Merge pull request #9 from it-at-m/jwt_scopes

Jwt scopes
it-at-m · May 21, 2024 · 3e9f2ab · 3e9f2ab
2 parents cbbaf91 + aad0ddb
commit 3e9f2ab
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/src/main/java/de/muenchen/rbs/kitafindereai/api/InternalApiController.java b/src/main/java/de/muenchen/rbs/kitafindereai/api/InternalApiController.java
@@ -20,6 +20,7 @@
 
 import de.muenchen.rbs.kitafindereai.adapter.kitaplaner.data.KitafinderKitaKonfigData;
 import de.muenchen.rbs.kitafindereai.adapter.kitaplaner.data.KitafinderKitaKonfigDataRepository;
+import de.muenchen.rbs.kitafindereai.config.SecurityConfiguration;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.enums.ParameterIn;
@@ -31,7 +32,8 @@
 @CrossOrigin
 @RestController
 @PreAuthorize("@environment.acceptsProfiles('no-security') || hasAuthority('ROLE_internal-access')")
-@SecurityRequirement(name = "InternalLogin")
+@SecurityRequirement(name = "InternalLogin", scopes = { SecurityConfiguration.SCOPE_LHM_EXTENDED,
+        SecurityConfiguration.SCOPE_OPENID })
 @RequestMapping(path = "/internal/", produces = "application/json")
 public class InternalApiController {
 

diff --git a/src/main/java/de/muenchen/rbs/kitafindereai/api/KitaAppApiController.java b/src/main/java/de/muenchen/rbs/kitafindereai/api/KitaAppApiController.java
@@ -18,6 +18,7 @@
 import de.muenchen.rbs.kitafindereai.api.model.Institute;
 import de.muenchen.rbs.kitafindereai.audit.AuditService;
 import de.muenchen.rbs.kitafindereai.config.KitaAppApiErrorHandlingControllerAdvice.ErrorResponse;
+import de.muenchen.rbs.kitafindereai.config.SecurityConfiguration;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.enums.ParameterIn;
@@ -35,7 +36,8 @@
 @CrossOrigin
 @RestController
 @PreAuthorize("@environment.acceptsProfiles('no-security') || hasAuthority('ROLE_api-access')")
-@SecurityRequirement(name = "ApiClient")
+@SecurityRequirement(name = "ApiClient", scopes = { SecurityConfiguration.SCOPE_LHM_EXTENDED,
+        SecurityConfiguration.SCOPE_ROLES })
 @RequestMapping(path = "/kitaApp/v1", produces = "application/json")
 public class KitaAppApiController {
 

diff --git a/src/main/java/de/muenchen/rbs/kitafindereai/config/SecurityConfiguration.java b/src/main/java/de/muenchen/rbs/kitafindereai/config/SecurityConfiguration.java
@@ -29,8 +29,11 @@
 import de.muenchen.rbs.kitafindereai.api.InternalApiController;
 import de.muenchen.rbs.kitafindereai.api.KitaAppApiController;
 import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
+import io.swagger.v3.oas.annotations.extensions.Extension;
+import io.swagger.v3.oas.annotations.extensions.ExtensionProperty;
 import io.swagger.v3.oas.annotations.security.OAuthFlow;
 import io.swagger.v3.oas.annotations.security.OAuthFlows;
+import io.swagger.v3.oas.annotations.security.OAuthScope;
 import io.swagger.v3.oas.annotations.security.SecurityScheme;
 import lombok.extern.slf4j.Slf4j;
 
@@ -47,6 +50,10 @@ public class SecurityConfiguration {
 
     private static final String AUD_CLAIM = "aud";
 
+    public static final String SCOPE_LHM_EXTENDED = "LHM_Extended";
+    public static final String SCOPE_ROLES = "roles";
+    public static final String SCOPE_OPENID = "openid";
+
     /** Security for {@link InternalApiController} */
     @Bean
     @Order(1)
@@ -144,8 +151,10 @@ public SecurityFilterChain noSecurityFilterChain(HttpSecurity http)
     /** Swagger-API config for security */
     @Configuration
     @Profile("!no-security")
-    @SecurityScheme(name = "ApiClient", type = SecuritySchemeType.OAUTH2, flows = @OAuthFlows(clientCredentials = @OAuthFlow(tokenUrl = "${app.security.token-url}")))
-    @SecurityScheme(name = "InternalLogin", type = SecuritySchemeType.OAUTH2, flows = @OAuthFlows(authorizationCode = @OAuthFlow(tokenUrl = "${app.security.token-url}", authorizationUrl = "${app.security.authorization-url}", refreshUrl = "${app.security.token-url}")))
+    @SecurityScheme(name = "ApiClient", type = SecuritySchemeType.OAUTH2, flows = @OAuthFlows(clientCredentials = @OAuthFlow(tokenUrl = "${app.security.token-url}", scopes = {
+            @OAuthScope(name = SCOPE_LHM_EXTENDED), @OAuthScope(name = SCOPE_ROLES) })))
+    @SecurityScheme(name = "InternalLogin", type = SecuritySchemeType.OAUTH2, extensions = @Extension(properties = @ExtensionProperty(name = "tokenName", value = "id_token")), flows = @OAuthFlows(authorizationCode = @OAuthFlow(tokenUrl = "${app.security.token-url}", authorizationUrl = "${app.security.authorization-url}", refreshUrl = "${app.security.token-url}", scopes = {
+            @OAuthScope(name = SCOPE_LHM_EXTENDED), @OAuthScope(name = SCOPE_OPENID) })))
     public class SpringdocConfig {
     }