Giter Club home page Giter Club logo

service-auth-provider-java-client's Introduction

service-auth-provider-java-client

This is the client library for the service-auth-provider api microservice. The tool provides a method to generate s2s auth token for a microservice and, optionally, caches it.

Getting started

Prerequisites

Building

The project uses Gradle as a build tool, but you don't have to install it locally since there is a ./gradlew wrapper script.

To build the project run the following command:

./gradlew build

Configuration

The following values must be provided:

idam:
  s2s-auth:
    url: http://localhost:4502
    totp_secret: AAAAAAAAAAAAAAAC
    microservice: ccd_gw

A spring bean:

@Configuration
public class ServiceTokenGeneratorConfiguration {
   @Bean
   public AuthTokenGenerator serviceAuthTokenGenerator(
           @Value("${idam.s2s-auth.totp_secret}") final String secret,
           @Value("${idam.s2s-auth.microservice}") final String microService,
           final ServiceAuthorisationApi serviceAuthorisationApi
   ) {
       return AuthTokenGeneratorFactory.createDefaultGenerator(secret, microService, serviceAuthorisationApi);
   }
}

Configuration for Service Authentication filter

The following values must be provided to enable a ServiceAuthFilter bean:

idam:
  s2s-authorised:
    services: microservice1, microservice2

ServiceAuthFilter bean is a OncePerRequestFilter filter that you can add to your filter chain to authorise a service request. The filter will expect a header with 'ServiceAuthorization: Bearer <token>' as part of the request header that it will consume to approve the request. Any requests from services that are not in your authorised services list will deny access to your service and return an HTTP response status code 403 (forbidden) and for any other reasons if the token is missing, invalid or failure to verify will result in 401(unauthorized).

Running without Spring

You might want to use this client when not running in a spring context, i.e. a scheduled job possibly.

class ServiceTokenGenerator {
    private static AuthTokenGenerator getAuthTokenGenerator(String s2sURL, String clientId, String clientSecret) {
        HttpMessageConverter<?> jsonConverter = new MappingJackson2HttpMessageConverter(new ObjectMapper());
        ObjectFactory<HttpMessageConverters> converter = () -> new HttpMessageConverters(jsonConverter);
    
        ServiceAuthorisationApi serviceAuthorisationApi = Feign.builder()
                .contract(new SpringMvcContract())
                .encoder(new SpringEncoder(converter))
                .decoder(new StringDecoder())
                .target(ServiceAuthorisationApi.class, s2sURL);
    
        return AuthTokenGeneratorFactory
                .createDefaultGenerator(clientSecret, clientId, serviceAuthorisationApi);
    }
}

Developing

Unit tests

To run all unit tests execute the following command:

./gradlew test

Coding style tests

To run all checks (including unit tests) execute the following command:

./gradlew check

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

To release a new version add a tag with the version number and push this up to the origin repository. This will then build and publish the release to maven.

License

This project is licensed under the MIT License - see the LICENSE.md file for details.

service-auth-provider-java-client's People

Contributors

adusumillipraveen avatar amoriartymoj avatar davejones74 avatar daveoh avatar dependabot[bot] avatar dharmendrak avatar doncem avatar gbstan92 avatar hannah38 avatar karoljastrzebski avatar kevinjcross avatar lgonczar avatar linusnorton avatar mdayican avatar michael1142 avatar mokainos avatar mrganeshraja avatar nitinprabhu avatar renovate[bot] avatar rkondratowicz avatar rlewan avatar ruban72 avatar sabahirfan avatar timja avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

uk-gov-mirror

service-auth-provider-java-client's Issues

JWT not being re-generated by default

What would you like to change?

We had some issues regarding JWT not being re-generated when our JWT didn't contain the "exp" property in the payload.
Since this is used in conjunction with a one-time password, I believe that in the case of the JWT not containing the "exp" property, we should always re-generate it (i.e. re-generating should be the default behaviour).
My fear is that if we ever handle a payload that doesn't have an "exp" property, we'll be always returning the same token until spring is restarted.

I'd like to know what the team thinks about it. This is only my interpretation.

References:
One-time password:

service-auth-provider-java-client/src/main/java/uk/gov/hmcts/reform/authorisation/generators/ServiceAuthTokenGenerator.java

Line 36 in a3deb2b

signInDetails.put("oneTimePassword", oneTimePassword);

Re-generation logic:

service-auth-provider-java-client/src/main/java/uk/gov/hmcts/reform/authorisation/generators/AutorefreshingJwtAuthTokenGenerator.java

Line 57 in a3deb2b

return expDate != null && Date.from(now().plus(refreshTimeDelta)).after(expDate);

How do you think that would improve the project?

I think it could prevent problems in production and make functional testing less dependant on testers using the "exp" property.

If this entry is related to a bug, please provide the steps to reproduce it

  1. Mock the return of the "/lease" endpoint to be a valid JWT with no "exp" property.
  2. Generate the token (AuthTokenGenerator.generate())
  3. Reset the mock
  4. Mock it again with another valid JWT token also with no "exp" property.
  5. Generate the token (AuthTokenGenerator.generate())
    You will see that steps 2 and 5 will generate the same token (i.e. the service no longer queries the "/lease" endpoint.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/changelog.yml
  • release-drafter/release-drafter v6
.github/workflows/gradle.yml
  • actions/checkout v4
  • actions/setup-java v4
.github/workflows/jitpack_build.yml
  • actions/checkout v4
gradle
settings.gradle
build.gradle
  • io.spring.dependency-management 1.1.4
  • org.springframework.boot 3.2.4
  • org.owasp.dependencycheck 9.1.0
  • com.github.ben-manes.versions 0.51.0
  • se.patrikerdes.use-latest-versions 0.2.18
  • au.com.dius.pact 4.1.11
  • checkstyle 10.15.0
  • pmd 6.55.0
  • org.springframework.cloud:spring-cloud-starter-openfeign 4.1.1
  • io.github.openfeign:feign-jackson 13.2.1
  • com.warrenstrange:googleauth 1.5.0
  • com.auth0:java-jwt 4.4.0
  • jakarta.servlet:jakarta.servlet-api 6.0.0
  • junit:junit 4.13.2
  • org.assertj:assertj-core 3.25.3
  • org.mockito:mockito-core 5.11.0
  • org.springframework.cloud:spring-cloud-contract-wiremock 4.1.2
  • au.com.dius.pact.consumer:junit5 4.1.11
  • au.com.dius.pact.consumer:junit5 4.1.11
  • org.junit.jupiter:junit-jupiter-api 5.10.2
  • org.junit.jupiter:junit-jupiter-engine 5.10.2
  • org.junit.jupiter:junit-jupiter-api 5.10.2
gradle-wrapper
gradle/wrapper/gradle-wrapper.properties
  • gradle 8.7
  • Check this box to trigger a request for Renovate to run again on this repository

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.