fix: provide a settings to mitigate the breaking change introduce in …

…4.3. fixes AM-4404 (cherry picked from commit 176ab86)
gravitee-io · Dec 5, 2024 · 185190c · 185190c
1 parent c1dbe20
commit 185190c
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 2 deletions.
diff --git a/...dc/src/main/java/io/gravitee/am/gateway/handler/oauth2/service/request/OAuth2Request.java b/...dc/src/main/java/io/gravitee/am/gateway/handler/oauth2/service/request/OAuth2Request.java
@@ -287,6 +287,10 @@ public void setConfirmationMethodX5S256(String confirmationMethodX5S256) {
     }
 
     public boolean shouldGenerateIDToken() {
+        return shouldGenerateIDToken(false);
+    }
+
+    public boolean shouldGenerateIDToken(boolean acceptOpenidForServiceApp) {
         if (getResponseType() != null && ResponseType.CODE_TOKEN.equals(getResponseType())) {
             return false;
         }
@@ -295,7 +299,9 @@ public boolean shouldGenerateIDToken() {
             return true;
         }
         if (getScopes() != null && getScopes().contains(Scope.OPENID.getKey())) {
-            if (isClientOnly()) {
+            if (isClientOnly() && acceptOpenidForServiceApp) {
+                return false;
+            } else if (isClientOnly()) {
                 throw new InvalidScopeException("Invalid scope: " + Scope.OPENID);
             } else {
                 return true;

diff --git a/...main/java/io/gravitee/am/gateway/handler/oauth2/service/token/impl/TokenEnhancerImpl.java b/...main/java/io/gravitee/am/gateway/handler/oauth2/service/token/impl/TokenEnhancerImpl.java
@@ -26,6 +26,7 @@
 import io.gravitee.gateway.api.ExecutionContext;
 import io.reactivex.rxjava3.core.Single;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -39,10 +40,19 @@ public class TokenEnhancerImpl implements TokenEnhancer {
     @Autowired
     private IDTokenService idTokenService;
 
+    /**
+     * Option introduce to mitigate the breaking change introduced in 4.3.0
+     * This option will be available at least to 4.8.0
+     * Probably will be removed in 4.9.0
+     */
+    @Deprecated(forRemoval = true)
+    @Value("${legacy.openid.accept_openid_for_service_app:false}")
+    private Boolean acceptOpenidForServiceApp = Boolean.FALSE;
+
     @Override
     public Single<Token> enhance(Token accessToken, OAuth2Request oAuth2Request, Client client, User endUser, ExecutionContext executionContext) {
         // enhance token with ID token
-        return Single.fromCallable(oAuth2Request::shouldGenerateIDToken).flatMap(generate -> {
+        return Single.fromCallable(() -> oAuth2Request.shouldGenerateIDToken(this.acceptOpenidForServiceApp)).flatMap(generate -> {
             if (Boolean.TRUE.equals(generate)) {
                 return enhanceIDToken(accessToken, client, endUser, oAuth2Request, executionContext);
             } else {

diff --git a/...rc/test/java/io/gravitee/am/gateway/handler/oauth2/service/request/OAuth2RequestTest.java b/...rc/test/java/io/gravitee/am/gateway/handler/oauth2/service/request/OAuth2RequestTest.java
@@ -0,0 +1,63 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gravitee.am.gateway.handler.oauth2.service.request;
+
+
+import io.gravitee.am.common.oidc.Scope;
+import io.gravitee.am.gateway.handler.oauth2.exception.InvalidScopeException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayNameGeneration;
+import org.junit.jupiter.api.DisplayNameGenerator;
+import org.junit.jupiter.api.Test;
+
+import java.util.Set;
+import java.util.UUID;
+
+/**
+ * @author Eric LELEU (eric.leleu at graviteesource.com)
+ * @author GraviteeSource Team
+ */
+@DisplayNameGeneration(DisplayNameGenerator.ReplaceUnderscores.class)
+public class OAuth2RequestTest {
+
+    @Test
+    public void userApp_should_accept_openID_Scope_and_provide_idtoken() {
+        final var request = new OAuth2Request();
+        request.setScopes(Set.of(Scope.OPENID.getKey()));
+        request.setSubject(UUID.randomUUID().toString());
+
+        Assertions.assertTrue(request.shouldGenerateIDToken(false));
+    }
+
+    @Test
+    public void clientOnly_should_reject_openID_Scope() {
+        final var request = new OAuth2Request();
+        request.setScopes(Set.of(Scope.OPENID.getKey()));
+        request.setSubject(null);
+
+        Assertions.assertThrows(InvalidScopeException.class, () -> request.shouldGenerateIDToken(false));
+    }
+
+    @Test
+    public void clientOnly_should_ignore_IDToken_but_accept_OpenID_Scope() {
+        final var request = new OAuth2Request();
+        request.setScopes(Set.of(Scope.OPENID.getKey()));
+        request.setSubject(null);
+
+        Assertions.assertFalse(request.shouldGenerateIDToken(true));
+    }
+}