support for introspect "sub" missing base URL and/or resource type wh…

…en fully-qualiied "fhirUser" is available as a fallback
OHSUCMP · Dec 2, 2024 · 6e6dd5c · 6e6dd5c
1 parent 22bdd2b
commit 6e6dd5c
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
@@ -70,7 +70,24 @@ private IIdType authorizedUserIdFromOAuth2Principal( OAuth2AuthenticatedPrincipa
 		if (null == subject)
 			throw new AuthenticationException(Msg.code(644) + "Missing or Invalid Subject");
 
-		return idFromSubject(subject.toString());
+		IIdType subjectId = idFromSubject(subject.toString());
+
+		if ( subjectId.hasBaseUrl() && subjectId.hasResourceType() )
+			return subjectId;
+
+		Object fhirUser = oauth2Principal.getAttribute("fhirUser");
+		if (null == fhirUser)
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Missing FhirUser");
+
+		IIdType fhirUserId = idFromSubject(fhirUser.toString());
+
+		if ( !fhirUserId.hasIdPart() )
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Invalid FhirUser");
+
+		if ( !fhirUserId.getIdPart().equals( subjectId.getIdPart() ) )
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Mismatch Between Subject And FhirUser");
+
+		return fhirUserId ;
 	}
 
 	private LaunchContext launchContextFromAuthentication(Authentication authentication) {