ATO-2559: Use feature flag in BaseAuthorizeValidator

cearl1 · cearl1 · commit 64aae427bcb9 · 2026-05-19T16:13:19.000+01:00
diff --git a/oidc-api/src/main/java/uk/gov/di/authentication/oidc/validators/BaseAuthorizeValidator.java b/oidc-api/src/main/java/uk/gov/di/authentication/oidc/validators/BaseAuthorizeValidator.java
@@ -26,6 +26,8 @@
 import java.util.Objects;
 import java.util.Optional;
 
+import static uk.gov.di.orchestration.shared.utils.ClientUtils.getTokenAuthMethodOrDefault;
+
 public abstract class BaseAuthorizeValidator {
 
     protected static final String VTR_PARAM = "vtr";
@@ -205,8 +207,9 @@ protected Optional<ErrorObject> errorIfIdentityLoCAndIdentityUnsupported(
 
     protected void logIdentityJourneyRequestWithInsufficientlySecureTokenAuthMethod(
             List<VectorOfTrust> vtrList, ClientRegistry client) {
-        if (requestContainsIdentityLoC(vtrList)
-                && ("client_secret_post".equals(client.getTokenAuthMethod()))) {
+        String tokenAuthMethod = getTokenAuthMethodOrDefault(client, configurationService);
+
+        if (requestContainsIdentityLoC(vtrList) && ("client_secret_post".equals(tokenAuthMethod))) {
             LOG.info(
                     "Request contains level of confidence values for an identity journey but the tokenAuthMethod is incompatible.");
         }
diff --git a/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/utils/ClientUtils.java b/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/utils/ClientUtils.java
@@ -0,0 +1,20 @@
+package uk.gov.di.orchestration.shared.utils;
+
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import uk.gov.di.orchestration.shared.entity.ClientRegistry;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
+
+import java.util.Objects;
+
+public class ClientUtils {
+    private ClientUtils() {}
+
+    public static String getTokenAuthMethodOrDefault(
+            ClientRegistry clientRegistry, ConfigurationService configurationService) {
+        var tokenAuthMethod = clientRegistry.getTokenAuthMethod();
+        if (Objects.isNull(tokenAuthMethod) && configurationService.isUseDefaultTokenAuthMethod()) {
+            tokenAuthMethod = ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue();
+        }
+        return tokenAuthMethod;
+    }
+}
diff --git a/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/utils/ClientUtilsTest.java b/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/utils/ClientUtilsTest.java
@@ -0,0 +1,60 @@
+package uk.gov.di.orchestration.shared.utils;
+
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import uk.gov.di.orchestration.shared.entity.ClientRegistry;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class ClientUtilsTest {
+    private final ConfigurationService configurationService = mock(ConfigurationService.class);
+
+    @BeforeEach
+    public void setup() {
+        when(configurationService.isUseDefaultTokenAuthMethod()).thenReturn(false);
+    }
+
+    @Test
+    void shouldDefaultToPrivateKeyJwtIfFeatureFlagIsEnabledAndTokenAuthMethodIsNull() {
+        when(configurationService.isUseDefaultTokenAuthMethod()).thenReturn(true);
+        var client = clientWithTokenAuthMethod(null);
+
+        var actualTokenAuthMethod =
+                ClientUtils.getTokenAuthMethodOrDefault(client, configurationService);
+        assertEquals(actualTokenAuthMethod, ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue());
+    }
+
+    @Test
+    void shouldNotDefaultToPrivateKeyJwtIfFeatureFlagDisabled() {
+        when(configurationService.isUseDefaultTokenAuthMethod()).thenReturn(false);
+        var client = clientWithTokenAuthMethod(null);
+
+        var actualTokenAuthMethod =
+                ClientUtils.getTokenAuthMethodOrDefault(client, configurationService);
+        assertNull(actualTokenAuthMethod);
+    }
+
+    @Test
+    void shouldNotDefaultToPrivateKeyJwtIfFeatureFlagIsEnabledAndTokenAuthMethodIsAlreadySet() {
+        when(configurationService.isUseDefaultTokenAuthMethod()).thenReturn(true);
+        var client =
+                clientWithTokenAuthMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue());
+
+        var actualTokenAuthMethod =
+                ClientUtils.getTokenAuthMethodOrDefault(client, configurationService);
+        assertEquals(
+                actualTokenAuthMethod, ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue());
+    }
+
+    private ClientRegistry clientWithTokenAuthMethod(String tokenAuthMethod) {
+        return new ClientRegistry()
+                .withClientID("client-id")
+                .withClientName("client-one")
+                .withTokenAuthMethod(tokenAuthMethod);
+    }
+}
