Allow more than one Identity Provider in case MITREId is defined

2026-02-06 11:06:49 +00:00 · 2019-11-29 10:10:52 +01:00 · 2019-11-29 10:10:52 +01:00 · 3964a61cec
commit 3964a61cec
parent 593707ce40
3 changed files with 15 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -557,13 +557,15 @@ There are 3 API's endpoint related to webhooks:
 ## OAuth 2.0
 In order to enable an OAuth2 workflow at an instance of OBP-API backend app you need to setup next props:
 ```
-# -- OAuth 2 ---------------------------------------------------------------
+# -- OAuth 2 ---------------------------------------------------------------------------------
 # Enable/Disable OAuth 2 workflow at a server instance
 # In case isn't defined default value is false
 # allow_oauth2_login=false
 # URL of Public server JWK set used for validating bearer JWT access tokens
-# oauth2.jwk_set.url=http://localhost:8080/jwk.json
-# ----------------------------------------------------------- OAuth 2 ------
+# It can contain more than one URL i.e. list of uris. Values are comma separated.
+# If MITREId URL is present it must be at 1st place in the list.
+# oauth2.jwk_set.url=http://localhost:8080/jwk.json,https://www.googleapis.com/oauth2/v3/certs
+# ------------------------------------------------------------------------------ OAuth 2 ------

 OpenID Connect is supported.
 Tested Identity providers: Google, MITREId.
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@ -563,13 +563,15 @@ display_internal_errors=false
 # -------------------------------------- Display internal errors --


-# -- OAuth 2 ---------------------------------------------------------------
+# -- OAuth 2 ---------------------------------------------------------------------------------
 # Enable/Disable OAuth 2 workflow at a server instance
 # In case isn't defined default value is false
 # allow_oauth2_login=false
 # URL of Public server JWK set used for validating bearer JWT access tokens
-# oauth2.jwk_set.url=http://localhost:8080/jwk.json
-# ----------------------------------------------------------- OAuth 2 ------
+# It can contain more than one URL i.e. list of uris. Values are comma separated.
+# If MITREId URL is present it must be at 1st place in the list.
+# oauth2.jwk_set.url=http://localhost:8080/jwk.json,https://www.googleapis.com/oauth2/v3/certs
+# ------------------------------------------------------------------------------ OAuth 2 ------

 ## This property is used for documenting at Resource Doc. It may include the port also (but not /obp)
 ## (this needs to be a URL)
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@ -100,7 +100,8 @@ object OAuth2Login extends RestHelper with MdcLoggable {
    def validateAccessToken(accessToken: String): Box[JWTClaimsSet] = {
      APIUtil.getPropsValue("oauth2.jwk_set.url") match {
        case Full(url) =>
-          JwtUtil.validateAccessToken(accessToken, url)
+          val mitreIdUrl = url.toLowerCase().split(",").toList.head
+          JwtUtil.validateAccessToken(accessToken, mitreIdUrl)
        case ParamFailure(a, b, c, apiFailure : APIFailure) =>
          ParamFailure(a, b, c, apiFailure : APIFailure)
        case Failure(msg, t, c) =>
@ -252,7 +253,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
      *                }
      * @return an existing or a new consumer
      */
-    def getOrCreateConsumerFuture(idToken: String, userId: Box[String]): Box[Consumer] = {
+    def getOrCreateConsumer(idToken: String, userId: Box[String]): Box[Consumer] = {
      val azp = getClaim(name = "azp", idToken = idToken)
      val iss = getClaim(name = "iss", idToken = idToken)
      val sub = getClaim(name = "sub", idToken = idToken)
@ -279,7 +280,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
      validateIdToken(value) match {
        case Full(_) =>
          val user = Google.getOrCreateResourceUser(value)
-          val consumer = Google.getOrCreateConsumerFuture(value, user.map(_.userId))
+          val consumer = Google.getOrCreateConsumer(value, user.map(_.userId))
          (user, Some(cc.copy(consumer = consumer)))
        case ParamFailure(a, b, c, apiFailure : APIFailure) =>
          (ParamFailure(a, b, c, apiFailure : APIFailure), Some(cc))
@ -294,7 +295,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
        case Full(_) =>
          for {
            user <-  Google.getOrCreateResourceUserFuture(value)
-            consumer <-  Future{Google.getOrCreateConsumerFuture(value, user.map(_.userId))}
+            consumer <-  Future{Google.getOrCreateConsumer(value, user.map(_.userId))}
          } yield {
            (user, Some(cc.copy(consumer = consumer)))
          }