artin/OBP-API
1
0
Fork 0
mirror of https://github.com/OpenBankProject/OBP-API.git synced 2026-02-06 18:46:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor/Add props hydra_supported_token_endpoint_auth_methods

Browse Source
This commit is contained in:
Marko Milić 2023-05-23 15:06:48 +02:00
parent f0e3bb425a
commit 465157bb81
4 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
obp-api/src/main/resources/props/sample.props.template
View File

@ -1005,6 +1005,7 @@ outboundAdapterCallContext.generalContext
#mirror_consumer_in_hydra=true
# There are 2 ways of authenticating OAuth 2.0 Clients at the /oauth2/token we support: private_key_jwt and client_secret_post
# hydra_token_endpoint_auth_method=private_key_jwt
# hydra_supported_token_endpoint_auth_methods=client_secret_basic,client_secret_post,private_key_jwt
# ------------------------------ Hydra oauth2 props end ------------------------------
# ------------------------------ default entitlements ------------------------------

8
obp-api/src/main/scala/code/api/OAuth2.scala
View File

@ -115,7 +115,8 @@ object OAuth2Login extends RestHelper with MdcLoggable {
private def applyAccessTokenRules(value: String, cc: CallContext): (Box[User], Some[CallContext]) = {
// In case of Hydra issued access tokens are not self-encoded/self-contained like JWT tokens are.
// It implies the access token can be revoked at any time.
val introspectOAuth2Token: OAuth2TokenIntrospection = hydraAdmin.introspectOAuth2Token(value, null);
val introspectOAuth2Token: OAuth2TokenIntrospection = hydraAdmin.introspectOAuth2Token(value, null)
val hydraClient = hydraAdmin.getOAuth2Client(introspectOAuth2Token.getClientId())
var consumer: Box[Consumer] = consumers.vend.getConsumerByConsumerKey(introspectOAuth2Token.getClientId)
logger.debug("introspectOAuth2Token.getIss: " + introspectOAuth2Token.getIss)
logger.debug("introspectOAuth2Token.getActive: " + introspectOAuth2Token.getActive)
@ -128,6 +129,11 @@ object OAuth2Login extends RestHelper with MdcLoggable {
if (!introspectOAuth2Token.getActive) {
return (Failure(Oauth2IJwtCannotBeVerified), Some(cc.copy(consumer = Failure(Oauth2IJwtCannotBeVerified))))
}
if (!hydraSupportedTokenEndpointAuthMethods.contains(hydraClient.getTokenEndpointAuthMethod())) {
logger.debug("hydraClient.getTokenEndpointAuthMethod(): " + hydraClient.getTokenEndpointAuthMethod().toLowerCase())
val errorMessage = Oauth2TokenEndpointAuthMethodForbidden + hydraClient.getTokenEndpointAuthMethod()
return (Failure(errorMessage), Some(cc.copy(consumer = Failure(errorMessage))))
}
// check access token binding with client certificate
{

1
obp-api/src/main/scala/code/api/util/ErrorMessages.scala
View File

@ -220,6 +220,7 @@ object ErrorMessages {
val Oauth2CannotMatchIssuerAndJwksUriException = "OBP-20208: Cannot match the issuer and JWKS URI at this server instance. "
val Oauth2TokenHaveNoConsumer = "OBP-20209: The token have no linked consumer. "
val Oauth2TokenMatchCertificateFail = "OBP-20210: The token is linked with a different client certificate. "
val Oauth2TokenEndpointAuthMethodForbidden = "OBP-20213: The Token Endpoint Auth Method is not supported at this instance: "
val OneTimePasswordExpired = "OBP-20211: The One Time Password (OTP) has expired. "

4
obp-api/src/main/scala/code/util/HydraUtil.scala
View File

@ -28,7 +28,9 @@ object HydraUtil extends MdcLoggable{
val clientSecretPost = "client_secret_post"
val hydraTokenEndpointAuthMethod =
APIUtil.getPropsValue("hydra_token_endpoint_auth_method", "private_key_jwt")
APIUtil.getPropsValue("hydra_token_endpoint_auth_method", "private_key_jwt")
val hydraSupportedTokenEndpointAuthMethods =
APIUtil.getPropsValue("hydra_supported_token_endpoint_auth_methods", "client_secret_basic,client_secret_post,private_key_jwt")
lazy val hydraPublicUrl = APIUtil.getPropsValue("hydra_public_url")
.openOrThrowException(s"If props $INTEGRATE_WITH_HYDRA is true, hydra_public_url value should not be blank")