Entra ID compatibility

Author: culka

src/main/kotlin/fi/hsl/jore4/auth/oidc/OIDCCodeExchangeService.kt

@@ -2,6 +2,7 @@ package fi.hsl.jore4.auth.oidc
 
 import com.nimbusds.oauth2.sdk.AuthorizationCode
 import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant
+import com.nimbusds.oauth2.sdk.Scope
 import com.nimbusds.oauth2.sdk.TokenRequest
 import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic
 import com.nimbusds.oauth2.sdk.auth.Secret
@@ -61,7 +62,8 @@ open class OIDCCodeExchangeService(
             TokenRequest(
                 oidcProviderMetadataSupplier.providerMetadata.tokenEndpointURI,
                 ClientSecretBasic(ClientID(oidcProperties.clientId), Secret(oidcProperties.clientSecret)),
-                AuthorizationCodeGrant(code, callbackUri)
+                AuthorizationCodeGrant(code, callbackUri),
+                Scope("openid")
             )
         val response = OIDCTokenResponseParser.parse(request.toHTTPRequest().send())
 
@@ -77,8 +79,10 @@ open class OIDCCodeExchangeService(
         val accessToken = successResponse.oidcTokens.accessToken
         val refreshToken = successResponse.oidcTokens.refreshToken
 
-        // verify token authenticity and validity
-        verificationService.parseAndVerifyAccessToken(accessToken)
+        // verify token authenticity and validity if not using Entra
+        if (!oidcProperties.providerBaseUrl.startsWith("https://login.microsoftonline.com/")) {
+            verificationService.parseAndVerifyAccessToken(accessToken)
+        }
 
         session.setAttribute(SessionKeys.USER_TOKEN_SET_KEY, UserTokenSet(accessToken, refreshToken))
 

src/main/kotlin/fi/hsl/jore4/auth/oidc/TokenVerificationService.kt

@@ -52,8 +52,10 @@ open class TokenVerificationService(
                     ClientID(oidcProperties.clientId),
                     Secret(oidcProperties.clientSecret)
                 )
-            // retry to verify the new access token
-            parseAndVerifyAccessToken(newTokenSet.accessToken)
+            // retry to verify the new access token if not using Entra
+            if (!oidcProperties.providerBaseUrl.startsWith("https://login.microsoftonline.com/")) {
+                parseAndVerifyAccessToken(newTokenSet.accessToken)
+            }
             newTokenSet
         }
 

src/main/kotlin/fi/hsl/jore4/auth/oidc/UserTokenSet.kt

@@ -1,6 +1,7 @@
 package fi.hsl.jore4.auth.oidc
 
 import com.nimbusds.oauth2.sdk.RefreshTokenGrant
+import com.nimbusds.oauth2.sdk.Scope
 import com.nimbusds.oauth2.sdk.TokenRequest
 import com.nimbusds.oauth2.sdk.TokenResponse
 import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic
@@ -39,7 +40,8 @@ class UserTokenSet(
             TokenRequest(
                 tokenEndpointURI,
                 ClientSecretBasic(clientID, clientSecret),
-                RefreshTokenGrant(refreshToken)
+                RefreshTokenGrant(refreshToken),
+                Scope("openid")
             )
 
         val response = TokenResponse.parse(request.toHTTPRequest().send())