Update sample application to function with updated OIDC platform at c…

…urrent-environment

README.md

@@ -2,33 +2,38 @@
 This is a Java based test application for authenticating a user with BankID OpenID Connect Server (BID OIDC) developed for BankID Norge AS.
 When the user is authenticated you will see the result from a call to UserInfo RESTful service and the contents of the id_token which was returned from BID OIDC.
 
+## NOTE
+This client uses the stable CURRENT-environment, which is set up with the BankID Preprod user-database.
+New test-users can be created self-serviced at https://ra-preprod.bankidnorge.no/
+
+
 ## Process flow
 The application examplifies all steps of the OIDC authentication process.
 
 1. Fetch configuration from OIDC. GET to a non protected URL, such as 
-   https://preprod.bankidapis.no/oidc/oauth/.well-known/openid-configuration
+   https://oidc-current.bankidapis.no/auth/realms/current/.well-known/openid-configuration
    The configuration contains information such as relevant endpoints, and public key for the id_token (JWT).
 
 2. Redirect to the authentication URL.
 
-3. Handle the callback from UIDC. The callback contains an attribute *access_code* which needs to be exchanged with the *access_token* (POST to OIDC)
+3. Handle the callback from OIDC. The callback contains an attribute *access_code* which needs to be exchanged with the *access_token* (POST to OIDC)
 
 4. Fetch user info. Finally we use the *access_token* to fetch a protected resource, in this case the user info provided by BID OIDC.
 
 ## Build and run
-To be able to run the application you will need to edit the client_id and client_password in the source code.
-Contact BankID Norge ([email protected]) to retrieve the appropriate settings.
+To be able to run the application you will need to edit the client_id and client_secret in the Configuration.class.
+See https://confluence.bankidnorge.no/confluence/pdoidcl/release-notes/provisioning for details on how to receive this.
+
 
 ```
 class Configuration {
 
     /**
-     * Client_id and password must be inseted here for the appliction to work.
-     * <p>
-     * Make contact with BankID Norge ([email protected]) to retrieve the information needed.
+     * Client_id and secret must be inseted here for the appliction to work.
+     * 
      */
     public static final String CLIENT_ID = "<insert client_id>";
-    public static final String CLIENT_PWD = "<insert client password>";
+    public static final String CLIENT_SECRET = "<insert client password>";
 }
 ```
 
@@ -53,7 +58,7 @@ This example application uses the following libraries
 
 **nimbus-jose-jwt** for handling the json web token
 
-**jetty-maven-plugin** for running the application locally
+**jetty-maven-plugin** for running the application locally with a dynamically created ssl-certificate.
 
 
 

pom.xml

@@ -46,11 +46,45 @@
         </dependency>
     </dependencies>
     <build>
+
         <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>keytool-maven-plugin</artifactId>
+                <version>1.5</version>
+                <executions>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <id>clean</id>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <id>genkey</id>
+                        <goals>
+                            <goal>generateKeyPair</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <keystore>${project.build.directory}/jetty-ssl.keystore</keystore>
+                    <dname>cn=127.0.0.1</dname>
+                    <keypass>bankid-jetty-changeit</keypass>
+                    <storepass>bankid-jetty-changeit</storepass>
+                    <alias>jetty</alias>
+                    <keyalg>RSA</keyalg>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-maven-plugin</artifactId>
                 <version>9.4.0.v20161208</version>
+                <configuration>
+                    <jettyXml>src/main/resources/jetty.xml,src/main/resources/jetty-ssl.xml,src/main/resources/jetty-https.xml</jettyXml>
+                </configuration>
+
             </plugin>
             <plugin>
                 <artifactId>maven-war-plugin</artifactId>

src/main/java/no/bankid/oidc/BankIdOIDCClient.java

@@ -1,7 +1,5 @@
 package no.bankid.oidc;
 
-import org.glassfish.jersey.client.ClientConfig;
-import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;
 import org.glassfish.jersey.client.oauth2.OAuth2ClientSupport;
 import org.json.JSONObject;
 
@@ -78,30 +76,23 @@ private static String encoded(String s) {
      * This will be done with a POST against the token_endpoint.
      * the 'code' is attached in the body (x-www-form-urlencoded)
      * The endpoint requires basic auth.
+     * https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/rest-api/token
      * <p>
      * Finally, we put the access_token and id_token in a User object. It may typically be stored on the session.
      */
     public User endAuthentication(String code) {
-        HttpAuthenticationFeature basicAuth =
-                HttpAuthenticationFeature
-                        .basicBuilder()
-                        .nonPreemptive()
-                        .credentials(CLIENT_ID, CLIENT_PWD)
-                        .build();
-
-        ClientConfig clientConfig = new ClientConfig();
-        clientConfig.register(basicAuth);
-
-        Client client = ClientBuilder.newClient(clientConfig);
+        Client client = ClientBuilder.newClient();
 
         WebTarget target = client.target(token_endpoint);
 
         MultivaluedMap<String, String> formData = new MultivaluedHashMap<String, String>();
-        formData.add("code", code);
         formData.add("grant_type", "authorization_code");
+        formData.add("code", code);
         formData.add("redirect_uri", CALLBACK_URL);
 
-        Response response = target.request().post(Entity.form(formData));
+        Response response = target.request()
+                .header("Authorization", "Basic " + java.util.Base64.getEncoder().encodeToString((CLIENT_ID + ":" + CLIENT_SECRET).getBytes()))
+                .post(Entity.form(formData));
 
         JSONObject json = new JSONObject(response.readEntity(String.class));
 
@@ -124,6 +115,7 @@ public JSONObject getUserInfo(User user) {
 
         Response response = client.target(userinfo_endpoint).request().get();
 
-        return new JSONObject(response.readEntity(String.class));
+        return JWTHandler.getPayload(response.readEntity(String.class));
     }
+
 }

src/main/java/no/bankid/oidc/Configuration.java

@@ -2,16 +2,16 @@
 
 class Configuration {
 
-    public static final String CONFIG_URL = "https://preprod.bankidapis.no/oidc/oauth/.well-known/openid-configuration";
-    public static final String CALLBACK_URL = "http://localhost:8080/callback";
+    public static final String CONFIG_URL = "https://oidc-current.bankidapis.no/auth/realms/current/.well-known/openid-configuration";
+    public static final String CALLBACK_URL = "https://localhost:8443/callback";
 
-    public static final String SCOPE = "openid";
+    public static final String SCOPE = "openid profile";
 
     /**
-     * Client_id and password must be inserted here for the application to work.
+     * Client_id and secret must be inserted here for the application to work.
      * <p>
-     * Make contact with BankID Norge ([email protected]) to retrieve the information needed.
+     * See https://confluence.bankidnorge.no/confluence/pdoidcl/release-notes/provisioning for details on how to receive this.
      */
     public static final String CLIENT_ID = "<insert client_id>";
-    public static final String CLIENT_PWD = "<insert client password>";
+    public static final String CLIENT_SECRET = "<insert client password>";
 }

src/main/java/no/bankid/oidc/JWTHandler.java

@@ -38,6 +38,7 @@ public JSONObject getPayload(String id_token) {
                 System.out.println("Signature in jwk could not be verified.");
                 // TODO Should be handled
             }
+
             return new JSONObject(jwsObject.getPayload().toString());
 
         } catch (ParseException e) {

src/main/java/no/bankid/oidc/User.java

@@ -20,7 +20,6 @@ public JSONObject getIdTokenPayload() {
         return idTokenPayload;
     }
 
-    public String getUsername() {
-        return idTokenPayload.getString("preferred_username");
-    }
+    public String getPreferredUsername() { return idTokenPayload.getString("preferred_username"); }
+
 }

src/main/java/no/bankid/oidc/web/WelcomeServlet.java

@@ -39,7 +39,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
             JSONObject idTokenPayload = user.getIdTokenPayload();
 
             response.getWriter()
-                    .append(String.format("<p>Du er logget inn som</p><p>%s</p>", user.getUsername()))
+                    .append(String.format("<p>Du er logget inn som</p><p>%s</p>", user.getPreferredUsername()))
                     .append("<h2>Access token</h2>")
                     .append(String.format("<p>%s</p>", user.getAccessToken()))
                     .append("<h2>Id token</h2>")