Update jwt auth to use hmac secret

Author: Dilhasha

components/org.wso2.micro.integrator.initializer/pom.xml

@@ -117,6 +117,10 @@
             <groupId>org.wso2.integration.transaction.counter</groupId>
             <artifactId>transaction-count-handler</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.orbit.com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
@@ -138,6 +142,10 @@
                             org.wso2.micro.integrator.initializer.*;version="${project.version}"
                         </Export-Package>
                         <Import-Package>
+                            com.nimbusds.jose;version="${nimbus-jose.orbit.imp.pkg.version}",
+                            com.nimbusds.jose.jwk;version="${nimbus-jose.orbit.imp.pkg.version}",
+                            com.nimbusds.jose.crypto;version="${nimbus-jose.orbit.imp.pkg.version}",
+                            com.nimbusds.jwt;version="${nimbus-jose.orbit.imp.pkg.version}",
                             org.wso2.micro.integrator.core.*;version="${project.version}",
                             *;resolution:=optional
                         </Import-Package>

components/org.wso2.micro.integrator.initializer/src/main/java/org/wso2/micro/integrator/initializer/dashboard/Constants.java

@@ -24,21 +24,21 @@ private Constants() {
     public static final String ICP_CONFIG_ENABLED = "icp_config.enabled";
 
     // JWT Configuration
-    public static final String ICP_JWT_KEYSTORE_PATH = "icp_config.jwt_keystore_path";
-    public static final String ICP_JWT_KEYSTORE_PASSWORD = "icp_config.jwt_keystore_password";
-    public static final String ICP_JWT_KEY_ALIAS = "icp_config.jwt_key_alias";
-    public static final String ICP_JWT_KEY_PASSWORD = "icp_config.jwt_key_password";
     public static final String ICP_JWT_ISSUER = "icp_config.jwt_issuer";
     public static final String ICP_JWT_AUDIENCE = "icp_config.jwt_audience";
+    public static final String ICP_JWT_SCOPE = "icp_config.jwt_scope";
     public static final String ICP_JWT_EXPIRY_SECONDS = "icp_config.jwt_expiry_seconds";
+    public static final String ICP_JWT_HMAC_SECRET = "icp_config.jwt_hmac_secret";
 
     // Default ICP Configuration
     public static final String DEFAULT_ENVIRONMENT = "production";
     public static final String DEFAULT_PROJECT = "default";
     public static final String DEFAULT_COMPONENT = "default";
     public static final String DEFAULT_JWT_ISSUER = "icp-runtime-jwt-issuer";
     public static final String DEFAULT_JWT_AUDIENCE = "icp-server";
+    public static final String DEFAULT_JWT_SCOPE = "runtime_agent";
     public static final long DEFAULT_JWT_EXPIRY_SECONDS = 3600;
+    public static final String DEFAULT_JWT_HMAC_SECRET = "default-secret-key-at-least-32-characters-long-for-hs256";
     public static final String RUNTIME_TYPE_MI = "MI";
     public static final String RUNTIME_STATUS_RUNNING = "RUNNING";
 

components/org.wso2.micro.integrator.initializer/src/main/java/org/wso2/micro/integrator/initializer/dashboard/HMACJWTTokenGenerator.java

@@ -0,0 +1,56 @@
+package org.wso2.micro.integrator.initializer.dashboard;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.MACSigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Date;
+
+public class HMACJWTTokenGenerator {
+
+    private final String hmacSecret;
+
+    public HMACJWTTokenGenerator(String hmacSecret) {
+        if (hmacSecret == null || hmacSecret.getBytes(StandardCharsets.UTF_8).length < 32) {
+            throw new IllegalArgumentException("HMAC secret must be at least 256 bits (32 bytes)");
+        }
+        this.hmacSecret = hmacSecret;
+    }
+
+    /**
+     * Generate JWT Token with HMAC SHA256
+     */
+    public String generateToken(String issuer, String audience, String scope, long expiryTimeSeconds)
+            throws JOSEException {
+
+        // Calculate expiry
+        long expiryMillis = System.currentTimeMillis() + (expiryTimeSeconds * 1000);
+
+        // Build claims
+        JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+                .issuer(issuer)
+                .audience(audience)
+                .expirationTime(new Date(expiryMillis))
+                .issueTime(new Date())
+                .claim("scope", scope)
+                .build();
+
+        // Create HMAC signer
+        JWSSigner signer = new MACSigner(hmacSecret.getBytes(StandardCharsets.UTF_8));
+
+        // Create and sign JWT
+        SignedJWT signedJWT = new SignedJWT(
+                new JWSHeader.Builder(JWSAlgorithm.HS256).build(),
+                claimsSet
+        );
+
+        signedJWT.sign(signer);
+        return signedJWT.serialize();
+    }
+
+}

components/org.wso2.micro.integrator.initializer/src/main/java/org/wso2/micro/integrator/initializer/dashboard/ICPHeartBeatComponent.java

@@ -564,77 +564,20 @@ private static String calculateHash(JsonObject payload) {
      */
     private static String generateOrGetCachedJwtToken() throws Exception {
         long currentTime = System.currentTimeMillis();
-        
         // Return cached token if it's still valid (with 5 minute buffer)
         if (cachedJwtToken != null && currentTime < (jwtTokenExpiry - 300000)) {
             return cachedJwtToken;
         }
-        
-        // Generate new token
-        cachedJwtToken = generateJwtToken();
-        jwtTokenExpiry = currentTime + (getJwtExpirySeconds() * 1000);
-        
-        return cachedJwtToken;
-    }
-
-    /**
-     * Generates a JWT token signed with RS256 algorithm using built-in Java libraries.
-     */
-    private static String generateJwtToken() throws Exception {
-        String keystorePath = getConfigValue(ICP_JWT_KEYSTORE_PATH, 
-                "repository/resources/security/wso2carbon.jks");
-        String keystorePassword = getConfigValue(ICP_JWT_KEYSTORE_PASSWORD, "ballerina");
-        String keyAlias = getConfigValue(ICP_JWT_KEY_ALIAS, "ballerina");
-        String keyPassword = getConfigValue(ICP_JWT_KEY_PASSWORD, keystorePassword);
+        String jwtHmacSecret = getConfigValue(ICP_JWT_HMAC_SECRET, DEFAULT_JWT_HMAC_SECRET);
+        HMACJWTTokenGenerator hmacJWTTokenGenerator = new HMACJWTTokenGenerator(jwtHmacSecret);
         String issuer = getConfigValue(ICP_JWT_ISSUER, DEFAULT_JWT_ISSUER);
         String audience = getConfigValue(ICP_JWT_AUDIENCE, DEFAULT_JWT_AUDIENCE);
+        String scope = getConfigValue(ICP_JWT_SCOPE, DEFAULT_JWT_SCOPE);
         long expirySeconds = getJwtExpirySeconds();
-        
-        // Resolve keystore path relative to carbon.home if not absolute
-        if (!keystorePath.startsWith("/")) {
-            String carbonHome = System.getProperty("carbon.home");
-            keystorePath = carbonHome + "/" + keystorePath;
-        }
-        
-        // Load keystore
-        KeyStore keyStore = KeyStore.getInstance("JKS");
-        try (FileInputStream fis = new FileInputStream(keystorePath)) {
-            keyStore.load(fis, keystorePassword.toCharArray());
-        }
-        
-        // Get private key
-        PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray());
-        
-        // Create JWT manually using built-in Java (matching Ballerina jwt:issue() output)
-        long currentTimeSeconds = System.currentTimeMillis() / 1000;
-        long expirationTime = currentTimeSeconds + expirySeconds;
-        
-        // JWT Header
-        JsonObject header = new JsonObject();
-        header.addProperty("alg", "RS256");
-        header.addProperty("typ", "JWT");
-        String encodedHeader = Base64.getUrlEncoder().withoutPadding()
-                .encodeToString(header.toString().getBytes("UTF-8"));
-        
-        // JWT Payload (matching Ballerina structure)
-        JsonObject payload = new JsonObject();
-        payload.addProperty("iss", issuer);
-        payload.addProperty("aud", audience);
-        payload.addProperty("scope", "runtime_agent");
-        payload.addProperty("iat", currentTimeSeconds);
-        payload.addProperty("exp", expirationTime);
-        String encodedPayload = Base64.getUrlEncoder().withoutPadding()
-                .encodeToString(payload.toString().getBytes("UTF-8"));
-        
-        // Create signature
-        String signingInput = encodedHeader + "." + encodedPayload;
-        java.security.Signature signature = java.security.Signature.getInstance("SHA256withRSA");
-        signature.initSign(privateKey);
-        signature.update(signingInput.getBytes("UTF-8"));
-        byte[] signatureBytes = signature.sign();
-        String encodedSignature = Base64.getUrlEncoder().withoutPadding().encodeToString(signatureBytes);
-        
-        return signingInput + "." + encodedSignature;
+        // Generate new token
+        cachedJwtToken = hmacJWTTokenGenerator.generateToken(issuer, audience, scope, expirySeconds);
+        jwtTokenExpiry = currentTime + (expirySeconds * 1000);
+        return cachedJwtToken;
     }
 
     /**
@@ -1437,14 +1380,14 @@ private static JsonArray collectListeners() {
             // HTTP Listener
             JsonObject httpListener = new JsonObject();
             httpListener.addProperty("protocol", "http");
-            httpListener.addProperty("port", Integer.toString(ConfigurationLoader.getInternalInboundHttpPort()));
+            httpListener.addProperty("port", ConfigurationLoader.getInternalInboundHttpPort());
             httpListener.addProperty("host", "0.0.0.0");
             listeners.add(httpListener);
 
             // HTTPS Listener
             JsonObject httpsListener = new JsonObject();
             httpsListener.addProperty("protocol", "https");
-            httpsListener.addProperty("port", Integer.toString(ConfigurationLoader.getInternalInboundHttpsPort()));
+            httpsListener.addProperty("port", ConfigurationLoader.getInternalInboundHttpsPort());
             httpsListener.addProperty("host", "0.0.0.0");
             listeners.add(httpsListener);
         } catch (Exception e) {

deployment-icp-sample.toml

@@ -47,7 +47,7 @@ project = "sample_project"
 
 # Component Identification
 # Specific component or service area within the project
-component = "sample_mi_component"
+component = "sample-mi-component"
 
 # Heartbeat Configuration
 # Interval between heartbeat transmissions (in seconds)
@@ -57,18 +57,12 @@ heartbeat_interval = 10
 # ----------------------------------------
 # JWT Authentication Configuration
 # ----------------------------------------
-# Keystore Configuration
-# Path can be relative to $MI_HOME or absolute
-jwt_keystore_path = "repository/resources/security/wso2carbon.jks"
-jwt_keystore_password = "wso2carbon"
-jwt_key_alias = "wso2carbon"
-jwt_key_password = "wso2carbon"
-
-# JWT Token Settings
 jwt_issuer = "icp-runtime-jwt-issuer"
 jwt_audience = "icp-server"
+jwt_scope = "runtime_agent"
 # Token validity in seconds (default: 3600 = 1 hour)
 jwt_expiry_seconds = 3600
+jwt_hmac_secret = "default-secret-key-at-least-32-characters-long-for-hs256"
 
 # ----------------------------------------
 # Legacy Dashboard Configuration (Optional)