From c958fbf949bb12ccfc719f32ecc25b99105d982f Mon Sep 17 00:00:00 2001
From: Steve Hu <stevehu@gmail.com>
Date: Wed, 2 Aug 2023 09:39:13 -0400
Subject: [PATCH] fixes #311 swt introspection to use request headers for
 clientId andd clientSecret (#312)

---
 .../java/com/networknt/openapi/SwtVerifyHandler.java | 12 ++++++++++--
 .../src/main/resources/config/openapi-security.yml   |  7 +++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/openapi-security/src/main/java/com/networknt/openapi/SwtVerifyHandler.java b/openapi-security/src/main/java/com/networknt/openapi/SwtVerifyHandler.java
index f8db1256..16f76914 100644
--- a/openapi-security/src/main/java/com/networknt/openapi/SwtVerifyHandler.java
+++ b/openapi-security/src/main/java/com/networknt/openapi/SwtVerifyHandler.java
@@ -17,6 +17,7 @@
 import com.networknt.security.SecurityConfig;
 import com.networknt.utility.Constants;
 import com.networknt.utility.ModuleRegistry;
+import com.networknt.utility.StringUtils;
 import io.undertow.Handlers;
 import io.undertow.server.HttpHandler;
 import io.undertow.server.HttpServerExchange;
@@ -136,7 +137,10 @@ public boolean handleSwt(HttpServerExchange exchange, String reqPath, List<Strin
                 if (logger.isTraceEnabled())
                     logger.trace("parsed swt from authorization = " + swt.substring(0, 10));
                 try {
-                    Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds);
+                    String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
+                    String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
+                    if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
+                    Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
                     if(tokenInfoResult.isFailure()) {
                         // return error status to the user.
                         setExchangeStatus(exchange, tokenInfoResult.getError());
@@ -326,7 +330,11 @@ protected boolean hasValidSecondaryScopes(HttpServerExchange exchange, String sc
             if (logger.isTraceEnabled())
                 logger.trace("start verifying scope token = " + scopeSwt.substring(0, 10));
             try {
-                Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds);
+                HeaderMap headerMap = exchange.getRequestHeaders();
+                String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
+                String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
+                if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
+                Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
                 if(scopeTokenInfo.isFailure()) {
                     setExchangeStatus(exchange, scopeTokenInfo.getError());
                     exchange.endExchange();
diff --git a/openapi-security/src/main/resources/config/openapi-security.yml b/openapi-security/src/main/resources/config/openapi-security.yml
index 369387f3..f9cd2996 100644
--- a/openapi-security/src/main/resources/config/openapi-security.yml
+++ b/openapi-security/src/main/resources/config/openapi-security.yml
@@ -15,6 +15,13 @@ enableVerifyJwt: ${openapi-security.enableVerifyJwt:true}
 # request path prefix in skipPathPrefixes.
 enableVerifySwt: ${openapi-security.enableVerifySwt:false}
 
+# swt clientId header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientIdHeader: ${openapi-security.swtClientIdHeader:swt-client}
+# swt clientSecret header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientSecretHeader: ${openapi-security.swtClientSecretHeader:swt-secret}
+
 # Extract JWT scope token from the X-Scope-Token header and validate the JWT token
 enableExtractScopeToken: ${openapi-security.enableExtractScopeToken:true}