Merge pull request #32 from rglauco/main

Distinction between core and fed keys, updated compatibility with spid-cie-oidc-django v1.4.0

Author: rglauco

README.md

@@ -105,7 +105,7 @@ Sample projects using the library can be executed as docker or docker-compose. S
 
 ### SpringBoot Relying Party example
 
-A simple [SpringBoot](examples/relying-party-spring-boot) web application using the starter-kit to implement a Relying Party.
+A simple [SpringBoot](examples/relying-party-spring-boot) web application using the starter-kit to implement a Relying Party, as well to perform the complete onboarding and login/logout test within the CIE Federation.
 
 This application is for demo purpose only, please don't use it in production or critical environment.
 

coverage/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>starter-kit-parent</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

examples/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>starter-kit-parent</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

examples/relying-party-spring-boot/README.md

@@ -15,7 +15,7 @@ Run the provider [federation](https://github.com/italia/spid-cie-oidc-django)
 - the project should run on [http://127.0.0.1:8000](http://127.0.0.1:8000), keep it running
 
 
-Clone this repository and install all the lement inside the MavenLocal registry
+Clone this repository and install all the elements inside the MavenLocal registry
 ```
 git clone https://github.com/italia/spid-cie-oidc-java
 
@@ -39,9 +39,10 @@ this will start the relying party server on [http://127.0.0.1:8080](http://127.0
 Do the on-boarding process
 - generate the relying party jwks
   - go [here](http://127.0.0.1:8080/) to auto-generate it
-  - jwks are exposed on the page and inside application log
-  - create the file `${user.home}/oidc-rp-jwk.json` with the jwks
-  - use "reload" link to proceed with next step
+  - federation jwks and core jwks are exposed on the page and inside application log
+  - create the file `${user.home}/oidc-rp-jwk.json` with the federation jwks
+  - create the file `${user.home}/oidc-rp-core-jwk.json` with the core jwks
+  - - use "reload" link to proceed with next step
 - show on-boarding datas
   - go [here](http://127.0.0.1:8080/) to see it
 - register the relying party [here](http://127.0.0.1:8000/admin/spid_cie_oidc_authority/federationdescendant/add)
@@ -76,10 +77,32 @@ A docker image containing this example can be built a run:
 - visit `http://relying-party.org:8080/`
 
 Some hints:
-- we are using [federation](https://github.com/italia/spid-cie-oidc-django) v1.2.0
+- we are using [federation](https://github.com/italia/spid-cie-oidc-django) v1.4.0
 - docker images currently sets a proxy of the exposed ports on the localhost interface, so you could use
 previous chapter instructions replacing `127.0.0.1` with the right hostname
-- docker image mounts the folder `./docker/data-java` as `/data` inside spring-boot container to externalize `jwk` and `trust-marks` configuration
+- docker image mounts the folder `./docker/data-java` as `/data` inside spring-boot container to externalize federation and core `jwks` and `trust-marks` configuration
 
 
 [Docker Compose in action on YouTube](https://www.youtube.com/watch?v=U2Ec0No2EKg)
+
+**To be onboarded into CIE Federation**:
+- use always appropriate and valid TLS Certificates
+- use IP from Italian networks for server [CIE Federation servers uses geoblocking]
+- as contact use the same institutional email address as stated into the administrative part [do not use PEC]
+- when copy the federation public key please follow this pattern:
+  - ```
+    {
+    "keys": [
+        {
+          "alg": "RS256",
+          "kid": "....",
+          "kty": "RSA",
+          "n": ".....",
+          "e": "AQAB",
+          "use": "sig"
+        }
+      ]
+    }
+    ```
+- when onboarded, please retrieve the Trust Mark form TA fetch endpoint like this example for preproduction: `https://preprod.oidc.registry.servizicie.interno.gov.it/fetch?sub={your_client_id}` 
+- remember to (put `[` `]` around the Trust Mark when writing the appropriate file

examples/relying-party-spring-boot/docker/Dockerfile-cie.django

@@ -2,7 +2,7 @@ FROM python:3.11-slim
 
 RUN apt update && apt -y install git
 
-RUN git clone --depth=1 --branch v1.2.0 https://github.com/italia/spid-cie-oidc-django && \
+RUN git clone --depth=1 --branch v1.4.0 https://github.com/italia/spid-cie-oidc-django && \
 	cd spid-cie-oidc-django && \
 	pip install --upgrade pip && \
 	pip install -e . && \

examples/relying-party-spring-boot/docker/Dockerfile.django

@@ -2,7 +2,7 @@ FROM python:3.11-slim
 
 RUN apt update && apt -y install git
 
-RUN git clone --depth=1 --branch v1.2.0 https://github.com/italia/spid-cie-oidc-django && \
+RUN git clone --depth=1 --branch v1.4.0 https://github.com/italia/spid-cie-oidc-django && \
 	cd spid-cie-oidc-django && \
 	pip install --upgrade pip && \
 	pip install -e . && \

examples/relying-party-spring-boot/docker/Dockerfile.java-rp

@@ -13,7 +13,8 @@ VOLUME ["/data"]
 ENV OIDC_HOSTS_TRUST_ANCHOR="trust-anchor.org"
 ENV OIDC_HOSTS_CIE_PROVIDER="cie-provider.org"
 ENV OIDC_HOSTS_RELYING_PARTY="relying-party.org"
-ENV OIDC_RELYING_PARTY_JWK_FILE_PATH="/data/oidc-rp-jwk.json"
+ENV OIDC_RELYING_PARTY_JWK_FED_FILE_PATH="/data/oidc-rp-jwk.json"
+ENV OIDC_RELYING_PARTY_CORE_JWK_CORE_FILE_PATH="/data/oidc-rp-core-jwk.json"
 ENV OIDC_RELYING_PARTY_TRUST_MARKS_FILE_PATH="/data/oidc-rp-trust-marks.json"
 ENV SPRING_H2_CONSOLE_SETTINGS_WEB_ALLOW_OTHERS="true"
 

examples/relying-party-spring-boot/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>it.spid.cie.oidc</groupId>
 		<artifactId>it.spid.cie.oidc.examples</artifactId>
-		<version>0.4.1-SNAPSHOT</version>
+		<version>1.0.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>it.spid.cie.oidc.relying.party.spring-boot-sample</artifactId>

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/RelyingPartyWrapper.java

@@ -48,10 +48,10 @@ public JSONObject getUserInfo(String state, String code)
 	}
 
 	public String getUserKey(JSONObject userInfo) {
-		String userKey = userInfo.optString("email");
+		String userKey = userInfo.optString("sub");
 
 		if (Validator.isNullOrEmpty(userKey)) {
-			userKey = userInfo.optString("email", "");
+			userKey = userInfo.optString("sub", "");
 		}
 
 		return userKey;
@@ -83,11 +83,12 @@ public void reloadHandler() throws OIDCException {
 
 	@PostConstruct
 	private void postConstruct() throws OIDCException {
-		String jwk = readFile(oidcConfig.getRelyingParty().getJwkFilePath());
+		String jwkFed = readFile(oidcConfig.getRelyingParty().getJwkFedFilePath());
+		String jwkCore = readFile(oidcConfig.getRelyingParty().getJwkCoreFilePath());
 		String trustMarks = readFile(
 			oidcConfig.getRelyingParty().getTrustMarksFilePath());
 
-		logger.info("final jwk: " + jwk);
+		logger.info("final jwkFed: " + jwkFed);
 		logger.info("final trust_marks: " + trustMarks);
 
 		RelyingPartyOptions options = new RelyingPartyOptions()
@@ -110,7 +111,8 @@ private void postConstruct() throws OIDCException {
 				.setLogoUri(oidcConfig.getRelyingParty().getLogoUri())
 				.setPolicyUri(oidcConfig.getRelyingParty().getPolicyUri())
 				.setFederationContacts(oidcConfig.getRelyingParty().getFederationContacts())
-				.setJWK(jwk)
+				.setJWKFed(jwkFed)
+				.setJWKCore(jwkCore)
 				.setTrustMarks(trustMarks);
 
 		relyingPartyHandler = new RelyingPartyHandler(options, persistenceImpl);

examples/relying-party-spring-boot/src/main/java/it/spid/cie/oidc/spring/boot/relying/party/config/OidcConfig.java

@@ -208,10 +208,12 @@ public Set<String> getRedirectUris() {
 //			return jwk;
 //		}
 
-		public String getJwkFilePath() {
-			return jwkFilePath;
+		public String getJwkFedFilePath() {
+			return jwkFedFilePath;
+		}
+		public String getJwkCoreFilePath() {
+			return jwkCoreFilePath;
 		}
-
 //		public String getTrustMarks() {
 //			return trustMarks;
 //		}
@@ -271,10 +273,13 @@ public void setFederationContacts(Set<String> federationContacts) {
 //			this.jwk = jwk;
 //		}
 
-		public void setJwkFilePath(String jwkFilePath) {
-			this.jwkFilePath = jwkFilePath;
+		public void setJwkFedFilePath(String jwkFedFilePath) {
+			this.jwkFedFilePath = jwkFedFilePath;
 		}
 
+		public void setJwkCoreFilePath(String jwkCoreFilePath) {
+			this.jwkCoreFilePath = jwkCoreFilePath;
+		}
 //		public void setTrustMarks(String trustMarks) {
 //			this.trustMarks = trustMarks;
 //		}
@@ -305,7 +310,8 @@ public JSONObject toJSON() {
 			json.put("clientId", clientId);
 			json.put("redirectUris", redirectUris);
 			//json.put("jwk", jwk);
-			json.put("jwkFilePath", jwkFilePath);
+			json.put("jwkFilePath", jwkFedFilePath);
+			json.put("jwkCoreFilePath", jwkCoreFilePath);
 			//json.put("trustMarks", trustMarks);
 			json.put("trustMarksFilePath", trustMarksFilePath);
 
@@ -319,7 +325,8 @@ public JSONObject toJSON() {
 		private String clientId;
 		private Set<String> redirectUris = new HashSet<>();
 		//private String jwk;
-		private String jwkFilePath;
+		private String jwkFedFilePath;
+		private String jwkCoreFilePath;
 		//private String trustMarks;
 		private String trustMarksFilePath;