ATO-2559: Use feature flag in PrivateKeyJwtClientAuthValidator

cearl1 · cearl1 · commit 980b81e25b38 · 2026-05-19T16:07:28.000+01:00
diff --git a/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/PrivateKeyJwtClientAuthValidator.java b/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/PrivateKeyJwtClientAuthValidator.java
@@ -15,6 +15,7 @@
 import uk.gov.di.orchestration.shared.exceptions.TokenAuthInvalidException;
 import uk.gov.di.orchestration.shared.helpers.NowHelper;
 import uk.gov.di.orchestration.shared.services.ClientSignatureValidationService;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 
 import java.util.Date;
@@ -24,17 +25,21 @@
 import static uk.gov.di.orchestration.shared.helpers.InstrumentationHelper.addAnnotation;
 import static uk.gov.di.orchestration.shared.helpers.LogLineHelper.LogFieldName.CLIENT_ID;
 import static uk.gov.di.orchestration.shared.helpers.LogLineHelper.attachLogFieldToLogs;
+import static uk.gov.di.orchestration.shared.utils.ClientUtils.getTokenAuthMethodOrDefault;
 
 public class PrivateKeyJwtClientAuthValidator extends TokenClientAuthValidator {
 
     private final ClientSignatureValidationService clientSignatureValidationService;
+    private final ConfigurationService configurationService;
     private static final String UNKNOWN_CLIENT_ID = "unknown";
 
     public PrivateKeyJwtClientAuthValidator(
             DynamoClientService dynamoClientService,
-            ClientSignatureValidationService clientSignatureValidationService) {
+            ClientSignatureValidationService clientSignatureValidationService,
+            ConfigurationService configurationService) {
         super(dynamoClientService);
         this.clientSignatureValidationService = clientSignatureValidationService;
+        this.configurationService = configurationService;
     }
 
     @Override
@@ -51,10 +56,10 @@ public ClientRegistry validateTokenAuthAndReturnClientRegistryIfValid(
             var clientRegistry = getClientRegistryFromTokenAuth(privateKeyJWT.getClientID());
             attachLogFieldToLogs(CLIENT_ID, clientRegistry.getClientID());
             addAnnotation("client_id", clientRegistry.getClientID());
-            if (Objects.nonNull(clientRegistry.getTokenAuthMethod())
-                    && !clientRegistry
-                            .getTokenAuthMethod()
-                            .equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue())) {
+            var tokenAuthMethod = getTokenAuthMethodOrDefault(clientRegistry, configurationService);
+            if (Objects.nonNull(tokenAuthMethod)
+                    && !tokenAuthMethod.equals(
+                            ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue())) {
                 LOG.warn("Client is not registered to use private_key_jwt");
                 throw new TokenAuthInvalidException(
                         new ErrorObject(
diff --git a/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactory.java b/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactory.java
@@ -35,7 +35,9 @@ public Optional<TokenClientAuthValidator> getTokenAuthenticationValidator(
             checkAssertionType(requestBody);
             return Optional.of(
                     new PrivateKeyJwtClientAuthValidator(
-                            dynamoClientService, clientSignatureValidationService));
+                            dynamoClientService,
+                            clientSignatureValidationService,
+                            configurationService));
         }
 
         if (requestBody.containsKey("client_secret") && requestBody.containsKey("client_id")) {
diff --git a/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/PrivateKeyJwtClientAuthValidatorTest.java b/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/PrivateKeyJwtClientAuthValidatorTest.java
@@ -21,6 +21,7 @@
 import uk.gov.di.orchestration.shared.exceptions.TokenAuthInvalidException;
 import uk.gov.di.orchestration.shared.helpers.NowHelper;
 import uk.gov.di.orchestration.shared.services.ClientSignatureValidationService;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 
 import java.net.URI;
@@ -46,6 +47,7 @@ class PrivateKeyJwtClientAuthValidatorTest {
     private final DynamoClientService dynamoClientService = mock(DynamoClientService.class);
     private final ClientSignatureValidationService clientSignatureValidationService =
             mock(ClientSignatureValidationService.class);
+    private final ConfigurationService configurationService = mock(ConfigurationService.class);
     private OidcAPI oidcAPI = mock(OidcAPI.class);
     private static final URI OIDC_TOKEN_URL = URI.create("https://example.com/token");
     private static final ClientID CLIENT_ID = new ClientID();
@@ -57,7 +59,9 @@ void setUp() {
         when(oidcAPI.tokenURI()).thenReturn(OIDC_TOKEN_URL);
         privateKeyJwtClientAuthValidator =
                 new PrivateKeyJwtClientAuthValidator(
-                        dynamoClientService, clientSignatureValidationService);
+                        dynamoClientService,
+                        clientSignatureValidationService,
+                        configurationService);
     }
 
     private static Stream<JWSAlgorithm> supportedAlgorithms() {
