From 6e6dd5c7d73175d08949ab7d46eaa20afa0d7b8c Mon Sep 17 00:00:00 2001
From: Tim Coffman <234244+timcoffman@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:12:33 -0600
Subject: [PATCH] support for introspect "sub" missing base URL and/or resource type when fully-qualiied "fhirUser" is available as a fallback

---
 .../sds/SupplementalDataStoreAuthBase.java | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
index 4b1aeb0..6c07c24 100644
--- a/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
+++ b/src/main/java/edu/ohsu/cmp/ecp/sds/SupplementalDataStoreAuthBase.java
@@ -70,7 +70,24 @@ private IIdType authorizedUserIdFromOAuth2Principal( OAuth2AuthenticatedPrincipa
 if (null == subject)
 throw new AuthenticationException(Msg.code(644) + "Missing or Invalid Subject");
 
- return idFromSubject(subject.toString());
+ IIdType subjectId = idFromSubject(subject.toString());
+
+ if ( subjectId.hasBaseUrl() && subjectId.hasResourceType() )
+ return subjectId;
+
+ Object fhirUser = oauth2Principal.getAttribute("fhirUser");
+ if (null == fhirUser)
+ throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Missing FhirUser");
+
+ IIdType fhirUserId = idFromSubject(fhirUser.toString());
+
+ if ( !fhirUserId.hasIdPart() )
+ throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Invalid FhirUser");
+
+ if ( !fhirUserId.getIdPart().equals( subjectId.getIdPart() ) )
+ throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Mismatch Between Subject And FhirUser");
+
+ return fhirUserId ;
 }
 
 private LaunchContext launchContextFromAuthentication(Authentication authentication) {
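Review bot: The fallback never checks that `fhirUserId` itself carries a base URL and a resource type, so when the introspected `fhirUser` is as partial as `sub` the method returns an id exactly as incomplete as the one it was meant to repair, although the commit says the fallback applies only when a fully-qualified `fhirUser` is available. The comparison on the id part alone also ignores a resource type or base URL that `subjectId` does have, so a `sub` of one resource type can be silently replaced by a `fhirUser` of a different type that happens to share the id part, which changes which identity the caller is authorized as. Both checks fit after the `hasIdPart()` guard, keeping the existing `Msg.code(644)` messages' style; the enclosing method `authorizedUserIdFromOAuth2Principal` starts before the hunk. It would also help to add a comment above the `fhirUser` lookup stating that `fhirUser` is trusted only because it comes from the same introspection response as `sub` and is accepted only when it is fully qualified and agrees with every part `sub` does carry.
```java
		if ( !fhirUserId.hasIdPart() )
			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Invalid FhirUser");

		// the fallback only helps when fhirUser supplies what sub lacks
		if ( !fhirUserId.hasBaseUrl() || !fhirUserId.hasResourceType() )
			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Incomplete FhirUser");

		// any qualification sub does carry must agree with fhirUser
		if ( subjectId.hasResourceType() && !subjectId.getResourceType().equals( fhirUserId.getResourceType() ) )
			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Mismatch Between Subject And FhirUser");
		if ( subjectId.hasBaseUrl() && !subjectId.getBaseUrl().equals( fhirUserId.getBaseUrl() ) )
			throw new AuthenticationException(Msg.code(644) + "Incomplete Subject and Mismatch Between Subject And FhirUser");

		// … unchanged: id-part mismatch check and return fhirUserId …
```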