Bruk access token fra aad response og filter på domene (#1192)

navikt · Sep 29, 2022 · 03dc589 · 03dc589
1 parent 46e430c
commit 03dc589
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/...es/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/token/impl/AzureBrukerTokenKlient.java b/...es/oidc/src/main/java/no/nav/vedtak/sikkerhet/oidc/token/impl/AzureBrukerTokenKlient.java
@@ -62,7 +62,7 @@ public OpenIDToken exhangeAuthCode(String authorizationCode, String callback, St
         var request = lagRequest(data);
         var response = GeneriskTokenKlient.hentToken(request, azureProxy);
         LOG.info("AzureBruker hentet og fikk token av type {} utløper {}", response.token_type(), response.expires_in());
-        return new OpenIDToken(OpenIDProvider.AZUREAD, response.token_type(), new TokenString(response.id_token()),
+        return new OpenIDToken(OpenIDProvider.AZUREAD, response.token_type(), new TokenString(response.access_token()),
             scopes, new TokenString(response.refresh_token()), response.expires_in());
 
     }
@@ -81,7 +81,7 @@ public Optional<OpenIDToken> refreshIdToken(OpenIDToken expiredToken, String sco
         if (response.token_type() == null || response.expires_in() == null) {
             return Optional.empty();
         }
-        var token = new OpenIDToken(OpenIDProvider.AZUREAD, response.token_type(), new TokenString(response.id_token()),
+        var token = new OpenIDToken(OpenIDProvider.AZUREAD, response.token_type(), new TokenString(response.access_token()),
             scopes, new TokenString(response.refresh_token()), response.expires_in());
         return Optional.of(token);
     }

diff --git a/felles/sikkerhet/src/main/java/no/nav/vedtak/isso/ressurs/AzureConfigProperties.java b/felles/sikkerhet/src/main/java/no/nav/vedtak/isso/ressurs/AzureConfigProperties.java
@@ -17,6 +17,7 @@ public final class AzureConfigProperties {
     // Sett = true for å aktivere
     private static final String AZURE_TRIAL_ENABLED = "fp.trial.azure.enabled";
     private static final String AZURE_TRIAL_CALLBACK = "fp.trial.azure.callback";
+    private static final String AZURE_TRIAL_DOMAIN = "fp.trial.azure.domain";
 
     private static final String OPENID_SCOPE = "openid offline_access";
 
@@ -40,4 +41,8 @@ public static String getAzureScopes() {
     public static String getAzureCallback() {
         return  Optional.ofNullable(ENV.getProperty(AZURE_TRIAL_CALLBACK)).orElseGet(() -> ServerInfo.instance().getCallbackUrl());
     }
+
+    public static String getAzureDomain() {
+        return ENV.getProperty(AZURE_TRIAL_DOMAIN);
+    }
 }
diff --git a/felles/sikkerhet/src/main/java/no/nav/vedtak/isso/ressurs/RelyingPartyCallback.java b/felles/sikkerhet/src/main/java/no/nav/vedtak/isso/ressurs/RelyingPartyCallback.java
@@ -12,7 +12,9 @@
 
 import java.net.URI;
 import java.util.Objects;
+import java.util.Optional;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -40,7 +42,7 @@ public class RelyingPartyCallback {
 
     @GET
     @Produces(MediaType.APPLICATION_JSON)
-    public Response getLogin(@QueryParam("code") String authorizationCode, @QueryParam("state") String state, @Context HttpHeaders headers) {
+    public Response getLogin(@QueryParam("code") String authorizationCode, @QueryParam("state") String state, @Context HttpHeaders headers, @Context HttpServletRequest httpServletRequest) {
         if (authorizationCode == null) {
             LOG.warn("Mangler parameter 'code' i URL");
             return status(BAD_REQUEST).build();
@@ -57,7 +59,7 @@ public Response getLogin(@QueryParam("code") String authorizationCode, @QueryPar
         }
 
         OpenIDToken token;
-        if (AzureConfigProperties.isAzureEnabled()) {
+        if (AzureConfigProperties.isAzureEnabled() && matcherAzureDomain(httpServletRequest)) {
             token = AzureADTokenProvider.exhangeAzureAuthCode(authorizationCode, AzureConfigProperties.getAzureCallback());
             if (!OidcTokenValidatorConfig.instance().getValidator(OpenIDProvider.AZUREAD).validate(token.primary()).isValid()) {
                 return status(FORBIDDEN).build();
@@ -93,6 +95,11 @@ public Response getLogin(@QueryParam("code") String authorizationCode, @QueryPar
         return builder.build();
     }
 
+    private boolean matcherAzureDomain(HttpServletRequest httpServletRequest) {
+        var domain = AzureConfigProperties.getAzureDomain();
+        return domain != null && Optional.ofNullable(httpServletRequest).map(HttpServletRequest::getRequestURI).filter(u -> u.contains(domain)).isPresent();
+    }
+
     private void cleanCookieJar(Response.ResponseBuilder builder, HttpHeaders headers) {
         String cookieDomain = ServerInfo.instance().getCookieDomain();
         String cookiePath = ServerInfo.instance().getCookiePath();