MB-68594: [BP] Make gs2-authzid optional for OAUTHBEARER

Previously we required the gs2 header to specify no channel binding
and mandatory gs2-authzid.

This patch allows gs2-authzid to be optional and we'll pick out
the username from the returned RBAC entry from ns_server.

It is expected that *ns_server* honors the gs2-authzid as kv *WILL*
use that as the username if that's present in the request. If no
gs2-authzid is specified we'll pick the "one and only" username
specified in the returned "rbac" entry in the returned token
metadata:

In the returned payload below we would use "myusername" as the
user:

    {
      "token": {
        "exp": 1758705142,
        "rbac": {
          "myusername": {
            "buckets": {
              "default": {
                "privileges": [
                  "Read"
                ]
              }
            },
            "domain": "external",
            "privileges": []
          }
        }
      }
    }

Change-Id: Ie3ca4efd1df04ac59f962f5718750c295a6ae1cc
Reviewed-on: https://review.couchbase.org/c/kv_engine/+/238364
Well-Formed: Restriction Checker
Reviewed-by: Jim Walker <jim@couchbase.com>
Tested-by: Build Bot <build@couchbase.com>

Author: trondn

cbsasl/CMakeLists.txt

@@ -5,6 +5,8 @@ add_library(cbsasl STATIC
             mechanism.cc
             oauthbearer/oauthbearer.cc
             oauthbearer/oauthbearer.h
+            oauthbearer/parse_gs2_header.cc
+            oauthbearer/parse_gs2_header.h
             plain/check_password.cc
             plain/check_password.h
             plain/plain.cc
@@ -46,6 +48,7 @@ cb_add_test_executable(cbsasl_unit_test
                        client_server_test.cc
                        domain_test.cc
                        password_database_test.cc
+                       oauthbearer/parse_gs2_header_test.cc
                        plain/plain_test.cc
                        sasl_server_test.cc
                        scram-sha/saslprep_test.cc

cbsasl/oauthbearer/oauthbearer.cc

@@ -9,6 +9,7 @@
  */
 
 #include "oauthbearer.h"
+#include "parse_gs2_header.h"
 
 #include <cbsasl/username_util.h>
 #include <fmt/format.h>
@@ -24,33 +25,50 @@ std::pair<Error, std::string> ServerBackend::start(std::string_view input) {
         return {Error::BAD_PARAM, {}};
     }
 
-    auto gs2 = fields.front();
-    if (!gs2.starts_with("n,a=")) {
+    try {
+        username = parse_gs2_header(fields.front());
+    } catch (const std::invalid_argument&) {
         return {Error::BAD_PARAM, {}};
     }
-    username = std::string(gs2.substr(4));
-    if (username.empty()) {
-        return {Error::BAD_PARAM, {}};
-    }
-    if (username.back() == ',') {
-        username.pop_back();
+
+    std::string_view token;
+    for (std::size_t index = 1; index < fields.size(); index++) {
+        auto field = fields[index];
+        if (!field.starts_with("auth=")) {
+            continue;
+        }
+        field.remove_prefix(5);
+        auto kv = cb::string::split(field, ' ');
+        if (kv.size() != 2) {
+            return {Error::BAD_PARAM, {}};
+        }
+        std::string auth;
+        for (auto& c : kv.front()) {
+            auth.push_back(std::tolower(c));
+        }
+        if (auth != "bearer") {
+            return {Error::BAD_PARAM, {}};
+        }
+        token = kv.back();
     }
-    username = username::decode(username);
-    auto token = fields[1];
-    if (!token.starts_with("auth=Bearer ")) {
+
+    if (token.empty()) {
         return {Error::BAD_PARAM, {}};
     }
-    token.remove_prefix(12);
+
     return {context.validateUserToken(username, token), {}};
 }
 
 std::pair<Error, std::string> ClientBackend::start() {
-    std::string header = fmt::format("n,a={},", usernameCallback());
+    auto user = usernameCallback();
+    auto header = fmt::format(
+            "n,{},",
+            user.empty() ? "" : fmt::format("a={}", username::encode(user)));
     header.push_back(0x01);
     header.append(fmt::format("auth=Bearer {}", passwordCallback()));
     header.push_back(0x01);
     header.push_back(0x01);
     return {Error::OK, std::move(header)};
 }
 
-} // namespace cb::sasl::mechanism::oauthbearer
+} // namespace cb::sasl::mechanism::oauthbearer

cbsasl/oauthbearer/parse_gs2_header.cc

@@ -0,0 +1,42 @@
+/*
+ *     Copyright 2025-Present Couchbase, Inc.
+ *
+ *   Use of this software is governed by the Business Source License included
+ *   in the file licenses/BSL-Couchbase.txt.  As of the Change Date specified
+ *   in that file, in accordance with the Business Source License, use of this
+ *   software will be governed by the Apache License, Version 2.0, included in
+ *   the file licenses/APL2.txt.
+ */
+
+#include "parse_gs2_header.h"
+
+#include "cbsasl/username_util.h"
+#include <platform/split_string.h>
+#include <stdexcept>
+
+namespace cb::sasl::mechanism::oauthbearer {
+std::string parse_gs2_header(std::string_view input) {
+    const auto fields = cb::string::split(input, ',');
+    if (fields.size() != 2) {
+        throw std::invalid_argument("Invalid GS2 header");
+    }
+
+    if (fields[0] != "n") {
+        throw std::invalid_argument(
+                "Only 'n' (no channel binding) is supported");
+    }
+
+    std::string authzid;
+    if (!fields[1].empty()) {
+        if (!fields[1].starts_with("a=")) {
+            throw std::invalid_argument("Invalid GS2 header");
+        }
+        authzid = username::decode(fields[1].substr(2));
+        if (authzid.empty()) {
+            throw std::invalid_argument("Invalid saslname");
+        }
+    }
+
+    return authzid;
+}
+} // namespace cb::sasl::mechanism::oauthbearer

cbsasl/oauthbearer/parse_gs2_header.h

@@ -0,0 +1,25 @@
+/*
+ *     Copyright 2025-Present Couchbase, Inc.
+ *
+ *   Use of this software is governed by the Business Source License included
+ *   in the file licenses/BSL-Couchbase.txt.  As of the Change Date specified
+ *   in that file, in accordance with the Business Source License, use of this
+ *   software will be governed by the Apache License, Version 2.0, included in
+ *   the file licenses/APL2.txt.
+ */
+#pragma once
+
+#include <string>
+
+namespace cb::sasl::mechanism::oauthbearer {
+
+/**
+ * Parse the GS2 header and return the authzid (if any)
+ *
+ * @param input The GS2 header to parse
+ * @return authzid if present, empty string if not
+ * @throws std::invalid_argument if the input is invalid
+ */
+std::string parse_gs2_header(std::string_view input);
+
+} // namespace cb::sasl::mechanism::oauthbearer

cbsasl/oauthbearer/parse_gs2_header_test.cc

@@ -0,0 +1,56 @@
+/*
+ *     Copyright 2025-Present Couchbase, Inc.
+ *
+ *   Use of this software is governed by the Business Source License included
+ *   in the file licenses/BSL-Couchbase.txt.  As of the Change Date specified
+ *   in that file, in accordance with the Business Source License, use of this
+ *   software will be governed by the Apache License, Version 2.0, included in
+ *   the file licenses/APL2.txt.
+ */
+
+#include "parse_gs2_header.h"
+#include <folly/portability/GTest.h>
+
+using namespace cb::sasl::mechanism::oauthbearer;
+
+class GS2ParserTest : public ::testing::Test {
+protected:
+    void invalid(std::string_view input, std::string_view error) {
+        try {
+            parse_gs2_header(input);
+            FAIL() << "Expected std::invalid_argument";
+        } catch (const std::invalid_argument& e) {
+            EXPECT_EQ(error, e.what());
+        } catch (...) {
+            FAIL() << "Expected exception of type std::invalid_argument";
+        }
+    }
+};
+
+TEST_F(GS2ParserTest, ParseMinimalGS2Header) {
+    auto result = parse_gs2_header("n,,");
+    EXPECT_TRUE(result.empty());
+}
+
+TEST_F(GS2ParserTest, ParseGS2HeaderWithAuthzid) {
+    auto result = parse_gs2_header("n,a=foo,");
+    EXPECT_EQ("foo", result);
+}
+
+TEST_F(GS2ParserTest, ParseUnsupportedChannelBinding) {
+    invalid("y,,", "Only 'n' (no channel binding) is supported");
+}
+
+TEST_F(GS2ParserTest, ParseMissingTrailingComma) {
+    invalid("n,", "Invalid GS2 header");
+}
+
+TEST_F(GS2ParserTest, ParseInvalidAuthzid) {
+    // authzid should be "a=saslname"
+    invalid("n,b=foo,", "Invalid GS2 header");
+}
+
+TEST_F(GS2ParserTest, ParseInvalidAuthzidNoUsername) {
+    // saslname can't be empty
+    invalid("n,a=,", "Invalid saslname");
+}

cluster_framework/auth_provider_service.cc

@@ -366,13 +366,19 @@ static sasl::Error validateUserTokenFunction(
             return sasl::Error::BAD_PARAM;
         }
         const auto& claims = jwt->payload;
-        if (claims.value("user", "") != user) {
+        std::string user_str{user};
+        if (user.empty()) {
+            if (!claims.contains("user")) {
+                return sasl::Error::NO_USER;
+            }
+            user_str = claims["user"];
+        } else if (claims.value("user", "") != user) {
             return sasl::Error::NO_USER;
         }
 
         nlohmann::json metadata;
         if (claims.contains("cb-rbac")) {
-            metadata["rbac"][user] = nlohmann::json::parse(
+            metadata["rbac"][user_str] = nlohmann::json::parse(
                     base64url::decode(claims.value("cb-rbac", "")));
         } else {
             return sasl::Error::NO_RBAC_PROFILE;

daemon/sasl_auth_task.cc

@@ -97,6 +97,28 @@ void SaslAuthTask::successfull_external_auth(const nlohmann::json& json) {
 
     if (json.contains("token")) {
         tokenMetadata = json["token"];
+        if (getUsername().empty()) {
+            if (!json["token"].contains("rbac")) {
+                error = Error::BAD_PARAM;
+                cookie.setErrorContext("Internal error. No rbac entry");
+                return;
+            }
+
+            auto rbac = json["token"]["rbac"];
+            std::string username;
+            int count = 0;
+            for (auto it = rbac.begin(); it != rbac.end(); ++it) {
+                username = it.key();
+                ++count;
+            }
+            if (count == 1 && !username.empty()) {
+                serverContext.setUsername(std::move(username));
+            } else {
+                error = Error::BAD_PARAM;
+                cookie.setErrorContext(
+                        "Internal error. Failed to locate username");
+            }
+        }
     }
 
     externalAuthManager->login(serverContext.getUsername());

include/cbsasl/server.h

@@ -111,6 +111,10 @@ class ServerContext : public Context {
         return backend->getUsername();
     }
 
+    void setUsername(std::string user) {
+        backend->setUsername(std::move(user));
+    }
+
     void setDomain(Domain domain) {
         backend->setDomain(domain);
     }

programs/mc_program_getopt.cc

@@ -262,7 +262,7 @@ McProgramGetopt::createAuthenticatedConnection(
     ret->connect();
     if (token_auth) {
         ret->authenticateWithToken();
-    } else if (!user.empty()) {
+    } else if (!user.empty() && !password.empty()) {
         ret->authenticate(user,
                           password,
                           sasl_mechanism.empty() ? ret->getSaslMechanisms()
@@ -278,7 +278,7 @@ std::unique_ptr<MemcachedConnection> McProgramGetopt::getConnection() {
         ret->connect();
         if (token_auth) {
             ret->authenticateWithToken();
-        } else if (!user.empty()) {
+        } else if (!user.empty() && !password.empty()) {
             ret->authenticate(user,
                               password,
                               sasl_mechanism.empty() ? ret->getSaslMechanisms()

protocol/connection/client_connection.cc

@@ -1274,16 +1274,7 @@ void MemcachedConnection::setTokenBuilder(
 }
 
 void MemcachedConnection::authenticateWithToken() {
-    auto token = tokenBuilder->build();
-
-    auto parsed = cb::jwt::Token::parse(tokenBuilder->build());
-    if (!parsed->payload.contains("sub")) {
-        throw std::logic_error(
-                "MemcachedConnection::authenticateWithToken: "
-                "The token must contain a sub field");
-    }
-
-    doSaslAuthenticate(parsed->payload["sub"], token, "OAUTHBEARER");
+    doSaslAuthenticate({}, tokenBuilder->build(), "OAUTHBEARER");
 }
 
 void MemcachedConnection::authenticate(