WIP

runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/config/JwtOptionsConfig.java

@@ -29,6 +29,7 @@ public class JwtOptionsConfig extends OptionsConfig
     public final String audience;
     public final List<JwtKeyConfig> keys;
     public final Optional<Duration> challenge;
+    public final String identity;
     public final Optional<String> keysURL;
 
     public static JwtOptionsConfigBuilder<JwtOptionsConfig> builder()
@@ -47,12 +48,14 @@ public static <T> JwtOptionsConfigBuilder<T> builder(
         String audience,
         List<JwtKeyConfig> keys,
         Duration challenge,
+        String identity,
         String keysURL)
     {
         this.issuer = issuer;
         this.audience = audience;
         this.keys = keys;
         this.challenge = ofNullable(challenge);
+        this.identity = identity;
         this.keysURL = ofNullable(keysURL);
     }
 }

runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/config/JwtOptionsConfigBuilder.java

@@ -30,6 +30,7 @@ public class JwtOptionsConfigBuilder<T> extends ConfigBuilder<T, JwtOptionsConfi
     private String audience;
     private List<JwtKeyConfig> keys;
     private Duration challenge;
+    private String identity;
     private String keysURL;
 
     JwtOptionsConfigBuilder(
@@ -66,6 +67,13 @@ public JwtOptionsConfigBuilder<T> challenge(
         return this;
     }
 
+    public JwtOptionsConfigBuilder<T> identity(
+        String identity)
+    {
+        this.identity = identity;
+        return this;
+    }
+
     public JwtOptionsConfigBuilder<T> keys(
         List<JwtKeyConfig> keys)
     {
@@ -99,6 +107,6 @@ public JwtOptionsConfigBuilder<T> keysURL(
     @Override
     public T build()
     {
-        return mapper.apply(new JwtOptionsConfig(issuer, audience, keys, challenge, keysURL));
+        return mapper.apply(new JwtOptionsConfig(issuer, audience, keys, challenge, identity, keysURL));
     }
 }

runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardContext.java

@@ -29,11 +29,13 @@ final class JwtGuardContext implements GuardContext
     private final Long2ObjectHashMap<JwtGuardHandler> handlersById;
     private final LongSupplier supplyAuthorizedId;
     private final EngineContext context;
+    private final Configuration config;
 
     JwtGuardContext(
         Configuration config,
         EngineContext context)
     {
+        this.config = config;
         this.handlersById = new Long2ObjectHashMap<>();
         this.context = context;
         this.supplyAuthorizedId = context::supplyAuthorizedId;

runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardHandler.java

@@ -58,6 +58,7 @@ public class JwtGuardHandler implements GuardHandler
     private final String issuer;
     private final String audience;
     private final Duration challenge;
+    private final String identity;
     private final Map<String, JsonWebKey> keys;
     private final Long2ObjectHashMap<JwtSession> sessionsById;
     private final LongSupplier supplyAuthorizedId;
@@ -72,14 +73,15 @@ public JwtGuardHandler(
         this.issuer = options.issuer;
         this.audience = options.audience;
         this.challenge = options.challenge.orElse(null);
+        this.identity = options.identity;
 
         List<JwtKeyConfig> keysConfig = options.keys;
         if ((keysConfig == null || keysConfig.isEmpty()) && options.keysURL.isPresent())
         {
-            JsonbConfig config = new JsonbConfig()
+            JsonbConfig keyConfig = new JsonbConfig()
                     .withAdapters(new JwtKeySetConfigAdapter());
             Jsonb jsonb = JsonbBuilder.newBuilder()
-                    .withConfig(config)
+                    .withConfig(keyConfig)
                     .build();
             Path keysPath = context.resolvePath(options.keysURL.get());
             String keysText = readKeys(keysPath);
@@ -128,7 +130,7 @@ public long reauthorize(
         String credentials)
     {
         JwtSession session = null;
-        String subject = null;
+        String identity = null;
         String reason = "";
 
         authorize:
@@ -158,7 +160,7 @@ public long reauthorize(
 
             String payload = signature.getPayload();
             JwtClaims claims = JwtClaims.parse(payload);
-            subject = claims.getSubject();
+            identity = this.identity != null ? claims.getStringClaimValue(this.identity) : claims.getSubject();
             NumericDate notBefore = claims.getNotBefore();
             NumericDate notAfter = claims.getExpirationTime();
             String issuer = claims.getIssuer();
@@ -185,7 +187,7 @@ public long reauthorize(
                 .orElse(null);
 
             JwtSessionStore sessionStore = supplySessionStore(contextId);
-            session = sessionStore.supplySession(subject, roles);
+            session = sessionStore.supplySession(identity, roles);
 
             session.credentials = credentials;
             session.roles = roles;
@@ -204,7 +206,7 @@ public long reauthorize(
         }
         if (session == null)
         {
-            event.authorizationFailed(traceId, bindingId, subject, reason);
+            event.authorizationFailed(traceId, bindingId, identity, reason);
         }
         return session != null ? session.authorized : NOT_AUTHORIZED;
     }
@@ -231,7 +233,7 @@ public String identity(
         long sessionId)
     {
         JwtSession session = sessionsById.get(sessionId);
-        return session != null ? session.subject : null;
+        return session != null ? session.identity : null;
     }
 
     @Override
@@ -298,51 +300,51 @@ private JwtSessionStore supplySessionStore(
     private final class JwtSessionStore
     {
         private final long contextId;
-        private final Map<String, JwtSession> sessionsBySubject;
+        private final Map<String, JwtSession> sessionsByIdentity;
 
         private JwtSessionStore(
             long contextId)
         {
             this.contextId = contextId;
-            this.sessionsBySubject = new IdentityHashMap<>();
+            this.sessionsByIdentity = new IdentityHashMap<>();
         }
 
         private JwtSession supplySession(
-            String subject,
+            String identity,
             List<String> roles)
         {
-            String subjectKey = subject != null ? subject.intern() : null;
-            JwtSession session = sessionsBySubject.get(subjectKey);
+            String identityKey = identity != null ? identity.intern() : null;
+            JwtSession session = sessionsByIdentity.get(identityKey);
 
-            if (subjectKey == null || session != null && roles != null && !supersetOf(session, roles))
+            if (identityKey == null || session != null && roles != null && !supersetOf(session, roles))
             {
-                session = newSession(subjectKey);
+                session = newSession(identityKey);
             }
             else
             {
-                session = sessionsBySubject.computeIfAbsent(subjectKey, this::newSharedSession);
+                session = sessionsByIdentity.computeIfAbsent(identityKey, this::newSharedSession);
             }
 
             return session;
         }
 
         private JwtSession newSharedSession(
-            String subject)
+            String identity)
         {
-            return new JwtSession(supplyAuthorizedId.getAsLong(), subject, this::onUnshared);
+            return new JwtSession(supplyAuthorizedId.getAsLong(), identity, this::onUnshared);
         }
 
         private JwtSession newSession(
-            String subject)
+            String identity)
         {
-            return new JwtSession(supplyAuthorizedId.getAsLong(), subject);
+            return new JwtSession(supplyAuthorizedId.getAsLong(), identity);
         }
 
         private void onUnshared(
             JwtSession session)
         {
-            sessionsBySubject.remove(session.subject);
-            if (sessionsBySubject.isEmpty())
+            sessionsByIdentity.remove(session.identity);
+            if (sessionsByIdentity.isEmpty())
             {
                 sessionStoresByContextId.remove(contextId);
             }
@@ -352,7 +354,7 @@ private void onUnshared(
     private final class JwtSession
     {
         private final long authorized;
-        private final String subject;
+        private final String identity;
         private final Consumer<JwtSession> unshare;
 
         private String credentials;
@@ -366,26 +368,26 @@ private final class JwtSession
 
         private JwtSession(
             long authorized,
-            String subject)
+            String identity)
         {
-            this(authorized, subject, null);
+            this(authorized, identity, null);
         }
 
         private JwtSession(
             long authorized,
-            String subject,
+            String identity,
             Consumer<JwtSession> unshare)
         {
             this.authorized = authorized;
-            this.subject = subject;
+            this.identity = identity;
             this.unshare = unshare;
         }
 
         boolean challenge(
             long now)
         {
             final boolean challenge =
-                subject != null &&
+                identity != null &&
                 challengeAt <= now && now < expiresAt &&
                 challengedAt < challengeAt;
 

runtime/guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/config/JwtOptionsConfigAdapter.java

@@ -40,6 +40,7 @@ public final class JwtOptionsConfigAdapter implements OptionsConfigAdapterSpi, J
     private static final String AUDIENCE_NAME = "audience";
     private static final String KEYS_NAME = "keys";
     private static final String CHALLENGE_NAME = "challenge";
+    private static final String IDENTITY_NAME = "identity";
 
     private static final List<JwtKeyConfig> KEYS_DEFAULT = emptyList();
 
@@ -92,6 +93,11 @@ public JsonObject adaptToJson(
             object.add(CHALLENGE_NAME, jwtOptions.challenge.get().getSeconds());
         }
 
+        if (jwtOptions.identity != null)
+        {
+            object.add(IDENTITY_NAME, jwtOptions.identity);
+        }
+
         return object.build();
     }
 
@@ -149,6 +155,11 @@ public OptionsConfig adaptFromJson(
             jwtOptions.challenge(Duration.ofSeconds(object.getInt(CHALLENGE_NAME)));
         }
 
+        if (object.containsKey(IDENTITY_NAME))
+        {
+            jwtOptions.identity(object.getString(IDENTITY_NAME));
+        }
+
         return jwtOptions.build();
     }
 }

runtime/guard-jwt/src/test/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardHandlerTest.java

@@ -88,6 +88,40 @@ public void shouldAuthorize() throws Exception
         assertTrue(guard.verify(sessionId, asList("read:stream", "write:stream")));
     }
 
+    @Test
+    public void shouldAuthorizeWithCustomIdentity() throws Exception
+    {
+        Duration challenge = ofSeconds(3L);
+        JwtOptionsConfig options = JwtOptionsConfig.builder()
+            .inject(identity())
+            .issuer("test issuer")
+            .audience("testAudience")
+            .key(RFC7515_RS256_CONFIG)
+            .challenge(challenge)
+            .identity("username")
+            .build();
+        JwtGuardHandler guard = new JwtGuardHandler(options, context, new MutableLong(1L)::getAndIncrement);
+
+        Instant now = Instant.now();
+
+        JwtClaims claims = new JwtClaims();
+        claims.setClaim("iss", "test issuer");
+        claims.setClaim("aud", "testAudience");
+        claims.setClaim("username", "johndoe");
+        claims.setClaim("exp", now.getEpochSecond() + 10L);
+        claims.setClaim("scope", "read:stream write:stream");
+
+        String token = sign(claims.toJson(), "test", RFC7515_RS256, "RS256");
+
+        long sessionId = guard.reauthorize(0L, 0L, 101L, token);
+
+        assertThat(sessionId, not(equalTo(0L)));
+        assertThat(guard.identity(sessionId), equalTo("johndoe"));
+        assertThat(guard.expiresAt(sessionId), equalTo(ofSeconds(now.getEpochSecond() + 10L).toMillis()));
+        assertThat(guard.expiringAt(sessionId), equalTo(ofSeconds(now.getEpochSecond() + 10L).minus(challenge).toMillis()));
+        assertTrue(guard.verify(sessionId, asList("read:stream", "write:stream")));
+    }
+
     @Test
     public void shouldChallengeDuringChallengeWindow() throws Exception
     {