feat: add token exchange

Author: melanieatpace

app/build.gradle.kts

@@ -32,6 +32,20 @@ android {
         }
     }
 
+    flavorDimensions += "version"
+
+    productFlavors {
+        create("default") {
+            dimension = "version"
+            buildConfigField("boolean", "TOKEN_EXCHANGE", "false")
+        }
+
+        create("tokenExchange") {
+            dimension = "version"
+            buildConfigField("boolean", "TOKEN_EXCHANGE", "true")
+        }
+    }
+
     compileOptions {
         sourceCompatibility = JavaVersion.VERSION_17
         targetCompatibility = JavaVersion.VERSION_17

app/src/main/java/cloud/pace/sdk/app/CloudSDKApplication.kt

@@ -3,6 +3,7 @@ package cloud.pace.sdk.app
 import android.app.Application
 import cloud.pace.sdk.PACECloudSDK
 import cloud.pace.sdk.idkit.model.CustomOIDConfiguration
+import cloud.pace.sdk.idkit.model.TokenExchangeConfiguration
 import cloud.pace.sdk.utils.Configuration
 import cloud.pace.sdk.utils.Environment
 
@@ -11,6 +12,23 @@ class CloudSDKApplication : Application() {
     override fun onCreate() {
         super.onCreate()
 
+        val oidConfiguration = if (BuildConfig.TOKEN_EXCHANGE) {
+            CustomOIDConfiguration(
+                authorizationEndpoint = "https://id.dev.pace.cloud/auth/realms/MultiRealm/protocol/openid-connect/auth",
+                tokenEndpoint = "https://id.dev.pace.cloud/auth/realms/MultiRealm/protocol/openid-connect/token",
+                endSessionEndpoint = "https://id.dev.pace.cloud/auth/realms/MultiRealm/protocol/openid-connect/logout",
+                redirectUri = "cloud-sdk-example://callback",
+                clientSecret = "YIUXbpLZeN6OD1afjXwD4lFZigQAIHp7",
+                tokenExchangeConfig = TokenExchangeConfiguration(
+                    issuerId = "multi-oidc",
+                    clientId = "cloud-sdk-example-app-token-exchange",
+                    clientSecret = "IMqeEWNd91lOf9tCEnIFZyOwcnDNV6Jw"
+                )
+            )
+        } else {
+            CustomOIDConfiguration(redirectUri = "cloud-sdk-example://callback")
+        }
+
         PACECloudSDK.setup(
             this,
             Configuration(
@@ -20,7 +38,7 @@ class CloudSDKApplication : Application() {
                 clientAppBuild = BuildConfig.VERSION_CODE.toString(),
                 apiKey = "YOUR_API_KEY",
                 environment = Environment.DEVELOPMENT,
-                oidConfiguration = CustomOIDConfiguration(redirectUri = "cloud-sdk-example://callback")
+                oidConfiguration = oidConfiguration
             )
         )
     }

app/src/main/java/cloud/pace/sdk/app/ui/components/loginscreen/LoginScreen.kt

@@ -1,10 +1,7 @@
 package cloud.pace.sdk.app.ui.components.loginscreen
 
-import android.widget.Toast
 import androidx.compose.foundation.BorderStroke
-import androidx.compose.foundation.Canvas
 import androidx.compose.foundation.background
-import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.padding
@@ -21,10 +18,8 @@ import androidx.compose.material.primarySurface
 import androidx.compose.runtime.Composable
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.graphics.Color
-import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.painterResource
 import androidx.compose.ui.res.stringResource
-import androidx.compose.ui.semantics.Role
 import androidx.compose.ui.unit.dp
 import androidx.compose.ui.unit.sp
 import androidx.constraintlayout.compose.ConstraintLayout
@@ -57,8 +52,7 @@ fun ShowLoginScreen(showDialog: Boolean, onDialogDismiss: () -> Unit, openLogin:
                     .fillMaxSize()
                     .padding(it)
             ) {
-                val (infoText, loginButton, termsText, termsAndPrivacyDivider, privacyText) = createRefs()
-                val context = LocalContext.current
+                val (infoText, loginButton) = createRefs()
                 Text(
                     text = stringResource(id = R.string.short_login_screen_information),
                     modifier = Modifier
@@ -71,62 +65,13 @@ fun ShowLoginScreen(showDialog: Boolean, onDialogDismiss: () -> Unit, openLogin:
                 LoginButton(
                     modifier = Modifier.constrainAs(loginButton) {
                         top.linkTo(infoText.bottom)
-                        bottom.linkTo(termsAndPrivacyDivider.top)
+                        bottom.linkTo(parent.bottom)
                         start.linkTo(parent.start)
                         end.linkTo(parent.end)
                     },
                     openLogin = openLogin
                 )
 
-                Text(
-                    text = "Terms",
-                    color = Color(0, 102, 204),
-                    modifier = Modifier
-                        .padding(75.dp, 25.dp)
-                        .constrainAs(termsText) {
-                            bottom.linkTo(parent.bottom)
-                            start.linkTo(parent.start)
-                        }
-                        .clickable(
-                            enabled = true,
-                            role = Role.Button
-                        ) {
-                            Toast
-                                .makeText(context, "Clicked on terms", Toast.LENGTH_SHORT)
-                                .show()
-                        }
-                )
-
-                Canvas(
-                    modifier = Modifier
-                        .padding(0.dp, 32.dp)
-                        .constrainAs(termsAndPrivacyDivider) {
-                            start.linkTo(termsText.end)
-                            end.linkTo(privacyText.start)
-                            bottom.linkTo(parent.bottom)
-                        }
-                ) {
-                    drawCircle(
-                        color = Color.Black,
-                        radius = 6f
-                    )
-                }
-
-                Text(
-                    text = "Privacy",
-                    color = Color(0, 102, 204),
-                    modifier = Modifier
-                        .padding(75.dp, 25.dp)
-                        .constrainAs(privacyText) {
-                            bottom.linkTo(parent.bottom)
-                            end.linkTo(parent.end)
-                        }
-                        .clickable(
-                            enabled = true,
-                            role = Role.Button
-                        ) {}
-                )
-
                 if (showDialog) {
                     NoSupportedBrowserDialog(onDismiss = onDialogDismiss)
                 }

app/src/main/res/values-de/strings.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
     <string name="app_name">PACE Example App</string>
-    <string name="short_login_screen_information">Wilkommen in der PACE Example App.</string>
+    <string name="short_login_screen_information">Willkommen in der PACE Example App.</string>
     <string name="common_use_unknown">unbekannt</string>
     <string name="common_use_unit_meter">m</string>
     <string name="common_use_unit_kilometer">km</string>

library/src/main/java/cloud/pace/sdk/api/user/PACETokenExchangeAPI.kt

@@ -0,0 +1,70 @@
+package cloud.pace.sdk.api.user
+
+import cloud.pace.sdk.api.request.BaseRequest
+import cloud.pace.sdk.utils.URL
+import com.squareup.moshi.Json
+import retrofit2.Call
+import retrofit2.http.Field
+import retrofit2.http.FormUrlEncoded
+import retrofit2.http.HeaderMap
+import retrofit2.http.POST
+
+object PACETokenExchangeAPI {
+
+    data class TokenExchangeResponse(@Json(name = "access_token") val accessToken: String)
+
+    interface PACETokenExchangeService {
+        @FormUrlEncoded
+        @POST("/auth/realms/pace/protocol/openid-connect/token")
+        fun tokenExchange(
+            @HeaderMap headers: Map<String, String>,
+            @Field("client_id") clientId: String,
+            @Field("client_secret") clientSecret: String,
+            @Field("grant_type") grantType: String,
+            @Field("subject_issuer") subjectIssuer: String,
+            @Field("subject_token") subjectToken: String,
+            @Field("subject_token_type") subjectTokenType: String
+        ): Call<TokenExchangeResponse>
+    }
+
+    open class Request : BaseRequest() {
+        fun tokenExchange(
+            clientId: String,
+            clientSecret: String,
+            grantType: String,
+            subjectIssuer: String,
+            subjectToken: String,
+            subjectTokenType: String
+        ): Call<TokenExchangeResponse> {
+            val headers = headers(false, "application/x-www-form-urlencoded", "application/x-www-form-urlencoded")
+
+            return retrofit(URL.paceID)
+                .create(PACETokenExchangeService::class.java)
+                .tokenExchange(
+                    headers = headers,
+                    clientId = clientId,
+                    clientSecret = clientSecret,
+                    grantType = grantType,
+                    subjectIssuer = subjectIssuer,
+                    subjectToken = subjectToken,
+                    subjectTokenType = subjectTokenType
+                )
+        }
+    }
+
+    fun tokenExchange(
+        clientId: String,
+        clientSecret: String,
+        grantType: String = "urn:ietf:params:oauth:grant-type:token-exchange",
+        subjectIssuer: String,
+        subjectToken: String,
+        subjectTokenType: String = "urn:ietf:params:oauth:token-type:access_token"
+    ) = Request().tokenExchange(
+        clientId = clientId,
+        clientSecret = clientSecret,
+        grantType = grantType,
+        subjectIssuer = subjectIssuer,
+        subjectToken = subjectToken,
+        subjectTokenType = subjectTokenType
+    )
+}

library/src/main/java/cloud/pace/sdk/idkit/authorization/AuthorizationManager.kt

@@ -19,9 +19,11 @@ import androidx.lifecycle.ProcessLifecycleOwner
 import cloud.pace.sdk.PACECloudSDK
 import cloud.pace.sdk.R
 import cloud.pace.sdk.api.API
+import cloud.pace.sdk.api.user.PACETokenExchangeAPI.tokenExchange
 import cloud.pace.sdk.appkit.AppKit
 import cloud.pace.sdk.idkit.authorization.integrated.AuthorizationWebViewActivity
 import cloud.pace.sdk.idkit.model.FailedRetrievingConfigurationWhileDiscovering
+import cloud.pace.sdk.idkit.model.FailedRetrievingExchangedToken
 import cloud.pace.sdk.idkit.model.FailedRetrievingSessionWhileAuthorizing
 import cloud.pace.sdk.idkit.model.FailedRetrievingSessionWhileEnding
 import cloud.pace.sdk.idkit.model.InternalError
@@ -30,6 +32,7 @@ import cloud.pace.sdk.idkit.model.NoSupportedBrowser
 import cloud.pace.sdk.idkit.model.OIDConfiguration
 import cloud.pace.sdk.idkit.model.OperationCanceled
 import cloud.pace.sdk.idkit.model.ServiceConfiguration
+import cloud.pace.sdk.idkit.model.TokenExchangeConfiguration
 import cloud.pace.sdk.idkit.model.toAuthorizationServiceConfiguration
 import cloud.pace.sdk.idkit.userinfo.UserInfoApiClient
 import cloud.pace.sdk.idkit.userinfo.UserInfoResponse
@@ -42,6 +45,7 @@ import cloud.pace.sdk.utils.Ok
 import cloud.pace.sdk.utils.SetupLogger
 import cloud.pace.sdk.utils.Success
 import cloud.pace.sdk.utils.Theme
+import cloud.pace.sdk.utils.enqueue
 import cloud.pace.sdk.utils.getResultFor
 import cloud.pace.sdk.utils.resumeIfActive
 import kotlinx.coroutines.suspendCancellableCoroutine
@@ -68,6 +72,7 @@ internal class AuthorizationManager(
     private lateinit var clientId: String
     private lateinit var configuration: OIDConfiguration
     private lateinit var authorizationRequest: AuthorizationRequest
+    private var exchangedAccessToken: String? = null
 
     internal fun setup(clientId: String, configuration: OIDConfiguration) {
         ProcessLifecycleOwner.get().lifecycle.addObserver(this)
@@ -315,8 +320,7 @@ internal class AuthorizationManager(
                 completion(Failure(exception))
             }
             response != null -> {
-                API.addAuthorizationHeader(null)
-                sessionHolder.clearSessionAndPreferences()
+                clearSession()
                 completion(Success(Unit))
             }
             else -> {
@@ -335,7 +339,13 @@ internal class AuthorizationManager(
 
     internal fun containsException(intent: Intent) = intent.hasExtra(AuthorizationException.EXTRA_EXCEPTION)
 
-    internal fun cachedToken() = sessionHolder.cachedToken()
+    internal fun cachedToken(): String? {
+        return if (configuration.tokenExchangeConfig == null) {
+            sessionHolder.cachedToken()
+        } else {
+            exchangedAccessToken
+        }
+    }
 
     internal fun userInfo(additionalHeaders: Map<String, String>? = null, additionalParameters: Map<String, String>? = null, completion: (Completion<UserInfoResponse>) -> Unit) {
         userInfoApi.getUserInfo(additionalHeaders, additionalParameters, completion)
@@ -398,10 +408,16 @@ internal class AuthorizationManager(
                 completion(Failure(exception))
             }
             tokenResponse != null -> {
-                val accessToken = sessionHolder.cachedToken()
-                accessToken?.let { API.addAuthorizationHeader(it) }
-                completion(Success(accessToken))
-                Timber.i("Token refresh successful")
+                val tokenExchangeConfig = configuration.tokenExchangeConfig
+                if (tokenExchangeConfig == null) {
+                    val accessToken = sessionHolder.cachedToken()
+                    accessToken?.let { API.addAuthorizationHeader(it) }
+                    completion(Success(accessToken))
+                    Timber.i("Token refresh successful")
+                } else {
+                    Timber.i("Try to exchange token...")
+                    exchangeToken(sessionHolder.cachedToken(), tokenExchangeConfig, completion)
+                }
             }
             else -> {
                 val throwable = FailedRetrievingSessionWhileAuthorizing
@@ -411,6 +427,40 @@ internal class AuthorizationManager(
         }
     }
 
+    private fun exchangeToken(externalToken: String?, tokenExchangeConfiguration: TokenExchangeConfiguration, completion: (Completion<String?>) -> Unit) {
+        if (externalToken == null) {
+            val throwable = FailedRetrievingSessionWhileAuthorizing
+            Timber.w(throwable, "Failed to handle token response")
+            completion(Failure(throwable))
+            return
+        }
+
+        tokenExchange(
+            clientId = tokenExchangeConfiguration.clientId,
+            clientSecret = tokenExchangeConfiguration.clientSecret,
+            subjectIssuer = tokenExchangeConfiguration.issuerId,
+            subjectToken = externalToken
+        ).enqueue {
+            onResponse = {
+                val accessToken = it.body()?.accessToken
+                if (accessToken != null) {
+                    API.addAuthorizationHeader(accessToken)
+                    exchangedAccessToken = accessToken
+                    completion(Success(accessToken))
+                    Timber.i("Token exchange successful")
+                } else {
+                    clearSession()
+                    completion(Failure(FailedRetrievingExchangedToken))
+                }
+            }
+
+            onFailure = {
+                clearSession()
+                completion(Failure(FailedRetrievingExchangedToken))
+            }
+        }
+    }
+
     private fun showNoSupportedBrowserToast() {
         Toast.makeText(context, R.string.no_supported_browser_toast, Toast.LENGTH_LONG).show()
     }
@@ -434,6 +484,12 @@ internal class AuthorizationManager(
         return authorizationService.createCustomTabsIntentBuilder().setColorScheme(colorScheme).build()
     }
 
+    private fun clearSession() {
+        API.addAuthorizationHeader(null)
+        sessionHolder.clearSessionAndPreferences()
+        exchangedAccessToken = null
+    }
+
     override fun onDestroy(owner: LifecycleOwner) {
         // This must be called to avoid memory leaks.
         authorizationService.dispose()