Merge pull request #2475 from constantine2nd/develop

Consent Auth Header
2026-02-06 17:37:00 +00:00 · 2025-01-07 08:44:24 +01:00 · 2025-01-07 08:44:24 +01:00 · 612ba17027
commit 612ba17027
parent 82dad2e0e7 b22d9d4df0
5 changed files with 29 additions and 4 deletions
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@ -111,7 +111,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
        } else if (UnknownProvider.isIssuer(value)) {
          UnknownProvider.applyRulesFuture(value, cc)
        } else if (HydraUtil.integrateWithHydra) {
-          UnknownProvider.applyRulesFuture(value, cc)
+          Hydra.applyRulesFuture(value, cc)
        } else {
          Future(Failure(Oauth2IsNotRecognized), Some(cc))
        }
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@ -2975,8 +2975,13 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
    val title = s"Request Headers for verb: $verb, URL: $url"
    surroundDebugMessage(reqHeaders.map(h => h.name + ": " + h.values.mkString(",")).mkString, title)
    val remoteIpAddress = getRemoteIpAddress()
+
+    val authHeaders = AuthorisationUtil.getAuthorisationHeaders(reqHeaders)
+
    val res =
-      if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
+      if (authHeaders.size > 1) { // Check Authorization Headers ambiguity
+        Future { (Failure(ErrorMessages.AuthorizationHeaderAmbiguity + s"${authHeaders}"), None) }
+      } else if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
        Consent.applyBerlinGroupRules(APIUtil.`getConsent-ID`(reqHeaders), cc)
      } else if (APIUtil.hasConsentJWT(reqHeaders)) { // Open Bank Project's Consent
        val consentValue = APIUtil.getConsentJWT(reqHeaders)
--- a/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
@ -0,0 +1,15 @@
+package code.api.util
+
+import code.api.RequestHeader._
+import net.liftweb.http.provider.HTTPParam
+
+object AuthorisationUtil {
+  def getAuthorisationHeaders(requestHeaders: List[HTTPParam]): List[String] = {
+    requestHeaders.map(_.name).filter {
+      case `Consent-Id`| `Consent-ID` | `Consent-JWT` => true
+      case _ => false
+    }
+  }
+  
+
+}
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@ -263,7 +263,10 @@ object ErrorMessages {
  val Oauth2TokenEndpointAuthMethodForbidden = "OBP-20213: The Token Endpoint Auth Method is not supported at this instance: "
  val OneTimePasswordExpired = "OBP-20211: The One Time Password (OTP) has expired. "
  val Oauth2IsNotRecognized = "OBP-20214: OAuth2 Access Token is not recognised at this instance."
-  
+  val Oauth2ValidateAccessTokenError = "OBP-20215: There was a problem validating the OAuth2 access token. "
+
+  val AuthorizationHeaderAmbiguity = "OBP-20250: Request headers used for authorization are ambiguous. "
+
  // X.509
  val X509GeneralError = "OBP-20300: PEM Encoded Certificate issue."
  val X509ParsingFailed = "OBP-20301: Parsing failed for PEM Encoded Certificate."
--- a/obp-api/src/main/scala/code/api/util/JwtUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
@ -217,7 +217,9 @@ object JwtUtil extends MdcLoggable {
    } catch {
      case e: BadJWTException => Failure(ErrorMessages.Oauth2BadJWTException + e.getMessage, Full(e), Empty)
      case e: ParseException  => Failure(ErrorMessages.Oauth2ParseException + e.getMessage, Full(e), Empty)
-      case e: Exception       => Failure(e.getMessage, Full(e), Empty)
+      case e: Exception       =>
+        logger.debug(s"remoteJWKSetUrl: $remoteJWKSetUrl")
+        Failure(ErrorMessages.Oauth2ValidateAccessTokenError + e.getMessage, Full(e), Empty)
    }
  }