Release/saml nav ident (#41)

* fix: use NAVident claim as saml NameId if present * fix: add navIdent claim to jwtClaimSetSpec2 * Deploy dev Co-authored-by: Nicklas Utgaard <nutgaard@gmail.com>
navikt · Jun 8, 2021 · 4cf3899 · 4cf3899
1 parent fb2db10
commit 4cf3899
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
 kotlin.code.style=official
 group=no.nav.gandalf
-version=0.1.8
+version=0.1.9
 name=security-token-service
diff --git a/src/main/kotlin/no/nav/gandalf/accesstoken/AccessTokenIssuer.kt b/src/main/kotlin/no/nav/gandalf/accesstoken/AccessTokenIssuer.kt
@@ -192,7 +192,7 @@ class AccessTokenIssuer(
         val samlObj = SamlObject(toZonedDateTime(now))
         samlObj.issuer = SAML_ISSUER
         samlObj.setDuration((oidcObj.expirationTime.time - now.time) / 1000 + EXCHANGE_TOKEN_EXTENDED_TIME)
-        samlObj.nameID = oidcObj.subject
+        samlObj.nameID = oidcObj.navIdent ?: oidcObj.subject
         val idpIssoIssuer = filterIssoInternIssuer()
         when {
             oidcObj.authLevel != null -> {

diff --git a/src/main/kotlin/no/nav/gandalf/accesstoken/OidcObject.kt b/src/main/kotlin/no/nav/gandalf/accesstoken/OidcObject.kt
@@ -33,6 +33,7 @@ class OidcObject {
     var expirationTime: Date
     private var authTime: Long? = null
     var auditTrackingId: String? = null
+    var navIdent: String? = null
     private var signedJWT: SignedJWT? = null
     private val log: Logger = LoggerFactory.getLogger(javaClass)
 
@@ -62,6 +63,7 @@ class OidcObject {
         version = claimSet.getStringClaim(VERSION_CLAIM)
         id = claimSet.jwtid
         subject = claimSet.subject
+        navIdent = claimSet.getStringClaim(NAV_IDENT_CLAIM)
         audience = claimSet.audience
         azp = claimSet.getStringClaim(AZP_CLAIM)
         authLevel = claimSet.getStringClaim(AUTHLEVEL_CLAIM)
@@ -145,6 +147,9 @@ class OidcObject {
             if (orgno != null) {
                 clBuilder.claim(CLIENT_ORGNO_CLAIM, orgno)
             }
+            if (navIdent != null) {
+                clBuilder.claim(NAV_IDENT_CLAIM, navIdent)
+            }
             return clBuilder.build()
         }
 
@@ -168,6 +173,9 @@ class OidcObject {
             if (authLevel != null) {
                 clBuilder.claim(AUTHLEVEL_CLAIM, authLevel)
             }
+            if (navIdent != null) {
+                clBuilder.claim(NAV_IDENT_CLAIM, navIdent)
+            }
             return clBuilder.build()
         }
 
@@ -251,6 +259,7 @@ class OidcObject {
         var UTY_CLAIM: String = "uty"
         var TRACKING_CLAIM: String = "auditTrackingId"
         var CLIENT_ORGNO_CLAIM = "client_orgno"
+        var NAV_IDENT_CLAIM = "NAVident"
         fun toDate(d: ZonedDateTime?): Date {
             return Date.from(d!!.toInstant())
         }