Allow to optionally send idtokens to user-identity-server for identity replication (#111)

Signed-off-by: Jon Harper <>
Co-authored-by: sBouzols <[email protected]>

Author: jonenst

src/main/java/org/gridsuite/gateway/ServiceURIsConfig.java

@@ -113,4 +113,7 @@ public class ServiceURIsConfig {
 
     @Value("${gridsuite.services.spreadsheet-config-server.base-uri:http://spreadsheet-config-server/}")
     String spreadsheetConfigServerBaseUri;
+
+    @Value("${gridsuite.services.user-identity-server.base-uri:http://user-identity-server/}")
+    String userIdentityServerBaseUri;
 }

src/main/java/org/gridsuite/gateway/filters/TokenValidatorGlobalPreFilter.java

@@ -20,6 +20,7 @@
 import lombok.Getter;
 import org.gridsuite.gateway.GatewayService;
 import org.gridsuite.gateway.dto.TokenIntrospection;
+import org.gridsuite.gateway.services.UserIdentityService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -56,14 +57,19 @@ public class TokenValidatorGlobalPreFilter extends AbstractGlobalPreFilter {
     public static final String UNAUTHORIZED_THE_TOKEN_CANNOT_BE_TRUSTED = "{}: 401 Unauthorized, The token cannot be trusted";
     public static final String CACHE_OUTDATED = "{}: Bad JSON Object Signing and Encryption, cache outdated";
     private final GatewayService gatewayService;
+    private final UserIdentityService userIdentityService;
 
     @Value("${allowed-issuers}")
     private List<String> allowedIssuers;
 
+    @Value("${storeIdToken:false}")
+    private boolean storeIdTokens;
+
     private Map<String, JWKSet> jwkSetCache = new ConcurrentHashMap<>();
 
-    public TokenValidatorGlobalPreFilter(GatewayService gatewayService) {
+    public TokenValidatorGlobalPreFilter(GatewayService gatewayService, UserIdentityService userIdentityService) {
         this.gatewayService = gatewayService;
+        this.userIdentityService = userIdentityService;
     }
 
     @Override
@@ -159,6 +165,21 @@ private Mono<Void> validate(FilterInfos filterInfos, JWKSet jwkset) throws BadJO
         // we can safely trust the JWT
         LOGGER.debug("JWT Token verified, it can be trusted");
 
+        // TODO how do we differentiate between JWT Access Token (no user information)
+        // and JWT ID tokens with little or no user information for which we use
+        // defaults like the sub. Do we need the storage server to always accumulate
+        // the data to guard against access token clearing data from a previous id token ?
+        // or do we need an explicit endpoint where our front sends idtoken (the frontend knows
+        // whether it has requested an access token or and id token) ? but then we maybe miss
+        // some tokens if for some reason the frontend doesn't send the token, whereas here
+        // we are guaranteed that we receive the token.
+        if (storeIdTokens) {
+            userIdentityService.storeToken(filterInfos.getJwtClaimsSet().getSubject(), filterInfos.getJwtClaimsSet())
+                    // send in the background and don't wait for the result. This is the hot path on
+                    // all requests !
+                    .subscribe();
+        }
+
         //we add the subject header
         filterInfos.getExchange().getRequest()
                 .mutate()

src/main/java/org/gridsuite/gateway/services/UserIdentityService.java

@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2024, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.gateway.services;
+
+import org.gridsuite.gateway.ServiceURIsConfig;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.web.reactive.function.client.WebClient;
+
+import com.nimbusds.jwt.JWTClaimsSet;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Jon Schuhmacher <jon.harper at rte-france.com>
+ */
+@Service
+public class UserIdentityService {
+
+    private static final String USER_IDENTITY_SERVER_API_VERSION = "v1";
+
+    private static final String DELIMITER = "/";
+
+    private static final String USER_IDENTITY_SERVER_STORE_PATH = DELIMITER + USER_IDENTITY_SERVER_API_VERSION + DELIMITER
+            + "users/identities/";
+
+    private final WebClient webClient;
+
+    @Autowired
+    public UserIdentityService(ServiceURIsConfig servicesURIsConfig, WebClient.Builder webClientBuilder) {
+        this.webClient = webClientBuilder.baseUrl(servicesURIsConfig.getUserIdentityServerBaseUri()).build();
+    }
+
+    // NOTE: this API actually responds with the parsed identity but we don't use it here
+    public Mono<Void> storeToken(String sub, JWTClaimsSet jwtClaimsSet) {
+        return webClient.put()
+                .uri(uriBuilder -> uriBuilder
+                        .path(USER_IDENTITY_SERVER_STORE_PATH + DELIMITER + sub)
+                        .build()
+                ).bodyValue(jwtClaimsSet.getClaims()).retrieve().bodyToMono(Void.class);
+    }
+
+}

src/main/resources/application-local.yml

@@ -67,4 +67,7 @@ gridsuite:
     state-estimation-orchestrator-server:
       base-uri: http://localhost:5041
     spreadsheet-config-server:
-      base-uri: http://localhost:5035
+      base-uri: http://localhost:5035
+    user-identity-server:
+      base-uri: http://localhost:5034
+    

src/test/java/org/gridsuite/gateway/TokenValidationTest.java

@@ -70,6 +70,7 @@
         "gridsuite.services.network-modification-server.base-uri=http://localhost:${wiremock.server.port}",
         "gridsuite.services.user-admin-server.base-uri=http://localhost:${wiremock.server.port}",
         "gridsuite.services.sensitivity-analysis-server.base-uri=http://localhost:${wiremock.server.port}",
+        "gridsuite.services.user-identity-server.base-uri=http://localhost:${wiremock.server.port}",
         "allowed-issuers=http://localhost:${wiremock.server.port}"
     })
 @AutoConfigureWireMock(port = 0)

src/test/resources/allowed-issuers.yml

@@ -1,3 +1,4 @@
 allowed-issuers: http://localhost
 client_id: gridsuite
 client_secret: secret
+storeIdToken: true