Merge pull request #709 from navikt/dev/fjerner_idporten_auth

Fjerner muligheter for idporten autentisering. TokenX skal benyttes i
navikt · Oct 3, 2023 · 6ff0b5e · 6ff0b5e
2 parents 9edef12 + b82c896
commit 6ff0b5e
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 28 deletions.
diff --git a/nais/nais-dev-gcp.yaml b/nais/nais-dev-gcp.yaml
@@ -15,8 +15,6 @@ spec:
           - "NAVident"
   tokenx:
     enabled: true
-  idporten:
-    enabled: true
   envFrom:
     - secret: veilarbregistrering
   image: {{image}}

diff --git a/nais/nais-prod-gcp.yaml b/nais/nais-prod-gcp.yaml
@@ -15,8 +15,6 @@ spec:
           - "NAVident"
   tokenx:
     enabled: true
-  idporten:
-    enabled: true
   envFrom:
     - secret: veilarbregistrering
   image: {{image}}

diff --git a/.../kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeService.kt b/.../kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeService.kt
@@ -13,7 +13,6 @@ class TokenExchangeService(private val tokenResolver: TokenResolver) {
     fun exchangeToken(api: DownstreamApi): String {
         val opprinneligToken = tokenResolver.token()
         return when {
-            tokenResolver.erIdPortenToken() -> exchangeTokenXToken(api, opprinneligToken)
             tokenResolver.erTokenXToken() -> exchangeTokenXToken(api, opprinneligToken)
             tokenResolver.erAzureAdOboToken() -> exchangeAadOboToken(api, opprinneligToken)
             tokenResolver.erAzureAdSystemTilSystemToken() -> createAadMachineToMachineToken(api)

diff --git a/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt b/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt
@@ -23,14 +23,9 @@ class TokenResolver(private val authContextHolder: AuthContextHolder) {
     fun erTokenXToken(): Boolean {
         return authContextHolder.erTokenXToken()
     }
-
-    fun erIdPortenToken(): Boolean {
-        return authContextHolder.erIdPortenToken()
-    }
 }
 
 fun AuthContextHolder.erAADToken(): Boolean = hentIssuer().contains("login.microsoftonline.com")
 private fun AuthContextHolder.erSystemTilSystemToken(): Boolean = this.subject == this.getStringClaim(this.idTokenClaims.get(), "oid")
 private fun AuthContextHolder.erTokenXToken(): Boolean = hentIssuer().contains("tokenx")
-private fun AuthContextHolder.erIdPortenToken(): Boolean = hentIssuer().contains("difi.no")
 private fun AuthContextHolder.hentIssuer(): String = this.requireIdTokenClaims().issuer
diff --git a/src/main/kotlin/no/nav/fo/veilarbregistrering/config/filters/AuthStatsFilter.kt b/src/main/kotlin/no/nav/fo/veilarbregistrering/config/filters/AuthStatsFilter.kt
@@ -19,7 +19,6 @@ import javax.servlet.http.HttpServletRequest
 
 class AuthStatsFilter(private val metricsService: MetricsService) : Filter {
 
-    private val ID_PORTEN = "ID-PORTEN"
     private val AAD = "AAD"
     private val TOKEN_X = "TOKENX"
     private val STS = "STS"
@@ -39,7 +38,6 @@ class AuthStatsFilter(private val metricsService: MetricsService) : Filter {
         }
         val type = when {
             Constants.AZURE_AD_B2C_ID_TOKEN_COOKIE_NAME in cookieNames -> selvbetjeningToken?.let { checkTokenForType(it) }
-                ?: ID_PORTEN
             Constants.AZURE_AD_ID_TOKEN_COOKIE_NAME in cookieNames -> AAD
             !bearerToken.isNullOrBlank() -> checkTokenForType(bearerToken)
             else -> null
@@ -50,9 +48,6 @@ class AuthStatsFilter(private val metricsService: MetricsService) : Filter {
                 MDC.put(TOKEN_TYPE, type)
                 metricsService.registrer(Events.REGISTRERING_TOKEN, Tag.of("type", type), Tag.of("consumerId", consumerId))
                 log.info("Authentication with: [$it] request path: [${request.servletPath}] consumer: [$consumerId]")
-                if (type == ID_PORTEN) {
-                    secureLogger.info("Bruk av IDPORTEN-token mot $consumerId. Token fra Auth-header: $bearerToken")
-                }
                 if (type == STS) {
                     secureLogger.info("Bruk av STS-token mot $consumerId. Token fra cookie: $selvbetjeningToken Token fra Auth-header: $bearerToken")
                 }
@@ -68,15 +63,13 @@ class AuthStatsFilter(private val metricsService: MetricsService) : Filter {
             val jwt = JWTParser.parse(token)
             when {
                 jwt.erAzureAdToken() -> AAD
-                jwt.erIdPortenToken() -> ID_PORTEN
                 jwt.erTokenXToken() -> TOKEN_X
                 else -> STS
             }
         } catch (e: ParseException) {
             log.warn("Couldn't parse token $token")
             when {
                 token.contains("microsoftonline.com") -> AAD
-                token.contains("difi.no") -> ID_PORTEN
                 token.contains("tokendings") -> TOKEN_X
                 token.contains("tokenx") -> TOKEN_X
                 else -> STS
@@ -92,5 +85,4 @@ class AuthStatsFilter(private val metricsService: MetricsService) : Filter {
 }
 
 fun JWT.erAzureAdToken(): Boolean = this.jwtClaimsSet.issuer.contains("microsoftonline.com")
-fun JWT.erIdPortenToken(): Boolean = this.jwtClaimsSet.issuer.contains("difi.no")
 fun JWT.erTokenXToken(): Boolean = this.jwtClaimsSet.issuer.contains("tokenx")
diff --git a/src/main/kotlin/no/nav/fo/veilarbregistrering/config/filters/FilterConfig.kt b/src/main/kotlin/no/nav/fo/veilarbregistrering/config/filters/FilterConfig.kt
@@ -60,7 +60,6 @@ class FilterConfig {
         val registration = FilterRegistrationBean<OidcAuthenticationFilter>()
         val authenticationFilter = OidcAuthenticationFilter(
             OidcAuthenticator.fromConfigs(
-                createAzureAdB2CConfig(),
                 createAadTokenConfig(),
                 createTokenXConfig()
             )
@@ -71,15 +70,6 @@ class FilterConfig {
         return registration
     }
 
-    private fun createAzureAdB2CConfig(): OidcAuthenticatorConfig {
-        val discoveryUrl = requireProperty("IDPORTEN_WELL_KNOWN_URL")
-        val clientId = requireProperty("IDPORTEN_CLIENT_ID")
-        return OidcAuthenticatorConfig()
-            .withDiscoveryUrl(discoveryUrl)
-            .withClientId(clientId)
-            .withUserRole(UserRole.EKSTERN)
-    }
-
     /**
     * 24.01.2022 : This config should work for aad tokens obtained with both
     * client-credentials- and on-behalf-of flow