v29.0.2

README.md

@@ -52,7 +52,7 @@ or use docker compose:
 
 ```console
 $ mvn clean install -pl idp-server -am -Dskip.unittests -Dskip.inttests
-$ export appVersion=29.0.1
+$ export appVersion=29.0.2
 $ export serverLoglevel=info (default)
 $ docker-compose --project-name myidp -f docker-compose-ref.yml up -d
 ```

ReleaseNotes.md

@@ -1,8 +1,15 @@
+# Release 29.0.2
+
+- add organizationIk claim to token
+- fix in acr/amr to work with erp-fd without any change on their end
+- update dependencies
+
 # Release 29.0.1
 
 - Java 21
 - switch to docker base image eclipse-temurin:21-jre
-- replace hard coded values for ACR/AMR in access and id token with dynamic values by reading them from authentication
+- replace hard coded values for ACR/AMR in access and id token with dynamic values by reading them
+  from authentication
   token
 
 # Release 28.0.2

idp-client/pom.xml

@@ -7,13 +7,13 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <groupId>de.gematik.idp</groupId>
   <artifactId>idp-client</artifactId>
 
-  <version>29.0.1</version>
+  <version>29.0.2</version>
   <packaging>jar</packaging>
 
   <dependencies>

idp-commons/pom.xml

@@ -6,12 +6,12 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <artifactId>idp-commons</artifactId>
 
-  <version>29.0.1</version>
+  <version>29.0.2</version>
 
   <dependencies>
 

idp-commons/src/main/java/de/gematik/idp/field/ClaimName.java

@@ -26,6 +26,7 @@ public enum ClaimName {
   GIVEN_NAME("given_name"),
   FAMILY_NAME("family_name"),
   ORGANIZATION_NAME("organizationName"),
+  ORGANIZATION_IK("organizationIK"),
   PROFESSION_OID("professionOID"),
   ID_NUMBER("idNummer"),
   DISPLAY_NAME("display_name"),

idp-commons/src/main/java/de/gematik/idp/token/AccessTokenBuilder.java

@@ -34,6 +34,7 @@
 import static de.gematik.idp.field.ClaimName.ISSUED_AT;
 import static de.gematik.idp.field.ClaimName.ISSUER;
 import static de.gematik.idp.field.ClaimName.JWT_ID;
+import static de.gematik.idp.field.ClaimName.ORGANIZATION_IK;
 import static de.gematik.idp.field.ClaimName.ORGANIZATION_NAME;
 import static de.gematik.idp.field.ClaimName.PROFESSION_OID;
 import static de.gematik.idp.field.ClaimName.SCOPE;
@@ -73,14 +74,15 @@ public class AccessTokenBuilder {
           ID_NUMBER,
           CLIENT_ID,
           SCOPE,
+          ORGANIZATION_IK,
           AUTH_TIME);
   private final IdpJwtProcessor jwtProcessor;
   private final String issuerUrl;
   private final String serverSubjectSalt;
   private final Map<String, String> scopeToAudienceUrl;
 
   private final ClaimName[] nonPairingClaims =
-      new ClaimName[] {PROFESSION_OID, GIVEN_NAME, FAMILY_NAME, ORGANIZATION_NAME};
+      new ClaimName[] {PROFESSION_OID, GIVEN_NAME, FAMILY_NAME, ORGANIZATION_NAME, ORGANIZATION_IK};
 
   public JsonWebToken buildAccessToken(final JsonWebToken authenticationToken) {
     final ZonedDateTime now = ZonedDateTime.now();
@@ -111,9 +113,7 @@ public JsonWebToken buildAccessToken(final JsonWebToken authenticationToken) {
 
     claimsMap.put(ISSUED_AT.getJoseName(), now.toEpochSecond());
     claimsMap.put(ISSUER.getJoseName(), issuerUrl);
-    claimsMap.put(
-        AUTHENTICATION_CLASS_REFERENCE.getJoseName(),
-        authenticationToken.getBodyClaim(AUTHENTICATION_CLASS_REFERENCE).orElse(EIDAS_LOA_HIGH));
+    claimsMap.put(AUTHENTICATION_CLASS_REFERENCE.getJoseName(), EIDAS_LOA_HIGH);
     claimsMap.put(
         AUDIENCE.getJoseName(),
         determineAudienceBasedOnScope(authenticationToken.getScopesBodyClaim()));
@@ -130,9 +130,13 @@ public JsonWebToken buildAccessToken(final JsonWebToken authenticationToken) {
             serverSubjectSalt));
     claimsMap.put(AUTHORIZED_PARTY.getJoseName(), clientId);
     claimsMap.put(JWT_ID.getJoseName(), Nonce.getNonceAsHex(IdpConstants.JTI_LENGTH));
-    claimsMap.put(
-        AUTHENTICATION_METHODS_REFERENCE.getJoseName(),
-        authenticationToken.getBodyClaim(AUTHENTICATION_METHODS_REFERENCE).orElse(getAmrString()));
+    Object amrValue =
+        authenticationToken.getBodyClaim(AUTHENTICATION_METHODS_REFERENCE).orElse(getAmrString());
+    // workaround for authenticator with substantial, TIIAM-178
+    if (amrValue.equals("urn:telematik:auth:mEW")) {
+      amrValue = new String[] {"mfa"};
+    }
+    claimsMap.put(AUTHENTICATION_METHODS_REFERENCE.getJoseName(), amrValue);
     claimsMap.put(
         EXPIRES_AT.getJoseName(),
         NumericDate.fromSeconds(now.plusMinutes(5).toEpochSecond()).getValue());

idp-commons/src/main/java/de/gematik/idp/token/IdTokenBuilder.java

@@ -34,6 +34,7 @@
 import static de.gematik.idp.field.ClaimName.ISSUER;
 import static de.gematik.idp.field.ClaimName.JWT_ID;
 import static de.gematik.idp.field.ClaimName.NONCE;
+import static de.gematik.idp.field.ClaimName.ORGANIZATION_IK;
 import static de.gematik.idp.field.ClaimName.ORGANIZATION_NAME;
 import static de.gematik.idp.field.ClaimName.PROFESSION_OID;
 import static de.gematik.idp.field.ClaimName.SUBJECT;
@@ -64,7 +65,14 @@ public class IdTokenBuilder {
 
   private static final List<ClaimName> CLAIMS_TO_TAKE_FROM_AUTHENTICATION_TOKEN =
       List.of(
-          GIVEN_NAME, FAMILY_NAME, ORGANIZATION_NAME, PROFESSION_OID, ID_NUMBER, AUTH_TIME, NONCE);
+          GIVEN_NAME,
+          FAMILY_NAME,
+          ORGANIZATION_NAME,
+          PROFESSION_OID,
+          ID_NUMBER,
+          AUTH_TIME,
+          NONCE,
+          ORGANIZATION_IK);
 
   private final IdpJwtProcessor jwtProcessor;
   private final String issuerUrl;
@@ -111,13 +119,8 @@ public JsonWebToken buildIdToken(
                         "Missing '" + AUTHORIZED_PARTY.getJoseName() + "' claim!")));
     claimsMap.put(
         AUTHENTICATION_METHODS_REFERENCE.getJoseName(),
-        authenticationToken
-            .getBodyClaim(AUTHENTICATION_METHODS_REFERENCE)
-            .or(() -> accessToken.getBodyClaim(AUTHENTICATION_METHODS_REFERENCE))
-            .orElseThrow());
-    claimsMap.put(
-        AUTHENTICATION_CLASS_REFERENCE.getJoseName(),
-        authenticationToken.getBodyClaim(AUTHENTICATION_CLASS_REFERENCE).orElse(EIDAS_LOA_HIGH));
+        accessToken.getBodyClaim(AUTHENTICATION_METHODS_REFERENCE).orElseThrow());
+    claimsMap.put(AUTHENTICATION_CLASS_REFERENCE.getJoseName(), EIDAS_LOA_HIGH);
     claimsMap.put(ACCESS_TOKEN_HASH.getJoseName(), atHashValue);
     claimsMap.put(
         SUBJECT.getJoseName(),

idp-crypto/pom.xml

@@ -6,12 +6,12 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 
   <artifactId>idp-crypto</artifactId>
-  <version>29.0.1</version>
+  <version>29.0.2</version>
 
   <dependencies>
     <dependency>

idp-crypto/src/main/java/de/gematik/idp/crypto/X509ClaimExtraction.java

@@ -23,6 +23,7 @@
 import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.FAMILY_NAME;
 import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.GIVEN_NAME;
 import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.ID_NUMMER;
+import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.IK_NUMMER;
 import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.ORGANIZATION_NAME;
 import static de.gematik.idp.crypto.model.CertificateExtractedFieldEnum.PROFESSION_OID;
 
@@ -76,7 +77,12 @@ public static Map<String, Object> extractClaimsFromCertificate(
     claimMap.put(
         FAMILY_NAME.getFieldname(),
         getNameValueFromDn(certificate, certificateType, RFC4519Style.sn));
-
+    claimMap.put(
+        IK_NUMMER.getFieldname(),
+        getAllValuesFromDn(certificate.getSubjectX500Principal(), RFC4519Style.ou).stream()
+            .filter(ou -> ou.matches("\\d{9}"))
+            .findFirst()
+            .orElse(null));
     if (certificateType == HBA) {
       claimMap.put(ORGANIZATION_NAME.getFieldname(), null);
     } else if (certificateType == SMCB) {

idp-crypto/src/main/java/de/gematik/idp/crypto/model/CertificateExtractedFieldEnum.java

@@ -21,6 +21,7 @@ public enum CertificateExtractedFieldEnum {
   GIVEN_NAME("given_name"),
   FAMILY_NAME("family_name"),
   ORGANIZATION_NAME("organizationName"),
+  IK_NUMMER("organizationIK"),
   ID_NUMMER("idNummer");
 
   private final String fieldname;

idp-crypto/src/test/java/de/gematik/idp/crypto/X509ClaimExtractionTest.java

@@ -49,7 +49,8 @@ void extractFromEgk() throws IOException, CertificateEncodingException {
         .containsEntry("family_name", "Fuchs")
         .containsEntry("organizationName", "AOK Plus")
         .containsEntry("professionOID", "1.2.276.0.76.4.49")
-        .containsEntry("idNummer", "X114428530");
+        .containsEntry("idNummer", "X114428530")
+        .containsEntry("organizationIK", "109500969");
   }
 
   @Test

idp-report/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
   </parent>
   <artifactId>idp-report</artifactId>
 

idp-sektoral/pom.xml

@@ -7,12 +7,12 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 
   <artifactId>idp-sektoral</artifactId>
-  <version>29.0.1</version>
+  <version>29.0.2</version>
   <packaging>jar</packaging>
 
   <properties>

idp-server/pom.xml

@@ -7,19 +7,19 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>29.0.1</version>
+    <version>29.0.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 
   <artifactId>idp-server</artifactId>
-  <version>29.0.1</version>
+  <version>29.0.2</version>
   <packaging>jar</packaging>
 
   <properties>
     <commit_hash>undefined</commit_hash>
     <version.jaxb-api>2.4.0-b180830.0359</version.jaxb-api>
     <version.jaxb-impl>4.0.5</version.jaxb-impl>
-    <version.tiger-rbel>3.1.3</version.tiger-rbel>
+    <version.tiger-rbel>3.4.2</version.tiger-rbel>
   </properties>
 
   <dependencies>

idp-server/src/main/java/de/gematik/idp/server/FlowBeanCreation.java

@@ -182,7 +182,8 @@ public FederationIdpList fedIdpList() {
             .idpIss("https://gsi.dev.gematik.solutions")
             .idpName("gematik sektoraler IDP")
             .idpSek2(true)
-            .idpLogo("https://gsi.dev.gematik.solutions/noLogoYet")
+            .idpLogo(
+                "https://raw.githubusercontent.com/gematik/zero-lab/main/static/images/GID_App_light_mode.svg")
             .idpPkv(true)
             .build());
     theFederationIdpList.add(

idp-server/src/test/java/de/gematik/idp/server/TokenRetrievalTest.java

@@ -795,7 +795,8 @@ void verifyUserConsent() throws UnirestException {
                   "idNummer",
                   "given_name",
                   "family_name",
-                  "display_name");
+                  "display_name",
+                  "organizationIK");
         });
 
     idpClient.login(egkUserIdentity);