Merge pull request #2475 from constantine2nd/develop

Consent Auth Header
OpenBankProject · Jan 7, 2025 · 612ba17 · 612ba17
2 parents 82dad2e + b22d9d4
commit 612ba17
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 4 deletions.
diff --git a/obp-api/src/main/scala/code/api/OAuth2.scala b/obp-api/src/main/scala/code/api/OAuth2.scala
@@ -111,7 +111,7 @@ object OAuth2Login extends RestHelper with MdcLoggable {
         } else if (UnknownProvider.isIssuer(value)) {
           UnknownProvider.applyRulesFuture(value, cc)
         } else if (HydraUtil.integrateWithHydra) {
-          UnknownProvider.applyRulesFuture(value, cc)
+          Hydra.applyRulesFuture(value, cc)
         } else {
           Future(Failure(Oauth2IsNotRecognized), Some(cc))
         }

diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
@@ -2975,8 +2975,13 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
     val title = s"Request Headers for verb: $verb, URL: $url"
     surroundDebugMessage(reqHeaders.map(h => h.name + ": " + h.values.mkString(",")).mkString, title)
     val remoteIpAddress = getRemoteIpAddress()
+
+    val authHeaders = AuthorisationUtil.getAuthorisationHeaders(reqHeaders)
+
     val res =
-      if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
+      if (authHeaders.size > 1) { // Check Authorization Headers ambiguity
+        Future { (Failure(ErrorMessages.AuthorizationHeaderAmbiguity + s"${authHeaders}"), None) }
+      } else if (APIUtil.`hasConsent-ID`(reqHeaders)) { // Berlin Group's Consent
         Consent.applyBerlinGroupRules(APIUtil.`getConsent-ID`(reqHeaders), cc)
       } else if (APIUtil.hasConsentJWT(reqHeaders)) { // Open Bank Project's Consent
         val consentValue = APIUtil.getConsentJWT(reqHeaders)

diff --git a/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala b/obp-api/src/main/scala/code/api/util/AuthorisationUtil.scala
@@ -0,0 +1,15 @@
+package code.api.util
+
+import code.api.RequestHeader._
+import net.liftweb.http.provider.HTTPParam
+
+object AuthorisationUtil {
+  def getAuthorisationHeaders(requestHeaders: List[HTTPParam]): List[String] = {
+    requestHeaders.map(_.name).filter {
+      case `Consent-Id`| `Consent-ID` | `Consent-JWT` => true
+      case _ => false
+    }
+  }
+
+
+}
diff --git a/obp-api/src/main/scala/code/api/util/ErrorMessages.scala b/obp-api/src/main/scala/code/api/util/ErrorMessages.scala
@@ -263,7 +263,10 @@ object ErrorMessages {
   val Oauth2TokenEndpointAuthMethodForbidden = "OBP-20213: The Token Endpoint Auth Method is not supported at this instance: "
   val OneTimePasswordExpired = "OBP-20211: The One Time Password (OTP) has expired. "
   val Oauth2IsNotRecognized = "OBP-20214: OAuth2 Access Token is not recognised at this instance."
-
+  val Oauth2ValidateAccessTokenError = "OBP-20215: There was a problem validating the OAuth2 access token. "
+
+  val AuthorizationHeaderAmbiguity = "OBP-20250: Request headers used for authorization are ambiguous. "
+
   // X.509
   val X509GeneralError = "OBP-20300: PEM Encoded Certificate issue."
   val X509ParsingFailed = "OBP-20301: Parsing failed for PEM Encoded Certificate."

diff --git a/obp-api/src/main/scala/code/api/util/JwtUtil.scala b/obp-api/src/main/scala/code/api/util/JwtUtil.scala
@@ -217,7 +217,9 @@ object JwtUtil extends MdcLoggable {
     } catch {
       case e: BadJWTException => Failure(ErrorMessages.Oauth2BadJWTException + e.getMessage, Full(e), Empty)
       case e: ParseException  => Failure(ErrorMessages.Oauth2ParseException + e.getMessage, Full(e), Empty)
-      case e: Exception       => Failure(e.getMessage, Full(e), Empty)
+      case e: Exception       =>
+        logger.debug(s"remoteJWKSetUrl: $remoteJWKSetUrl")
+        Failure(ErrorMessages.Oauth2ValidateAccessTokenError + e.getMessage, Full(e), Empty)
     }
   }