Implement the DpopAuthScheme + add testing

alextwoods · alextwoods · commit 7dc88450ba95 · 2025-10-29T13:39:34.000-07:00
diff --git a/services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java b/services/signin/src/main/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProvider.java
@@ -29,10 +29,12 @@
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.core.SdkPlugin;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.useragent.BusinessMetricFeatureId;
 import software.amazon.awssdk.services.signin.SigninClient;
 import software.amazon.awssdk.services.signin.internal.AccessTokenManager;
+import software.amazon.awssdk.services.signin.internal.DpopAuthScheme;
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.LoginCacheDirectorySystemSetting;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
@@ -159,14 +161,15 @@ private RefreshResult<AwsCredentials> refreshFromSigninService(LoginAccessToken
         log.debug(() -> "Credentials are near expiration/expired, refreshing from Signin service.");
 
         try {
+            SdkPlugin dpopAuthPlugin = DpopAuthScheme.DpopAuthPlugin.create(tokenFromDisc.getDpopKey());
             CreateOAuth2TokenRequest refreshRequest =
                 CreateOAuth2TokenRequest
                     .builder()
                     .tokenInput(t -> t
                         .clientId(tokenFromDisc.getClientId())
                         .refreshToken(tokenFromDisc.getRefreshToken())
                         .grantType("refresh_token"))
-                    .dpopProof("TODO") // TODO: This will be implemented in a separate PR
+                    .overrideConfiguration(c -> c.addPlugin(dpopAuthPlugin))
                     .build();
 
             CreateOAuth2TokenResponse createTokenResponse = signinClient.createOAuth2Token(refreshRequest);
diff --git a/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthScheme.java b/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopAuthScheme.java
@@ -17,15 +17,20 @@
 
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
+import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
+import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
 import software.amazon.awssdk.core.SdkPlugin;
+import software.amazon.awssdk.core.SdkRequest;
 import software.amazon.awssdk.core.SdkServiceClientConfiguration;
+import software.amazon.awssdk.http.SdkHttpRequest;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthScheme;
 import software.amazon.awssdk.http.auth.spi.scheme.AuthSchemeOption;
 import software.amazon.awssdk.http.auth.spi.signer.AsyncSignRequest;
 import software.amazon.awssdk.http.auth.spi.signer.AsyncSignedRequest;
+import software.amazon.awssdk.http.auth.spi.signer.BaseSignRequest;
 import software.amazon.awssdk.http.auth.spi.signer.HttpSigner;
 import software.amazon.awssdk.http.auth.spi.signer.SignRequest;
 import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
@@ -38,6 +43,7 @@
 import software.amazon.awssdk.services.signin.auth.scheme.SigninAuthSchemeProvider;
 import software.amazon.awssdk.utils.Pair;
 import software.amazon.awssdk.utils.Validate;
+import software.amazon.awssdk.utils.http.SdkHttpUtils;
 
 public class DpopAuthScheme implements AuthScheme<DpopAuthScheme.DpopIdentity> {
     public static final String SCHEME_NAME = "DPOP";
@@ -101,7 +107,7 @@ private static class DpopSigner implements HttpSigner<DpopIdentity> {
         @Override
         public SignedRequest sign(SignRequest<? extends DpopIdentity> request) {
             return SignedRequest.builder()
-                                .request(request.request())
+                                .request(doSign(request))
                                 .payload(request.payload().orElse(null))
                                 .build();
         }
@@ -110,10 +116,37 @@ public SignedRequest sign(SignRequest<? extends DpopIdentity> request) {
         public CompletableFuture<AsyncSignedRequest> signAsync(AsyncSignRequest<? extends DpopIdentity> request) {
             return CompletableFuture.completedFuture(
                 AsyncSignedRequest.builder()
-                                  .request(request.request())
+                                  .request(doSign(request))
                                   .payload(request.payload().orElse(null))
                                   .build());
         }
+
+        /**
+         * Using {@link BaseSignRequest}, sign the request with a {@link BaseSignRequest} and re-build it.
+         */
+        private SdkHttpRequest doSign(BaseSignRequest<?, ? extends DpopIdentity> request) {
+            return request.request().toBuilder()
+                          .putHeader(
+                              "DPoP",
+                              buildDpopHeader(request))
+                          .build();
+        }
+
+        private String buildDpopHeader(BaseSignRequest<?, ? extends DpopIdentity> request) {
+            SdkHttpRequest httpRequest = request.request();
+            String endpoint = extractRequestEndpoint(httpRequest);
+            return DpopHeaderGenerator.generateDPoPProofHeader(
+                request.identity(), endpoint, httpRequest.method().name(),
+                Instant.now().getEpochSecond(), UUID.randomUUID().toString());
+        }
+
+        private static String extractRequestEndpoint(SdkHttpRequest httpRequest) {
+            // using SdkHttpRequest.getUri() results in creating a URI which is slow and we don't need the query components
+            // construct only the endpoint that we require for DPoP.
+            String portString =
+                SdkHttpUtils.isUsingStandardPort(httpRequest.protocol(), httpRequest.port()) ? "" : ":" + httpRequest.port();
+            return httpRequest.protocol() + "://" + httpRequest.host() + portString + httpRequest.encodedPath();
+        }
     }
 
     private static class DpopIdentityProvider implements IdentityProvider<DpopIdentity> {
diff --git a/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopHeaderGenerator.java b/services/signin/src/main/java/software/amazon/awssdk/services/signin/internal/DpopHeaderGenerator.java
@@ -57,26 +57,25 @@ private DpopHeaderGenerator() {
      * <li><a href="https://datatracker.ietf.org/doc/html/rfc7517">RFC 7517 - JSON Web Key (JWK)</a></li>
      * </ul>
      *
-     * @param pemContent - EC1 / RFC 5915 ASN.1 formated PEM contents
+     * @param dpopIdentity - DpopIdentity containing ECPrivateKey and ECPublicKey
      * @param endpoint - The HTTP target URI (Section 7.1 of [RFC9110]) of the request to which the JWT is attached,
      *                 without query and fragment parts
      * @param httpMethod - the HTTP method of the request (eg: POST).
      * @param epochSeconds - creation time of the JWT in epoch seconds.
      * @param uuid - Unique identifier for the DPoP proof JWT - should be a UUID4 string.
      * @return DPoP header value
      */
-    public static String generateDPoPProofHeader(String pemContent, String endpoint, String httpMethod,
+    public static String generateDPoPProofHeader(DpopAuthScheme.DpopIdentity dpopIdentity, String endpoint, String httpMethod,
                                                  long epochSeconds, String uuid) {
-        Validate.paramNotBlank(pemContent, "pemContent");
+        Validate.paramNotNull(dpopIdentity, "dpopIdentity");
         Validate.paramNotBlank(endpoint, "endpoint");
         Validate.paramNotBlank(httpMethod, "httpMethod");
         Validate.paramNotBlank(uuid, "uuid");
 
         try {
             // Load EC public and private key from PEM
-            Pair<ECPrivateKey, ECPublicKey> keys = EcKeyLoader.loadSec1Pem(pemContent);
-            ECPrivateKey privateKey = keys.left();
-            ECPublicKey publicKey = keys.right();
+            ECPrivateKey privateKey = dpopIdentity.getPrivateKey();
+            ECPublicKey publicKey = dpopIdentity.getPublicKey();
 
             // Build JSON strings (header, payload) with JsonGenerator
             byte[] headerJson = buildHeaderJson(publicKey);
diff --git a/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProviderTest.java b/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/LoginCredentialsProviderTest.java
@@ -17,6 +17,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
@@ -25,38 +26,70 @@
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.VALID_TEST_PEM;
+import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.getJwtPayloadFromEncodedDpopHeader;
+import static software.amazon.awssdk.services.signin.auth.internal.DpopTestUtils.verifySignature;
 
+import java.io.ByteArrayInputStream;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import org.mockito.ArgumentCaptor;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
+import software.amazon.awssdk.core.SdkRequest;
 import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.interceptor.Context;
+import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
+import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
 import software.amazon.awssdk.core.useragent.BusinessMetricFeatureId;
+import software.amazon.awssdk.http.AbortableInputStream;
+import software.amazon.awssdk.http.HttpExecuteResponse;
+import software.amazon.awssdk.http.SdkHttpRequest;
+import software.amazon.awssdk.http.SdkHttpResponse;
+import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.signin.SigninClient;
 import software.amazon.awssdk.services.signin.internal.AccessTokenManager;
 import software.amazon.awssdk.services.signin.internal.LoginAccessToken;
 import software.amazon.awssdk.services.signin.internal.OnDiskTokenManager;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenRequest;
 import software.amazon.awssdk.services.signin.model.CreateOAuth2TokenResponse;
 import software.amazon.awssdk.services.signin.model.SigninException;
+import software.amazon.awssdk.testutils.service.http.MockAsyncHttpClient;
+import software.amazon.awssdk.testutils.service.http.MockSyncHttpClient;
 
 public class LoginCredentialsProviderTest {
     private static final String LOGIN_SESSION_ID = "loginSessionId";
 
     private AccessTokenManager tokenManager;
     private SigninClient signinClient;
+    private MockSyncHttpClient mockHttpClient;
+    private CaptureRequestInterceptor captureRequestInterceptor;
     private LoginCredentialsProvider loginCredentialsProvider;
 
     @TempDir
     Path tempDir;
 
     @BeforeEach
     public void setup() {
-        signinClient = mock(SigninClient.class);
+        mockHttpClient = new MockSyncHttpClient();
+        captureRequestInterceptor = new CaptureRequestInterceptor();
+        signinClient = SigninClient
+            .builder()
+            .region(Region.US_EAST_1)
+            .endpointOverride(URI.create("https://custom-signin-endpoint.com"))
+            .httpClient(mockHttpClient)
+            .overrideConfiguration(c -> c.addExecutionInterceptor(captureRequestInterceptor))
+            .build();
+
         tokenManager = OnDiskTokenManager.create(tempDir, LOGIN_SESSION_ID);
 
         loginCredentialsProvider = LoginCredentialsProvider
@@ -89,7 +122,7 @@ public void resolveCredentials_whenCredentialsFresh_usesFromDisk() {
 
         AwsCredentials resolveCredentials = loginCredentialsProvider.resolveCredentials();
 
-        verify(signinClient, never()).createOAuth2Token(any(CreateOAuth2TokenRequest.class));
+        assertEquals(0, mockHttpClient.getRequests().size());
 
         assertEquals(creds.accessKeyId(), resolveCredentials.accessKeyId());
         assertEquals(creds.secretAccessKey(), resolveCredentials.secretAccessKey());
@@ -104,19 +137,17 @@ public void resolveCredentials_whenCredentialsNearExpiration_refreshesAndUpdates
         AwsSessionCredentials creds = buildCredentials(Instant.now().plusSeconds(10));
         LoginAccessToken token = buildAccessToken(creds);
         tokenManager.storeToken(token);
-        when(signinClient.createOAuth2Token(any(CreateOAuth2TokenRequest.class))).thenReturn(
-            buildSuccessfulRefreshResponse()
-        );
-        AwsCredentials resolvedCredentials = loginCredentialsProvider.resolveCredentials();
+        stubSuccessfulRefreshResponse();
 
-        ArgumentCaptor<CreateOAuth2TokenRequest> captor =
-            ArgumentCaptor.forClass(CreateOAuth2TokenRequest.class);
+        AwsCredentials resolvedCredentials = loginCredentialsProvider.resolveCredentials();
 
         // verify the service was called with correct arguments
-        verify(signinClient, times(1)).createOAuth2Token(captor.capture());
-        assertEquals(token.getClientId(), captor.getValue().tokenInput().clientId());
-        assertEquals(token.getRefreshToken(), captor.getValue().tokenInput().refreshToken());
-        assertEquals("refresh_token", captor.getValue().tokenInput().grantType());
+        assertEquals(1, captureRequestInterceptor.requests.size());
+        assertInstanceOf(CreateOAuth2TokenRequest.class, captureRequestInterceptor.requests.get(0));
+        CreateOAuth2TokenRequest request = (CreateOAuth2TokenRequest) captureRequestInterceptor.requests.get(0);
+        assertEquals(token.getClientId(), request.tokenInput().clientId());
+        assertEquals(token.getRefreshToken(), request.tokenInput().refreshToken());
+        assertEquals("refresh_token", request.tokenInput().grantType());
         // TODO: Assert validity of DPoP header once implemented
 
         // verify that returned credentials are updated
@@ -126,28 +157,34 @@ public void resolveCredentials_whenCredentialsNearExpiration_refreshesAndUpdates
         verifyTokenCacheUpdated();
     }
 
-
-
     @Test
-    public void resolveCredentials_whenCredentialsExpired_refreshesAndUpdatesCache() {
+    public void resolveCredentials_whenCredentialsExpired_refreshesAndUpdatesCache() throws Exception {
         // within the stale time
         AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(600));
         LoginAccessToken token = buildAccessToken(creds);
         tokenManager.storeToken(token);
-        when(signinClient.createOAuth2Token(any(CreateOAuth2TokenRequest.class))).thenReturn(
-            buildSuccessfulRefreshResponse()
-        );
-        AwsCredentials resolvedCredentials = loginCredentialsProvider.resolveCredentials();
+        stubSuccessfulRefreshResponse();
 
-        ArgumentCaptor<CreateOAuth2TokenRequest> captor =
-            ArgumentCaptor.forClass(CreateOAuth2TokenRequest.class);
+        AwsCredentials resolvedCredentials = loginCredentialsProvider.resolveCredentials();
 
         // verify the service was called with correct arguments
-        verify(signinClient, times(1)).createOAuth2Token(captor.capture());
-        assertEquals(token.getClientId(), captor.getValue().tokenInput().clientId());
-        assertEquals(token.getRefreshToken(), captor.getValue().tokenInput().refreshToken());
-        assertEquals("refresh_token", captor.getValue().tokenInput().grantType());
-        // TODO: Assert validity of DPoP header once implemented
+        assertEquals(1, captureRequestInterceptor.requests.size());
+        assertInstanceOf(CreateOAuth2TokenRequest.class, captureRequestInterceptor.requests.get(0));
+        CreateOAuth2TokenRequest request = (CreateOAuth2TokenRequest) captureRequestInterceptor.requests.get(0);
+        assertEquals(token.getClientId(), request.tokenInput().clientId());
+        assertEquals(token.getRefreshToken(), request.tokenInput().refreshToken());
+        assertEquals("refresh_token", request.tokenInput().grantType());
+
+        // verify the request is correctly signed with DPoP header
+        List<String> dpopHeader = captureRequestInterceptor.httpRequests.get(0).headers().get("DPoP");
+        assertNotNull(dpopHeader);
+        assertEquals(1, dpopHeader.size());
+        assertTrue(verifySignature(dpopHeader.get(0)));
+
+        Map<String, Object> payload = getJwtPayloadFromEncodedDpopHeader(dpopHeader.get(0));
+        assertEquals("POST", payload.get("htm"));
+        assertEquals("https://custom-signin-endpoint.com/v1/token", payload.get("htu"));
+
 
         // verify that returned credentials are updated
         verifyResolvedCredentialsAreUpdated(resolvedCredentials);
@@ -162,7 +199,12 @@ public void resolveCredentials_whenCredentialsExpired_serviceCallFails_raisesExc
         AwsSessionCredentials creds = buildCredentials(Instant.now().minusSeconds(60));
         LoginAccessToken token = buildAccessToken(creds);
         tokenManager.storeToken(token);
-        when(signinClient.createOAuth2Token(any(CreateOAuth2TokenRequest.class))).thenThrow(SigninException.class);
+        mockHttpClient.stubNextResponse(
+            HttpExecuteResponse
+                .builder()
+                .response(SdkHttpResponse.builder().statusCode(500).build())
+                .build()
+        );
         assertThrows(SdkClientException.class, () -> loginCredentialsProvider.resolveCredentials());
     }
 
@@ -188,22 +230,23 @@ private void verifyTokenCacheUpdated() {
         assertEquals("new-refresh-token", updatedToken.getRefreshToken());
     }
 
-    private static CreateOAuth2TokenResponse buildSuccessfulRefreshResponse() {
-        return CreateOAuth2TokenResponse
-            .builder()
-            .tokenOutput(
-                t ->
-                    t
-                        .expiresIn(600)
-                        .refreshToken("new-refresh-token")
-                        .accessToken(
-                            c ->
-                                c
-                                    .accessKeyId("new-akid")
-                                    .secretAccessKey("new-skid")
-                                    .sessionToken("new-session-token"))
-            )
-            .build();
+    private void stubSuccessfulRefreshResponse() {
+        String jsonBody =
+            "{\"accessToken\":"
+            + "{\"accessKeyId\":\"new-akid\","
+            + "\"secretAccessKey\":\"new-skid\","
+            + "\"sessionToken\":\"new-session-token\"},"
+            + "\"tokenType\":\"aws_sigv4\","
+            + "\"expiresIn\":600,"
+            + "\"refreshToken\":\"new-refresh-token\"}";
+
+        mockHttpClient.stubNextResponse(
+            HttpExecuteResponse
+                .builder()
+                .response(SdkHttpResponse.builder().statusCode(200).build())
+                .responseBody(AbortableInputStream.create(new ByteArrayInputStream(jsonBody.getBytes(StandardCharsets.UTF_8))))
+                .build()
+        );
     }
 
     private AwsSessionCredentials buildCredentials(Instant expirationTime) {
@@ -220,12 +263,22 @@ private LoginAccessToken buildAccessToken(AwsSessionCredentials credentials) {
         return LoginAccessToken.builder()
                                .accessToken(credentials)
                                .clientId("client-123")
-                               .dpopKey("dpop-key")
+                               .dpopKey(VALID_TEST_PEM)
                                .refreshToken("refresh-token")
                                .tokenType("aws_sigv4")
                                .identityToken("id-token")
                                .build();
     }
 
+    private static class CaptureRequestInterceptor implements ExecutionInterceptor {
 
+        private List<SdkHttpRequest> httpRequests = new ArrayList<>();
+        private List<SdkRequest> requests = new ArrayList<>();
+
+        @Override
+        public void beforeTransmission(Context.BeforeTransmission context, ExecutionAttributes executionAttributes) {
+            this.httpRequests.add(context.httpRequest());
+            this.requests.add(context.request());
+        }
+    }
 }
diff --git a/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/internal/DpopHeaderGeneratorTest.java b/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/internal/DpopHeaderGeneratorTest.java
diff --git a/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/internal/DpopTestUtils.java b/services/signin/src/test/java/software/amazon/awssdk/services/signin/auth/internal/DpopTestUtils.java
