openidconnect security scheme swagger/openapi fix + test

krowvin · MikeNeilson · commit 9d046255baeb · 2026-04-08T07:17:27.000-07:00
diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
@@ -56,25 +56,28 @@ public URL getJwksUrl() {
         return jwksUrl;
     }
 
-    public SecurityScheme getScheme() {
-
-        
+    static SecurityScheme buildScheme(String wellKnownUrl, String clientId, String idpHint) {
         SecurityScheme scheme =  new SecurityScheme().type(Type.OPENIDCONNECT)
-                                                    .openIdConnectUrl(wellKnown.toString())
-                                                    .scheme("openid");
-        if (idp_hint != null)
+                                                    .openIdConnectUrl(wellKnownUrl);
+        if (idpHint != null)
         {
             Map<String, Object> hint = new HashMap<>();
             hint.put("query-parameter", "kc_idp_hint");
             ArrayList<String> values = new ArrayList<>();
-            for (String value: idp_hint.split(",")) {
+            for (String value: idpHint.split(",")) {
                 values.add(value.trim());
             }
             hint.put("values", values);
             scheme.addExtension("x-kc_idp_hint", hint);
         }
 
-        scheme.addExtension("x-oidc-client-id", client_id);
+        scheme.addExtension("x-oidc-client-id", clientId);
+        return scheme;
+    }
+
+    public SecurityScheme getScheme() {
+        
+        SecurityScheme scheme = buildScheme(wellKnown.toString(), client_id, idp_hint);
         return scheme;
     }
 }
diff --git a/cwms-data-api/src/test/java/cwms/cda/security/OpenIDConfigTest.java b/cwms-data-api/src/test/java/cwms/cda/security/OpenIDConfigTest.java
@@ -0,0 +1,42 @@
+package cwms.cda.security;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import java.util.List;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+
+class OpenIDConfigTest {
+
+    @Test
+    void buildSchemeUsesWellKnownDiscoveryUrlWithoutHttpAuthScheme() {
+        SecurityScheme scheme = OpenIDConfig.buildScheme(
+            "https://identityc.sec.usace.army.mil/auth/realms/cwbi/.well-known/openid-configuration",
+            "cwms",
+            "federation-eams, login.gov"
+        );
+
+        assertEquals(SecurityScheme.Type.OPENIDCONNECT, scheme.getType());
+        assertEquals(
+            "https://identityc.sec.usace.army.mil/auth/realms/cwbi/.well-known/openid-configuration",
+            scheme.getOpenIdConnectUrl()
+        );
+        assertTrue(scheme.getScheme() == null || scheme.getScheme().isEmpty());
+        assertNotNull(scheme.getExtensions());
+        assertEquals("cwms", scheme.getExtensions().get("x-oidc-client-id"));
+
+        @SuppressWarnings("unchecked")
+        Map<String, Object> hint = (Map<String, Object>) scheme.getExtensions().get("x-kc_idp_hint");
+        assertNotNull(hint);
+        assertEquals("kc_idp_hint", hint.get("query-parameter"));
+
+        @SuppressWarnings("unchecked")
+        List<String> values = (List<String>) hint.get("values");
+        assertEquals(List.of("federation-eams", "login.gov"), values);
+        assertFalse(scheme.getExtensions().containsKey("flows"));
+    }
+}
