wso2 · Kirishikesan · Apr 2, 2024 · Apr 2, 2024 · Apr 4, 2024
@@ -228,6 +228,8 @@ public void setSoapToRestSequences(List<SOAPToRestSequence> soapToRestSequences)
 
     private String audience;
 
+    private Set<String> audiences;
+
     public String getAudience() {
         return audience;
     }
@@ -236,6 +238,23 @@ public void setAudience(String audience) {
         this.audience = audience;
     }
 
+    /**
+     * To get the audiences for jwt validation
+     *
+     * @return audiences of the API
+     */
+    public Set<String> getAudiences() {
+        return audiences;
+    }
+
+    /**
+     * To set the audiences for jwt validation
+     *
+     */
+    public void setAudiences(Set<String> audiences) {
+        this.audiences = audiences;
+    }
+
     public void setEnvironmentList(Set<String> environmentList) {
         this.environmentList = environmentList;
     }

@@ -132,6 +132,11 @@ public class APIProduct implements Serializable {
      * Used to set the workflow status in lifecycle state change workflow
      */
     private String workflowStatus = null;
+
+    /**
+     * Used to set the audiences values in jwt audience validation
+     */
+    private Set<String> audiences;
     private Boolean isDefaultVersion = true;
     private boolean isPublishedDefaultVersion = false;
     public APIProduct(){}
@@ -222,6 +227,24 @@ public void setType(String type) {
             this.type = type;
         }
     }
+
+    /**
+     * To get the audiences for jwt validation
+     *
+     * @return audiences of the API
+     */
+    public Set<String> getAudiences() {
+        return audiences;
+    }
+
+    /**
+     * To set the audiences for jwt validation
+     *
+     */
+    public void setAudiences(Set<String> audiences) {
+        this.audiences = audiences;
+    }
+
     public String getBusinessOwner() {
         return businessOwner;
     }

@@ -63,11 +63,14 @@
 import org.wso2.carbon.metrics.manager.Timer;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.TreeMap;
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
@@ -94,6 +97,7 @@ public class APIAuthenticationHandler extends AbstractHandler implements Managed
     private SynapseEnvironment synapseEnvironment;
 
     private String authorizationHeader;
+    private Set<String> audiences = new HashSet<>();;
     private String apiKeyHeader;
     private String apiSecurity;
     private String apiLevelPolicy;
@@ -202,6 +206,26 @@ public void setAuthorizationHeader(String authorizationHeader) {
         this.authorizationHeader = authorizationHeader;
     }
 
+    /**
+     * To set the audiences for api.
+     *
+     * @param audiences the audiences of the API request.
+     */
+    public void setAudiences(String audiences) {
+        if (!StringUtils.isEmpty(audiences)) {
+            this.audiences = new HashSet<>(Arrays.asList(audiences.split(",")));
+        }
+    }
+
+    /**
+     * To get the audiences of an api.
+     *
+     * @return API level audiences for JWT validation.
+     */
+    public Set<String> getAudiences() {
+        return audiences;
+    }
+
     /**
      * To get the Api Key Header.
      *
@@ -343,7 +367,7 @@ protected void initializeAuthenticators() {
         }
         if (isOAuthProtected) {
             Authenticator authenticator = new OAuthAuthenticator(authorizationHeader, isOAuthBasicAuthMandatory,
-                    removeOAuthHeadersFromOutMessage);
+                    removeOAuthHeadersFromOutMessage, this.getAudiences());
             authenticator.init(synapseEnvironment);
             authenticators.add(authenticator);
         }
@@ -689,6 +713,7 @@ private void handleAuthFailure(MessageContext messageContext, APISecurityExcepti
             status = HttpStatus.SC_INTERNAL_SERVER_ERROR;
         } else if (e.getErrorCode() == APISecurityConstants.API_AUTH_INCORRECT_API_RESOURCE ||
                 e.getErrorCode() == APISecurityConstants.API_AUTH_FORBIDDEN ||
+                e.getErrorCode() == APISecurityConstants.API_OAUTH_INVALID_AUDIENCES ||
                 e.getErrorCode() == APISecurityConstants.INVALID_SCOPE) {
             status = HttpStatus.SC_FORBIDDEN;
         } else {

@@ -70,6 +70,9 @@
     public static final int API_AUTH_MISSING_OPEN_API_DEF = 900911;
     public static final String API_AUTH_MISSING_OPEN_API_DEF_ERROR_MESSAGE = "Internal Server Error";
 
+    public static final int API_OAUTH_INVALID_AUDIENCES = 900912;
+    public static final String API_OAUTH_INVALID_AUDIENCES_MESSAGE = "The access token does not allow you to access the requested resource";
+
     public static final int OAUTH_TEMPORARY_SERVER_ERROR = 900424;
     public static final String OAUTH_TEMPORARY_SERVER_ERROR_MESSAGE = "Temporary Server Error";
 
@@ -112,6 +115,9 @@
             case API_AUTH_INCORRECT_ACCESS_TOKEN_TYPE:
                 errorMessage = API_AUTH_INCORRECT_ACCESS_TOKEN_TYPE_MESSAGE;
                 break;
+            case API_OAUTH_INVALID_AUDIENCES:
+                errorMessage = API_OAUTH_INVALID_AUDIENCES_MESSAGE;
+                break;
             case API_BLOCKED:
                 errorMessage = API_BLOCKED_MESSAGE;
                 break;

@@ -68,6 +68,7 @@
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import javax.cache.Cache;
@@ -82,6 +83,7 @@
     private APIKeyValidator apiKeyValidator;
     private boolean jwtGenerationEnabled;
     private AbstractAPIMgtGatewayJWTGenerator apiMgtGatewayJWTGenerator;
+    private Set<String> audiences;
     ExtendedJWTConfigurationDto jwtConfigurationDto;
     JWTValidationService jwtValidationService;
     private static volatile long ttl = -1L;
@@ -132,6 +134,12 @@
         this.jwtValidationService = jwtValidationService;
     }
 
+    public JWTValidator(APIKeyValidator apiKeyValidator, String tenantDomain, Set<String> audiences)
+            throws APIManagementException {
+        this(apiKeyValidator, tenantDomain);
+        this.setAudiences(audiences);
+    }
+
     /**
      * Authenticates the given request with a JWT token to see if an API consumer is allowed to access
      * a particular API or not.
@@ -274,6 +282,7 @@
                 }
                 // Validate scopes
                 validateScopes(apiContext, apiVersion, matchingResource, httpMethod, jwtValidationInfo, signedJWTInfo);
+                validateAudiences(signedJWTInfo);
                 synCtx.setProperty(APIMgtGatewayConstants.SCOPES, jwtValidationInfo.getScopes().toString());
                 synCtx.setProperty(APIMgtGatewayConstants.JWT_CLAIMS, jwtValidationInfo.getClaims());
                 if (apiKeyValidationInfoDTO.isAuthorized()) {
@@ -347,6 +356,35 @@
         }
     }
 
+    public Set<String> getAudiences() {
+
+        return audiences;
+    }
+
+    public void setAudiences(Set<String> audiences) {
+
+        this.audiences = audiences;
+    }
+
+    private boolean validateAudiences(SignedJWTInfo signedJWTInfo) throws APISecurityException {
+        if (this.getAudiences() == null || this.getAudiences().isEmpty() ||
+                this.getAudiences().contains(APIConstants.ALL_AUDIENCES)) {
+            return true;
+        }
+        List<String> jwtAudienceClaim = signedJWTInfo.getJwtClaimsSet().getAudience();
+        if (jwtAudienceClaim == null) {
+            throw new APISecurityException(APISecurityConstants.API_OAUTH_INVALID_AUDIENCES,
+                    APISecurityConstants.API_OAUTH_INVALID_AUDIENCES_MESSAGE);
+        }
+        for (String aud : this.getAudiences()) {
+            if (jwtAudienceClaim.contains(aud)) {
+                return true;
+            }
+        }
+        throw new APISecurityException(APISecurityConstants.API_OAUTH_INVALID_AUDIENCES,
+                APISecurityConstants.API_OAUTH_INVALID_AUDIENCES_MESSAGE);
+    }
+
     private String generateAndRetrieveJWTToken(String tokenSignature, JWTInfoDto jwtInfoDto)
             throws APISecurityException {
 

@@ -18,6 +18,8 @@
 
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
+import org.apache.axiom.om.OMElement;
+import org.apache.axis2.AxisFault;
 import org.apache.axis2.Constants;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
@@ -27,7 +29,9 @@
 import org.apache.synapse.core.SynapseEnvironment;
 import org.apache.synapse.core.axis2.Axis2MessageContext;
 import org.apache.synapse.rest.RESTConstants;
+import org.wso2.carbon.apimgt.api.APIConsumer;
 import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.api.model.ApiTypeWrapper;
 import org.wso2.carbon.apimgt.common.gateway.constants.GraphQLConstants;
 import org.wso2.carbon.apimgt.common.gateway.dto.JWTConfigurationDto;
 import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
@@ -56,6 +60,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.cache.Cache;
 
 /**
@@ -83,11 +88,18 @@ public class OAuthAuthenticator implements Authenticator {
     private boolean removeDefaultAPIHeaderFromOutMessage = true;
     private String requestOrigin;
     private boolean isMandatory;
+    private Set<String> audiences;
     private ThreadLocal<String> remainingAuthHeader = new ThreadLocal<String>();
 
     public OAuthAuthenticator() {
     }
 
+    public OAuthAuthenticator(String authorizationHeader, boolean isMandatory, boolean removeOAuthHeader,
+                              Set<String> audiences) {
+        this(authorizationHeader, isMandatory, removeOAuthHeader);
+        this.setAudiences(audiences);
+    }
+
     public OAuthAuthenticator(String authorizationHeader, boolean isMandatory, boolean removeOAuthHeader) {
         this.securityHeader = authorizationHeader;
         this.removeOAuthHeadersFromOutMessage = removeOAuthHeader;
@@ -118,7 +130,7 @@ public AuthenticationResponse authenticate(MessageContext synCtx) throws APIMana
         }
 
         if (jwtValidator == null) {
-            this.jwtValidator = new JWTValidator(this.keyValidator, tenantDomain);
+            this.jwtValidator = new JWTValidator(this.keyValidator, tenantDomain, this.getAudiences());
         }
 
         config = getApiManagerConfiguration();
@@ -471,6 +483,14 @@ private void setSecurityContextHeader(String securityContextHeader) {
         this.securityContextHeader = securityContextHeader;
     }
 
+    public void setAudiences(Set<String> audiences) {
+        this.audiences = audiences;
+    }
+
+    public Set<String> getAudiences() {
+        return audiences;
+    }
+
     private boolean isRemoveOAuthHeadersFromOutMessage() {
         String value = config.getFirstProperty(APIConstants.REMOVE_OAUTH_HEADERS_FROM_MESSAGE);
         if (value != null) {

@@ -846,6 +846,8 @@ private Permissions() {
     public static final String JWT_AUDIENCES = "JWTAudiences";
     public static final String JWT_AUDIENCE = "JWTAudience";
     public static final String AUDIENCE = "Audience";
+    public static final String AUDIENCES = "Audiences";
+    public static final String ALL_AUDIENCES = "all";
     public static final String BASEPATH = "Basepath";
     public static final String URN_CHOREO = "urn:choreo:";
     public static final String BASE_PATH = "http.base.path";

@@ -54,6 +54,7 @@ public final class APIConstants {
     public static final String API_OVERVIEW_VISIBLE_TENANTS = "overview_visibleTenants";
     public static final String API_OVERVIEW_ENVIRONMENTS = "overview_environments";
     public static final String API_OVERVIEW_AUDIENCE = "overview_audience";
+    public static final String API_OVERVIEW_AUDIENCES = "overview_audiences";
     public static final String API_PROVIDER = "Provider";
     public static final String API_NAME = "Name";
     public static final String API_VERSION_LABEL = "Version";

@@ -15,6 +15,7 @@
  */
 package org.wso2.carbon.apimgt.persistence;
 
+import com.google.gson.Gson;
 import org.apache.axiom.om.OMAttribute;
 import org.apache.axiom.om.OMElement;
 import org.apache.axiom.om.util.AXIOMUtil;
@@ -1003,6 +1004,10 @@ private PublisherAPISearchResult searchPaginatedPublisherAPIs(Registry userRegis
                 apiInfo.setThumbnail(artifact.getAttribute(APIConstants.API_OVERVIEW_THUMBNAIL_URL));
                 apiInfo.setVersion(artifact.getAttribute(APIConstants.API_OVERVIEW_VERSION));
                 apiInfo.setAudience(artifact.getAttribute(APIConstants.API_OVERVIEW_AUDIENCE));
+                String audiences = artifact.getAttribute(APIConstants.API_OVERVIEW_AUDIENCES);
+                if (StringUtils.isNotEmpty(audiences)) {
+                    apiInfo.setAudiences(new Gson().fromJson(audiences, Set.class));
+                }
                 apiInfo.setCreatedTime(String.valueOf(apiResource.getCreatedTime().getTime()));
                 apiInfo.setUpdatedTime(apiResource.getLastModified());
                 apiInfo.setUpdatedBy(apiResource.getLastUpdaterUserName());
@@ -3379,6 +3384,10 @@ public PublisherAPIProductSearchResult searchAPIProductsForPublisher(Organizatio
                 info.setVersion(artifact.getAttribute(APIConstants.API_OVERVIEW_VERSION));
                 info.setApiSecurity(artifact.getAttribute(APIConstants.API_OVERVIEW_API_SECURITY));
                 info.setThumbnail(artifact.getAttribute(APIConstants.API_OVERVIEW_THUMBNAIL_URL));
+                String audiences = artifact.getAttribute(APIConstants.API_OVERVIEW_AUDIENCES);
+                if (StringUtils.isNotEmpty(audiences)) {
+                    info.setAudiences(new Gson().fromJson(audiences, Set.class));
+                }
                 info.setBusinessOwner(artifact.getAttribute(APIConstants.API_OVERVIEW_BUSS_OWNER));
                 info.setBusinessOwnerEmail(artifact.getAttribute(APIConstants.API_OVERVIEW_BUSS_OWNER_EMAIL));
                 info.setTechnicalOwner(artifact.getAttribute(APIConstants.API_OVERVIEW_TEC_OWNER));

@@ -95,6 +95,7 @@ public class PublisherAPI extends PublisherAPIInfo {
 
     private String versionTimestamp;
     private String audience;
+    private Set<String> audiences;
     private String apiExternalProductionEndpoint;
     private String apiExternalSandboxEndpoint;
     private String redirectURL;
@@ -109,6 +110,14 @@ public void setAudience(String audience) {
         this.audience = audience;
     }
 
+    public Set<String> getAudiences() {
+        return audiences;
+    }
+
+    public void setAudiences(Set<String> audiences) {
+        this.audiences = audiences;
+    }
+
     public List<SOAPToRestSequence> getSoapToRestSequences() {
         return soapToRestSequences;
     }