feat(auth-admin): Allow non super users to publish super user fields (#…

…17290)

apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts

@@ -431,23 +431,26 @@ describe('MeClientsController with auth', () => {
         slidingRefreshTokenLifetime:
           typeSpecificDefaults.slidingRefreshTokenLifetime ??
           clientBaseAttributes.slidingRefreshTokenLifetime,
-        accessTokenLifetime: clientBaseAttributes.accessTokenLifetime,
+        accessTokenLifetime:
+          typeSpecificDefaults.accessTokenLifetime ??
+          clientBaseAttributes.accessTokenLifetime,
         allowOfflineAccess: clientBaseAttributes.allowOfflineAccess,
         redirectUris: [],
         postLogoutRedirectUris: [],
         requireApiScopes: false,
         requireConsent: false,
-        requirePkce: true,
-        supportTokenExchange: false,
+        requirePkce:
+          typeSpecificDefaults.requirePkce ?? clientBaseAttributes.requirePkce,
+        supportTokenExchange: typeSpecificDefaults.supportTokenExchange,
         supportsCustomDelegation: false,
         supportsLegalGuardians: false,
         supportsPersonalRepresentatives: false,
         supportsProcuringHolders: false,
         promptDelegations: false,
-        customClaims: [],
+        customClaims: typeSpecificDefaults.customClaims ?? [],
         singleSession: false,
         supportedDelegationTypes: [],
-        allowedAcr: [defaultAcrValue],
+        allowedAcr: typeSpecificDefaults.allowedAcr ?? [defaultAcrValue],
       })
 
       // Assert - db record
@@ -468,9 +471,14 @@ describe('MeClientsController with auth', () => {
         absoluteRefreshTokenLifetime:
           typeSpecificDefaults.absoluteRefreshTokenLifetime ??
           clientBaseAttributes.absoluteRefreshTokenLifetime,
-        accessTokenLifetime: clientBaseAttributes.accessTokenLifetime,
-        allowOfflineAccess: clientBaseAttributes.allowOfflineAccess,
-        requirePkce: clientBaseAttributes.requirePkce,
+        accessTokenLifetime:
+          typeSpecificDefaults.accessTokenLifetime ??
+          clientBaseAttributes.accessTokenLifetime,
+        allowOfflineAccess:
+          typeSpecificDefaults.allowOfflineAccess ??
+          clientBaseAttributes.allowOfflineAccess,
+        requirePkce:
+          typeSpecificDefaults.requirePkce ?? clientBaseAttributes.requirePkce,
         refreshTokenExpiration: translateRefreshTokenExpiration(
           typeSpecificDefaults.refreshTokenExpiration,
         ),

libs/auth-api-lib/src/lib/clients/admin/admin-clients.service.ts

@@ -173,21 +173,6 @@ export class AdminClientsService {
       throw new BadRequestException('Invalid client id')
     }
 
-    // If user is not super admin, we remove the super admin fields from the input to default to the client base attributes
-    if (!this.isSuperAdmin(user)) {
-      clientDto = {
-        clientId: clientDto.clientId,
-        clientType: clientDto.clientType,
-        clientName: clientDto.clientName,
-        // Remove defined super admin fields
-        ...omit(clientDto, superUserFields),
-        // Remove personal representative from delegation types since it is not allowed for non-super admins
-        supportedDelegationTypes: delegationTypeSuperUserFilter(
-          clientDto.supportedDelegationTypes ?? [],
-        ),
-      }
-    }
-
     const {
       customClaims,
       displayName,
@@ -600,7 +585,7 @@ export class AdminClientsService {
         client.supportedDelegationTypes?.map(
           (clientDelegationType) => clientDelegationType.delegationType,
         ) ?? [],
-      allowedAcr: client.allowedAcr ?? [],
+      allowedAcr: client.allowedAcr.map((v) => v.toString()) ?? [],
     }
   }