Use Several Clients for OAuth2

medizininformatik-initiative · Jan 23, 2025 · d0d56dd · d0d56dd
1 parent bbddb2e
commit d0d56dd
Show file tree

Hide file tree

Showing 19 changed files with 304 additions and 37 deletions.
diff --git a/.github/test/oauth2/import/fts-realm.json b/.github/test/oauth2/import/fts-realm.json
@@ -145,9 +145,112 @@
   },
   "clients": [
     {
-      "id": "34ed2b5c-6e6d-4477-bfa2-f9c36f4f6133",
+      "id": "ee7a80f4-da2f-4bc8-962b-369c9fd36b1c",
       "clientId": "fts-client",
-      "name": "FTS Client",
+      "name": "FTS CD Client",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "tIQfOvBuhyR1dw9OQ3E4tCeTvcHtiW84",
+      "redirectUris": [
+        "http://localhost:8080/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8080"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "realm_client": "false",
+        "access.token.lifespan": "1800",
+        "client.secret.creation.time": "1737365263",
+        "backchannel.logout.session.required": "true",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "id": "2787d9e7-4f4a-4443-8efd-b83b392c8a2e",
+          "name": "Client IP Address",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "clientAddress",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "clientAddress",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "911d7a9a-0015-4e18-8f75-9b29711b23b0",
+          "name": "Client Host",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "clientHost",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "clientHost",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "08117557-9386-4a7e-b9b2-c5c67305ade9",
+          "name": "Client ID",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "client_id",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "client_id",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "profile",
+        "roles",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "organization",
+        "offline_access",
+        "microprofile-jwt"
+      ],
+      "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+      }
+    },
+    {
+      "id": "34ed2b5c-6e6d-4477-bfa2-f9c36f4f6133",
+      "clientId": "cd-client",
+      "name": "FTS CD Client",
       "surrogateAuthRequired": false,
       "enabled": true,
       "alwaysDisplayInConsole": false,
@@ -246,39 +349,164 @@
         "configure": true,
         "manage": true
       }
+    },
+    {
+      "id": "f03b64d9-c57b-4061-a781-52e29bf05084",
+      "clientId": "rd-client",
+      "name": "FTS RD Client",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "tIQfOvBuhyR1dw9OQ3E4tCeTvcHtiW84",
+      "redirectUris": [
+        "http://localhost:8080/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8080"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "realm_client": "false",
+        "access.token.lifespan": "1800",
+        "client.secret.creation.time": "1737365263",
+        "backchannel.logout.session.required": "true",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "id": "08f5928a-1673-4d08-bf8d-5fc52b37ea2d",
+          "name": "Client IP Address",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "clientAddress",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "clientAddress",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "49404a86-a5aa-4dd9-b847-a8474bbd0841",
+          "name": "Client Host",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "clientHost",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "clientHost",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "32165832-73ef-4a51-8a8c-75310171c9e4",
+          "name": "Client ID",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usersessionmodel-note-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.session.note": "client_id",
+            "id.token.claim": "true",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "client_id",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "profile",
+        "roles",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "organization",
+        "offline_access",
+        "microprofile-jwt"
+      ],
+      "access": {
+        "view": true,
+        "configure": true,
+        "manage": true
+      }
     }
   ],
   "roles": {
     "client": {
       "fts-client": [
         {
-          "name": "client"
+          "name": "cd-client"
+        },
+        {
+          "name": "rd-client"
         }
       ]
     }
   },
   "clientScopeMappings": {
     "fts-client": [
       {
-        "client": "fts-client",
+        "client": "cd-client",
         "roles": [
-          "client"
+          "cd-client"
+        ]
+      },
+      {
+        "client": "rd-client",
+        "roles": [
+          "rd-client"
         ]
       }
     ]
   },
   "users": [
     {
-      "username": "service-account-fts-client",
+      "username": "service-account-cd-client",
+      "enabled": true,
+      "serviceAccountClientId": "cd-client",
+      "clientRoles": {
+        "fts-client": [
+          "cd-client"
+        ]
+      },
+      "realmRoles": [
+        "default-roles-cd"
+      ]
+    },
+    {
+      "username": "service-account-rd-client",
       "enabled": true,
-      "serviceAccountClientId": "fts-client",
+      "serviceAccountClientId": "rd-client",
       "clientRoles": {
         "fts-client": [
-          "client"
+          "rd-client"
         ]
       },
       "realmRoles": [
-        "default-roles-fts"
+        "default-roles-rd"
       ]
     }
   ]

diff --git a/clinical-domain-agent/application-auth:basic.yaml b/clinical-domain-agent/application-auth:basic.yaml
@@ -5,7 +5,7 @@ security:
       - username: client
         password: "{bcrypt}$2a$10$4i1TQpnBlcKOdUYO9O850.jJ8yGO8x9fQuu/l3Ki3HXgv0t9NOr4y"
         # password: "{noop}2mXA742aw7CGaLU6"
-        role: client
+        role: cd-client
 
 test:
   webclient:

diff --git a/clinical-domain-agent/application-auth:oauth2.yaml b/clinical-domain-agent/application-auth:oauth2.yaml
@@ -11,7 +11,7 @@ spring:
         registration:
           agent:
             authorization-grant-type: client_credentials
-            client-id: fts-client
+            client-id: cd-client
             client-secret: tIQfOvBuhyR1dw9OQ3E4tCeTvcHtiW84
             provider: keycloak
         provider:

diff --git a/clinical-domain-agent/src/main/resources/application.yaml b/clinical-domain-agent/src/main/resources/application.yaml
@@ -14,7 +14,7 @@ management:
 security:
   endpoints:
   - path: /api/v2/**
-    role: client
+    role: cd-client
 
 runner:
   maxSendConcurrency: 32

diff --git a/clinical-domain-agent/src/test/resources/application.yaml b/clinical-domain-agent/src/test/resources/application.yaml
@@ -34,7 +34,7 @@ test:
 security:
   endpoints:
   - path: /api/v2/**
-    role: client
+    role: cd-client
 
 logging.level:
   care.smith.fts: DEBUG

diff --git a/research-domain-agent/application-auth:basic.yaml b/research-domain-agent/application-auth:basic.yaml
@@ -5,7 +5,7 @@ security:
       - username: cd-agent
         password: "{bcrypt}$2a$10$kUT57nDMEPtigO3BtsD/UeQMLsBDsOwu4iFVAEcgucPbD1zGaHI5y"
         # password: "{noop}bdfXkmQQIQLEkvVq"
-        role: client
+        role: cd-client
 
 test:
   webclient:

diff --git a/research-domain-agent/application-auth:oauth2.yaml b/research-domain-agent/application-auth:oauth2.yaml
@@ -11,7 +11,7 @@ spring:
         registration:
           agent:
             authorization-grant-type: client_credentials
-            client-id: fts-client
+            client-id: rd-client
             client-secret: tIQfOvBuhyR1dw9OQ3E4tCeTvcHtiW84
             provider: keycloak
         provider:

diff --git a/research-domain-agent/src/test/resources/application.yaml b/research-domain-agent/src/test/resources/application.yaml
@@ -28,7 +28,7 @@ test:
 security:
   endpoints:
   - path: /api/v2/**
-    role: client
+    role: rd-client
 
 logging.level:
   care.smith.fts: DEBUG

diff --git a/test-util/src/main/java/care/smith/fts/test/TestWebClientFactory.java b/test-util/src/main/java/care/smith/fts/test/TestWebClientFactory.java
@@ -35,6 +35,9 @@ public WebClient webClient(String baseUrl) {
   }
 
   public WebClient webClient(String baseUrl, String clientName) {
+
+    log.debug("TestWebClientFactory baseurl: {}, clientName: {}", baseUrl, clientName);
+
     return config
         .findConfigurationEntry(clientName)
         .map(c -> factory.create(new HttpClientConfig(baseUrl, c.auth(), c.ssl())))

diff --git a/trust-center-agent/application-auth:basic.yaml b/trust-center-agent/application-auth:basic.yaml
@@ -5,11 +5,11 @@ security:
       - username: cd-agent
         password: "{bcrypt}$2a$10$S7FXGqbbci2YOjBAAaeC9.KaTP8sZ2Hyi5d3aub1L..oe3L2kqv/K"
         # password: "{noop}Aj6cloJYsTpu+op+"
-        role: client
+        role: cd-client
       - username: rd-agent
         password: "{bcrypt}$2a$10$m0kteW3J47snneNzGTzkzeAtGo8FfODkmPP0uLXOz8uRvkc5Lqwme"
         # password: "{noop}1J5MhEhhiGh33dgt"
-        role: client
+        role: rd-client
 
 test:
   webclient: