feature/Add props oauth2.keycloak.client_ids

This commit is contained in:
Marko Milić 2024-12-20 12:37:37 +01:00
parent d9f28eef61
commit 1dc4ee2eb3
2 changed files with 15 additions and 4 deletions


@ -769,6 +769,8 @@ display_internal_errors=false
# oauth2.keycloak.well_known=http://localhost:7070/realms/master/.well-known/openid-configuration
# Used to sync IAM of OBP-API and IAM of Keycloak
# oauth2.keycloak.source_of_truth = false
# LIst of clients allowed to sync IAM of OBP-API and IAM of Keycloak
# oauth2.keycloak.client_ids = SOME_CLIENT_ID_1, SOME_CLIENT_ID_2
# ------------------------------------------------------------------------------ OAuth 2 ------
# -- PSU Authentication methods --------------------------------------------------------------
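Review bot: The new comment line reads `LIst` instead of `List`, and it does not tell an operator what the entries are matched against or when the property is consulted; from the companion change in OAuth2Login the values are compared with the token's `azp` claim and only read when `oauth2.keycloak.source_of_truth` is true. Suggested wording: `# Comma-separated Keycloak client IDs (the token's "azp" claim) whose roles may be synced into OBP-API; only consulted when oauth2.keycloak.source_of_truth = true`. The sample value keeps a space after the comma, so it is worth stating whether whitespace around entries is tolerated, since the parsing side of this commit does not trim it.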


@ -517,16 +517,25 @@ object OAuth2Login extends RestHelper with MdcLoggable {
private def addScopesToConsumer(token: String, consumerPrimaryKey: Long): Unit = {
val sourceOfTruth = APIUtil.getPropsAsBoolValue(nameOfProperty = "oauth2.keycloak.source_of_truth", defaultValue = false)
// Consumers allowed to use the source of truth feature
val consumerIds: List[String] =
APIUtil.getPropsValue(nameOfProperty = "oauth2.keycloak.client_ids").toList
.flatMap(_.split(",").toList)
val consumerId = getClaim(name = "azp", idToken = token).getOrElse("")
if(sourceOfTruth) {
logger.debug("Extracting roles from Access Token")
import net.liftweb.json._
val jsonString = JwtUtil.getSignedPayloadAsJson(token)
val json = parse(jsonString.getOrElse(""))
val openBankRoles: List[String] = {
(json \ "resource_access" \ consumerId \ "roles").extract[List[String]]
.filter(role => tryo(ApiRole.valueOf(role)).isDefined) // Keep only the roles OBP-API can recognise
}
val openBankRoles: List[String] =
if(consumerIds.contains(consumerId)) {
// Sync Keycloak's roles
(json \ "resource_access" \ consumerId \ "roles").extract[List[String]]
.filter(role => tryo(ApiRole.valueOf(role)).isDefined) // Keep only the roles OBP-API can recognise
} else {
// Clean up roles assigned to "consumerId"
List()
}
val scopes = Scope.scope.vend.getScopesByConsumerId(consumerPrimaryKey.toString).getOrElse(Nil)
val databaseState = scopes.map(_.roleName)
// Already exist at DB
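Review bot: The allow-list check `consumerIds.contains(consumerId)` will not match the second entry when the property is written as the new sample config shows it (`SOME_CLIENT_ID_1, SOME_CLIENT_ID_2`), because `split(",")` keeps the leading space and nothing trims the pieces; an empty property value also yields `List("")`, which matches the `""` fallback that `getClaim(name = "azp", ...)` returns when the claim is absent. Build the list as `.flatMap(_.split(",").toList).map(_.trim).filter(_.nonEmpty)` so only real client IDs can pass. Note also that with `source_of_truth` enabled, a consumer that is not in the list gets `openBankRoles = List()`, which appears to strip its existing scopes in the reconciliation that follows; if that is the intended fail-closed behaviour, a comment such as `// Not allow-listed: treat Keycloak as having granted no roles, which revokes any previously synced scopes` would keep the next reader from mistaking it for a misconfiguration bug. addScopesToConsumer continues past the end of this hunk.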