From 6e6dd5c7d73175d08949ab7d46eaa20afa0d7b8c Mon Sep 17 00:00:00 2001
From: Tim Coffman <234244+timcoffman@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:12:33 -0600
Subject: [PATCH] support for introspect "sub" missing base URL and/or resource
 type when fully-qualiied "fhirUser" is available as a fallback

---
 .../sds/SupplementalDataStoreAuthBase.java    | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
index 4b1aeb0..6c07c24 100644
--- a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
+++ b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
@@ -70,7 +70,24 @@ private IIdType authorizedUserIdFromOAuth2Principal( OAuth2AuthenticatedPrincipa
 		if (null == subject)
 			throw new AuthenticationException(Msg.code(644) + "Missing or Invalid Subject");
 
-		return idFromSubject(subject.toString());
+		IIdType subjectId = idFromSubject(subject.toString());
+
+		if ( subjectId.hasBaseUrl() && subjectId.hasResourceType() )
+			return subjectId;
+
+		Object fhirUser = oauth2Principal.getAttribute("fhirUser");
+		if (null == fhirUser)
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Missing FhirUser");
+
+		IIdType fhirUserId = idFromSubject(fhirUser.toString());
+
+		if ( !fhirUserId.hasIdPart() )
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Invalid FhirUser");
+
+		if ( !fhirUserId.getIdPart().equals( subjectId.getIdPart() ) )
+			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Mismatch Between Subject And FhirUser");
+
+		return fhirUserId ;
 	}
 
 	private LaunchContext launchContextFromAuthentication(Authentication authentication) {
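Review bot: The fallback never verifies that the fhirUser id is actually fully qualified, so the check the subject failed at L22 is not re-applied to the value that replaces it: a fhirUser claim of "Patient/123" passes the hasIdPart test at L31 and is returned with the same missing base URL and/or resource type the branch was meant to supply. After the hasIdPart guard add `if ( !fhirUserId.hasBaseUrl() || !fhirUserId.hasResourceType() )` followed by `throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Incomplete FhirUser");`. The equality test at L34 also compares only the id part, so a subject that does carry a resource type (say "Patient/123" with no base URL) is accepted against a fhirUser of a different resource type with the same id; comparing getResourceType() and getBaseUrl() wherever the subject has them would make the two claims agree on every component they share rather than only the last segment. The enclosing authorizedUserIdFromOAuth2Principal starts before the hunk, so the origin of subject and any earlier validation of the principal is not visible here.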