diff --git a/obp-api/src/main/scala/code/api/OAuth2.scala b/obp-api/src/main/scala/code/api/OAuth2.scala
index b61da0dc4..e2e593caf 100644
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@@ -111,7 +111,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
 } else if (UnknownProvider.isIssuer(value)) {
 UnknownProvider.applyRulesFuture(value, cc)
 } else if (HydraUtil.integrateWithHydra) {
- UnknownProvider.applyRulesFuture(value, cc)
+ Hydra.applyRulesFuture(value, cc)
 } else {
 Future(Failure(Oauth2IsNotRecognized), Some(cc))
 }
diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
index 086e97849..8f5ed0c80 100644
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@@ -2975,8 +2975,13 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 val title = s"Request Headers for verb: $verb, URL: $url"
 surroundDebugMessage(reqHeaders.map(h => h.name + ": " + h.values.mkString(",")).mkString, title)
 val remoteIpAddress = getRemoteIpAddress()
+
+ val authHeaders = AuthorisationUtil.getAuthorisationHeaders(reqHeaders)
+
 val res =
- if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
+ if (authHeaders.size > 1) { // Check Authorization Headers ambiguity
+ Future { (Failure(ErrorMessages.AuthorizationHeaderAmbiguity + s"${authHeaders}"), None) }
+ } else if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
 Consent.applyBerlinGroupRules(APIUtil.`getConsent-ID`(reqHeaders), cc)
 } else if (APIUtil.hasConsentJWT(reqHeaders)) { // Open Bank Project's Consent
 val consentValue = APIUtil.getConsentJWT(reqHeaders)
diff --git a/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala b/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
new file mode 100644
index 000000000..ebc7a961c
--- /dev/null
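Review bot: The new Hydra branch is selected by the `HydraUtil.integrateWithHydra` flag alone, whereas every preceding branch in this chain gates on an `isIssuer(value)` check, so once Hydra integration is enabled any token whose issuer matched nothing above is handed to `Hydra.applyRulesFuture` regardless of its `iss`. That is only safe if `Hydra.applyRulesFuture` itself verifies issuer and signature against the configured Hydra instance, which this hunk does not show; if it does not, an issuer check analogous to the ones above belongs in the condition. Either way the asymmetry deserves a comment on the branch, e.g. `// No isIssuer pre-check here: Hydra.applyRulesFuture must verify iss/signature against the configured Hydra`. The enclosing method starts outside the hunk.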
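Review bot: The ambiguity branch returns `None` for the call context, while the comparable failure path in OAuth2.scala (`Future(Failure(Oauth2IsNotRecognized), Some(cc))`) keeps `Some(cc)`; `cc` is in scope on the very next line, so whatever correlation, logging or metrics data the context carries is lost for exactly the requests an operator would want to audit. The value is already computed, so `Future.successful` is the idiomatic form, and `authHeaders.mkString(", ")` reads better in a client-facing message than the `List(...)` rendering produced by `s"${authHeaders}"`: `Future.successful((Failure(ErrorMessages.AuthorizationHeaderAmbiguity + authHeaders.mkString(", ")), Some(cc)))`. Only the consent header names are echoed, not their values, so the message itself discloses nothing sensitive. The enclosing method starts and ends outside the hunk.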
+++ b/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
@@ -0,0 +1,15 @@
+package code.api.util
+
+import code.api.RequestHeader._
+import net.liftweb.http.provider.HTTPParam
+
+object AuthorisationUtil {
+ def getAuthorisationHeaders(requestHeaders: List[HTTPParam]): List[String] = {
+ requestHeaders.map(_.name).filter {
+ case `Consent-Id`| `Consent-ID` | `Consent-JWT` => true
+ case _ => false
+ }
+ }
+
+
+}
diff --git a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
index 0b72bca60..014ed1f7d 100644
--- a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
+++ b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@@ -263,7 +263,10 @@ object ErrorMessages {
 val Oauth2TokenEndpointAuthMethodForbidden = "OBP-20213: The Token Endpoint Auth Method is not supported at this instance: "
 val OneTimePasswordExpired = "OBP-20211: The One Time Password (OTP) has expired. "
 val Oauth2IsNotRecognized = "OBP-20214: OAuth2 Access Token is not recognised at this instance."
-
+ val Oauth2ValidateAccessTokenError = "OBP-20215: There was a problem validating the OAuth2 access token. "
+
+ val AuthorizationHeaderAmbiguity = "OBP-20250: Request headers used for authorization are ambiguous. "
+
 // X.509
 val X509GeneralError = "OBP-20300: PEM Encoded Certificate issue."
 val X509ParsingFailed = "OBP-20301: Parsing failed for PEM Encoded Certificate."
diff --git a/obp-api/src/main/scala/code/api/util/JwtUtil.scala b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
index d7591f7f1..2300ecf4e 100644
--- a/obp-api/src/main/scala/code/api/util/JwtUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
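Review bot: `getAuthorisationHeaders` matches header names case-sensitively against three exact spellings, but HTTP header names are case-insensitive (RFC 7230 §3.2), and the fact that both `Consent-Id` and `Consent-ID` had to be listed already shows that case varies across clients; a request carrying `consent-jwt` next to `Consent-ID` is therefore not counted as ambiguous, unless the servlet container normalises names before they reach `HTTPParam`, which nothing in this hunk establishes. Lower-casing and testing membership in a set closes that gap and states the intent directly; whether the downstream `hasConsentJWT`/`hasConsent-ID` checks are likewise case-insensitive is not visible here and should be confirmed alongside. The method also deserves a Scaladoc line, e.g. `/** Names of the consent headers present in the request; more than one means the request is ambiguous. */`, and the two stray blank lines before the closing brace can go.
```scala
object AuthorisationUtil {
  /** Consent header names, lower-cased: HTTP header names are case-insensitive. */
  private val ConsentHeaderNames: Set[String] =
    Set(`Consent-Id`, `Consent-ID`, `Consent-JWT`).map(_.toLowerCase)

  def getAuthorisationHeaders(requestHeaders: List[HTTPParam]): List[String] =
    requestHeaders.map(_.name).filter(name => ConsentHeaderNames.contains(name.toLowerCase))
}
```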
@@ -217,7 +217,9 @@ object JwtUtil extends MdcLoggable {
 } catch {
 case e: BadJWTException => Failure(ErrorMessages.Oauth2BadJWTException + e.getMessage, Full(e), Empty)
 case e: ParseException => Failure(ErrorMessages.Oauth2ParseException + e.getMessage, Full(e), Empty)
- case e: Exception => Failure(e.getMessage, Full(e), Empty)
+ case e: Exception =>
+ logger.debug(s"remoteJWKSetUrl: $remoteJWKSetUrl")
+ Failure(ErrorMessages.Oauth2ValidateAccessTokenError + e.getMessage, Full(e), Empty)
 }
 }
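Review bot: `e.getMessage` is still concatenated into the returned `Failure` for the catch-all case, so if these messages reach API clients (the sibling `Oauth2BadJWTException`/`Oauth2ParseException` cases suggest they do), a failed JWKS fetch or connection error can echo internal details such as the remote host or URL to the caller, while the `remoteJWKSetUrl` that would let an operator diagnose it is only logged at debug level, which is normally off in production. Keep the detail for operators and return only the generic code: `logger.warn(s"OAuth2 access token validation failed, remoteJWKSetUrl: $remoteJWKSetUrl", e)` followed by `Failure(ErrorMessages.Oauth2ValidateAccessTokenError, Full(e), Empty)`; `Full(e)` still carries the cause internally for callers that inspect the box. The enclosing method starts outside the hunk.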