fix(authentication-service): added idp server controller for login and discovery endpoint (#2131)

* fix(authentication-service):  added idp server controller for login and discovery endpoint

BREAKING CHANGE:

* feat(authentication-service): added the logic for rotation of keys with database

2034

* feat(authentication-service):  added final changes for idp server

MIGRATION CHANGE:
migration-20241105074844-

BREAKING CHANGE:
JWT Asymmetric Signer and Verifier will be served from Database only. File support has been removed.

2034

---------

Co-authored-by: prernagp <prernagp90@gmail.com>
Co-authored-by: Tyagi-Sunny <sunny.tyagi@sourcefuse.com>

Author: 3 people

package-lock.json

@@ -42,5 +42,7 @@
 	"API not found !": "API not found !",
 	"User Task not found": "User Task not found",
 	"Task completion cannot be done through the PATCH API.": "Task completion cannot be done through the PATCH API.",
-	"Unauthorized": "Unauthorized"
+	"Unauthorized": "Unauthorized",
+	"No keys found": "No keys found",
+	"[{\"keyword\"": "\"type\",\"dataPath\":\".valueB\",\"schemaPath\":\"#/properties/valueB/type\",\"params\":{\"type\":\"string\"},\"message\":\"should be string\"}]"
 }

packages/core/locales/en.json

@@ -5,14 +5,14 @@
 import {Binding, Component, inject, ProviderMap} from '@loopback/core';
 import {Class, Model, Repository} from '@loopback/repository';
 import {Strategies} from 'loopback4-authentication';
+import {JwtKeysRepository} from '../../repositories';
 import {ILogger, LOGGER} from '../logger-extension';
-
 import {
   BearerVerifierBindings,
   BearerVerifierConfig,
   BearerVerifierType,
 } from './keys';
-import {RevokedToken} from './models';
+import {JwtKeys, RevokedToken} from './models';
 import {FacadesBearerAsymmetricTokenVerifyProvider} from './providers/facades-bearer-asym-token-verify.provider';
 import {FacadesBearerTokenVerifyProvider} from './providers/facades-bearer-token-verify.provider';
 import {ServicesBearerAsymmetricTokenVerifyProvider} from './providers/services-bearer-asym-token-verifier';
@@ -26,9 +26,9 @@ export class BearerVerifierComponent implements Component {
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
   ) {
     this.providers = {};
-    this.repositories = [RevokedTokenRepository];
 
-    this.models = [RevokedToken];
+    this.repositories = [RevokedTokenRepository, JwtKeysRepository];
+    this.models = [RevokedToken, JwtKeys];
 
     if (this.config && this.config.type === BearerVerifierType.service) {
       this.providers[Strategies.Passport.BEARER_TOKEN_VERIFIER.key] =

packages/core/src/components/bearer-verifier/component.ts

@@ -4,6 +4,5 @@
 // https://opensource.org/licenses/MIT
 export * from './component';
 export * from './keys';
-export * from './types';
 export * from './models';
 export * from './repositories';

packages/core/src/components/bearer-verifier/index.ts

@@ -2,4 +2,5 @@
 //
 // This software is released under the MIT License.
 // https://opensource.org/licenses/MIT
+export * from './jwt-keys.model';
 export * from './revoked-token.model';

packages/core/src/components/bearer-verifier/models/index.ts

@@ -0,0 +1,44 @@
+import {Entity, model, property} from '@loopback/repository';
+
+@model({
+  name: 'jwt_keys',
+})
+export class JwtKeys extends Entity {
+  @property({
+    type: 'number',
+    id: true,
+  })
+  id?: number;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'key_id',
+  })
+  keyId: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'public_key',
+  })
+  publicKey: string;
+
+  @property({
+    type: 'string',
+    required: true,
+    name: 'private_key',
+  })
+  privateKey: string;
+
+  @property({
+    type: 'date',
+    default: () => new Date(),
+    name: 'created_on',
+  })
+  createdOn?: Date;
+
+  constructor(data?: Partial<JwtKeys>) {
+    super(data);
+  }
+}

packages/core/src/components/bearer-verifier/models/jwt-keys.model.ts

@@ -5,15 +5,16 @@
 import {Constructor, inject, Provider} from '@loopback/context';
 import {repository} from '@loopback/repository';
 import {HttpErrors, Request} from '@loopback/rest';
-import {verify} from 'jsonwebtoken';
+import * as jwt from 'jsonwebtoken';
 import {
-  VerifyFunction,
   AuthenticationBindings,
   EntityWithIdentifier,
   IAuthUser,
+  VerifyFunction,
 } from 'loopback4-authentication';
 import moment from 'moment';
-import * as fs from 'fs/promises';
+import * as jose from 'node-jose';
+import {JwtKeysRepository} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
 import {RevokedTokenRepository} from '../repositories';
@@ -25,6 +26,8 @@ export class FacadesBearerAsymmetricTokenVerifyProvider
     @repository(RevokedTokenRepository)
     public revokedTokenRepository: RevokedTokenRepository,
     @inject(LOGGER.LOGGER_INJECT) private readonly logger: ILogger,
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
     @inject(AuthenticationBindings.USER_MODEL, {optional: true})
     public authUserModel?: Constructor<EntityWithIdentifier & IAuthUser>,
   ) {}
@@ -45,8 +48,30 @@ export class FacadesBearerAsymmetricTokenVerifyProvider
 
       let user: IAuthUserWithPermissions;
       try {
-        const publicKey = await fs.readFile(process.env.JWT_PUBLIC_KEY ?? '');
-        user = verify(token, publicKey, {
+        // Get the key that matches the token's kid
+        const decoded = jwt.decode(token.trim(), {complete: true});
+        if (!decoded) {
+          throw new Error('Token is not valid');
+        }
+        const kid = decoded?.header.kid;
+
+        // Load the JWKS
+        const key = await this.jwtKeysRepo.findOne({
+          where: {
+            keyId: kid,
+          },
+        });
+
+        if (!key) {
+          throw new Error('Key not found for verification');
+        }
+
+        // Convert the JWK to PEM format for verification
+        const jwkKey = await jose.JWK.asKey(key.publicKey, 'pem');
+        const pem = jwkKey.toPEM(false);
+
+        // Verify the token with the retrieved PEM-formatted public key
+        user = jwt.verify(token, pem, {
           issuer: process.env.JWT_ISSUER,
           algorithms: ['RS256'],
         }) as IAuthUserWithPermissions;

packages/core/src/components/bearer-verifier/providers/facades-bearer-asym-token-verify.provider.ts

@@ -3,16 +3,18 @@
 // This software is released under the MIT License.
 // https://opensource.org/licenses/MIT
 import {Constructor, inject, Provider} from '@loopback/context';
+import {repository} from '@loopback/repository';
 import {HttpErrors} from '@loopback/rest';
-import {verify} from 'jsonwebtoken';
+import * as jwt from 'jsonwebtoken';
 import {
-  VerifyFunction,
   AuthenticationBindings,
   EntityWithIdentifier,
   IAuthUser,
+  VerifyFunction,
 } from 'loopback4-authentication';
 import moment from 'moment-timezone';
-import * as fs from 'fs/promises';
+import * as jose from 'node-jose';
+import {JwtKeysRepository} from '../../../repositories';
 import {ILogger, LOGGER} from '../../logger-extension';
 import {IAuthUserWithPermissions} from '../keys';
 
@@ -21,6 +23,8 @@ export class ServicesBearerAsymmetricTokenVerifyProvider
 {
   constructor(
     @inject(LOGGER.LOGGER_INJECT) public logger: ILogger,
+    @repository(JwtKeysRepository)
+    public jwtKeysRepo: JwtKeysRepository,
     @inject(AuthenticationBindings.USER_MODEL, {optional: true})
     public authUserModel?: Constructor<EntityWithIdentifier & IAuthUser>,
   ) {}
@@ -30,8 +34,30 @@ export class ServicesBearerAsymmetricTokenVerifyProvider
       let user: IAuthUserWithPermissions;
 
       try {
-        const publicKey = await fs.readFile(process.env.JWT_PUBLIC_KEY ?? '');
-        user = verify(token, publicKey, {
+        // Get the key that matches the token's kid
+        const decoded = jwt.decode(token.trim(), {complete: true});
+        if (!decoded) {
+          throw new Error('Token is not valid');
+        }
+        const kid = decoded?.header.kid;
+
+        // Load the JWKS
+        const key = await this.jwtKeysRepo.findOne({
+          where: {
+            keyId: kid,
+          },
+        });
+
+        if (!key) {
+          throw new Error('Key not found for verification');
+        }
+
+        // Convert the JWK to PEM format for verification
+        const jwkKey = await jose.JWK.asKey(key.publicKey, 'pem');
+        const pem = jwkKey.toPEM(false);
+
+        // Verify the token with the retrieved PEM-formatted public key
+        user = jwt.verify(token, pem, {
           issuer: process.env.JWT_ISSUER,
           algorithms: ['RS256'],
         }) as IAuthUserWithPermissions;

packages/core/src/components/bearer-verifier/providers/services-bearer-asym-token-verifier.ts

@@ -0,0 +1,15 @@
+import {inject} from '@loopback/core';
+import {DefaultCrudRepository, juggler} from '@loopback/repository';
+import {AuthDbSourceName} from '../../../types';
+import {JwtKeys} from '../models';
+export class JwtKeysRepository extends DefaultCrudRepository<
+  JwtKeys,
+  typeof JwtKeys.prototype.id
+> {
+  constructor(
+    @inject(`datasources.${AuthDbSourceName}`)
+    dataSource: juggler.DataSource,
+  ) {
+    super(JwtKeys, dataSource);
+  }
+}

packages/core/src/components/bearer-verifier/repositories/jwt-keys.repository.ts

@@ -5,8 +5,8 @@
 import {inject} from '@loopback/core';
 import {DefaultKeyValueRepository, juggler} from '@loopback/repository';
 
+import {AuthCacheSourceName} from '../../../types';
 import {RevokedToken} from '../models';
-import {AuthCacheSourceName} from '../types';
 
 export class RevokedTokenRepository extends DefaultKeyValueRepository<RevokedToken> {
   constructor(