From 9b53a94c6473f4fb2e13da99b28d6d9bae0cb4e8 Mon Sep 17 00:00:00 2001
From: sigurdgroneng
Date: Wed, 24 Jul 2024 10:21:37 +0200
Subject: [PATCH] =?UTF-8?q?Bruk=20idtyp=20for=20=C3=A5=20resolve=20userrol?=
 =?UTF-8?q?e=20p=C3=A5=20Azure(Entra)=20tokens?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../oidc/filter/AzureAdUserRoleResolver.java | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/auth/src/main/java/no/nav/common/auth/oidc/filter/AzureAdUserRoleResolver.java b/auth/src/main/java/no/nav/common/auth/oidc/filter/AzureAdUserRoleResolver.java
index d8247f871..51d786e68 100644
--- a/auth/src/main/java/no/nav/common/auth/oidc/filter/AzureAdUserRoleResolver.java
+++ b/auth/src/main/java/no/nav/common/auth/oidc/filter/AzureAdUserRoleResolver.java
@@ -3,6 +3,8 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import no.nav.common.auth.context.UserRole;
 
+import java.util.Optional;
+
 /**
 * UserRole resolver for Azure AD (Skal ikke brukes med andre OIDC providers).
 * Resolveren sjekker om tokenet er på vegne av en bruker (INTERN), eller om tokenet er et system-til-system (SYSTEM) token og returnerer riktig rolle.
@@ -17,14 +19,13 @@ public class AzureAdUserRoleResolver implements UserRoleResolver {
 
 @Override
 public UserRole resolve(JWTClaimsSet jwtClaimsSet) {
- var sub = jwtClaimsSet.getClaim("sub");
- var oid = jwtClaimsSet.getClaim("oid");
-
- if (sub == null || oid == null) {
- throw new IllegalArgumentException("Kunne ikke resolve UserRole. sub eller oid i token er null");
- }
-
- return sub.equals(oid)
+ // Skal ikke lenger bruke oid == sub for å sjekke om token er m2m
+ // https://docs.nais.io/auth/entra-id/reference/?h=idtyp#claims
+ var isMachineToMachineToken = Optional
+ .ofNullable(jwtClaimsSet.getClaim("idtyp"))
+ .map(value -> value.equals("app"))
+ .orElse(false);
+ return isMachineToMachineToken
 ? UserRole.SYSTEM : UserRole.INTERN;
 }
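Review bot: A token with no `idtyp` claim now resolves to `UserRole.INTERN` through `.orElse(false)`, whereas the removed code threw `IllegalArgumentException` when the claims it depended on were absent; a machine-to-machine token issued without the optional `idtyp` claim (for example from an app registration where that claim is not configured) would therefore be treated as a user token. Unless every issuer this resolver accepts is known to always emit `idtyp`, failing closed keeps the old contract: replace `.orElse(false);` with `.orElseThrow(() -> new IllegalArgumentException("Kunne ikke resolve UserRole. idtyp i token er null"));`. If the INTERN default is deliberate, the comment above the lookup should say so, e.g. `// Manglende idtyp behandles som brukertoken (INTERN)`, so the fallback is not mistaken for an oversight. The hunk's trailing context appears cut off before the class's closing brace (the header counts 14 old lines, 13 are visible).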