support external identity provider for issuing jag tokens

[havetisyan]

Description

Continue implementation of JWT Authorization Grant Support #3100

Contribution Checklist:

• The pull request does not introduce any breaking changes
• I have read the contribution guidelines.
• Create an issue and link to the pull request.

Attach Screenshots (Optional)

[gemini-code-assist]

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances Athenz's ZTS (ZMS Token Service) by introducing robust support for external identity providers when issuing and exchanging JWT Authorization Grant (JAG) tokens. It provides a flexible mechanism for integrating with third-party identity systems, allowing for custom identity mapping and the inclusion of additional claims in issued tokens. These changes streamline the process of federating identities and extend the capabilities of Athenz's token management.

Highlights

• New TokenExchangeIdentityProvider Interface: A new interface, TokenExchangeIdentityProvider, has been introduced in auth_core. This interface allows external identity providers to define how to map an external token's principal to an Athenz identity and specify which custom claims should be included in the generated token.
• Custom Claims Support in Tokens: The AccessToken and IdToken classes now support adding custom claims to JWTs. This enhancement includes modifications to their getSignedToken methods and the addition of an isStandardClaim method to prevent accidental overwriting of standard JWT claims.
• Refactored External Identity Provider Configuration: ZTS now uses a ProviderConfigManager to load external identity provider configurations from a JSON file, replacing the previous athenz.zts.openid_jag_issuers property with athenz.zts.oauth_provider_config_file. This provides a more structured and flexible way to manage external issuer details.
• Enhanced Token Exchange Logic: The ZTS processJAGTokenIssueRequest and processJAGTokenExchangeRequest methods have been updated to leverage the new TokenExchangeIdentityProvider. This allows for dynamic mapping of external identities and inclusion of custom claims during the token issuance and exchange processes.
• Service Client ID Caching: The DataCache and DataStore components in ZTS have been extended to cache and retrieve clientId values for services. This is crucial for validating the audience of external tokens during the token exchange process, ensuring that the token is intended for the requesting service.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for external identity providers when issuing JAG tokens. The changes are well-structured, introducing a TokenExchangeIdentityProvider interface and a ProviderConfigManager to handle configurations from a JSON file. The core logic in ZTSImpl has been refactored to accommodate this new functionality, and the changes are supported by a good set of unit tests. My review includes a few suggestions for improving robustness and code clarity.

[yosrixp]

Looks good