Auth server generate M2M Admin token

Author: Viktor-K

packages/authorization-server/src/services/tokenService.ts

@@ -227,6 +227,7 @@ export function tokenServiceBuilder({
           const token = await tokenGenerator.generateInteropApiToken({
             sub: jwt.payload.sub,
             consumerId: key.consumerId,
+            clientAdminId: key.adminId,
           });
 
           logTokenGenerationInfo({

packages/commons/src/interop-token/interopTokenService.ts

@@ -1,22 +1,24 @@
-import crypto from "crypto";
 import { KMSClient, SignCommand, SignCommandInput } from "@aws-sdk/client-kms";
+import crypto from "crypto";
 import {
+  ClientAssertionDigest,
   ClientId,
   generateId,
   PurposeId,
   TenantId,
-  ClientAssertionDigest,
+  UserId,
 } from "pagopa-interop-models";
+import { systemRole } from "../auth/authData.js";
+import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { SessionTokenGenerationConfig } from "../config/sessionTokenGenerationConfig.js";
 import { TokenGenerationConfig } from "../config/tokenGenerationConfig.js";
-import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { dateToSeconds } from "../utils/date.js";
 import {
   CustomClaims,
-  GENERATED_INTEROP_TOKEN_M2M_ROLE,
   InteropApiToken,
   InteropConsumerToken,
-  InteropJwtApiPayload,
+  InteropJwtApiOrganizationClientPayload,
+  InteropJWTApiPayload,
   InteropJwtConsumerPayload,
   InteropJwtHeader,
   InteropJwtPayload,
@@ -140,9 +142,11 @@ export class InteropTokenGenerator {
   public async generateInteropApiToken({
     sub,
     consumerId,
+    clientAdminId,
   }: {
     sub: ClientId;
     consumerId: TenantId;
+    clientAdminId?: UserId;
   }): Promise<InteropApiToken> {
     if (
       !this.config.generatedInteropTokenKid ||
@@ -164,7 +168,7 @@ export class InteropTokenGenerator {
       kid: this.config.generatedInteropTokenKid,
     };
 
-    const payload: InteropJwtApiPayload = {
+    const userDataPayload: InteropJwtApiOrganizationClientPayload = {
       jti: generateId(),
       iss: this.config.generatedInteropTokenIssuer,
       aud: this.toJwtAudience(this.config.generatedInteropTokenM2MAudience),
@@ -175,7 +179,20 @@ export class InteropTokenGenerator {
       exp:
         currentTimestamp + this.config.generatedInteropTokenM2MDurationSeconds,
       [ORGANIZATION_ID_CLAIM]: consumerId,
-      [ROLE_CLAIM]: GENERATED_INTEROP_TOKEN_M2M_ROLE,
+    };
+
+    const systemRolePayload = clientAdminId
+      ? {
+          [ROLE_CLAIM]: systemRole.M2M_ADMIN_ROLE,
+          userId: clientAdminId,
+        }
+      : {
+          [ROLE_CLAIM]: systemRole.M2M_ROLE,
+        };
+
+    const payload: InteropJWTApiPayload = {
+      ...userDataPayload,
+      ...systemRolePayload,
     };
 
     const serializedToken = await this.createAndSignToken({
@@ -259,7 +276,7 @@ export class InteropTokenGenerator {
       | InteropJwtPayload
       | SessionJwtPayload
       | InteropJwtConsumerPayload
-      | InteropJwtApiPayload;
+      | InteropJWTApiPayload;
     keyId: string;
   }): Promise<string> {
     const serializedToken = `${b64UrlEncode(

packages/commons/src/interop-token/models.ts

@@ -6,6 +6,7 @@ import {
   UserId,
 } from "pagopa-interop-models";
 import { z } from "zod";
+import { SystemRole } from "../auth/authData.js";
 
 export const ORGANIZATION = "organization";
 export const UID = "uid";
@@ -19,7 +20,6 @@ export const ORGANIZATION_EXTERNAL_ID_ORIGIN_CLAIM = "origin";
 export const ORGANIZATION_EXTERNAL_ID_VALUE_CLAIM = "value";
 export const USER_ROLES = "user-roles";
 const PURPOSE_ID_CLAIM = "purposeId";
-export const GENERATED_INTEROP_TOKEN_M2M_ROLE = "m2m";
 export const ROLE_CLAIM = "role";
 
 export interface InteropJwtHeader {
@@ -38,44 +38,69 @@ export type InteropJwtCommonPayload = {
   exp: number;
 };
 
+/* ========================================== 
+    Interop CONSUMER Token 
+  ========================================== */
 export type InteropJwtConsumerPayload = InteropJwtCommonPayload & {
   client_id: ClientId;
   sub: ClientId;
   [PURPOSE_ID_CLAIM]: PurposeId;
   digest?: ClientAssertionDigest;
 };
 
-export type InteropJwtApiPayload = InteropJwtCommonPayload & {
+export type InteropConsumerToken = {
+  header: InteropJwtHeader;
+  payload: InteropJwtConsumerPayload;
+  serialized: string;
+};
+
+/* ========================================== 
+    Interop API Token 
+  ========================================== */
+export type InteropJwtApiOrganizationClientPayload = InteropJwtCommonPayload & {
   client_id: ClientId;
   sub: ClientId;
   [ORGANIZATION_ID_CLAIM]: TenantId;
-  [ROLE_CLAIM]: string;
-  user_id?: UserId;
 };
 
-export type InteropJwtPayload = InteropJwtCommonPayload & {
-  sub: string;
-  role: string;
+export type InteropJwtApiM2MPayload = InteropJwtApiOrganizationClientPayload & {
+  [ROLE_CLAIM]: Extract<SystemRole, "m2m">;
 };
 
-export type InteropToken = {
+export type InteropJwtApiM2MAdminPayload =
+  InteropJwtApiOrganizationClientPayload & {
+    [ROLE_CLAIM]: Extract<SystemRole, "m2m-admin">;
+    userId: UserId;
+    // ^ ID of the admin user associated with the client
+  };
+
+export type InteropJWTApiPayload =
+  | InteropJwtApiM2MAdminPayload
+  | InteropJwtApiM2MPayload;
+
+export type InteropApiToken = {
   header: InteropJwtHeader;
-  payload: InteropJwtPayload;
+  payload: InteropJWTApiPayload;
   serialized: string;
 };
 
-export type InteropConsumerToken = {
-  header: InteropJwtHeader;
-  payload: InteropJwtConsumerPayload;
-  serialized: string;
+/* ========================================== 
+    Interop INTERNAL Token 
+  ========================================== */
+export type InteropJwtPayload = InteropJwtCommonPayload & {
+  sub: string;
+  role: string;
 };
 
-export type InteropApiToken = {
+export type InteropToken = {
   header: InteropJwtHeader;
-  payload: InteropJwtApiPayload;
+  payload: InteropJwtPayload;
   serialized: string;
 };
 
+/* ========================================== 
+    Interop SESSION Token 
+  ========================================== */
 const Organization = z.object({
   id: z.string(),
   name: z.string(),