OpenBankProject
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/main/scala/com/tesobe/oidc/auth/AuthService.scala‎
Lines changed: 7 additions & 0 deletions b/‎src/main/scala/com/tesobe/oidc/auth/AuthService.scala‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main/scala/com/tesobe/oidc/auth/CodeService.scala‎
Lines changed: 5 additions & 2 deletions b/‎src/main/scala/com/tesobe/oidc/auth/CodeService.scala‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/main/scala/com/tesobe/oidc/auth/HybridAuthService.scala‎
Lines changed: 57 additions & 5 deletions b/‎src/main/scala/com/tesobe/oidc/auth/HybridAuthService.scala‎
Lines changed: 57 additions & 5 deletions
diff --git a/‎src/main/scala/com/tesobe/oidc/auth/ObpApiClientService.scala‎
Lines changed: 33 additions & 21 deletions b/‎src/main/scala/com/tesobe/oidc/auth/ObpApiClientService.scala‎
Lines changed: 33 additions & 21 deletions
@@ -224,7 +224,7 @@ OBP-OIDC supports two modes for verifying users, clients, and listing providers,
 - Verifies clients via `GET /obp/v6.0.0/oidc/clients/CLIENT_ID`
 - Lists providers via `GET /obp/v6.0.0/providers`
 - Useful when you don't want to grant direct database access to OBP-OIDC
-- Requires `OBP_API_USERNAME` to have `CanVerifyUserCredentials`, `CanGetOidcClient` and `CanGetConsumers` roles
+- Requires `OBP_API_USERNAME` to have `CanVerifyUserCredentials`, `CanGetAnyUser`, `CanGetOidcClient` and `CanGetConsumers` roles
 - When combined with `OIDC_SKIP_CLIENT_BOOTSTRAP=true`, no database connection is needed at all
 
 **Configuration:**
@@ -236,7 +236,7 @@ USE_VERIFY_ENDPOINTS=false
 # Alternative: Use OBP API endpoints
 USE_VERIFY_ENDPOINTS=true
 OBP_API_URL=http://localhost:8080
-OBP_API_USERNAME=admin_user          # Needs CanVerifyUserCredentials + CanGetOidcClient + CanGetConsumers roles
+OBP_API_USERNAME=admin_user          # Needs CanVerifyUserCredentials + CanGetAnyUser + CanGetOidcClient + CanGetConsumers roles
 OBP_API_PASSWORD=admin_password
 OBP_API_CONSUMER_KEY=your_consumer_key
 ```
 
@@ -39,6 +39,13 @@ trait AuthService[F[_]] {
     */
   def getUserById(sub: String): F[Option[User]]
 
+  /** Get user information by subject ID and provider.
+    * When a provider is available, this can use the OBP API
+    * (GET /obp/v6.0.0/users/provider/PROVIDER/username/USERNAME)
+    * instead of requiring a database connection.
+    */
+  def getUserBySubAndProvider(sub: String, provider: String): F[Option[User]]
+
   /** Get available authentication providers
     */
   def getAvailableProviders(): F[List[String]]
 
@@ -36,7 +36,8 @@ trait CodeService[F[_]] {
       sub: String,
       scope: String,
       state: Option[String] = None,
-      nonce: Option[String] = None
+      nonce: Option[String] = None,
+      provider: Option[String] = None
   ): F[String]
   def validateAndConsumeCode(
       code: String,
@@ -58,7 +59,8 @@ class InMemoryCodeService(
       sub: String,
       scope: String,
       state: Option[String] = None,
-      nonce: Option[String] = None
+      nonce: Option[String] = None,
+      provider: Option[String] = None
   ): IO[String] = {
     for {
       code <- IO(UUID.randomUUID().toString.replace("-", ""))
@@ -75,6 +77,7 @@ class InMemoryCodeService(
         scope = scope,
         state = state,
         nonce = nonce,
+        provider = provider,
         exp = exp
       )
 
 
@@ -19,7 +19,7 @@
 
 package com.tesobe.oidc.auth
 
-import cats.effect.{IO, Resource}
+import cats.effect.{IO, Ref, Resource}
 import cats.implicits._
 import com.tesobe.oidc.config.{DatabaseConfig, DbVendor, ListProvidersMethod, OidcConfig, VerifyCredentialsMethod, VerifyClientMethod}
 import com.tesobe.oidc.models.{User, UserInfo, OidcError, OidcClient}
@@ -50,7 +50,8 @@ class HybridAuthService(
     adminTransactor: Option[Transactor[IO]] = None,
     config: OidcConfig,
     obpApiCredentialsService: Option[ObpApiCredentialsService] = None,
-    obpApiClientService: Option[ObpApiClientService] = None
+    obpApiClientService: Option[ObpApiClientService] = None,
+    userCacheRef: Option[Ref[IO, Map[String, User]]] = None
 ) extends AuthService[IO] {
 
   private val logger = LoggerFactory.getLogger(getClass)
@@ -150,7 +151,7 @@ class HybridAuthService(
     )
 
     // Check which credential validation method to use
-    config.verifyCredentialsMethod match {
+    val result = config.verifyCredentialsMethod match {
       case VerifyCredentialsMethod.ViaApiEndpoint =>
         logger.info(
           s"Using OBP API endpoint for credential verification (verify_credentials_endpoint)"
@@ -186,6 +187,20 @@ class HybridAuthService(
         )
         authenticateViaDatabase(username, password, provider)
     }
+
+    // Cache the user on successful authentication (for getUserById in API-only mode)
+    result.flatMap {
+      case Right(user) =>
+        userCacheRef match {
+          case Some(ref) =>
+            ref.update(_ + (user.sub -> user)) *>
+              IO(logger.info(s"Cached authenticated user: ${user.sub}")) *>
+              IO.pure(Right(user))
+          case None =>
+            IO.pure(Right(user))
+        }
+      case left => IO.pure(left)
+    }
   }
 
   /** Authenticate a user via the v_oidc_users database view
@@ -323,7 +338,42 @@ class HybridAuthService(
   /** Get user by ID (for UserInfo endpoint) - required by AuthService interface
     */
   def getUserById(sub: String): IO[Option[User]] = {
-    findUserByUserId(sub).map(_.map(_.toUser))
+    // When database is available, query it directly
+    if (transactor.isDefined) {
+      findUserByUserId(sub).map(_.map(_.toUser))
+    } else {
+      // In API-only mode, use the user cache populated during authentication
+      userCacheRef match {
+        case Some(ref) =>
+          ref.get.map(_.get(sub)).flatTap {
+            case Some(_) => IO(logger.info(s"getUserById: Found user '$sub' in cache"))
+            case None => IO(logger.warn(s"getUserById: User '$sub' not found in cache"))
+          }
+        case None =>
+          IO(logger.warn(s"getUserById: No database and no user cache available for '$sub'")) *>
+            IO.pure(None)
+      }
+    }
+  }
+
+  /** Get user by subject ID and provider.
+    * Uses OBP API when in API-only mode, falls back to database otherwise.
+    */
+  def getUserBySubAndProvider(sub: String, provider: String): IO[Option[User]] = {
+    if (transactor.isDefined) {
+      // Database mode: query directly
+      findUserByUserId(sub).map(_.map(_.toUser))
+    } else {
+      // API-only mode: call OBP API GET /obp/v6.0.0/users/provider/PROVIDER/username/USERNAME
+      obpApiCredentialsService match {
+        case Some(service) =>
+          logger.info(s"getUserBySubAndProvider: Looking up user '$sub' with provider '$provider' via OBP API")
+          service.getUserByProviderAndUsername(provider, sub)
+        case None =>
+          logger.warn(s"getUserBySubAndProvider: No OBP API credentials service available for user '$sub'")
+          IO.pure(None)
+      }
+    }
   }
 
   /** Get user information by username (for UserInfo endpoint)
@@ -1585,12 +1635,14 @@ object HybridAuthService {
           ) *>
             Resource.pure[IO, Option[ObpApiClientService]](None)
       }
+      userCache <- Resource.eval(Ref.of[IO, Map[String, User]](Map.empty))
       service = new HybridAuthService(
         readTransactor,
         adminTransactor,
         config,
         obpApiService,
-        obpApiClientService
+        obpApiClientService,
+        Some(userCache)
       )
       _ <- Resource.eval(
         IO(logger.info("HybridAuthService created successfully"))
 
@@ -305,9 +305,14 @@ class ObpApiClientService(
           case Right(token) =>
             val endpoint =
               s"${baseUrl.stripSuffix("/")}/obp/v6.0.0/oidc/clients/verify"
+            val maskedSecret = if (clientSecret.length <= 4) "****"
+              else clientSecret.take(2) + "*" * (clientSecret.length - 4) + clientSecret.takeRight(2)
             logger.info(
               s"Verifying client via OBP API: $endpoint for client_id: $clientId"
             )
+            logger.info(
+              s"Client secret being sent: length=${clientSecret.length}, masked=$maskedSecret"
+            )
 
             val requestBody = VerifyClientRequest(
               client_id = clientId,
@@ -512,28 +517,35 @@ class ObpApiClientService(
               .use { response =>
                 response.status match {
                   case Status.Ok =>
-                    response.as[Json].flatMap { json =>
-                      json.as[ConsumersResponse] match {
-                        case Right(consumersResp) =>
-                          val clients = consumersResp.consumers.map { c =>
-                            OidcClient(
-                              client_id = c.consumer_key,
-                              client_secret = None,
-                              consumer_id = c.consumer_id,
-                              client_name = c.app_name,
-                              redirect_uris = c.redirect_url.split("[,\\s]+").map(_.trim).filter(_.nonEmpty).toList,
-                              grant_types = List("authorization_code", "refresh_token"),
-                              response_types = List("code"),
-                              scopes = List("openid", "profile", "email"),
-                              token_endpoint_auth_method = "client_secret_basic",
-                              created_at = c.created
-                            )
+                    response.as[String].flatMap { rawBody =>
+                      logger.info(s"OBP API consumers response (raw): $rawBody")
+                      io.circe.parser.parse(rawBody) match {
+                        case Right(json) =>
+                          json.as[ConsumersResponse] match {
+                            case Right(consumersResp) =>
+                              val clients = consumersResp.consumers.map { c =>
+                                OidcClient(
+                                  client_id = c.consumer_key,
+                                  client_secret = None,
+                                  consumer_id = c.consumer_id,
+                                  client_name = c.app_name,
+                                  redirect_uris = c.redirect_url.split("[,\\s]+").map(_.trim).filter(_.nonEmpty).toList,
+                                  grant_types = List("authorization_code", "refresh_token"),
+                                  response_types = List("code"),
+                                  scopes = List("openid", "profile", "email"),
+                                  token_endpoint_auth_method = "client_secret_basic",
+                                  created_at = c.created
+                                )
+                              }
+                              logger.info(s"Found ${clients.size} consumers via OBP API")
+                              IO.pure(Right(clients))
+                            case Left(error) =>
+                              logger.error(s"Failed to parse consumers response: ${error.getMessage}. Raw body: $rawBody")
+                              IO.pure(Left(OidcError("server_error", Some(s"Failed to parse OBP API response: $rawBody"))))
                           }
-                          logger.info(s"Found ${clients.size} consumers via OBP API")
-                          IO.pure(Right(clients))
-                        case Left(error) =>
-                          logger.error(s"Failed to parse consumers response: ${error.getMessage}")
-                          IO.pure(Left(OidcError("server_error", Some(s"Failed to parse response: ${error.getMessage}"))))
+                        case Left(parseError) =>
+                          logger.error(s"OBP API returned non-JSON response: $rawBody")
+                          IO.pure(Left(OidcError("server_error", Some(s"OBP API returned non-JSON: $rawBody"))))
                       }
                     }