
Commit 8b43f20

committed
Auth server generate M2M Admin token
1 parent 714af93 commit 8b43f20


3 files changed

+67
-22
lines changed


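--- a/packages/authorization-server/src/services/tokenService.ts
+++ b/packages/authorization-server/src/services/tokenService.ts
@@ -227,6 +227,7 @@ export function tokenServiceBuilder({
 const token = await tokenGenerator.generateInteropApiToken({
 sub: jwt.payload.sub,
 consumerId: key.consumerId,
+clientAdminId: key.adminId,
 });
 
 logTokenGenerationInfo({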
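Review bot: The escalation to an admin-role token is decided solely by `key.adminId` being set on the looked-up key, and nothing in this hunk records that decision: the `logTokenGenerationInfo({` call that follows is not shown to receive the admin id or the resulting role. If the log helper accepts extra fields, passing `clientAdminId: key.adminId` (or the issued role) would make admin-token issuance auditable; its signature is outside the hunk, so this needs checking. The type of `key.adminId` is also not visible here; presumably it is `UserId | undefined` to match the optional `clientAdminId?: UserId` parameter, and it is worth confirming no widening or cast happens at that boundary. tokenServiceBuilder continues outside the hunk.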

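--- a/packages/commons/src/interop-token/interopTokenService.ts
+++ b/packages/commons/src/interop-token/interopTokenService.ts
@@ -1,22 +1,24 @@
-import crypto from "crypto";
 import { KMSClient, SignCommand, SignCommandInput } from "@aws-sdk/client-kms";
+import crypto from "crypto";
 import {
+ClientAssertionDigest,
 ClientId,
 generateId,
 PurposeId,
 TenantId,
-ClientAssertionDigest,
+UserId,
 } from "pagopa-interop-models";
+import { systemRole } from "../auth/authData.js";
+import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { SessionTokenGenerationConfig } from "../config/sessionTokenGenerationConfig.js";
 import { TokenGenerationConfig } from "../config/tokenGenerationConfig.js";
-import { AuthorizationServerTokenGenerationConfig } from "../config/authorizationServerTokenGenerationConfig.js";
 import { dateToSeconds } from "../utils/date.js";
 import {
 CustomClaims,
-GENERATED_INTEROP_TOKEN_M2M_ROLE,
 InteropApiToken,
 InteropConsumerToken,
-InteropJwtApiPayload,
+InteropJwtApiOrganizationClientPayload,
+InteropJWTApiPayload,
 InteropJwtConsumerPayload,
 InteropJwtHeader,
 InteropJwtPayload,
@@ -140,9 +142,11 @@ export class InteropTokenGenerator {
 public async generateInteropApiToken({
 sub,
 consumerId,
+clientAdminId,
 }: {
 sub: ClientId;
 consumerId: TenantId;
+clientAdminId?: UserId;
 }): Promise<InteropApiToken> {
 if (
 !this.config.generatedInteropTokenKid ||
@@ -164,7 +168,7 @@ export class InteropTokenGenerator {
 kid: this.config.generatedInteropTokenKid,
 };
 
-const payload: InteropJwtApiPayload = {
+const userDataPayload: InteropJwtApiOrganizationClientPayload = {
 jti: generateId(),
 iss: this.config.generatedInteropTokenIssuer,
 aud: this.toJwtAudience(this.config.generatedInteropTokenM2MAudience),
@@ -175,7 +179,20 @@ export class InteropTokenGenerator {
 exp:
 currentTimestamp + this.config.generatedInteropTokenM2MDurationSeconds,
 [ORGANIZATION_ID_CLAIM]: consumerId,
-[ROLE_CLAIM]: GENERATED_INTEROP_TOKEN_M2M_ROLE,
+};
+
+const systemRolePayload = clientAdminId
+? {
+[ROLE_CLAIM]: systemRole.M2M_ADMIN_ROLE,
+userId: clientAdminId,
+}
+: {
+[ROLE_CLAIM]: systemRole.M2M_ROLE,
+};
+
+const payload: InteropJWTApiPayload = {
+...userDataPayload,
+...systemRolePayload,
 };
 
 const serializedToken = await this.createAndSignToken({
@@ -259,7 +276,7 @@ export class InteropTokenGenerator {
 | InteropJwtPayload
 | SessionJwtPayload
 | InteropJwtConsumerPayload
-| InteropJwtApiPayload;
+| InteropJWTApiPayload;
 keyId: string;
 }): Promise<string> {
 const serializedToken = `${b64UrlEncode(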
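Review bot: The branch that mints the privileged role is undocumented: `generateInteropApiToken` (its signature is in the earlier hunk) should carry a TSDoc comment stating that a provided `clientAdminId` switches `[ROLE_CLAIM]` from `systemRole.M2M_ROLE` to `systemRole.M2M_ADMIN_ROLE` and adds a `userId` claim, and that the caller is expected to have verified the client/admin association before calling. The selection uses truthiness (`const systemRolePayload = clientAdminId`); an explicit `clientAdminId !== undefined` states the intent and, if `UserId` is a branded string, avoids an empty string silently downgrading to the plain m2m role. The admin variant also reuses `generatedInteropTokenM2MAudience` and `generatedInteropTokenM2MDurationSeconds` from the context lines above, so a privileged token currently has the same lifetime and audience as an ordinary m2m token; if a shorter admin lifetime is wanted it would need its own config value. The method body ends outside this hunk.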

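--- a/packages/commons/src/interop-token/models.ts
+++ b/packages/commons/src/interop-token/models.ts
@@ -3,8 +3,10 @@ import {
 ClientId,
 PurposeId,
 TenantId,
+UserId,
 } from "pagopa-interop-models";
 import { z } from "zod";
+import { SystemRole } from "../auth/authData.js";
 
 export const ORGANIZATION = "organization";
 export const UID = "uid";
@@ -18,7 +20,6 @@ export const ORGANIZATION_EXTERNAL_ID_ORIGIN_CLAIM = "origin";
 export const ORGANIZATION_EXTERNAL_ID_VALUE_CLAIM = "value";
 export const USER_ROLES = "user-roles";
 const PURPOSE_ID_CLAIM = "purposeId";
-export const GENERATED_INTEROP_TOKEN_M2M_ROLE = "m2m";
 export const ROLE_CLAIM = "role";
 
 export interface InteropJwtHeader {
@@ -37,43 +38,69 @@ export type InteropJwtCommonPayload = {
 exp: number;
 };
 
+/* ==========================================
+Interop CONSUMER Token
+========================================== */
 export type InteropJwtConsumerPayload = InteropJwtCommonPayload & {
 client_id: ClientId;
 sub: ClientId;
 [PURPOSE_ID_CLAIM]: PurposeId;
 digest?: ClientAssertionDigest;
 };
 
-export type InteropJwtApiPayload = InteropJwtCommonPayload & {
+export type InteropConsumerToken = {
+header: InteropJwtHeader;
+payload: InteropJwtConsumerPayload;
+serialized: string;
+};
+
+/* ==========================================
+Interop API Token
+========================================== */
+export type InteropJwtApiOrganizationClientPayload = InteropJwtCommonPayload & {
 client_id: ClientId;
 sub: ClientId;
 [ORGANIZATION_ID_CLAIM]: TenantId;
-[ROLE_CLAIM]: string;
 };
 
-export type InteropJwtPayload = InteropJwtCommonPayload & {
-sub: string;
-role: string;
+export type InteropJwtApiM2MPayload = InteropJwtApiOrganizationClientPayload & {
+[ROLE_CLAIM]: Extract<SystemRole, "m2m">;
 };
 
-export type InteropToken = {
+export type InteropJwtApiM2MAdminPayload =
+InteropJwtApiOrganizationClientPayload & {
+[ROLE_CLAIM]: Extract<SystemRole, "m2m-admin">;
+userId: UserId;
+// ^ ID of the admin user associated with the client
+};
+
+export type InteropJWTApiPayload =
+| InteropJwtApiM2MAdminPayload
+| InteropJwtApiM2MPayload;
+
+export type InteropApiToken = {
 header: InteropJwtHeader;
-payload: InteropJwtPayload;
+payload: InteropJWTApiPayload;
 serialized: string;
 };
 
-export type InteropConsumerToken = {
-header: InteropJwtHeader;
-payload: InteropJwtConsumerPayload;
-serialized: string;
+/* ================================= =========
+Interop INTERNAL Token
+========================================== */
+export type InteropJwtPayload = InteropJwtCommonPayload & {
+sub: string;
+role: string;
 };
 
-export type InteropApiToken = {
+export type InteropToken = {
 header: InteropJwtHeader;
-payload: InteropJwtApiPayload;
+payload: InteropJwtPayload;
 serialized: string;
 };
 
+/* ==========================================
+Interop SESSION Token
+========================================== */
 const Organization = z.object({
 id: z.string(),
 name: z.string(),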
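Review bot: The trailing `// ^ ID of the admin user associated with the client` placed under `userId: UserId;` is an unusual comment position; a TSDoc line above the field, `/** ID of the admin user associated with the client. */`, is what editors surface on hover and reads naturally in the type. The `Interop INTERNAL Token` banner has a stray space in its rule (`/* ================================= =========`) unlike the other three banners. The new union is named `InteropJWTApiPayload` while every sibling uses the `Jwt` spelling (`InteropJwtApiM2MPayload`, `InteropJwtConsumerPayload`, `InteropJwtPayload`); if the capitalisation change was meant to force every consumer of the removed `InteropJwtApiPayload` to be revisited, a follow-up rename to the `Jwt` spelling would keep the module consistent. Constraining the role claims with `Extract<SystemRole, "m2m">` and `Extract<SystemRole, "m2m-admin">` is a good change, since the build fails if those literals drift from `SystemRole`.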
