Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .docker/openid-federation-admin-server/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ COPY . /app
RUN chmod +x ./gradlew
RUN rm .env*

RUN ./gradlew :modules:openid-federation-admin-server:bootJar -x test -x allTests -x jsBrowserTest -x integrationTests --no-daemon -Dorg.gradle.jvmargs="-Xmx2g -XX:MaxMetaspaceSize=512m"
RUN ./gradlew :modules:openid-federation-admin-server:bootJar -x test -x allTests -x jvmTest -x integrationTests --no-daemon -Dorg.gradle.jvmargs="-Xmx2g -XX:MaxMetaspaceSize=512m"

FROM openjdk:21-jdk
RUN microdnf install curl
Expand Down
2 changes: 1 addition & 1 deletion .docker/openid-federation-server/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ COPY . /app
RUN chmod +x ./gradlew
RUN rm .env*

RUN ./gradlew :modules:openid-federation-server:bootJar -x test -x allTests -x jsBrowserTest -x integrationTests --no-daemon -Dorg.gradle.jvmargs="-Xmx2g -XX:MaxMetaspaceSize=512m"
RUN ./gradlew :modules:openid-federation-server:bootJar -x test -x allTests -x integrationTests -x jvmTest --no-daemon -Dorg.gradle.jvmargs="-Xmx2g -XX:MaxMetaspaceSize=512m"

FROM openjdk:21-jdk
RUN microdnf install curl
Expand Down
31 changes: 31 additions & 0 deletions .docker/prod-deployment/docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,21 @@ services:
APP_KEY: ${APP_KEY}
KMS_PROVIDER: ${KMS_PROVIDER}
ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
DEV_MODE: ${DEV_MODE}
LOGGER_SEVERITY: ${LOGGER_SEVERITY}
CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
CORS_ALLOWED_METHODS: ${CORS_ALLOWED_METHODS}
CORS_ALLOWED_HEADERS: ${CORS_ALLOWED_HEADERS}
CORS_MAX_AGE: ${CORS_MAX_AGE}
LOGGER_OUTPUT: ${LOGGER_OUTPUT}
AZURE_KEYVAULT_APPLICATION_ID: ${AZURE_KEYVAULT_APPLICATION_ID}
AZURE_KEYVAULT_URL: ${AZURE_KEYVAULT_URL}
AZURE_KEYVAULT_TENANT_ID: ${AZURE_KEYVAULT_TENANT_ID}
AZURE_KEYVAULT_CLIENT_ID: ${AZURE_KEYVAULT_CLIENT_ID}
AZURE_KEYVAULT_CLIENT_SECRET: ${AZURE_KEYVAULT_CLIENT_SECRET}
AZURE_KEYVAULT_MAX_RETRIES: ${AZURE_KEYVAULT_MAX_RETRIES}
AZURE_KEYVAULT_BASE_DELAY: ${AZURE_KEYVAULT_BASE_DELAY}
AZURE_KEYVAULT_MAX_DELAY: ${AZURE_KEYVAULT_MAX_DELAY}
volumes:
- ./config/openid-federation-server/application.properties:/app/application.properties
depends_on:
Expand Down Expand Up @@ -59,6 +74,22 @@ services:
APP_KEY: ${APP_KEY}
KMS_PROVIDER: ${KMS_PROVIDER}
ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
DEV_MODE: ${DEV_MODE}
OAUTH2_RESOURCE_SERVER_JWT_ISSUER_URI: ${OAUTH2_RESOURCE_SERVER_JWT_ISSUER_URI}
CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
CORS_ALLOWED_METHODS: ${CORS_ALLOWED_METHODS}
CORS_ALLOWED_HEADERS: ${CORS_ALLOWED_HEADERS}
CORS_MAX_AGE: ${CORS_MAX_AGE}
LOGGER_SEVERITY: ${LOGGER_SEVERITY}
LOGGER_OUTPUT: ${LOGGER_OUTPUT}
AZURE_KEYVAULT_APPLICATION_ID: ${AZURE_KEYVAULT_APPLICATION_ID}
AZURE_KEYVAULT_URL: ${AZURE_KEYVAULT_URL}
AZURE_KEYVAULT_TENANT_ID: ${AZURE_KEYVAULT_TENANT_ID}
AZURE_KEYVAULT_CLIENT_ID: ${AZURE_KEYVAULT_CLIENT_ID}
AZURE_KEYVAULT_CLIENT_SECRET: ${AZURE_KEYVAULT_CLIENT_SECRET}
AZURE_KEYVAULT_MAX_RETRIES: ${AZURE_KEYVAULT_MAX_RETRIES}
AZURE_KEYVAULT_BASE_DELAY: ${AZURE_KEYVAULT_BASE_DELAY}
AZURE_KEYVAULT_MAX_DELAY: ${AZURE_KEYVAULT_MAX_DELAY}
volumes:
- ./config/openid-federation-admin-server/application.properties:/app/application.properties
depends_on:
Expand Down
2 changes: 1 addition & 1 deletion build.gradle.kts
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ fun getNpmVersion(): String {

allprojects {
group = "com.sphereon.oid.fed"
version = "0.20.10-SNAPSHOT"
version = "0.20.11-SNAPSHOT"
val npmVersion by extra { getNpmVersion() }

configurations {
Expand Down
31 changes: 22 additions & 9 deletions docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ services:
POSTGRES_PASSWORD
POSTGRES_DB
ports:
- "5432:5432"
- "5438:5432"
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
Expand Down Expand Up @@ -52,14 +52,27 @@ services:
- path: .env.local
required: false
environment:
- DATASOURCE_URL
DATASOURCE_USER
DATASOURCE_PASSWORD
APP_KEY
KMS_PROVIDER
ROOT_IDENTIFIER
DEV_MODE
LOGGER_SEVERITY
DATASOURCE_URL: ${DATASOURCE_URL}
DATASOURCE_USER: ${DATASOURCE_USER}
DATASOURCE_PASSWORD: ${DATASOURCE_PASSWORD}
APP_KEY: ${APP_KEY}
KMS_PROVIDER: ${KMS_PROVIDER}
ROOT_IDENTIFIER: ${ROOT_IDENTIFIER}
DEV_MODE: ${DEV_MODE}
LOGGER_SEVERITY: ${LOGGER_SEVERITY}
CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
CORS_ALLOWED_METHODS: ${CORS_ALLOWED_METHODS}
CORS_ALLOWED_HEADERS: ${CORS_ALLOWED_HEADERS}
CORS_MAX_AGE: ${CORS_MAX_AGE}
LOGGER_OUTPUT: ${LOGGER_OUTPUT}
AZURE_KEYVAULT_APPLICATION_ID: ${AZURE_KEYVAULT_APPLICATION_ID}
AZURE_KEYVAULT_URL: ${AZURE_KEYVAULT_URL}
AZURE_KEYVAULT_TENANT_ID: ${AZURE_KEYVAULT_TENANT_ID}
AZURE_KEYVAULT_CLIENT_ID: ${AZURE_KEYVAULT_CLIENT_ID}
AZURE_KEYVAULT_CLIENT_SECRET: ${AZURE_KEYVAULT_CLIENT_SECRET}
AZURE_KEYVAULT_MAX_RETRIES: ${AZURE_KEYVAULT_MAX_RETRIES}
AZURE_KEYVAULT_BASE_DELAY: ${AZURE_KEYVAULT_BASE_DELAY}
AZURE_KEYVAULT_MAX_DELAY: ${AZURE_KEYVAULT_MAX_DELAY}
depends_on:
db:
condition: service_healthy
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@ import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter
import org.springframework.security.web.SecurityFilterChain
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.CorsConfigurationSource
Expand Down Expand Up @@ -66,14 +66,29 @@ class SecurityConfig {

@Bean
fun jwtAuthenticationConverter(): JwtAuthenticationConverter {
val grantedAuthoritiesConverter = JwtGrantedAuthoritiesConverter().apply {
setAuthoritiesClaimName("roles") // Matches the claim name in Keycloak
setAuthorityPrefix("ROLE_") // Prefix to align with Spring Security expectations
}
val jwtAuthenticationConverter = JwtAuthenticationConverter().apply {
setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter)
return JwtAuthenticationConverter().apply {
setJwtGrantedAuthoritiesConverter { jwt ->
val authorities = mutableListOf<SimpleGrantedAuthority>()

// Extract realm roles
val realmRoles = jwt.claims["realm_access"]?.let {
(it as Map<*, *>)["roles"] as? List<*>
} ?: listOf<String>()

// Extract client roles
val resourceAccess = jwt.claims["resource_access"] as? Map<*, *>
val clientRoles = resourceAccess?.get("openid-client")?.let {
(it as Map<*, *>)["roles"] as? List<*>
} ?: listOf<String>()

// Add all roles with ROLE_ prefix
(realmRoles + clientRoles).forEach { role ->
authorities.add(SimpleGrantedAuthority("ROLE_${role}"))
}

authorities
}
}
return jwtAuthenticationConverter
}

@Bean
Expand Down