diff --git a/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeConfig.kt b/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeConfig.kt
index 5c24bcf76..54594789c 100644
--- a/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeConfig.kt
+++ b/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenExchangeConfig.kt
@@ -3,6 +3,7 @@ package no.nav.fo.veilarbregistrering.autentisering.tokenveksling
 import no.nav.common.auth.context.AuthContextHolder
 import no.nav.common.token_client.builder.AzureAdTokenClientBuilder
 import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient
+import no.nav.fo.veilarbregistrering.config.requireProperty
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
@@ -11,7 +12,7 @@ class TokenExchangeConfig {
 @Bean
 fun tokenResolver(authContextHolder: AuthContextHolder): TokenResolver {
- return TokenResolver(authContextHolder)
+ return TokenResolver(authContextHolder, TokenIssuers())
 }
 @Bean
@@ -25,4 +26,10 @@ class TokenExchangeConfig {
 .withNaisDefaults()
 .buildMachineToMachineTokenClient()
 }
-}
\ No newline at end of file
+}
+
+class TokenIssuers(
+ val tokenXIssuer: String = requireProperty("TOKEN_X_ISSUER"),
+ val aadIssuer: String = requireProperty("AZURE_OPENID_CONFIG_ISSUER"),
+ val idportenIssuer: String = requireProperty("IDPORTEN_ISSUER"),
+)
\ No newline at end of file
diff --git a/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt b/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt
index 0f356068b..5e3479ba7 100644
--- a/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt
+++ b/src/main/kotlin/no/nav/fo/veilarbregistrering/autentisering/tokenveksling/TokenResolver.kt
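Review bot: `TokenIssuers` is instantiated inline as `TokenIssuers()` inside `tokenResolver` instead of being exposed as a bean, so in a test the three issuer values can only be substituted by setting the environment variables, and the class itself carries no documentation of what its values are compared against. Consider `@Bean fun tokenIssuers() = TokenIssuers()` and injecting it into `tokenResolver`, plus a KDoc on the class along the lines of `/** Expected `iss` claim values; [TokenResolver] compares the incoming token's issuer against these verbatim. */`. Reading the properties eagerly through `requireProperty` in the constructor defaults is a reasonable fail-fast choice, since a missing variable then aborts startup rather than surfacing later as tokens that never match any issuer. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.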
@@ -2,35 +2,21 @@ package no.nav.fo.veilarbregistrering.autentisering.tokenveksling
 import no.nav.common.auth.context.AuthContextHolder
-class TokenResolver(private val authContextHolder: AuthContextHolder) {
+class TokenResolver(private val authContextHolder: AuthContextHolder, private val tokenIssuers: TokenIssuers) {
- fun token(): String {
- return authContextHolder.requireContext().idToken.serialize()
- }
+ fun token(): String = authContextHolder.requireContext().idToken.serialize()
- fun erAzureAdToken(): Boolean {
- return authContextHolder.erAADToken()
- }
+ private fun hentIssuer(): String = authContextHolder.requireIdTokenClaims().issuer
+ fun erAzureAdToken(): Boolean = hentIssuer() === tokenIssuers.aadIssuer
- fun erAzureAdOboToken(): Boolean {
- return authContextHolder.erAADToken() && !authContextHolder.erSystemTilSystemToken()
- }
+ private fun erSystemTilSystemToken(): Boolean =
+ authContextHolder.subject == authContextHolder.getStringClaim(authContextHolder.idTokenClaims.get(), "oid")
- fun erAzureAdSystemTilSystemToken(): Boolean {
- return authContextHolder.erAADToken() && authContextHolder.erSystemTilSystemToken()
- }
+ fun erAzureAdOboToken(): Boolean = erAzureAdToken() && !erSystemTilSystemToken()
- fun erTokenXToken(): Boolean {
- return authContextHolder.erTokenXToken()
- }
+ fun erAzureAdSystemTilSystemToken(): Boolean = erAzureAdToken() && erSystemTilSystemToken()
- fun erIdPortenToken(): Boolean {
- return authContextHolder.erIdPortenToken()
- }
-}
+ fun erTokenXToken(): Boolean = hentIssuer() === tokenIssuers.tokenXIssuer
-fun AuthContextHolder.erAADToken(): Boolean = hentIssuer().contains("login.microsoftonline.com")
-private fun AuthContextHolder.erSystemTilSystemToken(): Boolean = this.subject == this.getStringClaim(this.idTokenClaims.get(),"oid")
-private fun AuthContextHolder.erTokenXToken(): Boolean = hentIssuer().contains("tokendings") || hentIssuer().contains("tokenx")
-private fun AuthContextHolder.erIdPortenToken(): Boolean = hentIssuer().contains("difi.no")
-private fun AuthContextHolder.hentIssuer(): String = this.requireIdTokenClaims().issuer
+ fun erIdPortenToken(): Boolean = hentIssuer() === tokenIssuers.idportenIssuer
+}
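Review bot: `hentIssuer() === tokenIssuers.aadIssuer` in `erAzureAdToken`, and the same `===` in `erTokenXToken` and `erIdPortenToken`, is referential equality on `String`; the issuer comes from the parsed token claims and the configured value from the environment, so they are distinct objects and the comparison is false even when the text is identical, which would make every issuer check in this class fail. Use structural equality on all three: `fun erAzureAdToken(): Boolean = hentIssuer() == tokenIssuers.aadIssuer`, `fun erTokenXToken(): Boolean = hentIssuer() == tokenIssuers.tokenXIssuer`, `fun erIdPortenToken(): Boolean = hentIssuer() == tokenIssuers.idportenIssuer`. Replacing the removed `contains("login.microsoftonline.com")` / `contains("tokendings")` / `contains("difi.no")` substring tests with a full match against the configured issuer is the right direction, since a substring check also accepts any issuer that merely embeds the expected host name. `erSystemTilSystemToken` calls `idTokenClaims.get()` without a presence check, but both of its callers evaluate `erAzureAdToken()` first, whose `requireIdTokenClaims()` has already established that the claims exist; a short KDoc on `erSystemTilSystemToken` noting that it relies on this ordering would keep a future caller from invoking it first.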