fixes #311 swt introspection to use request headers for clientId andd…

… clientSecret (#312)

openapi-security/src/main/java/com/networknt/openapi/SwtVerifyHandler.java

@@ -17,6 +17,7 @@
 import com.networknt.security.SecurityConfig;
 import com.networknt.utility.Constants;
 import com.networknt.utility.ModuleRegistry;
+import com.networknt.utility.StringUtils;
 import io.undertow.Handlers;
 import io.undertow.server.HttpHandler;
 import io.undertow.server.HttpServerExchange;
@@ -136,7 +137,10 @@ public boolean handleSwt(HttpServerExchange exchange, String reqPath, List<Strin
                 if (logger.isTraceEnabled())
                     logger.trace("parsed swt from authorization = " + swt.substring(0, 10));
                 try {
-                    Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds);
+                    String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
+                    String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
+                    if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
+                    Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
                     if(tokenInfoResult.isFailure()) {
                         // return error status to the user.
                         setExchangeStatus(exchange, tokenInfoResult.getError());
@@ -326,7 +330,11 @@ protected boolean hasValidSecondaryScopes(HttpServerExchange exchange, String sc
             if (logger.isTraceEnabled())
                 logger.trace("start verifying scope token = " + scopeSwt.substring(0, 10));
             try {
-                Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds);
+                HeaderMap headerMap = exchange.getRequestHeaders();
+                String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
+                String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
+                if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
+                Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
                 if(scopeTokenInfo.isFailure()) {
                     setExchangeStatus(exchange, scopeTokenInfo.getError());
                     exchange.endExchange();

openapi-security/src/main/resources/config/openapi-security.yml

@@ -15,6 +15,13 @@ enableVerifyJwt: ${openapi-security.enableVerifyJwt:true}
 # request path prefix in skipPathPrefixes.
 enableVerifySwt: ${openapi-security.enableVerifySwt:false}
 
+# swt clientId header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientIdHeader: ${openapi-security.swtClientIdHeader:swt-client}
+# swt clientSecret header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientSecretHeader: ${openapi-security.swtClientSecretHeader:swt-secret}
+
 # Extract JWT scope token from the X-Scope-Token header and validate the JWT token
 enableExtractScopeToken: ${openapi-security.enableExtractScopeToken:true}