[TT-15359]: Added extra jwt validation (#7269)

<details open>
<summary><a href="https://tyktech.atlassian.net/browse/TT-15359"
title="TT-15359" target="_blank">TT-15359</a></summary>
  <br />
  <table>
    <tr>
      <th>Summary</th>
      <td> Core Registered Claims Validation</td>
    </tr>
    <tr>
      <th>Type</th>
      <td>
<img alt="Story"
src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10315?size=medium"
/>
        Story
      </td>
    </tr>
    <tr>
      <th>Status</th>
      <td>In Dev</td>
    </tr>
    <tr>
      <th>Points</th>
      <td>N/A</td>
    </tr>
    <tr>
      <th>Labels</th>
<td><a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC"
title="jira_escalated">jira_escalated</a></td>
    </tr>
  </table>
</details>
<!--
  do not remove this marker as it will break jira-lint's functionality.
  added_by_jira_lint
-->

---

<!-- Provide a general summary of your changes in the Title above -->

## Description
[TT-15359](https://tyktech.atlassian.net/browse/TT-15359)

<!-- Describe your changes in detail -->

## Related Issue

<!-- This project only accepts pull requests related to open issues. -->
<!-- If suggesting a new feature or change, please discuss it in an
issue first. -->
<!-- If fixing a bug, there should be an issue describing it with steps
to reproduce. -->
<!-- OSS: Please link to the issue here. Tyk: please create/link the
JIRA ticket. -->

## Motivation and Context

<!-- Why is this change required? What problem does it solve? -->

## How This Has Been Tested

<!-- Please describe in detail how you tested your changes -->
<!-- Include details of your testing environment, and the tests -->
<!-- you ran to see how your change affects other areas of the code,
etc. -->
<!-- This information is helpful for reviewers and QA. -->

## Screenshots (if appropriate)

## Types of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test
coverage to functionality)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply -->
<!-- If there are no documentation updates required, mark the item as
checked. -->
<!-- Raise up any additional concerns not covered by the checklist. -->

- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why


[TT-15359]:
https://tyktech.atlassian.net/browse/TT-15359?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Author: kofoworola

apidef/oas/authentication.go

@@ -484,6 +484,11 @@ type Scopes struct {
 	// - For JWT: `scopes.jwt.scope_claim_name`
 	ClaimName string `bson:"claimName,omitempty" json:"claimName,omitempty"`
 
+	// Claims contains a list of claims that contains the claim name.
+	// The first match from the list of claims in the token is used.
+	// OAS only field applied to OAS apis.
+	Claims []string `bson:"claims,omitempty" json:"claims,omitempty"`
+
 	// ScopeToPolicyMapping contains the mappings of scopes to policy IDs.
 	//
 	// Tyk classic API definition:
@@ -495,6 +500,9 @@ type Scopes struct {
 // Fill fills *Scopes from *apidef.ScopeClaim.
 func (s *Scopes) Fill(scopeClaim *apidef.ScopeClaim) {
 	s.ClaimName = scopeClaim.ScopeClaimName
+	if s.ClaimName != "" {
+		s.Claims = []string{scopeClaim.ScopeClaimName}
+	}
 
 	s.ScopeToPolicyMapping = []ScopeToPolicy{}
 

apidef/oas/authentication_test.go

@@ -22,15 +22,41 @@ func TestAuthentication(t *testing.T) {
 }
 
 func TestScopes(t *testing.T) {
-	var emptyScopes Scopes
+	t.Run("default", func(t *testing.T) {
+		var emptyScopes Scopes
 
-	scopeClaim := apidef.ScopeClaim{}
-	emptyScopes.ExtractTo(&scopeClaim)
+		scopeClaim := apidef.ScopeClaim{}
+		emptyScopes.ExtractTo(&scopeClaim)
 
-	var resultScopes Scopes
-	resultScopes.Fill(&scopeClaim)
+		var resultScopes Scopes
+		resultScopes.Fill(&scopeClaim)
+
+		assert.Equal(t, emptyScopes, resultScopes)
+	})
+	t.Run("fill scope claim", func(t *testing.T) {
+		var emptyScopes Scopes
+
+		scopeClaim := apidef.ScopeClaim{
+			ScopeClaimName: "test",
+		}
+
+		emptyScopes.Fill(&scopeClaim)
+
+		assert.Equal(t, emptyScopes.Claims, []string{scopeClaim.ScopeClaimName})
+	})
+
+	t.Run("extract scope claim", func(t *testing.T) {
+		var emptydefScopeClaim apidef.ScopeClaim
+
+		scope := Scopes{
+			Claims:    []string{"test", "second"},
+			ClaimName: "test",
+		}
+
+		scope.ExtractTo(&emptydefScopeClaim)
+		assert.Equal(t, emptydefScopeClaim.ScopeClaimName, "test")
+	})
 
-	assert.Equal(t, emptyScopes, resultScopes)
 }
 
 func TestAuthSources(t *testing.T) {

apidef/oas/schema/x-tyk-api-gateway.json

@@ -218,6 +218,10 @@
         "claimName": {
           "type": "string"
         },
+        "claims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "scopeToPolicyMapping": {
           "type": "array",
           "items": [
@@ -1612,12 +1616,36 @@
         "identityBaseField": {
           "type": "string"
         },
+        "subjectClaims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "skipKid": {
           "type": "boolean"
         },
         "policyFieldName": {
           "type": "string"
         },
+        "basePolicyClaims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedIssuers": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedAudiences": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "jtiValidation": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedSubjects": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "clientBaseField": {
           "type": "string"
         },

apidef/oas/schema/x-tyk-api-gateway.strict.json

@@ -229,6 +229,12 @@
         "claimName": {
           "type": "string"
         },
+        "claims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "scopeToPolicyMapping": {
           "type": "array",
           "items": [
@@ -1678,12 +1684,48 @@
         "identityBaseField": {
           "type": "string"
         },
+        "subjectClaims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "skipKid": {
           "type": "boolean"
         },
         "policyFieldName": {
           "type": "string"
         },
+        "basePolicyClaims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedIssuers": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedAudiences": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "jtiValidation": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedSubjects": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "clientBaseField": {
           "type": "string"
         },

apidef/oas/security.go

@@ -122,6 +122,10 @@ type JWT struct {
 	// Tyk classic API definition: `jwt_identity_base_field`
 	IdentityBaseField string `bson:"identityBaseField,omitempty" json:"identityBaseField,omitempty"`
 
+	// SubjectClaims specifies a list of claims that can be used to identity the subject of the JWT.
+	// The field is an OAS only field and is only used in OAS APIs.
+	SubjectClaims []string `bson:"subjectClaims,omitempty" json:"subjectClaims,omitempty"`
+
 	// SkipKid controls skipping using the `kid` claim from a JWT (default behaviour).
 	// When this is true, the field configured in IdentityBaseField is checked first.
 	//
@@ -134,6 +138,11 @@ type JWT struct {
 	// Tyk classic API definition: `jwt_policy_field_name`
 	PolicyFieldName string `bson:"policyFieldName,omitempty" json:"policyFieldName,omitempty"`
 
+	// BasePolicyClaims specifies a list of claims from which the base PolicyID is extracted.
+	// The policy is applied to the session as a base policy.
+	// The field is an OAS only field and is only used in OAS APIs.
+	BasePolicyClaims []string `bson:"basePolicyClaims,omitempty" json:"basePolicyClaims,omitempty"`
+
 	// ClientBaseField is used when PolicyFieldName is not provided. It will get
 	// a session key and use the policies from that. The field ensures that requests
 	// use the same session.
@@ -164,6 +173,21 @@ type JWT struct {
 	// Tyk classic API definition: `jwt_expires_at_validation_skew`.
 	ExpiresAtValidationSkew uint64 `bson:"expiresAtValidationSkew,omitempty" json:"expiresAtValidationSkew,omitempty"`
 
+	// AllowedIssuers contains a list of accepted issuers for JWT validation.
+	// When configured, the JWT's issuer claim must match one of these values.
+	AllowedIssuers []string `bson:"allowedIssuers,omitempty" json:"allowedIssuers,omitempty"`
+
+	// AllowedAudiences contains a list of accepted audiences for JWT validation.
+	// When configured, the JWT's audience claim must match one of these values.
+	AllowedAudiences []string `bson:"allowedAudiences,omitempty" json:"allowedAudiences,omitempty"`
+
+	// JTIValidation contains the configuration for the validation of the JWT ID.
+	JTIValidation JTIValidation `bson:"jtiValidation,omitempty" json:"jtiValidation,omitempty"`
+
+	// AllowedSubjects contains a list of accepted subjects for JWT validation.
+	// When configured, the subject from kid/identityBaseField/sub must match one of these values.
+	AllowedSubjects []string `bson:"allowedSubjects,omitempty" json:"allowedSubjects,omitempty"`
+
 	// IDPClientIDMappingDisabled prevents Tyk from automatically detecting the use of certain IDPs based on standard claims
 	// that they include in the JWT: `client_id`, `cid`, `clientId`. Setting this flag to `true` disables the mapping and avoids
 	// accidentally misidentifying the use of one of these IDPs if one of their standard values is configured in your JWT.
@@ -172,6 +196,13 @@ type JWT struct {
 	IDPClientIDMappingDisabled bool `bson:"idpClientIdMappingDisabled,omitempty" json:"idpClientIdMappingDisabled,omitempty"`
 }
 
+// JTIValidation contains the configuration for the validation of the JWT ID.
+type JTIValidation struct {
+	// Enabled indicates whether JWT ID claim is required.
+	// When true, tokens must include a 'jti' claim.
+	Enabled bool `bson:"enabled" json:"enabled"`
+}
+
 // Import populates *JWT based on arguments.
 func (j *JWT) Import(enable bool) {
 	j.Enabled = enable
@@ -212,8 +243,14 @@ func (s *OAS) fillJWT(api apidef.APIDefinition) {
 	jwt.JwksURIs = api.JWTJwksURIs
 	jwt.SigningMethod = api.JWTSigningMethod
 	jwt.IdentityBaseField = api.JWTIdentityBaseField
+	if jwt.IdentityBaseField != "" {
+		jwt.SubjectClaims = []string{jwt.IdentityBaseField}
+	}
 	jwt.SkipKid = api.JWTSkipKid
 	jwt.PolicyFieldName = api.JWTPolicyFieldName
+	if jwt.PolicyFieldName != "" {
+		jwt.BasePolicyClaims = []string{api.JWTPolicyFieldName}
+	}
 	jwt.ClientBaseField = api.JWTClientIDBaseField
 
 	if jwt.Scopes == nil {
@@ -845,6 +882,18 @@ func (s *OAS) extractSecurityTo(api *apidef.APIDefinition) {
 	}
 }
 
+func (s *OAS) GetJWTConfiguration() *JWT {
+	for keyName := range s.getTykSecuritySchemes() {
+		if _, ok := s.Security[0][keyName]; ok {
+			v := s.Components.SecuritySchemes[keyName].Value
+			if v.Type == typeHTTP && v.Scheme == schemeBearer && v.BearerFormat == bearerFormatJWT {
+				return s.getTykJWTAuth(keyName)
+			}
+		}
+	}
+	return nil
+}
+
 func resetSecuritySchemes(api *apidef.APIDefinition) {
 	api.AuthConfigs = nil
 

apidef/oas/security_test.go

@@ -10,6 +10,84 @@ import (
 	"github.com/TykTechnologies/tyk/apidef"
 )
 
+func TestGetJWTConfiguration(t *testing.T) {
+	t.Run("should retrieve successfully", func(t *testing.T) {
+		var api apidef.APIDefinition
+		api.EnableJWT = true
+		api.AuthConfigs = map[string]apidef.AuthConfig{
+			apidef.JWTType: {
+				Name:           "jwtAuth",
+				AuthHeaderName: "Authorization",
+			},
+		}
+
+		var oas OAS
+		oas.SetTykExtension(&XTykAPIGateway{})
+		oas.fillSecurity(api)
+
+		j := oas.GetTykExtension().Server.Authentication.SecuritySchemes["jwtAuth"].(*JWT)
+		j.AllowedIssuers = []string{"issuer_one", "issuer_two"}
+		j.AllowedAudiences = []string{"audience_one", "audience_two"}
+		j.BasePolicyClaims = []string{"policy"}
+		j.SubjectClaims = []string{"new_sub"}
+
+		oas.GetTykExtension().Server.Authentication.SecuritySchemes["jwtAuth"] = j
+		gotten := oas.GetJWTConfiguration()
+
+		assert.Equal(t, j.AllowedIssuers, gotten.AllowedIssuers)
+		assert.Equal(t, []string{"new_sub"}, gotten.SubjectClaims)
+		assert.Equal(t, []string{"policy"}, gotten.BasePolicyClaims)
+		assert.Equal(t, j.AllowedAudiences, gotten.AllowedAudiences)
+	})
+
+	t.Run("should successfully convert identity and policy and return", func(t *testing.T) {
+		var api apidef.APIDefinition
+		api.EnableJWT = true
+		api.AuthConfigs = map[string]apidef.AuthConfig{
+			apidef.JWTType: {
+				Name:           "jwtAuth",
+				AuthHeaderName: "Authorization",
+			},
+		}
+		api.JWTIdentityBaseField = "new_sub"
+		api.JWTPolicyFieldName = "policy"
+
+		var oas OAS
+		oas.Fill(api)
+
+		j := oas.GetJWTConfiguration()
+		assert.Equal(t, j.IdentityBaseField, "new_sub")
+		assert.Equal(t, []string{"new_sub"}, j.SubjectClaims)
+		assert.Equal(t, j.PolicyFieldName, "policy")
+		assert.Equal(t, []string{"policy"}, j.BasePolicyClaims)
+
+		var newAPIDef apidef.APIDefinition
+		oas.GetJWTConfiguration().PolicyFieldName = "policy"
+		oas.GetJWTConfiguration().IdentityBaseField = "subject"
+		oas.ExtractTo(&newAPIDef)
+
+		assert.Equal(t, "policy", newAPIDef.JWTPolicyFieldName)
+		assert.Equal(t, "subject", newAPIDef.JWTIdentityBaseField)
+	})
+
+	t.Run("should return nil", func(t *testing.T) {
+		var auth apidef.AuthConfig
+		Fill(t, &auth, 0)
+		auth.DisableHeader = false
+
+		var api apidef.APIDefinition
+		api.AuthConfigs = map[string]apidef.AuthConfig{
+			apidef.AuthTokenType: auth,
+		}
+
+		var oas OAS
+		oas.SetTykExtension(&XTykAPIGateway{})
+		oas.fillSecurity(api)
+
+		assert.Nil(t, oas.GetJWTConfiguration())
+	})
+}
+
 func TestOAS_Security(t *testing.T) {
 	var auth apidef.AuthConfig
 	Fill(t, &auth, 0)
@@ -342,6 +420,14 @@ func TestOAS_JWT(t *testing.T) {
 	convertedOAS.SetTykExtension(&XTykAPIGateway{Server: Server{Authentication: &Authentication{SecuritySchemes: SecuritySchemes{}}}})
 	convertedOAS.fillJWT(api)
 
+	// set OAS only fields since they will not be converted
+	convertedOAS.GetJWTConfiguration().AllowedAudiences = oas.GetJWTConfiguration().AllowedAudiences
+	convertedOAS.GetJWTConfiguration().AllowedIssuers = oas.GetJWTConfiguration().AllowedIssuers
+	convertedOAS.GetJWTConfiguration().AllowedSubjects = oas.GetJWTConfiguration().AllowedSubjects
+	convertedOAS.GetJWTConfiguration().SubjectClaims = oas.GetJWTConfiguration().SubjectClaims
+	convertedOAS.GetJWTConfiguration().BasePolicyClaims = oas.GetJWTConfiguration().BasePolicyClaims
+	convertedOAS.GetJWTConfiguration().Scopes.Claims = oas.GetJWTConfiguration().Scopes.Claims
+	convertedOAS.GetJWTConfiguration().JTIValidation.Enabled = true
 	assert.Equal(t, oas, convertedOAS)
 }
 
@@ -568,6 +654,8 @@ func TestOAS_OIDC(t *testing.T) {
 	convertedOAS.SetTykExtension(&XTykAPIGateway{Server: Server{Authentication: &Authentication{}}})
 	convertedOAS.getTykAuthentication().Fill(api)
 
+	// set scope claims cause it is OAS only
+	convertedOAS.Extensions[ExtensionTykAPIGateway].(*XTykAPIGateway).Server.Authentication.OIDC.Scopes.Claims = oidc.Scopes.Claims
 	assert.Equal(t, oas, convertedOAS)
 }