MC-32830: Do not store admin and customer tokens in DB

Author: ogorkun

app/code/Magento/JwtFrameworkAdapter/Model/JweManager.php

@@ -114,7 +114,11 @@ public function build(JweInterface $jwe, EncryptionSettingsInterface $encryption
         } else {
             foreach ($jwe->getPerRecipientUnprotectedHeaders() as $i => $header) {
                 $jwk = $encryptionSettings->getJwkSet()->getKeys()[$i];
-                $headerData = $this->extractHeaderData($header);
+                $headerData = [];
+                if ($jwk->getKeyId()) {
+                    $headerData['kid'] = $jwk->getKeyId();
+                }
+                $headerData = array_merge($headerData, $this->extractHeaderData($header));
                 $headerData['alg'] = $jwk->getAlgorithm();
                 $builder = $builder->addRecipient(new AdapterJwk($jwk->getJsonData()), $headerData);
             }

app/code/Magento/JwtFrameworkAdapter/Model/JwsManager.php

@@ -101,8 +101,11 @@ public function build(JwsInterface $jws, EncryptionSettingsInterface $encryption
             if ($jws->getPayload()->getContentType()) {
                 $protected['cty'] = $jws->getPayload()->getContentType();
             }
+            if ($jwk->getKeyId()) {
+                $protected['kid'] = $jwk->getKeyId();
+            }
             if ($jws->getProtectedHeaders()) {
-                $protected = $this->extractHeaderData($jws->getProtectedHeaders()[$i]);
+                $protected = array_merge($protected, $this->extractHeaderData($jws->getProtectedHeaders()[$i]));
             }
             $protected['alg'] = $alg;
             $unprotected = [];

app/code/Magento/JwtUserToken/Model/ConfigurableJwtSettingsProvider.php

@@ -11,6 +11,8 @@
 use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\Jwt\EncryptionSettingsInterface;
 use Magento\Framework\Jwt\Jwe\JweEncryptionJwks;
+use Magento\Framework\Jwt\Jwk;
+use Magento\Framework\Jwt\JwkSet;
 use Magento\Framework\Jwt\Jws\JwsSignatureJwks;
 use Magento\JwtUserToken\Api\ConfigReaderInterface;
 
@@ -20,12 +22,12 @@
 class ConfigurableJwtSettingsProvider implements JwtSettingsProviderInterface
 {
     /**
-     * @var EncryptionSettingsInterface[]
+     * @var EncryptionSettingsInterface[][]
      */
     private $jwsEncryptions;
 
     /**
-     * @var EncryptionSettingsInterface[]
+     * @var EncryptionSettingsInterface[][]
      */
     private $jweEncryptions;
 
@@ -42,8 +44,8 @@ class ConfigurableJwtSettingsProvider implements JwtSettingsProviderInterface
     /**
      * @param SecretBasedJwksFactory $secretBasedJwkFactory
      * @param ConfigReaderInterface $configReader
-     * @param EncryptionSettingsInterface[] $jwsEncryptions Additional JWS settings.
-     * @param EncryptionSettingsInterface[] $jweEncryptions Additional JWE settings.
+     * @param EncryptionSettingsInterface[][] $jwsEncryptions Additional JWS settings.
+     * @param EncryptionSettingsInterface[][] $jweEncryptions Additional JWE settings.
      */
     public function __construct(
         SecretBasedJwksFactory $secretBasedJwkFactory,
@@ -62,7 +64,9 @@ public function __construct(
      */
     public function prepareSettingsFor(UserContextInterface $userContext): EncryptionSettingsInterface
     {
-        return $this->prepareAllAccepted()[0];
+        $settings = $this->prepareAllAccepted();
+
+        return array_pop($settings);
     }
 
     /**
@@ -76,27 +80,31 @@ public function prepareAllAccepted(): array
             if (!array_key_exists($algorithm, $this->jwsEncryptions)) {
                 //Try to create default settings.
                 try {
-                    $this->jwsEncryptions[$algorithm] = new JwsSignatureJwks(
+                    $this->jwsEncryptions[$algorithm] = array_map(
+                        function (Jwk $jwk) {
+                            return new JwsSignatureJwks($jwk);
+                        },
                         $this->secretBasedJwkFactory->createFor($algorithm)
                     );
                 } catch (\InvalidArgumentException $exception) {
                     //Failed to create
-                    $x=1;
                 }
             }
             if (!array_key_exists($algorithm, $this->jwsEncryptions)) {
                 throw new \RuntimeException('JWT settings for algorithm "' .$algorithm .'" not found');
             }
 
-            return [$this->jwsEncryptions[$algorithm]];
+            return $this->jwsEncryptions[$algorithm];
         } else {
             if (!array_key_exists($algorithm, $this->jweEncryptions)) {
                 //Try to create default settings.
                 try {
                     $contentAlg = $this->configReader->getJweContentAlgorithm();
-                    $this->jweEncryptions[$algorithm] = new JweEncryptionJwks(
-                        $this->secretBasedJwkFactory->createFor($algorithm),
-                        $contentAlg
+                    $this->jweEncryptions[$algorithm] = array_map(
+                        function (Jwk $jwk) use ($contentAlg) {
+                            return new JweEncryptionJwks($jwk, $contentAlg);
+                        },
+                        $this->secretBasedJwkFactory->createFor($algorithm)
                     );
                 } catch (\InvalidArgumentException $exception) {
                     //Failed to create
@@ -106,7 +114,7 @@ public function prepareAllAccepted(): array
                 throw new \RuntimeException('JWT settings for algorithm "' . $algorithm . '" not found');
             }
 
-            return [$this->jweEncryptions[$algorithm]];
+            return $this->jweEncryptions[$algorithm];
         }
     }
 }

app/code/Magento/JwtUserToken/Model/SecretBasedJwksFactory.php

@@ -43,116 +43,98 @@ public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkF
     }
 
     /**
-     * Create JWK Set for given algorithm.
+     * Create JWKs for given algorithm.
      *
      * @param string $algorithm
-     * @return JwkSet
+     * @return Jwk[]
      * @throws \InvalidArgumentException When algorithm is not recognized.
      */
-    public function createFor(string $algorithm): JwkSet
+    public function createFor(string $algorithm): array
     {
         switch ($algorithm) {
             case Jwk::ALGORITHM_HS256:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createHs256($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createHs256($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_HS384:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createHs384($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createHs384($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_HS512:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createHs512($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createHs512($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A128KW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA128KW($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA128KW($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A192KW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA192KW($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA192KW($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A256KW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA256KW($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA256KW($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A128GCMKW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA128Gcmkw($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA128Gcmkw($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A192GCMKW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA192Gcmkw($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA192Gcmkw($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             case Jwk::ALGORITHM_A256GCMKW:
-                return new JwkSet(
-                    array_map(
-                        function (string $key): Jwk {
-                            static $i = 0;
-
-                            return $this->jwkFactory->createA256Gcmkw($key, (string) $i++);
-                        },
-                        $this->keys
-                    )
+                return array_map(
+                    function (string $key): Jwk {
+                        static $i = 0;
+
+                        return $this->jwkFactory->createA256Gcmkw($key, (string) ++$i);
+                    },
+                    $this->keys
                 );
             default:
-                throw new \InvalidArgumentException('Unknown algorithm "' .$algorithm .'"');
+                throw new \InvalidArgumentException('Unknown algorithm "' . $algorithm . '"');
         }
     }
 }

dev/tests/integration/testsuite/Magento/Framework/Jwt/JwtManagerTest.php

@@ -76,6 +76,12 @@ public function testCreateRead(
         ) {
             $this->verifyAgainstHeaders([$jwt->getHeader()], $recreated->getHeader());
         }
+        if ($readEncryption instanceof JwsSignatureJwks) {
+            if ($kid = $readEncryption->getJwkSet()->getKeys()[0]->getKeyId()) {
+                $this->assertNotNull($jwt->getHeader()->getParameter('kid'));
+                $this->assertEquals($kid, $jwt->getHeader()->getParameter('kid'));
+            }
+        }
         //Verifying payload
         $this->assertEquals($jwt->getPayload()->getContent(), $recreated->getPayload()->getContent());
         if ($jwt->getPayload() instanceof ClaimsPayloadInterface) {
@@ -319,8 +325,8 @@ public function getTokenVariants(): array
             ),
             null,
             [
-                new JweHeader([new PrivateHeaderParameter('tst', 2), new KeyId('1')]),
-                new JweHeader([new PrivateHeaderParameter('test2', 3), new KeyId('2')])
+                new JweHeader([new PrivateHeaderParameter('tst', 2), new KeyId('2')]),
+                new JweHeader([new PrivateHeaderParameter('test2', 3), new KeyId('1')])
             ],
             new ClaimsPayload(
                 [
@@ -366,7 +372,7 @@ public function getTokenVariants(): array
             ],
             'jws-HS384' => [
                 $flatJws,
-                $enc = new JwsSignatureJwks($jwkFactory->createHs384($sharedSecret)),
+                $enc = new JwsSignatureJwks($jwkFactory->createHs384($sharedSecret, '3')),
                 [$enc]
             ],
             'jws-HS512' => [