feat(jans-auth-server): allow to use openidSubAttribute for localAcco…

…untId for pairwise identifier look up #9696 (#10269) Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Nov 26, 2024 · c2bbedd · c2bbedd
1 parent 777760b
commit c2bbedd
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 8 deletions.
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java
@@ -590,6 +590,9 @@ public class AppConfiguration implements Configuration {
     @DocProperty(description = "When true, clients with the same Sector ID also share the same Subject ID", defaultValue = "false")
     private Boolean shareSubjectIdBetweenClientsWithSameSectorId = false;
 
+    @DocProperty(description = "Use openidSubAttribute value of user as local account id for algorithmic pairwise look up", defaultValue = "false")
+    private Boolean useOpenidSubAttributeValueForPairwiseLocalAccountId = false;
+
     @DocProperty(description = "Web Key Storage Type")
     private WebKeyStorage webKeysStorage;
 
@@ -944,6 +947,16 @@ public class AppConfiguration implements Configuration {
     @DocProperty(description = "Lock message Pub configuration", defaultValue = "false")
     private LockMessageConfig lockMessageConfig;
 
+    public Boolean getUseOpenidSubAttributeValueForPairwiseLocalAccountId() {
+        if (useOpenidSubAttributeValueForPairwiseLocalAccountId == null) useOpenidSubAttributeValueForPairwiseLocalAccountId = false;
+        return useOpenidSubAttributeValueForPairwiseLocalAccountId;
+    }
+
+    public AppConfiguration setUseOpenidSubAttributeValueForPairwiseLocalAccountId(Boolean useOpenidSubAttributeValueForPairwiseLocalAccountId) {
+        this.useOpenidSubAttributeValueForPairwiseLocalAccountId = useOpenidSubAttributeValueForPairwiseLocalAccountId;
+        return this;
+    }
+
     public int getArchivedJwkLifetimeInSeconds() {
         return archivedJwkLifetimeInSeconds;
     }

diff --git a/...auth-server/server/src/main/java/io/jans/as/server/service/PairwiseIdentifierService.java b/...auth-server/server/src/main/java/io/jans/as/server/service/PairwiseIdentifierService.java
@@ -15,13 +15,15 @@
 import io.jans.orm.model.base.SimpleBranch;
 import io.jans.orm.search.filter.Filter;
 import io.jans.util.StringHelper;
-import org.slf4j.Logger;
-
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
+import org.slf4j.Logger;
+
 import java.util.List;
 
+import static org.apache.commons.lang3.BooleanUtils.isTrue;
+
 /**
  * @author Javier Rojas Blum
  * @version May 7, 2019
@@ -65,7 +67,7 @@ public void prepareBranch(final String userInum) {
         }
     }
 
-    public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorIdentifier, String clientId) throws Exception {
+    public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorIdentifier, String clientId, String openidSubValue) throws Exception {
         PairwiseIdType pairwiseIdType = PairwiseIdType.fromString(appConfiguration.getPairwiseIdType());
 
         if (PairwiseIdType.PERSISTENT == pairwiseIdType) {
@@ -74,7 +76,7 @@ public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorI
             String baseDnForPairwiseIdentifiers = getBaseDnForPairwiseIdentifiers(userInum);
 
             final Filter filter;
-            if (appConfiguration.isShareSubjectIdBetweenClientsWithSameSectorId()) {
+            if (isTrue(appConfiguration.isShareSubjectIdBetweenClientsWithSameSectorId())) {
                 Filter sectorIdentifierFilter = Filter.createEqualityFilter("jansSectorIdentifier", sectorIdentifier);
                 Filter userInumFilter = Filter.createEqualityFilter("jansUsrId", userInum);
 
@@ -91,7 +93,7 @@ public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorI
             if (entries != null && !entries.isEmpty()) {
                 // if more then one entry then it's problem, non-deterministic behavior, id must be unique
                 if (entries.size() > 1) {
-                    log.error("Found more then one pairwise identifier by sector identifier: {}" + sectorIdentifier);
+                    log.error("Found more then one pairwise identifier by sector identifier: {}", sectorIdentifier);
                     for (PairwiseIdentifier pairwiseIdentifier : entries) {
                         log.error("PairwiseIdentifier: {}", pairwiseIdentifier);
                     }
@@ -101,8 +103,11 @@ public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorI
         } else { // PairwiseIdType.ALGORITHMIC
             String key = appConfiguration.getPairwiseCalculationKey();
             String salt = appConfiguration.getPairwiseCalculationSalt();
-            String localAccountId = appConfiguration.isShareSubjectIdBetweenClientsWithSameSectorId() ?
+            String localAccountId = isTrue(appConfiguration.isShareSubjectIdBetweenClientsWithSameSectorId()) ?
                     userInum : userInum + clientId;
+            if (isTrue(appConfiguration.getUseOpenidSubAttributeValueForPairwiseLocalAccountId())) {
+                localAccountId = openidSubValue;
+            }
 
             String calculatedSub = SubjectIdentifierGenerator.generatePairwiseSubjectIdentifier(
                     sectorIdentifier, localAccountId, key, salt, appConfiguration);

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/SectorIdentifierService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/SectorIdentifierService.java
@@ -108,6 +108,8 @@ public String getSub(Client client, User user, boolean isCibaGrant) {
             return "";
         }
 
+        final String openidSubValue = getOpenidSubValue(client, user);
+
         final boolean isClientPairwise = SubjectType.PAIRWISE.equals(client.getSubjectType());
         if (isClientPairwise) {
             final String sectorIdentifierUri;
@@ -133,7 +135,7 @@ public String getSub(Client client, User user, boolean isCibaGrant) {
                     String sectorIdentifier = URI.create(sectorIdentifierUri).getHost();
 
                     PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum,
-                            sectorIdentifier, client.getClientId());
+                            sectorIdentifier, client.getClientId(), openidSubValue);
                     if (pairwiseIdentifier == null) {
                         pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifier, client.getClientId(), userInum);
                         pairwiseIdentifier.setId(UUID.randomUUID().toString());
@@ -142,14 +144,18 @@ public String getSub(Client client, User user, boolean isCibaGrant) {
                     }
                     return pairwiseIdentifier.getId();
                 } else {
-                    log.trace("Sector identifier uri is blank for client: " + client.getClientId());
+                    log.trace("Sector identifier uri is blank for client: {}", client.getClientId());
                 }
             } catch (Exception e) {
                 log.error("Failed to get sub claim. PairwiseIdentifierService failed to find pair wise identifier.", e);
                 return "";
             }
         }
 
+        return openidSubValue;
+    }
+
+    private String getOpenidSubValue(Client client, User user) {
         String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
         if (Boolean.TRUE.equals(appConfiguration.getPublicSubjectIdentifierPerClientEnabled())
                 && StringUtils.isNotBlank(client.getAttributes().getPublicSubjectIdentifierAttribute())) {