initial support for exchaning jag tokens with access tokens

[havetisyan]

Description

This is the second PR to support Identity Assertion Authorization Grant support in ZTS #3100. We'll might be decide to include additional authorization checks in the future.

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request lays the groundwork for integrating Identity Assertion Authorization Grant (JAG) functionality into Athenz's ZTS component. It introduces the necessary infrastructure to process and validate external JWTs, allowing them to be exchanged for Athenz access tokens. This enhancement significantly broadens ZTS's interoperability by enabling it to trust and leverage tokens issued by external identity providers, streamlining authorization workflows for services that rely on external authentication mechanisms.

Highlights

• Identity Assertion Authorization Grant (JAG) Support: Introduced initial support for the Identity Assertion Authorization Grant (JAG) in ZTS, enabling the exchange of external JWTs for Athenz access tokens. This is a significant step towards ZTS Identity Assertion Authorization Grant support in ZTS #3100.
• Enhanced JWT Processing: The auth_core library now includes new constructors for AccessToken and OAuth2Token that accept a ConfigurableJWTProcessor for more flexible token validation. The JwtsHelper class has been extended with new getJWTProcessor overloads to support custom JOSEObjectTypeVerifier and a list of JwtsResolver objects.
• Configurable External JWT Issuers: A new JwtsResolver class and corresponding logic in JwtsSigningKeyResolver allow ZTS to configure and trust multiple external JWT issuers. This configuration is managed via the new athenz.zts.openid_jag_issuers property, which supports specifying issuer URLs, default JWKS URIs, and proxy URLs.
• JAG Token Validation and Exchange Logic: The ZTS server now includes processAccessTokenJAGRequest to validate incoming JAG tokens against configured external issuers, verify audience and client ID claims, and then issue Athenz access tokens based on the granted roles and the JAG token's expiry.
• New Utility Method: A getRemainingExpiryTime utility method has been added to ZTSUtils to safely calculate the remaining validity period of a token, handling potential overflow issues and expired tokens.
• Comprehensive Unit Tests: Extensive unit tests have been added across AccessTokenTest, JwtsHelperTest, JwtsResolverTest, JwtsSigningKeyResolverTest, ZTSImplAccessTokenTest, ZTSImplTest, AccessTokenRequestTest, and ZTSUtilsTest to ensure the robustness and correctness of the new JAG token processing and related functionalities.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for exchanging JWT Authorization Grant (JAG) tokens for Athenz access tokens. The changes span across the auth_core and zts-server modules, introducing new classes like JwtsResolver and extending existing ones like AccessToken and JwtsHelper to handle JWT processing with configurable processors and multiple JWKS URI resolvers. The ZTS server implementation is updated to process these new JAG requests, including validation of the assertion and authorization of the requested scopes. The test coverage for the new functionality is comprehensive.

My review includes a few suggestions for minor refactoring to improve code maintainability and fix some typos to adhere to Java naming conventions.