BREAKS: make MN HTTP compileOnly and it moves token classes to security

buildSrc/src/main/groovy/io.micronaut.build.internal.security-base.gradle

@@ -1,6 +1,5 @@
 repositories {
     mavenCentral()
-    maven { url "https://s01.oss.sonatype.org/content/repositories/snapshots/" }
 }
 
 tasks.withType(Test) {

gradle/libs.versions.toml

@@ -12,7 +12,6 @@ unboundid-ldapsdk = "6.0.8"
 bouncycastle = "1.70"
 kotlin = "1.8.21"
 bcpkix = "1.70"
-
 micronaut-test = "4.0.0-M3"
 micronaut-multitenancy = "5.0.0-M2"
 micronaut-reactor = "3.0.0-M1"

security-jwt/build.gradle

@@ -5,21 +5,21 @@ plugins {
 dependencies {
     annotationProcessor(mn.micronaut.graal)
     annotationProcessor(mnSerde.micronaut.serde.processor)
-    implementation(mnSerde.micronaut.serde.jackson)
     annotationProcessor(mnValidation.micronaut.validation.processor)
     api(mnValidation.micronaut.validation)
-    api(mn.micronaut.http)
-    api(mn.micronaut.http.server)
     api(projects.micronautSecurity)
     api(libs.managed.nimbus.jose.jwt)
-
     implementation(mnReactor.micronaut.reactor)
     testImplementation(libs.bcpkix.jdk15on)
     testImplementation(libs.bcprov.jdk15on)
 
+    compileOnly(mn.micronaut.http.server)
+    compileOnly(mn.micronaut.json.core)
+
     testImplementation(mn.micronaut.management)
     testImplementation(mn.micronaut.http.client)
     testAnnotationProcessor(mn.micronaut.inject.java)
+    testImplementation(mnSerde.micronaut.serde.jackson)
     testImplementation(mn.micronaut.http.server.netty)
     testImplementation(projects.testSuiteUtils)
     testImplementation(projects.testSuiteUtilsSecurity)

security-jwt/src/main/java/io/micronaut/security/token/jwt/endpoints/KeysController.java

@@ -40,6 +40,7 @@
  * @since 1.1.0
  * @author Sergio del Amo
  */
+@Requires(classes = { Controller.class })
 @Requires(property = KeysControllerConfigurationProperties.PREFIX + ".enabled", notEquals = StringUtils.FALSE, defaultValue = StringUtils.TRUE)
 @Requires(beans = JwkProvider.class)
 @Controller("${" + KeysControllerConfigurationProperties.PREFIX + ".path:/keys}")

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/JwtTokenGenerator.java

@@ -21,9 +21,9 @@
 import com.nimbusds.jwt.PlainJWT;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.claims.ClaimsGenerator;
 import io.micronaut.security.token.generator.TokenGenerator;
 import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
-import io.micronaut.security.token.jwt.generator.claims.ClaimsGenerator;
 import io.micronaut.security.token.jwt.signature.SignatureGeneratorConfiguration;
 import jakarta.inject.Named;
 import jakarta.inject.Singleton;

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/claims/JWTClaimsSetGenerator.java

@@ -20,6 +20,10 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.runtime.ApplicationConfiguration;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.Claims;
+import io.micronaut.security.token.claims.ClaimsAudienceProvider;
+import io.micronaut.security.token.claims.ClaimsGenerator;
+import io.micronaut.security.token.claims.JtiGenerator;
 import io.micronaut.security.token.config.TokenConfiguration;
 import jakarta.inject.Singleton;
 import java.time.Instant;
@@ -43,7 +47,7 @@ public class JWTClaimsSetGenerator implements ClaimsGenerator {
     private static final String ROLES_KEY = "rolesKey";
 
     private final TokenConfiguration tokenConfiguration;
-    private final JwtIdGenerator jwtIdGenerator;
+    private final JtiGenerator jwtIdGenerator;
     private final ClaimsAudienceProvider claimsAudienceProvider;
     private final String appName;
 
@@ -54,7 +58,7 @@ public class JWTClaimsSetGenerator implements ClaimsGenerator {
      * @param applicationConfiguration The application configuration
      */
     public JWTClaimsSetGenerator(TokenConfiguration tokenConfiguration,
-                                 @Nullable JwtIdGenerator jwtIdGenerator,
+                                 @Nullable JtiGenerator jwtIdGenerator,
                                  @Nullable ClaimsAudienceProvider claimsAudienceProvider,
                                  @Nullable ApplicationConfiguration applicationConfiguration) {
         this.tokenConfiguration = tokenConfiguration;
@@ -189,7 +193,7 @@ protected void populateWithAuthentication(JWTClaimsSet.Builder builder, Authenti
     @Override
     public Map<String, Object> generateClaimsSet(Map<String, ?> oldClaims, Integer expiration) {
         JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
-        List<String> excludedClaims = Arrays.asList(JwtClaims.EXPIRATION_TIME, JwtClaims.ISSUED_AT, JwtClaims.NOT_BEFORE);
+        List<String> excludedClaims = Arrays.asList(Claims.EXPIRATION_TIME, Claims.ISSUED_AT, Claims.NOT_BEFORE);
         for (String k : oldClaims.keySet()
                 .stream()
                 .filter(p -> !excludedClaims.contains(p))

security-jwt/src/main/java/io/micronaut/security/token/jwt/generator/claims/JwtClaimsSetAdapter.java

@@ -18,15 +18,17 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
+import io.micronaut.security.token.Claims;
+
 import java.util.Set;
 
 /**
- * Adapts from {@link JWTClaimsSet} to {@link JwtClaims}.
+ * Adapts from {@link JWTClaimsSet} to {@link Claims}.
  *
  * @author Sergio del Amo
  * @since 1.1.0
  */
-public class JwtClaimsSetAdapter implements JwtClaims {
+public class JwtClaimsSetAdapter implements Claims {
 
     private final JWTClaimsSet jwtClaimsSet;
 

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/AudienceJwtClaimsValidator.java

@@ -15,14 +15,13 @@
  */
 package io.micronaut.security.token.jwt.validator;
 
+import java.util.List;
+import io.micronaut.security.token.Claims;
+import jakarta.inject.Singleton;
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
-import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
-import jakarta.inject.Singleton;
-import java.util.List;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -32,10 +31,11 @@
  * @author Jason Schindler
  * @author Sergio del Amo
  * @since 2.4.0
+ * @param <T> Request
  */
 @Singleton
 @Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".audience")
-public class AudienceJwtClaimsValidator implements GenericJwtClaimsValidator {
+public class AudienceJwtClaimsValidator<T> implements GenericJwtClaimsValidator<T> {
 
     private static final Logger LOG = LoggerFactory.getLogger(AudienceJwtClaimsValidator.class);
 
@@ -80,8 +80,8 @@ protected boolean validate(JWTClaimsSet claimsSet) {
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims,
-                            @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims,
+                            @Nullable T request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/DefaultJwtAuthenticationFactory.java

@@ -18,14 +18,15 @@
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.token.AbstractTokenAuthenticationFactory;
+import io.micronaut.security.token.MapClaims;
 import io.micronaut.security.token.RolesFinder;
 import io.micronaut.security.token.config.TokenConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import jakarta.inject.Singleton;
 import java.text.ParseException;
-import java.util.Map;
 import java.util.Optional;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * Extracts the JWT claims and uses the {@link AuthenticationJWTClaimsSetAdapter} to construction an {@link Authentication} object.
@@ -34,17 +35,18 @@
  * @since 1.1.0
  */
 @Singleton
-public class DefaultJwtAuthenticationFactory implements JwtAuthenticationFactory {
+public class DefaultJwtAuthenticationFactory extends AbstractTokenAuthenticationFactory<JWT> implements JwtAuthenticationFactory {
 
     private static final Logger LOG = LoggerFactory.getLogger(DefaultJwtAuthenticationFactory.class);
 
-    private final TokenConfiguration tokenConfiguration;
-    private final RolesFinder rolesFinder;
-
+    /**
+     *
+     * @param tokenConfiguration Token Configuration
+     * @param rolesFinder Utility to retrieve roles from token claims
+     */
     public DefaultJwtAuthenticationFactory(TokenConfiguration tokenConfiguration,
                                            RolesFinder rolesFinder) {
-        this.tokenConfiguration = tokenConfiguration;
-        this.rolesFinder = rolesFinder;
+        super(tokenConfiguration, rolesFinder);
     }
 
     @Override
@@ -54,11 +56,7 @@ public Optional<Authentication> createAuthentication(JWT token) {
             if (claimSet == null) {
                 return Optional.empty();
             }
-            Map<String, Object> attributes = claimSet.getClaims();
-            return usernameForClaims(claimSet).map(username ->
-                    Authentication.build(username,
-                            rolesFinder.resolveRoles(attributes),
-                            attributes));
+            return createAuthentication(claimSet.getClaims());
         } catch (ParseException e) {
             if (LOG.isErrorEnabled()) {
                 LOG.error("ParseException creating authentication", e);
@@ -71,13 +69,11 @@ public Optional<Authentication> createAuthentication(JWT token) {
      *
      * @param claimSet JWT Claims
      * @return the username defined by {@link TokenConfiguration#getNameKey()} ()} or the sub claim.
+     * @deprecated Use {@link AbstractTokenAuthenticationFactory#usernameForClaims(io.micronaut.security.token.Claims)} instead.
      * @throws ParseException might be thrown parsing claims
      */
+    @Deprecated
     protected Optional<String> usernameForClaims(JWTClaimsSet claimSet) throws ParseException {
-        String username = claimSet.getStringClaim(tokenConfiguration.getNameKey());
-        if (username == null) {
-            return Optional.ofNullable(claimSet.getSubject());
-        }
-        return Optional.of(username);
+        return super.usernameForClaims(new MapClaims(claimSet.getClaims()));
     }
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/ExpirationJwtClaimsValidator.java

@@ -20,22 +20,22 @@
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.core.util.StringUtils;
-import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
-import jakarta.inject.Singleton;
-import java.util.Date;
+import io.micronaut.security.token.Claims;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import jakarta.inject.Singleton;
+import java.util.Date;
 
 /**
  * Validate JWT is not expired.
  *
  * @author Sergio del Amo
  * @since 1.1.0
+ * @param <T> Request
  */
 @Singleton
 @Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".expiration", notEquals = StringUtils.FALSE)
-public class ExpirationJwtClaimsValidator implements GenericJwtClaimsValidator {
+public class ExpirationJwtClaimsValidator<T> implements GenericJwtClaimsValidator<T> {
 
     private static final Logger LOG = LoggerFactory.getLogger(ExpirationJwtClaimsValidator.class);
 
@@ -59,7 +59,7 @@ protected boolean validate(@NonNull JWTClaimsSet claimsSet) {
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable T request) {
         return validate(JWTClaimsSetUtils.jwtClaimsSetFromClaims(claims));
     }
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/GenericJwtClaimsValidator.java

@@ -20,6 +20,7 @@
  *
  * @author Sergio del Amo
  * @since 1.1.0
+ * @param <T> Request
  */
-public interface GenericJwtClaimsValidator extends JwtClaimsValidator {
+public interface GenericJwtClaimsValidator<T> extends JwtClaimsValidator<T> {
 }

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/IssuerJwtClaimsValidator.java

@@ -18,8 +18,7 @@
 import io.micronaut.context.annotation.Requires;
 import io.micronaut.core.annotation.NonNull;
 import io.micronaut.core.annotation.Nullable;
-import io.micronaut.http.HttpRequest;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 import jakarta.inject.Singleton;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -30,10 +29,11 @@
  * @author Jason Schindler
  * @author Sergio del Amo
  * @since 2.4.0
+ * @param <T> Request
  */
 @Singleton
 @Requires(property = IssuerJwtClaimsValidator.ISSUER_PROP)
-public class IssuerJwtClaimsValidator implements GenericJwtClaimsValidator {
+public class IssuerJwtClaimsValidator<T> implements GenericJwtClaimsValidator<T> {
 
     public static final String ISSUER_PROP = JwtClaimsValidatorConfigurationProperties.PREFIX + ".issuer";
 
@@ -54,11 +54,11 @@ public IssuerJwtClaimsValidator(JwtClaimsValidatorConfiguration jwtClaimsValidat
     }
 
     @Override
-    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
+    public boolean validate(@NonNull Claims claims, @Nullable T request) {
         if (expectedIssuer == null) {
             return true;
         }
-        Object issuerObject = claims.get(JwtClaims.ISSUER);
+        Object issuerObject = claims.get(Claims.ISSUER);
         if (issuerObject == null) {
             if (LOG.isTraceEnabled()) {
                 LOG.trace("Expected JWT issuer claim of '{}', but the token did not include an issuer.", expectedIssuer);

security-jwt/src/main/java/io/micronaut/security/token/jwt/validator/JWTClaimsSetUtils.java

@@ -16,7 +16,7 @@
 package io.micronaut.security.token.jwt.validator;
 
 import com.nimbusds.jwt.JWTClaimsSet;
-import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
+import io.micronaut.security.token.Claims;
 
 /**
  * Utils class to instantiate a JWClaimsSet give a map of claims.
@@ -34,7 +34,7 @@ private JWTClaimsSetUtils() {
      * @param claims JWT claims
      * @return A JWTClaimsSet
      */
-    public static JWTClaimsSet jwtClaimsSetFromClaims(JwtClaims claims) {
+    public static JWTClaimsSet jwtClaimsSetFromClaims(Claims claims) {
         JWTClaimsSet.Builder claimsSetBuilder = new JWTClaimsSet.Builder();
         for (String k : claims.names()) {
             claimsSetBuilder.claim(k, claims.get(k));