feat(dps): add JWT claims validation on DPS oauth2 authorization (#5689)

ndr-brt · web-flow · commit bf34fe4140d7 · 2026-04-22T11:58:15.000+02:00
diff --git a/core/common/lib/token-lib/build.gradle.kts b/core/common/lib/token-lib/build.gradle.kts
@@ -22,9 +22,12 @@ dependencies {
     api(project(":spi:common:token-spi"))
     api(project(":spi:common:jwt-spi"))
 
-    implementation(project(":core:common:lib:crypto-common-lib")) // for the CryptoConverter
-    implementation(libs.nimbus.jwt)
     api(libs.bouncyCastle.bcpkixJdk18on)
+
+    implementation(project(":core:common:lib:crypto-common-lib"))
+    implementation(libs.nimbus.jwt)
+
+    testImplementation(project(":core:common:junit"))
 }
 
 
diff --git a/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/HasSubjectRule.java b/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/HasSubjectRule.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2024 Amadeus
+ *  Copyright (c) 2026 Think-it GmbH
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,17 +8,16 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Amadeus - initial API and implementation
+ *       Think-it GmbH - initial API and implementation
  *
  */
 
-package org.eclipse.edc.verifiablecredentials.jwt.rules;
+package org.eclipse.edc.token.rules;
 
 import com.nimbusds.jwt.JWTClaimNames;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
-import org.eclipse.edc.util.string.StringUtils;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
@@ -31,8 +30,10 @@ public class HasSubjectRule implements TokenValidationRule {
 
     @Override
     public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String, Object> additional) {
-        return StringUtils.isNullOrEmpty(toVerify.getStringClaim(JWTClaimNames.SUBJECT)) ?
-                Result.failure("The '%s' claim is mandatory and must not be null.".formatted(JWTClaimNames.SUBJECT)) :
-                Result.success();
+        var subject = toVerify.getStringClaim(JWTClaimNames.SUBJECT);
+        if (subject == null || subject.isBlank()) {
+            return Result.failure("The '%s' claim is mandatory and must not be null.".formatted(JWTClaimNames.SUBJECT));
+        }
+        return Result.success();
     }
 }
diff --git a/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/JtiValidationRule.java b/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/rules/JtiValidationRule.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *  Copyright (c) 2026 Think-it GmbH
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,11 +8,11 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *       Think-it GmbH - initial API and implementation
  *
  */
 
-package org.eclipse.edc.verifiablecredentials.jwt.rules;
+package org.eclipse.edc.token.rules;
 
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
 import org.eclipse.edc.jwt.validation.jti.JtiValidationEntry;
diff --git a/core/common/lib/token-lib/src/test/java/org/eclipse/edc/token/rules/HasSubjectRuleTest.java b/core/common/lib/token-lib/src/test/java/org/eclipse/edc/token/rules/HasSubjectRuleTest.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2024 Amadeus
+ *  Copyright (c) 2026 Think-it GmbH
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,11 +8,11 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Amadeus - initial API and implementation
+ *       Think-it GmbH - initial API and implementation
  *
  */
 
-package org.eclipse.edc.verifiablecredentials.jwt.rules;
+package org.eclipse.edc.token.rules;
 
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.junit.jupiter.api.Test;
@@ -27,21 +27,26 @@ class HasSubjectRuleTest {
 
     @Test
     void subjectClaimPresent() {
-        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("sub", "subject-test").build(), Map.of()))
-                .isSucceeded();
+        var result = rule.checkRule(ClaimToken.Builder.newInstance().claim("sub", "subject-test").build(), Map.of());
+
+        assertThat(result).isSucceeded();
     }
 
     @Test
     void subjectClaimEmpty() {
-        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().claim("sub", "").build(), Map.of()))
+        var result = rule.checkRule(ClaimToken.Builder.newInstance().claim("sub", "").build(), Map.of());
+
+        assertThat(result)
                 .isFailed()
                 .detail()
                 .isEqualTo("The 'sub' claim is mandatory and must not be null.");
     }
 
     @Test
     void subjectClaimNotPresent() {
-        assertThat(rule.checkRule(ClaimToken.Builder.newInstance().build(), Map.of()))
+        var result = rule.checkRule(ClaimToken.Builder.newInstance().build(), Map.of());
+
+        assertThat(result)
                 .isFailed()
                 .detail()
                 .isEqualTo("The 'sub' claim is mandatory and must not be null.");
diff --git a/core/common/lib/token-lib/src/test/java/org/eclipse/edc/token/rules/JtiValidationRuleTest.java b/core/common/lib/token-lib/src/test/java/org/eclipse/edc/token/rules/JtiValidationRuleTest.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *  Copyright (c) 2026 Think-it GmbH
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,11 +8,11 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *       Think-it GmbH - initial API and implementation
  *
  */
 
-package org.eclipse.edc.verifiablecredentials.jwt.rules;
+package org.eclipse.edc.token.rules;
 
 import org.eclipse.edc.jwt.validation.jti.JtiValidationEntry;
 import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
diff --git a/core/data-plane-selector/data-plane-selector-core/src/main/java/org/eclipse/edc/connector/dataplane/selector/DataPlaneSelectorManagerConfiguration.java b/core/data-plane-selector/data-plane-selector-core/src/main/java/org/eclipse/edc/connector/dataplane/selector/DataPlaneSelectorManagerConfiguration.java
diff --git a/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/build.gradle.kts b/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/build.gradle.kts
@@ -21,5 +21,7 @@ dependencies {
     api(project(":spi:common:oauth2-spi"))
     api(project(":data-protocols:data-plane-signaling:data-plane-signaling-spi"))
 
+    implementation(project(":core:common:lib:token-lib"))
+
     testImplementation(project(":core:common:junit"))
 }
diff --git a/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/main/java/org/eclipse/edc/signaling/oauth2/DataPlaneSignalingOauth2Extension.java b/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/main/java/org/eclipse/edc/signaling/oauth2/DataPlaneSignalingOauth2Extension.java
@@ -15,24 +15,43 @@
 package org.eclipse.edc.signaling.oauth2;
 
 import org.eclipse.edc.iam.oauth2.spi.client.Oauth2Client;
+import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.signaling.oauth2.logic.Oauth2CredentialsSignalingAuthorization;
 import org.eclipse.edc.signaling.spi.authorization.SignalingAuthorizationRegistry;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.token.rules.ExpirationIssuedAtValidationRule;
+import org.eclipse.edc.token.rules.HasSubjectRule;
+import org.eclipse.edc.token.rules.JtiValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
 
+import java.time.Clock;
+
 public class DataPlaneSignalingOauth2Extension implements ServiceExtension {
 
+    public static final String VALIDATION_RULES_CONTEXT = "signaling-api-oauth2";
+
     @Inject
     private SignalingAuthorizationRegistry signalingAuthorizationRegistry;
     @Inject
     private Oauth2Client oauth2Client;
     @Inject
     private TokenValidationService tokenValidationService;
+    @Inject
+    private TokenValidationRulesRegistry tokenValidationRulesRegistry;
+    @Inject
+    private Clock clock;
+    @Inject
+    private JtiValidationStore jtiValidationStore;
 
     @Override
     public void initialize(ServiceExtensionContext context) {
-        signalingAuthorizationRegistry.register(new Oauth2CredentialsSignalingAuthorization(oauth2Client, tokenValidationService));
+        tokenValidationRulesRegistry.addRule(VALIDATION_RULES_CONTEXT, new HasSubjectRule());
+        tokenValidationRulesRegistry.addRule(VALIDATION_RULES_CONTEXT, new JtiValidationRule(jtiValidationStore, context.getMonitor().withPrefix(VALIDATION_RULES_CONTEXT)));
+        tokenValidationRulesRegistry.addRule(VALIDATION_RULES_CONTEXT, new ExpirationIssuedAtValidationRule(clock, 0, false));
+
+        signalingAuthorizationRegistry.register(new Oauth2CredentialsSignalingAuthorization(oauth2Client, tokenValidationService, tokenValidationRulesRegistry));
     }
 }
diff --git a/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/main/java/org/eclipse/edc/signaling/oauth2/logic/Oauth2CredentialsSignalingAuthorization.java b/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/main/java/org/eclipse/edc/signaling/oauth2/logic/Oauth2CredentialsSignalingAuthorization.java
@@ -17,9 +17,11 @@
 import org.eclipse.edc.connector.dataplane.selector.spi.instance.AuthorizationProfile;
 import org.eclipse.edc.iam.oauth2.spi.client.Oauth2Client;
 import org.eclipse.edc.iam.oauth2.spi.client.SharedSecretOauth2CredentialsRequest;
+import org.eclipse.edc.signaling.oauth2.DataPlaneSignalingOauth2Extension;
 import org.eclipse.edc.signaling.spi.authorization.Header;
 import org.eclipse.edc.signaling.spi.authorization.SignalingAuthorization;
 import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
 
 import java.util.function.Function;
@@ -55,10 +57,12 @@ public class Oauth2CredentialsSignalingAuthorization implements SignalingAuthori
     private static final String BEARER = "Bearer ";
     private final Oauth2Client oauth2Client;
     private final TokenValidationService tokenValidationService;
+    private final TokenValidationRulesRegistry tokenValidationRulesRegistry;
 
-    public Oauth2CredentialsSignalingAuthorization(Oauth2Client oauth2Client, TokenValidationService tokenValidationService) {
+    public Oauth2CredentialsSignalingAuthorization(Oauth2Client oauth2Client, TokenValidationService tokenValidationService, TokenValidationRulesRegistry tokenValidationRulesRegistry) {
         this.oauth2Client = oauth2Client;
         this.tokenValidationService = tokenValidationService;
+        this.tokenValidationRulesRegistry = tokenValidationRulesRegistry;
     }
 
     /**
@@ -88,7 +92,9 @@ public Result<String> isAuthorized(Function<String, String> headerGetter) {
 
         var token = authorization.substring(BEARER.length());
 
-        var tokenValidation = tokenValidationService.validate(token, i -> Result.success(null));
+        var rules = tokenValidationRulesRegistry.getRules(DataPlaneSignalingOauth2Extension.VALIDATION_RULES_CONTEXT);
+
+        var tokenValidation = tokenValidationService.validate(token, i -> Result.success(null), rules);
         if (tokenValidation.failed()) {
             return tokenValidation.mapFailure();
         }
diff --git a/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/test/java/org/eclipse/edc/signaling/oauth2/logic/Oauth2CredentialsSignalingAuthorizationTest.java b/data-protocols/data-plane-signaling/data-plane-signaling-oauth2/src/test/java/org/eclipse/edc/signaling/oauth2/logic/Oauth2CredentialsSignalingAuthorizationTest.java
@@ -14,26 +14,26 @@
 
 package org.eclipse.edc.signaling.oauth2.logic;
 
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.KeyUse;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
 import org.eclipse.edc.connector.dataplane.selector.spi.instance.AuthorizationProfile;
 import org.eclipse.edc.iam.oauth2.spi.client.Oauth2Client;
 import org.eclipse.edc.spi.iam.ClaimToken;
 import org.eclipse.edc.spi.iam.TokenRepresentation;
 import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.token.spi.TokenValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 
+import java.util.List;
 import java.util.Map;
-import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyList;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.same;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -42,17 +42,9 @@ class Oauth2CredentialsSignalingAuthorizationTest {
 
     private final Oauth2Client oauth2Client = mock();
     private final TokenValidationService tokenValidationService = mock();
-    private Oauth2CredentialsSignalingAuthorization authorization;
-    private RSAKey signingKey;
-
-    @BeforeEach
-    void setUp() throws JOSEException {
-        authorization = new Oauth2CredentialsSignalingAuthorization(oauth2Client, tokenValidationService);
-        signingKey = new RSAKeyGenerator(2048)
-                .keyUse(KeyUse.SIGNATURE)
-                .keyID(UUID.randomUUID().toString())
-                .generate();
-    }
+    private final TokenValidationRulesRegistry tokenValidationRulesRegistry = mock();
+    private final Oauth2CredentialsSignalingAuthorization authorization = new Oauth2CredentialsSignalingAuthorization(
+            oauth2Client, tokenValidationService, tokenValidationRulesRegistry);
 
     @Test
     void getType_shouldReturnOauth2ClientCredentials() {
@@ -67,20 +59,22 @@ void shouldReturnSuccess_whenValidJwtWithSubClaim() {
             var callerId = "test-caller-id";
             var token = "token";
             var claimToken = ClaimToken.Builder.newInstance().claim("sub", callerId).build();
-            when(tokenValidationService.validate(any(), any())).thenReturn(Result.success(claimToken));
+            when(tokenValidationService.validate(anyString(), any(), anyList())).thenReturn(Result.success(claimToken));
+            var validationRules = List.of(mock(TokenValidationRule.class));
+            when(tokenValidationRulesRegistry.getRules(any())).thenReturn(validationRules);
 
             var result = authorization.isAuthorized(header -> "Bearer " + token);
 
             assertThat(result.succeeded()).isTrue();
             assertThat(result.getContent()).isEqualTo(callerId);
-            verify(tokenValidationService).validate(eq(token), any());
+            verify(tokenValidationService).validate(eq(token), any(), same(validationRules));
         }
 
         @Test
         void shouldReturnFailure_whenSubClaimIsNotThere() {
             var token = "token";
             var claimToken = ClaimToken.Builder.newInstance().claim("sub", null).build();
-            when(tokenValidationService.validate(any(), any())).thenReturn(Result.success(claimToken));
+            when(tokenValidationService.validate(anyString(), any(), anyList())).thenReturn(Result.success(claimToken));
 
             var result = authorization.isAuthorized(header -> "Bearer " + token);
 
@@ -89,7 +83,7 @@ void shouldReturnFailure_whenSubClaimIsNotThere() {
 
         @Test
         void shouldReturnFailure_whenTokenValidationFails() {
-            when(tokenValidationService.validate(any(), any())).thenReturn(Result.failure("validation error"));
+            when(tokenValidationService.validate(anyString(), any(), anyList())).thenReturn(Result.failure("validation error"));
 
             var result = authorization.isAuthorized(header -> "Bearer token");
 
diff --git a/extensions/common/api/management-api-configuration/src/main/resources/management-api-version.json b/extensions/common/api/management-api-configuration/src/main/resources/management-api-version.json
@@ -2,7 +2,7 @@
   {
     "version": "3.1.6",
     "urlPath": "/v3",
-    "lastUpdated": "2026-03-12T08:30:01Z",
+    "lastUpdated": "2026-04-22T08:30:01Z",
     "maturity": "deprecated"
   },
   {
diff --git a/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/JwtPresentationVerifierTest.java b/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/JwtPresentationVerifierTest.java
@@ -33,9 +33,9 @@
 import org.eclipse.edc.spi.types.TypeManager;
 import org.eclipse.edc.token.TokenValidationRulesRegistryImpl;
 import org.eclipse.edc.token.TokenValidationServiceImpl;
+import org.eclipse.edc.token.rules.HasSubjectRule;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
-import org.eclipse.edc.verifiablecredentials.jwt.rules.HasSubjectRule;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
diff --git a/extensions/common/iam/decentralized-claims/decentralized-claims-core/src/main/java/org/eclipse/edc/iam/decentralizedclaims/core/DcpCoreExtension.java b/extensions/common/iam/decentralized-claims/decentralized-claims-core/src/main/java/org/eclipse/edc/iam/decentralizedclaims/core/DcpCoreExtension.java
@@ -45,14 +45,14 @@
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
 import org.eclipse.edc.spi.types.TypeManager;
 import org.eclipse.edc.token.rules.ExpirationIssuedAtValidationRule;
+import org.eclipse.edc.token.rules.HasSubjectRule;
+import org.eclipse.edc.token.rules.JtiValidationRule;
 import org.eclipse.edc.token.rules.NotBeforeValidationRule;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
 import org.eclipse.edc.verifiablecredentials.jwt.JwtPresentationVerifier;
 import org.eclipse.edc.verifiablecredentials.jwt.Vcdm20JosePresentationVerifier;
-import org.eclipse.edc.verifiablecredentials.jwt.rules.HasSubjectRule;
 import org.eclipse.edc.verifiablecredentials.jwt.rules.IssuerEqualsSubjectRule;
-import org.eclipse.edc.verifiablecredentials.jwt.rules.JtiValidationRule;
 import org.eclipse.edc.verifiablecredentials.jwt.rules.SubJwkIsNullRule;
 import org.eclipse.edc.verifiablecredentials.jwt.rules.TokenNotNullRule;
 import org.eclipse.edc.verifiablecredentials.linkeddata.DidMethodResolver;
diff --git a/extensions/common/iam/decentralized-claims/decentralized-claims-core/src/test/java/org/eclipse/edc/iam/decentralizedclaims/core/DcpCoreExtensionTest.java b/extensions/common/iam/decentralized-claims/decentralized-claims-core/src/test/java/org/eclipse/edc/iam/decentralizedclaims/core/DcpCoreExtensionTest.java

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)`
	`2`	`+ * Copyright (c) 2026 Think-it GmbH`
`3`	`3`	`*`
`4`	`4`	`* This program and the accompanying materials are made available under the`
`5`	`5`	`* terms of the Apache License, Version 2.0 which is available at`
`@@ -8,11 +8,11 @@`
`8`	`8`	`* SPDX-License-Identifier: Apache-2.0`
`9`	`9`	`*`
`10`	`10`	`* Contributors:`
`11`		`- * Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation`
	`11`	`+ * Think-it GmbH - initial API and implementation`
`12`	`12`	`*`
`13`	`13`	`*/`
`14`	`14`
`15`		`-package org.eclipse.edc.verifiablecredentials.jwt.rules;`
	`15`	`+package org.eclipse.edc.token.rules;`
`16`	`16`
`17`	`17`	`import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;`
`18`	`18`	`import org.eclipse.edc.jwt.validation.jti.JtiValidationEntry;`
Original file line number	Diff line number	Diff line change
`@@ -21,5 +21,7 @@ dependencies {`
`21`	`21`	`api(project(":spi:common:oauth2-spi"))`
`22`	`22`	`api(project(":data-protocols:data-plane-signaling:data-plane-signaling-spi"))`
`23`	`23`
	`24`	`+ implementation(project(":core:common:lib:token-lib"))`
	`25`	`+`
`24`	`26`	`testImplementation(project(":core:common:junit"))`
`25`	`27`	`}`