ATO-2559: Use feature flag in ClientSecretPostClientAuthValidator

cearl1 · cearl1 · commit ee689fb80f90 · 2026-05-19T16:13:19.000+01:00
diff --git a/oidc-api/src/main/java/uk/gov/di/authentication/oidc/lambda/TokenHandler.java b/oidc-api/src/main/java/uk/gov/di/authentication/oidc/lambda/TokenHandler.java
@@ -137,7 +137,8 @@ public TokenHandler(ConfigurationService configurationService) {
         this.tokenClientAuthValidatorFactory =
                 new TokenClientAuthValidatorFactory(
                         new DynamoClientService(configurationService),
-                        new ClientSignatureValidationService(configurationService));
+                        new ClientSignatureValidationService(configurationService),
+                        configurationService);
         this.metrics = new Metrics(configurationService);
         this.auditService = new AuditService(configurationService);
     }
diff --git a/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/ClientSecretPostClientAuthValidator.java b/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/ClientSecretPostClientAuthValidator.java
@@ -9,6 +9,7 @@
 import uk.gov.di.orchestration.shared.entity.ClientRegistry;
 import uk.gov.di.orchestration.shared.exceptions.TokenAuthInvalidException;
 import uk.gov.di.orchestration.shared.helpers.Argon2MatcherHelper;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 
 import java.util.Map;
@@ -17,11 +18,16 @@
 import static uk.gov.di.orchestration.shared.helpers.InstrumentationHelper.addAnnotation;
 import static uk.gov.di.orchestration.shared.helpers.LogLineHelper.LogFieldName.CLIENT_ID;
 import static uk.gov.di.orchestration.shared.helpers.LogLineHelper.attachLogFieldToLogs;
+import static uk.gov.di.orchestration.shared.utils.ClientUtils.getTokenAuthMethodOrDefault;
 
 public class ClientSecretPostClientAuthValidator extends TokenClientAuthValidator {
 
-    public ClientSecretPostClientAuthValidator(DynamoClientService dynamoClientService) {
+    private final ConfigurationService configurationService;
+
+    public ClientSecretPostClientAuthValidator(
+            DynamoClientService dynamoClientService, ConfigurationService configurationService) {
         super(dynamoClientService);
+        this.configurationService = configurationService;
     }
 
     @Override
@@ -56,10 +62,10 @@ public ClientRegistry validateTokenAuthAndReturnClientRegistryIfValid(
 
     private void validateTokenAuthMethod(ClientRegistry clientRegistry)
             throws TokenAuthInvalidException {
-        if (Objects.isNull(clientRegistry.getTokenAuthMethod())
-                || !clientRegistry
-                        .getTokenAuthMethod()
-                        .equals(ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue())) {
+        var tokenAuthMethod = getTokenAuthMethodOrDefault(clientRegistry, configurationService);
+        if (Objects.isNull(tokenAuthMethod)
+                || !tokenAuthMethod.equals(
+                        ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue())) {
             LOG.warn("Client is not registered to use client_secret_post");
             throw generateExceptionWithInvalidClientCode(
                     "Client is not registered to use client_secret_post",
diff --git a/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactory.java b/orchestration-shared/src/main/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactory.java
@@ -3,6 +3,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import uk.gov.di.orchestration.shared.services.ClientSignatureValidationService;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 
 import java.util.Map;
@@ -12,13 +13,16 @@
 public class TokenClientAuthValidatorFactory {
     private final DynamoClientService dynamoClientService;
     private final ClientSignatureValidationService clientSignatureValidationService;
+    private final ConfigurationService configurationService;
     private static final Logger LOG = LogManager.getLogger(TokenClientAuthValidatorFactory.class);
 
     public TokenClientAuthValidatorFactory(
             DynamoClientService dynamoClientService,
-            ClientSignatureValidationService clientSignatureValidationService) {
+            ClientSignatureValidationService clientSignatureValidationService,
+            ConfigurationService configurationService) {
         this.clientSignatureValidationService = clientSignatureValidationService;
         this.dynamoClientService = dynamoClientService;
+        this.configurationService = configurationService;
     }
 
     public Optional<TokenClientAuthValidator> getTokenAuthenticationValidator(
@@ -36,7 +40,9 @@ public Optional<TokenClientAuthValidator> getTokenAuthenticationValidator(
 
         if (requestBody.containsKey("client_secret") && requestBody.containsKey("client_id")) {
             LOG.info("Client auth method is: client_secret_post");
-            return Optional.of(new ClientSecretPostClientAuthValidator(dynamoClientService));
+            return Optional.of(
+                    new ClientSecretPostClientAuthValidator(
+                            dynamoClientService, configurationService));
         }
         return Optional.empty();
     }
diff --git a/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/ClientSecretPostClientAuthValidatorTest.java b/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/ClientSecretPostClientAuthValidatorTest.java
@@ -9,9 +9,12 @@
 import com.nimbusds.oauth2.sdk.util.URLUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import uk.gov.di.orchestration.shared.entity.ClientRegistry;
 import uk.gov.di.orchestration.shared.exceptions.TokenAuthInvalidException;
 import uk.gov.di.orchestration.shared.helpers.Argon2EncoderHelper;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 
 import java.util.Objects;
@@ -30,6 +33,7 @@
 class ClientSecretPostClientAuthValidatorTest {
 
     private final DynamoClientService dynamoClientService = mock(DynamoClientService.class);
+    private final ConfigurationService configurationService = mock(ConfigurationService.class);
     private ClientSecretPostClientAuthValidator clientSecretPostClientAuthValidator;
 
     private static final ClientID CLIENT_ID = new ClientID();
@@ -38,7 +42,7 @@ class ClientSecretPostClientAuthValidatorTest {
     @BeforeEach
     void setUp() {
         clientSecretPostClientAuthValidator =
-                new ClientSecretPostClientAuthValidator(dynamoClientService);
+                new ClientSecretPostClientAuthValidator(dynamoClientService, configurationService);
     }
 
     @Test
@@ -80,13 +84,17 @@ requestString, emptyMap()),
         assertThat(tokenAuthInvalidException.getErrorObject(), equalTo(OAuth2Error.INVALID_CLIENT));
     }
 
-    @Test
-    void shouldThrowIfClientRegistryDoesNotSupportClientSecretPost() {
+    @ParameterizedTest
+    @ValueSource(booleans = {true, false})
+    void shouldThrowIfClientRegistryDoesNotSupportClientSecretPost(
+            boolean useDefaultTokenAuthMethod) {
         var expectedClientRegistry =
                 generateClientRegistry(
                         null, Argon2EncoderHelper.argon2Hash(CLIENT_SECRET.getValue()));
         when(dynamoClientService.getClient(CLIENT_ID.getValue()))
                 .thenReturn(Optional.of(expectedClientRegistry));
+        when(configurationService.isUseDefaultTokenAuthMethod())
+                .thenReturn(useDefaultTokenAuthMethod);
         var clientSecretPost = new ClientSecretPost(CLIENT_ID, CLIENT_SECRET);
         var requestString = URLUtils.serializeParameters(clientSecretPost.toParameters());
 
diff --git a/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactoryTest.java b/orchestration-shared/src/test/java/uk/gov/di/orchestration/shared/validation/TokenClientAuthValidatorFactoryTest.java
@@ -11,6 +11,7 @@
 import com.nimbusds.oauth2.sdk.util.URLUtils;
 import org.junit.jupiter.api.Test;
 import uk.gov.di.orchestration.shared.services.ClientSignatureValidationService;
+import uk.gov.di.orchestration.shared.services.ConfigurationService;
 import uk.gov.di.orchestration.shared.services.DynamoClientService;
 import uk.gov.di.orchestration.sharedtest.utils.KeyPairUtils;
 
@@ -23,11 +24,12 @@ class TokenClientAuthValidatorFactoryTest {
     private final DynamoClientService dynamoClientService = mock(DynamoClientService.class);
     private final ClientSignatureValidationService clientSignatureValidationService =
             mock(ClientSignatureValidationService.class);
+    private final ConfigurationService configurationService = mock(ConfigurationService.class);
     private static final ClientID CLIENT_ID = new ClientID();
     private static final Secret CLIENT_SECRET = new Secret();
     private final TokenClientAuthValidatorFactory tokenClientAuthValidatorFactory =
             new TokenClientAuthValidatorFactory(
-                    dynamoClientService, clientSignatureValidationService);
+                    dynamoClientService, clientSignatureValidationService, configurationService);
 
     @Test
     void shouldReturnPrivateKeyJwtClientAuthValidator() throws JOSEException {
