Skip to content

Commit d8a12c8

Browse files
committed
CGDMF-73: Make use of ZGW client id/secrets so we can get rid of if case in auth-jwt
1 parent b262730 commit d8a12c8

3 files changed

Lines changed: 13 additions & 26 deletions

File tree

.bruno/CG-DMF/environments/CI.bru

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,10 @@ vars {
44
catalogusBaseUrl: https://openzaak.dev.baseflow.com/catalogi/api/v1
55
storage.defaultRepo: minio-local
66
storage.secondaryRepo: minio-archive
7-
jwt.clientId: gzac
8-
oidc.clientId: cg-dmf
7+
jwt.clientId: cg-dmf-integration-test
8+
oidc.authUrl: https://auth.gzac.baseflow.com/realms/cg-dmf/protocol/openid-connect/auth
9+
oidc.tokenUrl: https://auth.gzac.baseflow.com/realms/cg-dmf/protocol/openid-connect/token
910
}
1011
vars:secret [
1112
jwt.clientSecret
1213
]
13-

docker-compose.integration-test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -68,7 +68,7 @@ services:
6868
BESTANDSDELEN_CHUNK_SIZE: ${BESTANDSDELEN_CHUNK_SIZE:-100000}
6969
ENCRYPTION_SECRET_KEY: ${ENCRYPTION_SECRET_KEY:-changeme-use-a-strong-key-in-production}
7070
ENCRYPTION_SALT: ${ENCRYPTION_SALT:-deadbeefcafe0123456789abcdef0123}
71-
OIDC_JWT_SECRET: ${JWT_CLIENT_SECRET:-your-secret}
71+
ZGW_CLIENT_SECRETS: cg-dmf-integration-test:${JWT_CLIENT_SECRET:-your-secret}
7272
WOPI_ENABLED: true
7373
WOPI_SLAT_SECRET: ${WOPI_SLAT_SECRET:-changeme-use-a-strong-key-in-production}
7474
healthcheck:

src/main/kotlin/config/AuthenticationModule.kt

Lines changed: 9 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,6 @@ import java.util.concurrent.TimeUnit
2525
fun Application.authenticationModule() {
2626
val logger = LoggerFactory.getLogger("AuthenticationModule")
2727
val issuer = AuthenticationConfig.issuer
28-
val jwtSecret = AuthenticationConfig.jwtSecret
2928
val zgwClientSecrets = AuthenticationConfig.zgwClientSecrets
3029

3130
install(Authentication) {
@@ -35,28 +34,16 @@ fun Application.authenticationModule() {
3534
header?.let { parseAuthorizationHeader(it) }
3635
}
3736

38-
if (jwtSecret != null) {
39-
// HS256 verification using a shared secret (e.g. local dev or symmetric key setup).
40-
logger.info("[JWT] Using HS256 secret verification for auth-jwt")
41-
verifier(
42-
JWT.require(Algorithm.HMAC256(jwtSecret))
43-
.withIssuer(issuer)
44-
.acceptLeeway(3)
45-
.build(),
46-
)
47-
} else {
48-
// Configure JWK provider to fetch signing keys from Keycloak.
49-
// Only used when OIDC_JWT_SECRET is not set.
50-
val jwkProvider = JwkProviderBuilder(URI("$issuer/protocol/openid-connect/certs").toURL())
51-
.cached(10, 24, TimeUnit.HOURS)
52-
.rateLimited(10, 1, TimeUnit.MINUTES)
53-
.build()
37+
// Configure JWK provider to fetch signing keys from Keycloak.
38+
val jwkProvider = JwkProviderBuilder(URI("$issuer/protocol/openid-connect/certs").toURL())
39+
.cached(10, 24, TimeUnit.HOURS)
40+
.rateLimited(10, 1, TimeUnit.MINUTES)
41+
.build()
5442

55-
// RS256 verification via Keycloak's JWK endpoint (production default).
56-
logger.info("[JWT] Using JWK/RS256 verification for auth-jwt (issuer={})", issuer)
57-
verifier(jwkProvider, issuer) {
58-
acceptLeeway(3)
59-
}
43+
// RS256 verification via Keycloak's JWK endpoint (production default).
44+
logger.info("[JWT] Using JWK/RS256 verification for auth-jwt (issuer={})", issuer)
45+
verifier(jwkProvider, issuer) {
46+
acceptLeeway(3)
6047
}
6148

6249
validate { credential ->

0 commit comments

Comments
 (0)