From c5acd8e748896b13359e6b213ae6abbcb60d472b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Fri, 15 Mar 2024 09:08:48 +0100
Subject: [PATCH 01/10] docfix/Tweak function name and improve a comment

---
 .../src/main/scala/code/api/util/ConsentUtil.scala   |  2 +-
 obp-api/src/main/scala/code/views/MapperViews.scala  | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/util/ConsentUtil.scala b/obp-api/src/main/scala/code/api/util/ConsentUtil.scala
index b8a17d49e..aaa2b75f6 100644
--- a/obp-api/src/main/scala/code/api/util/ConsentUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/ConsentUtil.scala
@@ -415,7 +415,7 @@ object Consent {
       // 1. Get or Create a User
       getOrCreateUser(consent.sub, consent.iss, Some(consent.toConsent().consentId), None, None) map {
         case (Full(user), newUser) =>
-          // 2. Assign entitlements to the User
+          // 2. Assign entitlements (Roles) to the User
           addEntitlements(user, consent) match {
             case Full(user) =>
               // 3. Copy Auth Context to the User
diff --git a/obp-api/src/main/scala/code/views/MapperViews.scala b/obp-api/src/main/scala/code/views/MapperViews.scala
index 9b6c46cc7..aa2e6980c 100644
--- a/obp-api/src/main/scala/code/views/MapperViews.scala
+++ b/obp-api/src/main/scala/code/views/MapperViews.scala
@@ -90,14 +90,14 @@ object MapperViews extends Views with MdcLoggable {
     Full(Permission(user, getViewsForUser(user)))
   }
   // This is an idempotent function
-  private def getOrGrantAccessToCustomView(user: User, viewDefinition: View, bankId: String, accountId: String): Box[View] = {
+  private def getOrGrantAccessToViewCommon(user: User, viewDefinition: View, bankId: String, accountId: String): Box[View] = {
     if (AccountAccess.findByUniqueIndex(
       BankId(bankId),
       AccountId(accountId), 
       viewDefinition.viewId,
       user.userPrimaryKey, 
       ALL_CONSUMERS).isEmpty) {
-      logger.debug(s"getOrGrantAccessToCustomView AccountAccess.create" +
+      logger.debug(s"getOrGrantAccessToViewCommon AccountAccess.create" +
         s"user(UserId(${user.userId}), ViewId(${viewDefinition.viewId.value}), bankId($bankId), accountId($accountId), consumerId($ALL_CONSUMERS)")
       // SQL Insert AccountAccessList
       val saved = AccountAccess.create.
@@ -115,13 +115,13 @@ object MapperViews extends Views with MdcLoggable {
         Empty ~> APIFailure("Server error adding permission", 500) //TODO: move message + code logic to api level
       }
     } else {
-      logger.debug(s"getOrGrantAccessToCustomView AccountAccess is already existing (UserId(${user.userId}), ViewId(${viewDefinition.viewId.value}), bankId($bankId), accountId($accountId))")
+      logger.debug(s"getOrGrantAccessToViewCommon AccountAccess is already existing (UserId(${user.userId}), ViewId(${viewDefinition.viewId.value}), bankId($bankId), accountId($accountId))")
       Full(viewDefinition)
     } //accountAccess already exists, no need to create one
   }
   // This is an idempotent function 
   private def getOrGrantAccessToSystemView(bankId: BankId, accountId: AccountId, user: User, view: View): Box[View] = {
-    getOrGrantAccessToCustomView(user, view, bankId.value, accountId.value)
+    getOrGrantAccessToViewCommon(user, view, bankId.value, accountId.value)
   }
   // TODO Accept the whole view as a parameter so we don't have to select it here.
   def grantAccessToCustomView(viewIdBankIdAccountId: ViewIdBankIdAccountId, user: User): Box[View] = {
@@ -136,7 +136,7 @@ object MapperViews extends Views with MdcLoggable {
         if(v.isPublic && !allowPublicViews) return Failure(PublicViewsNotAllowedOnThisInstance)
         // SQL Select Count AccountAccessList where
         // This is idempotent
-        getOrGrantAccessToCustomView(user, v, viewIdBankIdAccountId.bankId.value, viewIdBankIdAccountId.accountId.value) //accountAccess already exists, no need to create one
+        getOrGrantAccessToViewCommon(user, v, viewIdBankIdAccountId.bankId.value, viewIdBankIdAccountId.accountId.value) //accountAccess already exists, no need to create one
       }
       case _ => {
         Empty ~> APIFailure(s"View $viewIdBankIdAccountId. not found", 404) //TODO: move message + code logic to api level
@@ -168,7 +168,7 @@ object MapperViews extends Views with MdcLoggable {
         val viewDefinition = v._1
         val viewIdBankIdAccountId = v._2
         // This is idempotent 
-        getOrGrantAccessToCustomView(user, viewDefinition, viewIdBankIdAccountId.bankId.value, viewIdBankIdAccountId.accountId.value)
+        getOrGrantAccessToViewCommon(user, viewDefinition, viewIdBankIdAccountId.bankId.value, viewIdBankIdAccountId.accountId.value)
       })
       Full(viewDefinitions.map(_._1))
     }

From eb8d39e2814b3e864d2805796d5877301cbc08c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Mon, 18 Mar 2024 11:31:38 +0100
Subject: [PATCH 02/10] docfix/Fix typos

---
 obp-api/src/main/resources/props/sample.props.template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/obp-api/src/main/resources/props/sample.props.template b/obp-api/src/main/resources/props/sample.props.template
index 1a8952ea3..2ea77fb3d 100644
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@@ -1178,12 +1178,12 @@ webui_developer_user_invitation_email_html_text=<!DOCTYPE html>\
 # List of countries where consent is not required for the collection of personal data
 personal_data_collection_consent_country_waiver_list = Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, England, Scotland, Wales, Northern Ireland
 
-# Sngle Sign On/Off
+# Single Sign On/Off
 # sso.enabled=false
 
 # Local identity provider url
 # it defaults to the hostname props value
-# local_identity_provider=strongly recomended to use top level domain name so that all nodes in the cluster share same provider name
+# local_identity_provider=strongly recommended to use top level domain name so that all nodes in the cluster share same provider name
 
 
 # enable dynamic code sandbox, default is false, this will make sandbox works for code running in Future, will make performance lower than disable

From 94a59193c073a8f5dee91425f2954fb6da75b83e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Mon, 18 Mar 2024 15:08:13 +0100
Subject: [PATCH 03/10] bugfix/Function findUserByUsernameLocally MUST use
 composite key (username, provider)

---
 .../code/model/dataAccess/AuthUser.scala      | 34 ++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
index e08a215ac..6d1fc7c9a 100644
--- a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
+++ b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
@@ -1544,12 +1544,38 @@ def restoreSomeSessions(): Unit = {
         false
       }
   }
+
+  /*
+          ┌────────────┐
+          │FIND A USER │
+          │AT MAPPER DB│
+          └──────┬─────┘
+      ___________▽___________                        ┌────────────────────────┐
+     ╱        props:         ╲                       │FIND USER BY COMPOSITE  │
+    ╱ local_identity_provider ╲______________________│KEY (username,          │
+    ╲                         ╱yes                   │local_identity_provider)│
+     ╲_______________________╱                       └────────────┬───────────┘
+                 │no                                              │
+              ___▽____     ┌────────────────────────┐             │
+             ╱ props: ╲    │FIND USER BY COMPOSITE  │             │
+            ╱ hostname ╲___│KEY (username, hostname)│             │
+            ╲          ╱yes└────────────┬───────────┘             │
+             ╲________╱                 │                         │
+                 │no                    │                         │
+              ┌──▽──┐                   │                         │
+              │ERROR│                   │                         │
+              └─────┘                   │                         │
+                                        └──────┬──────────────────┘
+                                          ┌────▽────┐
+                                          │BOX[USER]│
+                                          └─────────┘
+  */
   /**
-    * Find the authUser by author user name(authUser and resourceUser are the same).
-    * Only search for the local database. 
-    */
+   * Find the authUser by author user name(authUser and resourceUser are the same).
+   * Only search for the local database
+   */
   def findUserByUsernameLocally(name: String): Box[TheUserType] = {
-    find(By(this.username, name))
+    find(By(this.username, name), By(this.provider, Constant.localIdentityProvider))
   }
 
   def passwordResetUrl(name: String, email: String, userId: String): String = {

From ffb9919e947ca1342e45d5623afd433d4df8aca2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Tue, 19 Mar 2024 11:21:51 +0100
Subject: [PATCH 04/10] refactor/Reduce use of the function
 findAuthUserByUsernameLocally

---
 .../src/main/scala/code/api/directlogin.scala |   2 +-
 .../bankconnectors/LocalMappedConnector.scala |   4 +-
 .../code/model/dataAccess/AuthUser.scala      | 146 +++++++++---------
 .../test/scala/code/api/DirectLoginTest.scala |   2 +-
 4 files changed, 79 insertions(+), 75 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/directlogin.scala b/obp-api/src/main/scala/code/api/directlogin.scala
index 62b45943c..576ce7511 100644
--- a/obp-api/src/main/scala/code/api/directlogin.scala
+++ b/obp-api/src/main/scala/code/api/directlogin.scala
@@ -114,7 +114,7 @@ object DirectLogin extends RestHelper with MdcLoggable {
   def grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin(userId:Long) = {
     try {
       val resourceUser = UserX.findByResourceUserId(userId).openOrThrowException(s"$InvalidDirectLoginParameters can not find the resourceUser!")
-      val authUser = AuthUser.findUserByUsernameLocally(resourceUser.name).openOrThrowException(s"$InvalidDirectLoginParameters can not find the auth user!")
+      val authUser = AuthUser.findAuthUserByPrimaryKey(resourceUser.userPrimaryKey.value).openOrThrowException(s"$InvalidDirectLoginParameters can not find the auth user!")
       AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(authUser)
       AuthUser.grantEmailDomainEntitlementsToUser(authUser)
       // User init actions
diff --git a/obp-api/src/main/scala/code/bankconnectors/LocalMappedConnector.scala b/obp-api/src/main/scala/code/bankconnectors/LocalMappedConnector.scala
index 70d8be346..631bac4fd 100644
--- a/obp-api/src/main/scala/code/bankconnectors/LocalMappedConnector.scala
+++ b/obp-api/src/main/scala/code/bankconnectors/LocalMappedConnector.scala
@@ -52,7 +52,7 @@ import code.metadata.transactionimages.TransactionImages
 import code.metadata.wheretags.WhereTags
 import code.metrics.MappedMetric
 import code.model._
-import code.model.dataAccess.AuthUser.findUserByUsernameLocally
+import code.model.dataAccess.AuthUser.findAuthUserByUsernameLocally
 import code.model.dataAccess._
 import code.productAttributeattribute.MappedProductAttribute
 import code.productattribute.ProductAttributeX
@@ -5793,7 +5793,7 @@ object LocalMappedConnector extends Connector with MdcLoggable {
   //NOTE: this method is not for mapped connector, we put it here for the star default implementation.
   //    : we call that method only when we set external authentication and provider is not OBP-API
   override def checkExternalUserExists(username: String, callContext: Option[CallContext]): Box[InboundExternalUser] = {
-    findUserByUsernameLocally(username).map( user =>
+    findAuthUserByUsernameLocally(username).map(user =>
       InboundExternalUser(aud = "",
         exp = "",
         iat = "",
diff --git a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
index 6d1fc7c9a..38e785b22 100644
--- a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
+++ b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
@@ -591,7 +591,7 @@ import net.liftweb.util.Helpers._
    * Overridden to use the hostname set in the props file
    */
   override def sendPasswordReset(name: String) {
-    findUserByUsernameLocally(name).toList ::: findUsersByEmailLocally(name) map {
+    findAuthUserByUsernameLocally(name).toList ::: findUsersByEmailLocally(name) map {
       // reason of case parameter name is "u" instead of "user": trait AuthUser have constant mumber name is "user"
       // So if the follow case paramter name is "user" will cause compile warnings
       case u if u.validated_? =>
@@ -653,14 +653,14 @@ import net.liftweb.util.Helpers._
         generateValidationEmailBodies(user, resetLink) :::
         (bccEmail.toList.map(BCC(_))) :_* )
   }
-  
+
    def grantDefaultEntitlementsToAuthUser(user: TheUserType) = {
      tryo{getResourceUserByUsername(user.getProvider(), user.username.get).head.userId} match {
        case Full(userId)=>APIUtil.grantDefaultEntitlementsToNewUser(userId)
        case _ => logger.error("Can not getResourceUserByUsername here, so it breaks the grantDefaultEntitlementsToNewUser process.")
      }
    }
-  
+
   override def validateUser(id: String): NodeSeq = findUserByUniqueId(id) match {
     case Full(user) if !user.validated_? =>
       user.setValidated(true).resetUniqueId().save
@@ -668,7 +668,7 @@ import net.liftweb.util.Helpers._
       logUserIn(user, () => {
         S.notice(S.?("account.validated"))
         APIUtil.getPropsValue("user_account_validated_redirect_url") match {
-          case Full(redirectUrl) => 
+          case Full(redirectUrl) =>
             logger.debug(s"user_account_validated_redirect_url = $redirectUrl")
             S.redirectTo(redirectUrl)
           case _ =>
@@ -679,7 +679,7 @@ import net.liftweb.util.Helpers._
 
     case _ => S.error(S.?("invalid.validation.link")); S.redirectTo(homePage)
   }
-  
+
   override def actionsAfterSignup(theUser: TheUserType, func: () => Nothing): Nothing = {
     theUser.setValidated(skipEmailValidation).resetUniqueId()
     theUser.save
@@ -737,7 +737,7 @@ import net.liftweb.util.Helpers._
       scala.xml.Unparsed(s"""$agreeTermsHtml""")
     }
   }
-  
+
   def agreePrivacyPolicy = {
     val webUi = new WebUI
     val privacyPolicyCheckboxText = Helper.i18n("privacy_policy_checkbox_text", Some("I agree to the above Privacy Policy"))
@@ -755,7 +755,7 @@ import net.liftweb.util.Helpers._
                            |                        <hr>""".stripMargin
 
     scala.xml.Unparsed(agreePrivacyPolicy)
-  }  
+  }
   def enableDisableSignUpButton = {
     val javaScriptCode = """<script>
                                |                function enableDisableButton() {
@@ -774,7 +774,7 @@ import net.liftweb.util.Helpers._
   }
 
   def signupFormTitle = getWebUiPropsValue("webui_signup_form_title_text", S.?("sign.up"))
-  
+
   override def signupXhtml (user:AuthUser) =  {
     <div id="signup" tabindex="-1">
       <form method="post" action={ObpS.uriAndQueryString.getOrElse(ObpS.uri)}>
@@ -813,7 +813,7 @@ import net.liftweb.util.Helpers._
         </div>
       }
     }
-      
+
   }
 
   def userLoginFailed = {
@@ -840,7 +840,7 @@ import net.liftweb.util.Helpers._
 
 
   def getResourceUserId(username: String, password: String): Box[Long] = {
-    findUserByUsernameLocally(username) match {
+    findAuthUserByUsernameLocally(username) match {
       // We have a user from the local provider.
       case Full(user) if (user.getProvider() == Constant.localIdentityProvider) =>
         if (
@@ -909,8 +909,8 @@ import net.liftweb.util.Helpers._
   /**
     * This method is belong to AuthUser, it is used for authentication(Login stuff)
     * 1 get the user over connector.
-    * 2 check whether it is existing in AuthUser table in obp side. 
-    * 3 if not existing, will create new AuthUser. 
+    * 2 check whether it is existing in AuthUser table in obp side.
+    * 3 if not existing, will create new AuthUser.
     * @return Return the authUser
     */
   @deprecated("we have @checkExternalUserViaConnector method ","01-07-2020")
@@ -918,7 +918,7 @@ import net.liftweb.util.Helpers._
     Connector.connector.vend.getUser(name, password) match {
       case Full(InboundUser(extEmail, extPassword, extUsername)) => {
         val extProvider = connector
-        val user = findUserByUsernameLocally(name) match {
+        val user = findAuthUserByUsernameLocally(name) match {
           // Check if the external user is already created locally
           case Full(user) if user.validated_?
             // && user.provider == extProvider
@@ -954,14 +954,14 @@ import net.liftweb.util.Helpers._
   /**
     * This method is belong to AuthUser, it is used for authentication(Login stuff)
     * 1 get the user over connector.
-    * 2 check whether it is existing in AuthUser table in obp side. 
-    * 3 if not existing, will create new AuthUser. 
+    * 2 check whether it is existing in AuthUser table in obp side.
+    * 3 if not existing, will create new AuthUser.
     * @return Return the authUser
     */
   def checkExternalUserViaConnector(username: String, password: String):Box[AuthUser] = {
     Connector.connector.vend.checkExternalUserCredentials(username, password, None) match {
       case Full(InboundExternalUser(aud, exp, iat, iss, sub, azp, email, emailVerified, name, userAuthContexts)) =>
-        val user = findUserByUsernameLocally(sub) match { // Check if the external user is already created locally
+        val user = findAuthUserByUsernameLocally(sub) match { // Check if the external user is already created locally
           case Full(user) if user.validated_? => // Return existing user if found
             logger.debug("external user already exists locally, using that one")
             userAuthContexts match {
@@ -990,7 +990,7 @@ import net.liftweb.util.Helpers._
               // get resourceUserId from AuthUser.
               val resourceUserId = user.user.foreign.map(_.userId).getOrElse("")
               // we try to catch this exception, the createOrUpdateUserAuthContexts can not break the login process.
-              tryo {UserAuthContextProvider.userAuthContextProvider.vend.createOrUpdateUserAuthContexts(resourceUserId, authContexts)} 
+              tryo {UserAuthContextProvider.userAuthContextProvider.vend.createOrUpdateUserAuthContexts(resourceUserId, authContexts)}
                 .openOr(logger.error(s"${resourceUserId} checkExternalUserViaConnector.createOrUpdateUserAuthContexts throw exception! "))
           }
           case None => // Do nothing
@@ -1023,11 +1023,11 @@ def restoreSomeSessions(): Unit = {
 
   //overridden to allow a redirection if login fails
   /**
-    * Success cases: 
+    * Success cases:
     *  case1: user validated && user not locked && user.provider from localhost && password correct --> Login in
     *  case2: user validated && user not locked && user.provider not localhost  && password correct --> Login in
     *  case3: user from remote && checked over connector --> Login in
-    *  
+    *
     * Error cases:
     *  case1: user is locked --> UsernameHasBeenLocked
     *  case2: user.validated_? --> account.validation.error
@@ -1103,7 +1103,7 @@ def restoreSomeSessions(): Unit = {
       user.validated_? && !LoginAttempt.userIsLocked(user.getProvider(), usernameFromGui) &&
         !isObpProvider(user)
     }
-    
+
     def loginAction = {
       if (S.post_?) {
         val usernameFromGui = ObpS.param("username").getOrElse("")
@@ -1113,15 +1113,15 @@ def restoreSomeSessions(): Unit = {
         val emptyField = usernameEmptyField || passwordEmptyField
         emptyField match {
           case true =>
-            if(usernameEmptyField) 
+            if(usernameEmptyField)
               S.error("login-form-username-error", Helper.i18n("please.enter.your.username"))
-            if(passwordEmptyField) 
+            if(passwordEmptyField)
               S.error("login-form-password-error", Helper.i18n("please.enter.your.password"))
           case false =>
-            findUserByUsernameLocally(usernameFromGui) match {
+            findAuthUserByUsernameLocally(usernameFromGui) match {
               case Full(user) if !user.validated_? =>
                 S.error(S.?("account.validation.error"))
-              
+
               // Check if user comes from localhost and
               case Full(user) if obpUserIsValidatedAndNotLocked(usernameFromGui, user) =>
                 if(user.testPassword(Full(passwordFromGui))) { // if User is NOT locked and password is good
@@ -1142,7 +1142,7 @@ def restoreSomeSessions(): Unit = {
               case Full(user) if LoginAttempt.userIsLocked(user.getProvider(), usernameFromGui) =>
                 LoginAttempt.incrementBadLoginAttempts(user.getProvider(),usernameFromGui)
                 S.error(S.?(ErrorMessages.UsernameHasBeenLocked))
-    
+
               // Check if user came from kafka/obpjvm/stored_procedure and
               // if User is NOT locked. Then check username and password
               // from connector in case they changed on the south-side
@@ -1159,21 +1159,21 @@ def restoreSomeSessions(): Unit = {
                   AfterApiAuth.innerLoginUserInitAction(Full(user))
                   checkInternalRedirectAndLogUserIn(preLoginState, redirect, user)
 
-                
+
               // Error case:
               // the username exist but provider cannot be matched
               // It can happen via next scenario:
               //   - sign up user at some obp-api cluster
               //   - change a url of the cluster
-              //   - try to log on user at the cluster  
+              //   - try to log on user at the cluster
               case Full(user) if !isObpProvider(user) =>
                 S.error(S.?(s"${ErrorMessages.InvalidProviderUrl} Actual: ${Constant.localIdentityProvider}, Expected: ${user.provider}"))
-              
-                
+
+
               // If user cannot be found locally, try to authenticate user via connector
-              case Empty if (APIUtil.getPropsAsBoolValue("connector.user.authentication", false) || 
+              case Empty if (APIUtil.getPropsAsBoolValue("connector.user.authentication", false) ||
                 APIUtil.getPropsAsBoolValue("kafka.user.authentication", false) ) =>
-                
+
                 val preLoginState = capturePreLoginState()
                 logger.info("login redirect: " + loginRedirect.get)
                 val redirect = redirectUri()
@@ -1188,9 +1188,9 @@ def restoreSomeSessions(): Unit = {
                       Empty
                       S.error(Helper.i18n("invalid.login.credentials"))
                 }
-                
-              //If there is NO the username, throw the error message.  
-              case Empty => 
+
+              //If there is NO the username, throw the error message.
+              case Empty =>
                 S.error(Helper.i18n("invalid.login.credentials"))
               case unhandledCase =>
                 logger.error("------------------------------------------------------")
@@ -1204,7 +1204,7 @@ def restoreSomeSessions(): Unit = {
         }
       }
     }
-    
+
     // In this function we bind submit button to loginAction function.
     // In case that unique token of submit button cannot be paired submit action will be omitted.
     // Implemented in order to prevent a CSRF attack
@@ -1227,8 +1227,8 @@ def restoreSomeSessions(): Unit = {
       case _ => S.redirectTo(homePage)
     }
   }
-  
-  
+
+
   /**
     * The user authentications is not exciting in obp side, it need get the user via connector
     */
@@ -1246,7 +1246,7 @@ def restoreSomeSessions(): Unit = {
      }
    }
   }
-  
+
   /**
     * This method will update the views and createAccountHolder ....
     */
@@ -1266,10 +1266,10 @@ def restoreSomeSessions(): Unit = {
       } yield {
         user
       }
-    } 
+    }
   }
-  
-  
+
+
   /**
     * This method will update the views and createAccountHolder ....
     */
@@ -1284,8 +1284,8 @@ def restoreSomeSessions(): Unit = {
   }
 
   /**
-   * A Space is an alias for the OBP Bank. Each Bank / Space can contain many Dynamic Endpoints. If a User belongs to a Space, 
-   * the User can use those endpoints but not modify them. If a User creates a Bank (aka Space) the user can create 
+   * A Space is an alias for the OBP Bank. Each Bank / Space can contain many Dynamic Endpoints. If a User belongs to a Space,
+   * the User can use those endpoints but not modify them. If a User creates a Bank (aka Space) the user can create
    * and modify Dynamic Endpoints and other objects in that Bank / Space.
    *
    * @return
@@ -1333,7 +1333,7 @@ def restoreSomeSessions(): Unit = {
       }
 
       // if user's auto granted entitlement invalid, delete it.
-      // invalid happens when some dynamic endpoints are removed, so the entitlements linked to the deleted dynamic endpoints are invalid. 
+      // invalid happens when some dynamic endpoints are removed, so the entitlements linked to the deleted dynamic endpoints are invalid.
       for {
         grantedEntitlement <- entitlementsGrantedByThisProcess
         grantedEntitlementRoleName = grantedEntitlement.roleName
@@ -1350,7 +1350,7 @@ def restoreSomeSessions(): Unit = {
       }
     }
   }
-  
+
   def grantEmailDomainEntitlementsToUser(user: AuthUser) = {
     if(emailDomainToEntitlementMappings.nonEmpty){
       val createdByProcess = "grantEmailDomainEntitlementsToUser"
@@ -1378,7 +1378,7 @@ def restoreSomeSessions(): Unit = {
       }
 
       // if user's auto granted entitlement invalid, delete it.
-      // invalid happens when some dynamic endpoints are removed, so the entitlements linked to the deleted dynamic endpoints are invalid. 
+      // invalid happens when some dynamic endpoints are removed, so the entitlements linked to the deleted dynamic endpoints are invalid.
       for {
         grantedEntitlement <- entitlementsGrantedByThisProcess
         grantedEntitlementRoleName = grantedEntitlement.roleName
@@ -1395,7 +1395,7 @@ def restoreSomeSessions(): Unit = {
       }
     }
   }
-  
+
   /**
    * This method is used for onboarding bank customer to OBP.
    *  1st: we will get all the accountsHeld from CBS side.
@@ -1407,23 +1407,23 @@ def restoreSomeSessions(): Unit = {
         connectorEmptyResponse(_, callContext)
       }
       _ = logger.debug(s"--> for user($user): AuthUser.refreshUser.accountsHeld : ${accountsHeld}")
-      
+
       success = refreshViewsAccountAccessAndHolders(user, accountsHeld, callContext)
-      
+
     }yield {
       success
     }
   }
-  
+
   @deprecated("This return Box, not a future, try to use @refreshUser instead. ","08-09-2023")
   def refreshUserLegacy(user: User, callContext: Option[CallContext]) = {
     for{
-      (accountsHeld, _) <- Connector.connector.vend.getBankAccountsForUserLegacy(user.provider, user.name, callContext) 
-      
+      (accountsHeld, _) <- Connector.connector.vend.getBankAccountsForUserLegacy(user.provider, user.name, callContext)
+
       _ = logger.debug(s"--> for user($user): AuthUser.refreshUserLegacy.accountsHeld : ${accountsHeld}")
-      
+
       success = refreshViewsAccountAccessAndHolders(user, accountsHeld, callContext)
-      
+
     }yield {
       success
     }
@@ -1433,26 +1433,26 @@ def restoreSomeSessions(): Unit = {
     * This is a helper method
     * create/update/delete the views, accountAccess, accountHolders for OBP get accounts from CBS side.
     * This method can only be used by the original user(account holder).
-   *  InboundAccount return many fields, but in this method, we only need bankId, accountId and viewId so far. 
+   *  InboundAccount return many fields, but in this method, we only need bankId, accountId and viewId so far.
     */
     def refreshViewsAccountAccessAndHolders(user: User, accountsHeld: List[InboundAccount], callContext: Option[CallContext])  = {
       if(user.isOriginalUser){
-        //first, we compare the accounts in obp  and the accounts in cbs,   
+        //first, we compare the accounts in obp  and the accounts in cbs,
         val (_, privateAccountAccess) = Views.views.vend.privateViewsUserCanAccess(user)
         val obpAccountAccessBankAccountIds = privateAccountAccess.map(accountAccess =>BankIdAccountId(BankId(accountAccess.bank_id.get), AccountId(accountAccess.account_id.get))).toSet
-        
+
         // This will return all account held for the user, no mater what the source is.
         val userOwnBankAccountIds = AccountHolders.accountHolders.vend.getAccountsHeldByUser(user)
 
         //The accounts from AccountAccess may contains other users' account info, so here we filter the accounts By account holder, only show the user's own accounts
         val obpBankAccountIds = obpAccountAccessBankAccountIds.filter(bankAccountId => userOwnBankAccountIds.contains(bankAccountId)).toSet
-        
+
         //The accounts from AccountAccess may contains other users' account info, so here we filter the accounts By account holder, only show the user's own accounts
         val cbsBankAccountIds = accountsHeld.map(account =>BankIdAccountId(BankId(account.bankId),AccountId(account.accountId))).toSet
-        
+
         //cbs removed this accounts, but OBP still contains the data for them, so we need to clean data in OBP side.
         val cbsRemovedBankAccountIds = obpBankAccountIds diff cbsBankAccountIds
-        
+
         //cbs has new accounts which are not in obp yet, we need to create new data for these accounts.
         val csbNewBankAccountIds = cbsBankAccountIds diff obpBankAccountIds
 
@@ -1475,7 +1475,7 @@ def restoreSomeSessions(): Unit = {
         } yield {
           success
         }
-        
+
         //2st: create views/accountAccess/accountHolders for the new coming accounts
         for {
           newBankAccountId <- csbNewBankAccountIds
@@ -1504,7 +1504,7 @@ def restoreSomeSessions(): Unit = {
             //obpViewsForAccount = MapperViews.availableViewsForAccount(bankAccountId).map(_.viewId.value)
             obpViewsForAccount = Views.views.vend.privateViewsUserCanAccessForAccount(user, bankAccountId).map(_.viewId.value)
             _ = logger.debug("refreshViewsAccountAccessAndHolders.obpViewsForAccount-------" + obpViewsForAccount)
-            
+
             cbsViewsForAccount = accountsHeld.find(account => account.bankId.equals(bankAccountId.bankId.value) && account.accountId.equals(bankAccountId.accountId.value)).map(_.viewsToGenerate).getOrElse(Nil)
             _ = logger.debug("refreshViewsAccountAccessAndHolders.cbsViewsForAccount-------" + cbsViewsForAccount)
             //cbs removed these views, but OBP still contains the data for them, so we need to clean data in OBP side.
@@ -1512,10 +1512,10 @@ def restoreSomeSessions(): Unit = {
             _ = logger.debug("refreshViewsAccountAccessAndHolders.cbsRemovedViewsForAccount-------" + cbsRemovedViewsForAccount)
             _ = if(cbsRemovedViewsForAccount.nonEmpty){
               val cbsRemovedViewIdBankIdAccountIds = cbsRemovedViewsForAccount.map(view => ViewIdBankIdAccountId(ViewId(view), bankAccountId.bankId, bankAccountId.accountId))
-              Views.views.vend.revokeAccessToMultipleViews(cbsRemovedViewIdBankIdAccountIds, user) 
+              Views.views.vend.revokeAccessToMultipleViews(cbsRemovedViewIdBankIdAccountIds, user)
               cbsRemovedViewsForAccount.map(view =>Views.views.vend.removeCustomView(ViewId(view), bankAccountId))
               UserRefreshes.UserRefreshes.vend.createOrUpdateRefreshUser(user.userId)
-            } 
+            }
             //cbs has new views which are not in obp yet, we need to create new data for these accounts.
             csbNewViewsForAccount = cbsViewsForAccount diff obpViewsForAccount
             _ = logger.debug("refreshViewsAccountAccessAndHolders.csbNewViewsForAccount-------" + csbNewViewsForAccount)
@@ -1525,21 +1525,21 @@ def restoreSomeSessions(): Unit = {
                 _ = logger.debug("refreshViewsAccountAccessAndHolders.csbNewViewsForAccount.newViewForAccount start:-------" + newViewForAccount)
                 view <- Views.views.vend.getOrCreateSystemViewFromCbs(newViewForAccount)//TODO, only support system views so far, may add custom views later.
                 _ = UserRefreshes.UserRefreshes.vend.createOrUpdateRefreshUser(user.userId)
-                view <- if (view.isSystem) //if the view is a system view, we will call `grantAccessToSystemView` 
-                  Views.views.vend.grantAccessToSystemView(bankAccountId.bankId, bankAccountId.accountId, view, user) 
+                view <- if (view.isSystem) //if the view is a system view, we will call `grantAccessToSystemView`
+                  Views.views.vend.grantAccessToSystemView(bankAccountId.bankId, bankAccountId.accountId, view, user)
                 else //otherwise, we will call `grantAccessToCustomView`
                   Views.views.vend.grantAccessToCustomView(view.uid, user)
                 _ = logger.debug("refreshViewsAccountAccessAndHolders.csbNewViewsForAccount.newViewForAccount finish:-------" + newViewForAccount)
               }yield{
                 view
               }
-            } 
+            }
           } yield {
             success
           }
         }
         true
-      }  
+      }
       else {
         false
       }
@@ -1571,12 +1571,16 @@ def restoreSomeSessions(): Unit = {
                                           └─────────┘
   */
   /**
-   * Find the authUser by author user name(authUser and resourceUser are the same).
-   * Only search for the local database
+   * Find the Auth User by the composite key (username, provider).
+   * Only search at the local database.
+   * Please note that provider is implicitly defined i.e. not provided via a parameter
    */
-  def findUserByUsernameLocally(name: String): Box[TheUserType] = {
+  def findAuthUserByUsernameLocally(name: String): Box[TheUserType] = {
     find(By(this.username, name), By(this.provider, Constant.localIdentityProvider))
   }
+  def findAuthUserByPrimaryKey(key: Long): Box[TheUserType] = {
+    find(By(this.user, key))
+  }
 
   def passwordResetUrl(name: String, email: String, userId: String): String = {
     find(By(this.username, name)) match {
diff --git a/obp-api/src/test/scala/code/api/DirectLoginTest.scala b/obp-api/src/test/scala/code/api/DirectLoginTest.scala
index 3946d84d6..2dbbb4a1d 100644
--- a/obp-api/src/test/scala/code/api/DirectLoginTest.scala
+++ b/obp-api/src/test/scala/code/api/DirectLoginTest.scala
@@ -403,7 +403,7 @@ class DirectLoginTest extends ServerSetup with BeforeAndAfter {
         format(username, VALID_PW, KEY))
       
       // Delete the user
-      AuthUser.findUserByUsernameLocally(username).map(_.delete_!())
+      AuthUser.findAll(By(AuthUser.username, username)).map(_.delete_!())
       // Create the user
       AuthUser.create.
         email(EMAIL).

From a6598d9be5a7cc1e3e1bdeedb647a82c3d1a5f09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Tue, 19 Mar 2024 14:13:32 +0100
Subject: [PATCH 05/10] feature/Add glossary items for Client ID and Consumer
 Key

---
 obp-api/src/main/scala/code/api/util/Glossary.scala | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/obp-api/src/main/scala/code/api/util/Glossary.scala b/obp-api/src/main/scala/code/api/util/Glossary.scala
index 7a7657934..2f9219af7 100644
--- a/obp-api/src/main/scala/code/api/util/Glossary.scala
+++ b/obp-api/src/main/scala/code/api/util/Glossary.scala
@@ -742,6 +742,19 @@ object Glossary extends MdcLoggable  {
 		  |Each Consumer has a consumer key and secrect which allows it to enter into secure communication with the API server.
 		""")
 
+	  glossaryItems += GlossaryItem(
+		title = "Consumer.consumer_key (Consumer Key)",
+		description =
+		s"""
+			 |The client identifier issued to the client during the registration process. It is a unique string representing the registration information provided by the client.
+			 |At the time the consumer_key was introduced OAuth 1.0a was only available. The OAuth 2.0 counterpart for this value is client_id
+				|""".stripMargin)
+
+	glossaryItems += GlossaryItem(
+		title = "client_id (Client ID)",
+		description =
+			s"""Please take a look at a Consumer.consumer_key""".stripMargin)
+
 	  glossaryItems += GlossaryItem(
 		title = "Customer",
 		description =

From 04b70655fa46910cd9d89613c0807a94198905b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Wed, 20 Mar 2024 13:19:37 +0100
Subject: [PATCH 06/10] feature/Add props use_obp_user_at_hydra

---
 .../resources/props/sample.props.template     |  2 +
 obp-api/src/main/scala/code/api/OAuth2.scala  | 38 ++++++++++++-------
 .../src/main/scala/code/util/HydraUtil.scala  |  2 +
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/obp-api/src/main/resources/props/sample.props.template b/obp-api/src/main/resources/props/sample.props.template
index 2ea77fb3d..6ac90b4fd 100644
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@@ -1031,6 +1031,8 @@ outboundAdapterCallContext.generalContext
 # There are 2 ways of authenticating OAuth 2.0 Clients at the /oauth2/token we support: private_key_jwt and client_secret_post
 # hydra_token_endpoint_auth_method=private_key_jwt
 # hydra_supported_token_endpoint_auth_methods=client_secret_basic,client_secret_post,private_key_jwt
+## ORY Hydra login url is "obp-api-hostname/user_mgt/login" implies "true" in order to avoid creation of a new user during OIDC flow
+# use_obp_user_at_hydra=false
 # ------------------------------ Hydra oauth2 props end ------------------------------
 
 # ------------------------------ default entitlements ------------------------------
diff --git a/obp-api/src/main/scala/code/api/OAuth2.scala b/obp-api/src/main/scala/code/api/OAuth2.scala
index 5e2ec6e21..9838e6b4e 100644
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@@ -28,7 +28,6 @@ package code.api
 
 import java.net.URI
 import java.util
-
 import code.api.util.ErrorMessages._
 import code.api.util.{APIUtil, CallContext, JwtUtil}
 import code.consumer.Consumers
@@ -38,6 +37,7 @@ import code.model.Consumer
 import code.util.HydraUtil._
 import code.users.Users
 import code.util.Helper.MdcLoggable
+import code.util.HydraUtil
 import com.nimbusds.jwt.JWTClaimsSet
 import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet
 import com.openbankproject.commons.ExecutionContext.Implicits.global
@@ -274,13 +274,13 @@ object OAuth2Login extends RestHelper with MdcLoggable {
       * @return an existing or a new user
       */
     def getOrCreateResourceUserFuture(idToken: String): Future[Box[User]] = {
-      val subject = JwtUtil.getSubject(idToken).getOrElse("")
-      val issuer = JwtUtil.getIssuer(idToken).getOrElse("")
+      val uniqueIdGivenByProvider = JwtUtil.getSubject(idToken).getOrElse("")
+      val provider = resolveProvider(idToken)
       Users.users.vend.getOrCreateUserByProviderIdFuture(
-        provider = issuer, 
-        idGivenByProvider = subject,
+        provider = provider,
+        idGivenByProvider = uniqueIdGivenByProvider,
         consentId = None, 
-        name = getClaim(name = "given_name", idToken = idToken).orElse(Some(subject)),
+        name = getClaim(name = "given_name", idToken = idToken).orElse(Some(uniqueIdGivenByProvider)),
         email = getClaim(name = "email", idToken = idToken)
       ).map(_._1)
     }
@@ -301,14 +301,14 @@ object OAuth2Login extends RestHelper with MdcLoggable {
       * @return an existing or a new user
       */
     def getOrCreateResourceUser(idToken: String): Box[User] = {
-      val subject = JwtUtil.getSubject(idToken).getOrElse("")
-      val issuer = JwtUtil.getIssuer(idToken).getOrElse("")
-      Users.users.vend.getUserByProviderId(provider = issuer, idGivenByProvider = subject).or { // Find a user
+      val uniqueIdGivenByProvider = JwtUtil.getSubject(idToken).getOrElse("")
+      val provider = resolveProvider(idToken)
+      Users.users.vend.getUserByProviderId(provider = provider, idGivenByProvider = uniqueIdGivenByProvider).or { // Find a user
         Users.users.vend.createResourceUser( // Otherwise create a new one
-          provider = issuer,
-          providerId = Some(subject),
+          provider = provider,
+          providerId = Some(uniqueIdGivenByProvider),
           None,
-          name = getClaim(name = "given_name", idToken = idToken).orElse(Some(subject)),
+          name = getClaim(name = "given_name", idToken = idToken).orElse(Some(uniqueIdGivenByProvider)),
           email = getClaim(name = "email", idToken = idToken),
           userId = None,
           createdByUserInvitationId = None,
@@ -317,7 +317,19 @@ object OAuth2Login extends RestHelper with MdcLoggable {
         )
       }
     }
-    /** 
+
+    private def resolveProvider(idToken: String) = {
+      isIssuer(jwtToken = idToken, identityProvider = hydraPublicUrl) match {
+        case true if HydraUtil.useObpUserAtHydra => // Case that source of the truth of Hydra user management is the OBP-API mapper DB
+          // In case that ORY Hydra login url is "hostname/user_mgt/login" we MUST override hydraPublicUrl as provider
+          // in order to avoid creation of a new user
+          Constant.localIdentityProvider
+        case false => // All other cases implies a new user creation
+          JwtUtil.getIssuer(idToken).getOrElse("")
+      }
+    }
+
+    /**
       * This function creates a consumer based on "azp", "sub", "iss", "name" and "email" fields
       * Please note that a user must be created before consumer.
       * Unique criteria to decide do we create or get a consumer is pair o values: < sub : azp > i.e.
diff --git a/obp-api/src/main/scala/code/util/HydraUtil.scala b/obp-api/src/main/scala/code/util/HydraUtil.scala
index 4185c4f92..b9e522c77 100644
--- a/obp-api/src/main/scala/code/util/HydraUtil.scala
+++ b/obp-api/src/main/scala/code/util/HydraUtil.scala
@@ -25,6 +25,8 @@ object HydraUtil extends MdcLoggable{
 
   val mirrorConsumerInHydra = APIUtil.getPropsAsBoolValue("mirror_consumer_in_hydra", false)
 
+  val useObpUserAtHydra = APIUtil.getPropsAsBoolValue("use_obp_user_at_hydra", false)
+
   val clientSecretPost = "client_secret_post"
   
   val hydraTokenEndpointAuthMethod =

From 7486a20bc4b9f327bba555bc611c8b8b4a94c6b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Thu, 21 Mar 2024 11:35:21 +0100
Subject: [PATCH 07/10] feature/Add props use_obp_user_at_hydra 2

---
 obp-api/src/main/scala/code/api/OAuth2.scala     |  2 +-
 .../src/main/scala/code/api/openidconnect.scala  | 16 +++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/obp-api/src/main/scala/code/api/OAuth2.scala b/obp-api/src/main/scala/code/api/OAuth2.scala
index 9838e6b4e..8ff4238d4 100644
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@@ -318,7 +318,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
       }
     }
 
-    private def resolveProvider(idToken: String) = {
+    def resolveProvider(idToken: String) = {
       isIssuer(jwtToken = idToken, identityProvider = hydraPublicUrl) match {
         case true if HydraUtil.useObpUserAtHydra => // Case that source of the truth of Hydra user management is the OBP-API mapper DB
           // In case that ORY Hydra login url is "hostname/user_mgt/login" we MUST override hydraPublicUrl as provider
diff --git a/obp-api/src/main/scala/code/api/openidconnect.scala b/obp-api/src/main/scala/code/api/openidconnect.scala
index 370257670..f05adb7eb 100644
--- a/obp-api/src/main/scala/code/api/openidconnect.scala
+++ b/obp-api/src/main/scala/code/api/openidconnect.scala
@@ -27,6 +27,8 @@ TESOBE (http://www.tesobe.com/)
 package code.api
 
 import java.net.HttpURLConnection
+
+import code.api.OAuth2Login.Hydra
 import code.api.util.APIUtil._
 import code.api.util.{APIUtil, AfterApiAuth, ErrorMessages, JwtUtil}
 import code.consumer.Consumers
@@ -38,7 +40,7 @@ import code.token.{OpenIDConnectToken, TokensOpenIDConnect}
 import code.users.Users
 import code.util.Helper.{MdcLoggable, ObpS}
 import com.openbankproject.commons.model.User
-import com.openbankproject.commons.util.{ApiVersion,ApiVersionStatus}
+import com.openbankproject.commons.util.{ApiVersion, ApiVersionStatus}
 import javax.net.ssl.HttpsURLConnection
 import net.liftweb.common._
 import net.liftweb.http._
@@ -195,14 +197,14 @@ object OpenIdConnect extends OBPRestHelper with MdcLoggable {
   }
 
   private def getOrCreateResourceUser(idToken: String): Box[User] = {
-    val subject = JwtUtil.getSubject(idToken)
-    val issuer = JwtUtil.getIssuer(idToken).getOrElse("")
-    Users.users.vend.getUserByProviderId(provider = issuer, idGivenByProvider = subject.getOrElse("")).or { // Find a user
+    val uniqueIdGivenByProvider = JwtUtil.getSubject(idToken)
+    val provider = Hydra.resolveProvider(idToken)
+    Users.users.vend.getUserByProviderId(provider = provider, idGivenByProvider = uniqueIdGivenByProvider.getOrElse("")).or { // Find a user
       Users.users.vend.createResourceUser( // Otherwise create a new one
-        provider = issuer,
-        providerId = subject,
+        provider = provider,
+        providerId = uniqueIdGivenByProvider,
         createdByConsentId = None,
-        name = subject,
+        name = uniqueIdGivenByProvider,
         email = getClaim(name = "email", idToken = idToken),
         userId = None,
         createdByUserInvitationId = None,

From 40348bd04cb2d8fd8482f1e6e357674b3bab7981 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Fri, 22 Mar 2024 11:50:05 +0100
Subject: [PATCH 08/10] feature/Tweak props hydra_uses_obp_user_credentials

---
 obp-api/src/main/resources/props/sample.props.template | 2 +-
 obp-api/src/main/scala/code/api/OAuth2.scala           | 5 +++--
 obp-api/src/main/scala/code/util/HydraUtil.scala       | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/obp-api/src/main/resources/props/sample.props.template b/obp-api/src/main/resources/props/sample.props.template
index 6ac90b4fd..e71ce467b 100644
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@@ -1032,7 +1032,7 @@ outboundAdapterCallContext.generalContext
 # hydra_token_endpoint_auth_method=private_key_jwt
 # hydra_supported_token_endpoint_auth_methods=client_secret_basic,client_secret_post,private_key_jwt
 ## ORY Hydra login url is "obp-api-hostname/user_mgt/login" implies "true" in order to avoid creation of a new user during OIDC flow
-# use_obp_user_at_hydra=false
+# hydra_uses_obp_user_credentials=true
 # ------------------------------ Hydra oauth2 props end ------------------------------
 
 # ------------------------------ default entitlements ------------------------------
diff --git a/obp-api/src/main/scala/code/api/OAuth2.scala b/obp-api/src/main/scala/code/api/OAuth2.scala
index 8ff4238d4..396cd89e1 100644
--- a/obp-api/src/main/scala/code/api/OAuth2.scala
+++ b/obp-api/src/main/scala/code/api/OAuth2.scala
@@ -320,11 +320,12 @@ object OAuth2Login extends RestHelper with MdcLoggable {
 
     def resolveProvider(idToken: String) = {
       isIssuer(jwtToken = idToken, identityProvider = hydraPublicUrl) match {
-        case true if HydraUtil.useObpUserAtHydra => // Case that source of the truth of Hydra user management is the OBP-API mapper DB
+        case true if HydraUtil.hydraUsesObpUserCredentials => // Case that source of the truth of Hydra user management is the OBP-API mapper DB
           // In case that ORY Hydra login url is "hostname/user_mgt/login" we MUST override hydraPublicUrl as provider
           // in order to avoid creation of a new user
           Constant.localIdentityProvider
-        case false => // All other cases implies a new user creation
+        case _ => // All other cases implies a new user creation
+          // TODO raise exception in case of else case
           JwtUtil.getIssuer(idToken).getOrElse("")
       }
     }
diff --git a/obp-api/src/main/scala/code/util/HydraUtil.scala b/obp-api/src/main/scala/code/util/HydraUtil.scala
index b9e522c77..f55dd0591 100644
--- a/obp-api/src/main/scala/code/util/HydraUtil.scala
+++ b/obp-api/src/main/scala/code/util/HydraUtil.scala
@@ -25,7 +25,7 @@ object HydraUtil extends MdcLoggable{
 
   val mirrorConsumerInHydra = APIUtil.getPropsAsBoolValue("mirror_consumer_in_hydra", false)
 
-  val useObpUserAtHydra = APIUtil.getPropsAsBoolValue("use_obp_user_at_hydra", false)
+  val hydraUsesObpUserCredentials = APIUtil.getPropsAsBoolValue("hydra_uses_obp_user_credentials", true)
 
   val clientSecretPost = "client_secret_post"
   

From 984515179fb9b3f5c838950c73582d4f3534b27d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Mon, 25 Mar 2024 13:49:53 +0100
Subject: [PATCH 09/10] feature/Improve consent-screen

---
 obp-api/src/main/scala/code/snippet/ConsentScreen.scala | 5 ++++-
 obp-api/src/main/webapp/consent-screen.html             | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/obp-api/src/main/scala/code/snippet/ConsentScreen.scala b/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
index 91ab6ae0f..b3a0aae75 100644
--- a/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
+++ b/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
@@ -77,7 +77,10 @@ class ConsentScreen extends MdcLoggable {
     val username = AuthUser.getCurrentUser.map(_.name).getOrElse("")
     val clientId = getWebUiPropsValue("webui_hydra_oidc_client", "OpenID Connect Provider")
     "#username *" #> username &
-      "#client *" #> clientId &
+    "#username_2 *" #> username &
+      "#client_id_1 *" #> clientId &
+      "#client_id_2 *" #> clientId &
+      "#client_id_3 *" #> clientId &
     "form" #> {
       "#skip_consent_screen_checkbox" #> SHtml.checkbox(skipConsentScreenVar, skipConsentScreenVar(_)) &
         "#allow_access_to_consent" #> SHtml.submit(s"Allow access", () => submitAllowAction) &
diff --git a/obp-api/src/main/webapp/consent-screen.html b/obp-api/src/main/webapp/consent-screen.html
index 6954b8749..bf94c7fb4 100644
--- a/obp-api/src/main/webapp/consent-screen.html
+++ b/obp-api/src/main/webapp/consent-screen.html
@@ -35,10 +35,13 @@ Berlin 13359, Germany
             </style>
             <div id="data-area-explanation">
                 <h1>An application requests access to your data!</h1>
-                <p>Hi <span id="username" class="reset-style"></span>, application <strong><span id="client" class="reset-style"></span></strong> wants access resources on your behalf and to:</p>
+                <p>Hi <span id="username" class="reset-style"></span>, application <strong><span id="client_id_1" class="reset-style"></span></strong> wants access resources on your behalf and to:</p>
                 <ul>
                     <li>openid</li>
                 </ul>
+                <p>Confirm or Deny Applicaiton Access.</p>
+                <p>Dear <span id="username_2" class="reset-style"></span>, <span id="client_id_2" class="reset-style"></span> is requesting access to your user profile.</p>
+                <p><span id="client_id_3" class="reset-style"></span> will be able to act on your behalf.</p>
             </div>
 
             <form method="post">

From fea85b5f9c7c42f4fdc7f656643b8665153d0d4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Wed, 27 Mar 2024 14:38:29 +0100
Subject: [PATCH 10/10] feature/Tweak consent-screen variable names

---
 obp-api/src/main/scala/code/snippet/ConsentScreen.scala | 8 ++++----
 obp-api/src/main/webapp/consent-screen.html             | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/obp-api/src/main/scala/code/snippet/ConsentScreen.scala b/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
index b3a0aae75..f04a543a6 100644
--- a/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
+++ b/obp-api/src/main/scala/code/snippet/ConsentScreen.scala
@@ -75,12 +75,12 @@ class ConsentScreen extends MdcLoggable {
   
   def consentScreenForm = {
     val username = AuthUser.getCurrentUser.map(_.name).getOrElse("")
-    val clientId = getWebUiPropsValue("webui_hydra_oidc_client", "OpenID Connect Provider")
+    val oidcProviderDescription = getWebUiPropsValue("webui_hydra_oidc_client", "OpenID Connect Provider")
     "#username *" #> username &
     "#username_2 *" #> username &
-      "#client_id_1 *" #> clientId &
-      "#client_id_2 *" #> clientId &
-      "#client_id_3 *" #> clientId &
+      "#consumer_description_1 *" #> oidcProviderDescription &
+      "#consumer_description_2 *" #> oidcProviderDescription &
+      "#consumer_description_3 *" #> oidcProviderDescription &
     "form" #> {
       "#skip_consent_screen_checkbox" #> SHtml.checkbox(skipConsentScreenVar, skipConsentScreenVar(_)) &
         "#allow_access_to_consent" #> SHtml.submit(s"Allow access", () => submitAllowAction) &
diff --git a/obp-api/src/main/webapp/consent-screen.html b/obp-api/src/main/webapp/consent-screen.html
index bf94c7fb4..489b05afb 100644
--- a/obp-api/src/main/webapp/consent-screen.html
+++ b/obp-api/src/main/webapp/consent-screen.html
@@ -35,13 +35,13 @@ Berlin 13359, Germany
             </style>
             <div id="data-area-explanation">
                 <h1>An application requests access to your data!</h1>
-                <p>Hi <span id="username" class="reset-style"></span>, application <strong><span id="client_id_1" class="reset-style"></span></strong> wants access resources on your behalf and to:</p>
+                <p>Hi <span id="username" class="reset-style"></span>, application <strong><span id="consumer_description_1" class="reset-style"></span></strong> wants access resources on your behalf and to:</p>
                 <ul>
                     <li>openid</li>
                 </ul>
                 <p>Confirm or Deny Applicaiton Access.</p>
-                <p>Dear <span id="username_2" class="reset-style"></span>, <span id="client_id_2" class="reset-style"></span> is requesting access to your user profile.</p>
-                <p><span id="client_id_3" class="reset-style"></span> will be able to act on your behalf.</p>
+                <p>Dear <span id="username_2" class="reset-style"></span>, <span id="consumer_description_2" class="reset-style"></span> is requesting access to your user profile.</p>
+                <p><span id="consumer_description_3" class="reset-style"></span> will be able to act on your behalf.</p>
             </div>
 
             <form method="post">