1511033031,
  "azp": "G76ar2SI4tXz0jAyEbVGM7jFxheRnkqc",
  "scope": "openid profile"
}
```

The scope of this challenge is to add support for verification of RS256 JWT tokens.
During token verification, the application needs to detect whether the token algorithm is HS256 or RS256. In the case of HS256, the token can be handled as it currently is. In the case of RS256, the verification will need to change to:
- Use the https://<<auth0 provider>>/.well-known/jwks.json location to look up the public cert (JWK) for the key named by the token's kid header. The Auth0 provider should be taken from the iss field, but it must first be validated against a configured list of valid issuers. The valid issuers should be configurable through the environment as a JSON array string.
- Validate the JWT with the cert.
- Copy the data from the new locations to wherever it lives in the HS256 tokens.
The update should be in:
- tech.core/tech.core.api/src/main/java/com/appirio/tech/core/api/v3/util/jwt/JWTToken.java
- tech.core/tech.core.api/src/main/java/com/appirio/tech/core/auth/JWTAuthenticator.java
Note that in the new token some of the data has moved (such as email, userId and roles) and will still need to be accessed. To handle this, I'd recommend "copying" that data to the same place it is currently being referenced, which minimizes changes in other areas of the application that reference it. This is also the approach we took for our JavaScript applications (connect / community-app): we "search" the token for the fields and then copy the data. For example, we'd search the token to find which key contains "roles" and then copy its value to the same place it would be in an HS256 token. I'd like to use this search approach here as well, rather than referencing the claim directly at "https://topcoder.com/claims/roles", so that the path can change in the future without re-coding that part.
Please make sure the AuthUser object is still populated with the data from the JWT token.
To properly test the changes, you can use the tech.core.sample.dropwizard codebase, which provides sample RESTful APIs. Obtain a test JWT token locally as follows:
1. Since a JWT token is required, log in to our dev environment (https://connect-auth0.topcoder-dev.com/) to get the new JWT token from the v3jwt cookie.
2. The public cert should be cached and refreshed periodically; you can reference the tc-core-library-js logic for this.
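The RS256 flow described above, as an added Python sketch of the logic the Java change needs (it is not code from the CORE API or from tc-core-library-js): dispatch on alg, allow-list the issuer before deriving the JWKS URL, select the JWK by kid, and copy the namespaced claims by key suffix rather than by the hardcoded https://topcoder.com/claims/ prefix. SAMPLE_JWKS, the VALID_ISSUERS variable name and the unsigned tokens built for testing are assumptions; the RS256 signature check itself is left to the JWT library the service already uses.

```python
import base64
import json
# Constructed stand-in for <issuer>/.well-known/jwks.json; kid from the sample token, x5c a placeholder.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "x5c": ["<PLACEHOLDER-CERT>"],
                         "kid": "OTlCN0Y4QTVBRDE2RDkwMDgyNzBDRTVEN0FCOUU4RjQzODVCMzBDRQ"}]}
LEGACY_CLAIMS = ("userId", "email", "handle", "roles")   # where HS256 tokens carry them

def b64url_json(segment):
    """Decode one base64url JWT segment (padding stripped) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_unsigned_token(header, payload):
    """Build a token with an empty signature, only to exercise the parsing below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(payload) + "."

def jwks_url(issuer, allowed):
    """Derive the JWKS location from iss, but only for an allow-listed issuer (assumed VALID_ISSUERS)."""
    if issuer not in allowed:
        raise ValueError("untrusted issuer: %s" % issuer)
    return issuer.rstrip("/") + "/.well-known/jwks.json"

def select_jwk(jwks, kid):
    """Pick the RSA key whose kid matches the header (cache the JWKS, refresh periodically)."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    raise KeyError("no RSA jwk for kid %s" % kid)

def normalize_claims(payload):
    """Copy namespaced claims to the HS256 locations by key suffix, not by hardcoded prefix."""
    claims = dict(payload)
    for name in LEGACY_CLAIMS:
        if name not in claims:
            for key, value in payload.items():
                if key.endswith("/" + name):
                    claims[name] = value
                    break
    return claims

def inspect_token(token, allowed):
    """Dispatch on alg; the signature check itself is left to the JWT library."""
    header_b64, payload_b64, _sig = token.split(".")
    header, payload = b64url_json(header_b64), b64url_json(payload_b64)
    if header.get("alg") == "HS256":
        return {"alg": "HS256", "claims": payload}         # existing shared-secret path
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg")                 # never accept 'none' or others
    return {"alg": "RS256", "kid": header["kid"], "jwks_url": jwks_url(payload["iss"], allowed),
            "claims": normalize_claims(payload)}
```

In the service the allow-list comes from the configured JSON array string, and the JWK returned by select_jwk is what the library verifies the RS256 signature against.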
Final Submission Guidelines
- Code change for the CORE API
- Verification steps showing that the new RS256 JWT token can be properly handled in the new version of the CORE API