Update v1.11.0

.env.example

@@ -73,48 +73,42 @@ RSD_AUTH_PROVIDERS=SURFCONEXT;HELMHOLTZAAI
 
 # SURFCONEXT - TEST ENVIRONMENT
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_SURFCONEXT_CLIENT_ID=www.research-software.nl
+SURFCONEXT_CLIENT_ID=www.research-software.nl
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_SURFCONEXT_REDIRECT=http://localhost/auth/login/surfconext
+SURFCONEXT_REDIRECT=http://localhost/auth/login/surfconext
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_SURFCONEXT_WELL_KNOWN_URL=https://connect.test.surfconext.nl/.well-known/openid-configuration
+SURFCONEXT_WELL_KNOWN_URL=https://connect.test.surfconext.nl/.well-known/openid-configuration
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_SURFCONEXT_SCOPES=openid
+SURFCONEXT_SCOPES=openid
 # consumed by: frontend/utils/loginHelpers
-NEXT_PUBLIC_SURFCONEXT_RESPONSE_MODE=form_post
-# consumed by services: authentication
-AUTH_SURFCONEXT_TOKEN_URL=https://connect.test.surfconext.nl/oidc/token
+SURFCONEXT_RESPONSE_MODE=form_post
 
 # Helmholtz AAI
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_HELMHOLTZAAI_CLIENT_ID=rsd-dev
+HELMHOLTZAAI_CLIENT_ID=rsd-dev
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_HELMHOLTZAAI_REDIRECT=http://localhost/auth/login/helmholtzaai
+HELMHOLTZAAI_REDIRECT=http://localhost/auth/login/helmholtzaai
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_HELMHOLTZAAI_WELL_KNOWN_URL=https://login-dev.helmholtz.de/oauth2/.well-known/openid-configuration
+HELMHOLTZAAI_WELL_KNOWN_URL=https://login-dev.helmholtz.de/oauth2/.well-known/openid-configuration
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_HELMHOLTZAAI_SCOPES=openid+profile+email+eduperson_principal_name
+HELMHOLTZAAI_SCOPES=openid+profile+email+eduperson_principal_name
 # consumed by: frontend/utils/loginHelpers
-NEXT_PUBLIC_HELMHOLTZAAI_RESPONSE_MODE=query
-# consumed by services: authentication
-AUTH_HELMHOLTZAAI_TOKEN_URL=https://login-dev.helmholtz.de/oauth2/token
+HELMHOLTZAAI_RESPONSE_MODE=query
 # consumed by: authentication
 # uncomment if you want to allow users from non-Helmholtz centres or social IdPs:
 #HELMHOLTZAAI_ALLOW_EXTERNAL_USERS=true
 
 # ORCID
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_ORCID_CLIENT_ID=APP-4D4D69ASWTYOI9QI
+ORCID_CLIENT_ID=APP-4D4D69ASWTYOI9QI
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_ORCID_REDIRECT=http://localhost/auth/login/orcid
+ORCID_REDIRECT=http://localhost/auth/login/orcid
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_ORCID_WELL_KNOWN_URL=https://sandbox.orcid.org/.well-known/openid-configuration
+ORCID_WELL_KNOWN_URL=https://sandbox.orcid.org/.well-known/openid-configuration
 # consumed by: authentication, frontend/utils/loginHelpers
-NEXT_PUBLIC_ORCID_SCOPES=openid
+ORCID_SCOPES=openid
 # consumed by: frontend/utils/loginHelpers
-NEXT_PUBLIC_ORCID_RESPONSE_MODE=query
-# consumed by services: authentication
-AUTH_ORCID_TOKEN_URL=https://sandbox.orcid.org/oauth/token
+ORCID_RESPONSE_MODE=query
 
 # max requests to the GitHub API per run, runs 10 times per hour
 # optional, comment out if not available, a default of 6 will be used

.github/workflows/_ghcr.yml

@@ -64,13 +64,13 @@ jobs:
           IMAGE_TAG_LASTEST=${{inputs.base_image_name}}:latest
           echo image_tag_version $IMAGE_TAG_VERSION
           docker build -t $IMAGE_TAG_VERSION -t $IMAGE_TAG_LASTEST -f ${{inputs.dockerfile}} ${{inputs.docker_context}}
-          echo "::set-output name=image_build::$IMAGE_TAG_VERSION"
+          echo "{image_build}={$IMAGE_TAG_VERSIONvalue}" >> $GITHUB_OUTPUT
       - name: push to ghcr.io
         id: push_image
         run: |
           echo login
           echo "${{secrets.token}}" | docker login https://ghcr.io -u ${{inputs.ghcr_user}} --password-stdin
           echo push auth image with all tags
           docker push ${{inputs.base_image_name}} --all-tags
-          echo "::set-output name=image_pushed::true"
+          echo "{image_build}={$IMAGE_TAG_VERSIONvalue}" >> $GITHUB_OUTPUT
 

CITATION.cff

@@ -75,5 +75,5 @@ keywords:
   - Software Impact
   - Software Reuse
 license: Apache-2.0
-version: v1.10.0
-date-released: '2022-11-04'
+version: v1.11.0
+date-released: '2022-11-15'

authentication/src/main/java/nl/esciencecenter/rsd/authentication/Config.java

@@ -65,54 +65,48 @@ public static String backendBaseUrl() {
 		return System.getenv("POSTGREST_URL");
 	}
 
+
 //	SURFconext
 	public static String surfconextRedirect() {
-		return System.getenv("NEXT_PUBLIC_SURFCONEXT_REDIRECT");
+		return System.getenv("SURFCONEXT_REDIRECT");
 	}
 
 	public static String surfconextClientId() {
-		return System.getenv("NEXT_PUBLIC_SURFCONEXT_CLIENT_ID");
+		return System.getenv("SURFCONEXT_CLIENT_ID");
 	}
 
 	public static String surfconextWellknown() {
-		return System.getenv("NEXT_PUBLIC_SURFCONEXT_WELL_KNOWN_URL");
+		return System.getenv("SURFCONEXT_WELL_KNOWN_URL");
 	}
 
 	public static String surfconextClientSecret() {
 		return System.getenv("AUTH_SURFCONEXT_CLIENT_SECRET");
 	}
 
-	public static String surfconextTokenUrl() {
-		return System.getenv("AUTH_SURFCONEXT_TOKEN_URL");
-	}
-
 	public static String surfconextScopes() {
-		return System.getenv("NEXT_PUBLIC_SURFCONEXT_SCOPES");
+		return System.getenv("SURFCONEXT_SCOPES");
 	}
 
+
 //	Helmholtz AAI
 	public static String helmholtzAaiRedirect() {
-		return System.getenv("NEXT_PUBLIC_HELMHOLTZAAI_REDIRECT");
+		return System.getenv("HELMHOLTZAAI_REDIRECT");
 	}
 
 	public static String helmholtzAaiClientId() {
-		return System.getenv("NEXT_PUBLIC_HELMHOLTZAAI_CLIENT_ID");
+		return System.getenv("HELMHOLTZAAI_CLIENT_ID");
 	}
 
 	public static String helmholtzAaiWellknown() {
-		return System.getenv("NEXT_PUBLIC_HELMHOLTZAAI_WELL_KNOWN_URL");
+		return System.getenv("HELMHOLTZAAI_WELL_KNOWN_URL");
 	}
 
 	public static String helmholtzAaiClientSecret() {
 		return System.getenv("AUTH_HELMHOLTZAAI_CLIENT_SECRET");
 	}
 
-	public static String helmholtzAaiTokenUrl() {
-		return System.getenv("AUTH_HELMHOLTZAAI_TOKEN_URL");
-	}
-
 	public static String helmholtzAaiScopes() {
-		return System.getenv("NEXT_PUBLIC_HELMHOLTZAAI_SCOPES");
+		return System.getenv("HELMHOLTZAAI_SCOPES");
 	}
 
 	public static boolean helmholtzAaiAllowExternalUsers() {
@@ -121,29 +115,26 @@ public static boolean helmholtzAaiAllowExternalUsers() {
 		);
 	}
 
+
 //	ORCID
 	public static String orcidRedirect() {
-	return System.getenv("NEXT_PUBLIC_ORCID_REDIRECT");
+	return System.getenv("ORCID_REDIRECT");
 }
 
 	public static String orcidClientId() {
-		return System.getenv("NEXT_PUBLIC_ORCID_CLIENT_ID");
+		return System.getenv("ORCID_CLIENT_ID");
 	}
 
 	public static String orcidWellknown() {
-		return System.getenv("NEXT_PUBLIC_ORCID_WELL_KNOWN_URL");
+		return System.getenv("ORCID_WELL_KNOWN_URL");
 	}
 
 	public static String orcidClientSecret() {
 		return System.getenv("AUTH_ORCID_CLIENT_SECRET");
 	}
 
-	public static String orcidTokenUrl() {
-		return System.getenv("AUTH_ORCID_TOKEN_URL");
-	}
-
 	public static String orcidScopes() {
-		return System.getenv("NEXT_PUBLIC_ORCID_SCOPES");
+		return System.getenv("ORCID_SCOPES");
 	}
 
 }

authentication/src/main/java/nl/esciencecenter/rsd/authentication/HelmholtzAaiLogin.java

@@ -135,7 +135,7 @@ public OpenIdInfo openidInfo() {
 			ClientID clientID = new ClientID(Config.helmholtzAaiClientId());
 			Secret clientSecret = new Secret(Config.helmholtzAaiClientSecret());
 			ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);
-			URI tokenEndpoint = new URI(Config.helmholtzAaiTokenUrl());
+			URI tokenEndpoint = Utils.getTokenUrlFromWellKnownUrl(URI.create(Config.helmholtzAaiWellknown()));
 
 			Scope scopes = new Scope();
 
@@ -181,7 +181,7 @@ public OpenIdInfo openidInfo() {
 		if (organisation == null) {
 			// login denied by missing entitlements
 			// or external providers are not allowed
-			throw new RuntimeException("User is not allowed to login");
+			throw new RsdAuthenticationException("You are not allowed to login");
 		}
 
 		return new OpenIdInfo(

authentication/src/main/java/nl/esciencecenter/rsd/authentication/OrcidLogin.java

@@ -61,7 +61,8 @@ private Map<String, String> createForm() {
 
 	private String getTokensFromOrcidconext(Map<String, String> form) {
 		String body = formMapToxWwwFormUrlencoded(form);
-		return postForm(URI.create(Config.orcidTokenUrl()), body);
+		URI tokenEndpoint = Utils.getTokenUrlFromWellKnownUrl(URI.create(Config.orcidWellknown()));
+		return postForm(tokenEndpoint, body);
 	}
 
 	private String formMapToxWwwFormUrlencoded(Map<String, String> form) {

authentication/src/main/java/nl/esciencecenter/rsd/authentication/SurfconextLogin.java

@@ -60,7 +60,8 @@ private Map<String, String> createForm() {
 
 	private String getTokensFromSurfconext(Map<String, String> form) {
 		String body = formMapToxWwwFormUrlencoded(form);
-		return postForm(URI.create(Config.surfconextTokenUrl()), body);
+		URI tokenEndpoint = Utils.getTokenUrlFromWellKnownUrl(URI.create(Config.surfconextWellknown()));
+		return postForm(tokenEndpoint, body);
 	}
 
 	private String formMapToxWwwFormUrlencoded(Map<String, String> form) {

authentication/src/main/java/nl/esciencecenter/rsd/authentication/Utils.java

@@ -6,6 +6,15 @@
 package nl.esciencecenter.rsd.authentication;
 
 import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
 
 public class Utils {
 
@@ -14,4 +23,25 @@ public static String jsonElementToString(JsonElement elementToConvert) {
 		if (!elementToConvert.isJsonPrimitive()) return null;
 		return elementToConvert.getAsString();
 	}
+
+	public static URI getTokenUrlFromWellKnownUrl(URI wellKnownUrl) {
+		HttpClient client = HttpClient.newHttpClient();
+		HttpRequest request = HttpRequest.newBuilder(wellKnownUrl).build();
+		HttpResponse<String> response;
+
+		try {
+			response = client.send(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
+		} catch (IOException | InterruptedException e) {
+			throw new RuntimeException(e);
+		}
+
+		return extractTokenUrlFromWellKnownData(response.body());
+	}
+
+	static URI extractTokenUrlFromWellKnownData(String jsonData) {
+		JsonObject dataAsObject = JsonParser.parseString(jsonData).getAsJsonObject();
+		String tokenUrl = dataAsObject.getAsJsonPrimitive("token_endpoint").getAsString();
+		return URI.create(tokenUrl);
+	}
+
 }

authentication/src/test/java/nl/esciencecenter/rsd/authentication/UtilsTest.java

@@ -0,0 +1,79 @@
+// SPDX-FileCopyrightText: 2022 Ewan Cahen (Netherlands eScience Center) <e.cahen@esciencecenter.nl>
+// SPDX-FileCopyrightText: 2022 Netherlands eScience Center
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package nl.esciencecenter.rsd.authentication;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.net.URI;
+
+public class UtilsTest {
+
+	@Test
+	void givenValidWellKnownData_whenExtractingTokenEndpoint_correctResultReturned() {
+		String data = """
+				{
+				  "token_endpoint_auth_signing_alg_values_supported": [
+				    "RS256"
+				  ],
+				  "id_token_signing_alg_values_supported": [
+				    "RS256"
+				  ],
+				  "userinfo_endpoint": "https://sandbox.orcid.org/oauth/userinfo",
+				  "authorization_endpoint": "https://sandbox.orcid.org/oauth/authorize",
+				  "token_endpoint": "https://sandbox.orcid.org/oauth/token",
+				  "jwks_uri": "https://sandbox.orcid.org/oauth/jwks",
+				  "claims_supported": [
+				    "family_name",
+				    "given_name",
+				    "name",
+				    "auth_time",
+				    "iss",
+				    "sub"
+				  ],
+				  "scopes_supported": [
+				    "openid"
+				  ],
+				  "subject_types_supported": [
+				    "public"
+				  ],
+				  "response_types_supported": [
+				    "code",
+				    "id_token",
+				    "id_token token"
+				  ],
+				  "claims_parameter_supported": false,
+				  "token_endpoint_auth_methods_supported": [
+				    "client_secret_post"
+				  ],
+				  "grant_types_supported": [
+				    "authorization_code",
+				    "implicit",
+				    "refresh_token"
+				  ],
+				  "issuer": "https://sandbox.orcid.org"
+				}""";
+
+		URI tokenEndpoint = Utils.extractTokenUrlFromWellKnownData(data);
+
+		Assertions.assertEquals(URI.create("https://sandbox.orcid.org/oauth/token"), tokenEndpoint);
+	}
+
+	@Test
+	void givenInvalidJson_whenExtractingTokenEndpoint_thenExceptionThrown() {
+		String data = "{";
+
+		Assertions.assertThrows(RuntimeException.class, () -> Utils.extractTokenUrlFromWellKnownData(data));
+	}
+
+	@Test
+	void givenDataWithoutTokenEndpoint_whenExtractingTokenEndpoint_thenExceptionThrown() {
+		String data = "{\"token_endpoint\": null}";
+
+		Assertions.assertThrows(ClassCastException.class, () -> Utils.extractTokenUrlFromWellKnownData(data));
+	}
+
+}