navikt · jan-olaveide · Jan 3, 2024 · Dec 4, 2023 · Dec 5, 2023 · Dec 5, 2023
@@ -18,10 +18,10 @@ jobs:
       - name: Checkout latest code
         uses: actions/checkout@v4
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: temurin
       - name: Setup build cache
         uses: actions/cache@v3

@@ -27,10 +27,10 @@ jobs:
             -   name: Checkout repository
                 uses: actions/checkout@v4
 
-            -   name: Setter opp Java 17
+            -   name: Setter opp Java 21
                 uses: actions/setup-java@v4
                 with:
-                    java-version: 17
+                    java-version: 21
                     distribution: temurin
                     cache: maven
 
@@ -50,4 +50,4 @@ jobs:
             -   name: Perform CodeQL Analysis
                 uses: github/codeql-action/analyze@v3
                 with:
-                    category: "/language:${{matrix.language}}"
+                    category: "/language:${{matrix.language}}"
@@ -12,10 +12,10 @@ jobs:
       - name: Checkout latest code
         uses: actions/checkout@v4
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: temurin
           cache: maven
 
@@ -51,4 +51,4 @@ jobs:
     #    run: |
     #      git config user.email "[email protected]"
     #      git config user.name "GitHub Actions release"
-    #    ./mvnw  --settings .github/settings.xml -Pgithub --batch-mode -Dmaven.main.skip=true -Dmaven.test.skip=true  deploy
+    #    ./mvnw  --settings .github/settings.xml -Pgithub --batch-mode -Dmaven.main.skip=true -Dmaven.test.skip=true  deploy
@@ -11,10 +11,10 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
-          java-version: 17
+          java-version: 21
           distribution: temurin
 
       - name: Setup build cache
@@ -30,5 +30,4 @@ jobs:
           GITHUB_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           GITHUB_TOKEN:  ${{ secrets.GITHUB_TOKEN }}
-        run: mvn  -B test
-
+        run: mvn  -B test
@@ -1 +1 @@
-17
+21.0.1
@@ -33,7 +33,6 @@
         <module>token-validation-spring-test</module>
         <module>token-validation-jaxrs</module>
         <module>token-validation-spring-demo</module>
-        <module>token-validation-ktor</module>
         <module>token-validation-ktor-v2</module>
         <module>token-validation-ktor-demo</module>
         <module>token-client-spring</module>
@@ -42,6 +41,7 @@
         <module>token-client-core</module>
     </modules>
     <properties>
+        <kotlin.version>1.9.22</kotlin.version>
         <kotlin-coroutines.version>1.6.2</kotlin-coroutines.version>
         <doclint>none</doclint>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
@@ -55,63 +55,26 @@
         <spring-boot.version>3.2.1</spring-boot.version>
         <oauth2-oidc-sdk.version>11.9</oauth2-oidc-sdk.version>
         <validation-api.version>2.0.1.Final</validation-api.version>
-        <rest-assured.version>5.4.0</rest-assured.version>
         <mockwebserver.version>4.12.0</mockwebserver.version>
         <caffeine.version>3.1.8</caffeine.version>
         <okhttp3.version>4.12.0</okhttp3.version>
-        <ktor.version>1.6.8</ktor.version>
+        <ktor.version>2.3.6</ktor.version>
         <kotlin.code.style>official</kotlin.code.style>
         <kotlin.version>1.9.22</kotlin.version>
         <mock-oauth2-server.version>2.1.0</mock-oauth2-server.version>
         <nimbus.jose.jwt.version>9.37.3</nimbus.jose.jwt.version>
         <kotest.version>5.8.0</kotest.version>
         <kotlin.compiler.jvmTarget>17</kotlin.compiler.jvmTarget>
     </properties>
-
     <scm>
         <url>https://github.com/navikt/token-support</url>
         <connection>scm:git:[email protected]:navikt/token-support.git</connection>
         <developerConnection>scm:git:[email protected]:navikt/token-support.git</developerConnection>
         <tag>HEAD</tag>
     </scm>
     <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.2.3</version>
-            </plugin>
-            <plugin>
-                <groupId>org.jacoco</groupId>
-                <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.8.11</version>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>prepare-agent</goal>
-                        </goals>
-                    </execution>
-                    <execution>
-                        <id>report</id>
-                        <goals>
-                            <goal>report</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-        </plugins>
         <pluginManagement>
             <plugins>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.12.1</version>
-                    <configuration>
-                        <compilerArgs>
-                            <arg>-parameters</arg>
-                        </compilerArgs>
-                    </configuration>
-                </plugin>
                 <plugin>
                     <groupId>org.jetbrains.kotlin</groupId>
                     <artifactId>kotlin-maven-plugin</artifactId>
@@ -262,6 +225,13 @@
     </profiles>
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>org.jetbrains.kotlin</groupId>
+                <artifactId>kotlin-bom</artifactId>
+                <version>${kotlin.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>
@@ -432,6 +402,12 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito.kotlin</groupId>
+            <artifactId>mockito-kotlin</artifactId>
+            <version>5.2.1</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
@@ -442,4 +418,4 @@
             <artifactId>nimbus-jose-jwt</artifactId>
         </dependency>
     </dependencies>
-</project>
+</project>
@@ -1,4 +1,4 @@
-package no.nav.security.token.support.client.core;
+package no.nav.security.token.support.client.core
 
 import com.nimbusds.jose.jwk.RSAKey
 import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod
@@ -43,5 +43,5 @@ class ClientAuthenticationProperties @JvmOverloads constructor(val clientId: Str
 class ClientAuthenticationPropertiesBuilder @JvmOverloads constructor(private val clientId: String, private val clientAuthMethod: ClientAuthenticationMethod, private var clientSecret: String? = null, private var clientJwk: String? = null) {
     fun  clientSecret(clientSecret: String)= this.also { it.clientSecret = clientSecret }
     fun  clientJwk(clientJwk: String)= this.also { it.clientJwk = clientJwk }
-    fun  build() = ClientAuthenticationProperties(clientId, clientAuthMethod, clientSecret, clientJwk);
+    fun  build() = ClientAuthenticationProperties(clientId, clientAuthMethod, clientSecret, clientJwk)
 }
@@ -1,11 +1,15 @@
-package no.nav.security.token.support.client.core;
+package no.nav.security.token.support.client.core
 
-import com.nimbusds.jose.util.DefaultResourceRetriever;
+import com.nimbusds.jose.util.DefaultResourceRetriever
 import com.nimbusds.oauth2.sdk.GrantType
+import com.nimbusds.oauth2.sdk.GrantType.CLIENT_CREDENTIALS
+import com.nimbusds.oauth2.sdk.GrantType.JWT_BEARER
+import com.nimbusds.oauth2.sdk.GrantType.TOKEN_EXCHANGE
 import com.nimbusds.oauth2.sdk.ParseException
 import com.nimbusds.oauth2.sdk.`as`.AuthorizationServerMetadata
 import java.io.IOException
 import java.net.URI
+
 class ClientProperties @JvmOverloads constructor(var tokenEndpointUrl: URI? = null,
                                                  private val wellKnownUrl: URI? = null,
                                                  val grantType: GrantType,
@@ -16,8 +20,8 @@ class ClientProperties @JvmOverloads constructor(var tokenEndpointUrl: URI? = nu
 
 
     init {
+        tokenEndpointUrl = tokenEndpointUrl ?: endpointUrlFromMetadata(requireNotNull(wellKnownUrl))
         require(grantType in GRANT_TYPES) { "Unsupported grantType $grantType, must be one of $GRANT_TYPES" }
-        tokenEndpointUrl = tokenEndpointUrl ?: endpointUrlFromMetadata(wellKnownUrl)
     }
 
 
@@ -30,34 +34,38 @@ class ClientProperties @JvmOverloads constructor(var tokenEndpointUrl: URI? = nu
             .tokenExchange(tokenExchange)
 
     companion object {
-        private val GRANT_TYPES = listOf(GrantType.JWT_BEARER, GrantType.CLIENT_CREDENTIALS, GrantType.TOKEN_EXCHANGE)
+        private val GRANT_TYPES = listOf(JWT_BEARER, CLIENT_CREDENTIALS, TOKEN_EXCHANGE)
 
        @JvmStatic
         fun builder(grantType: GrantType, authentication: ClientAuthenticationProperties) = ClientPropertiesBuilder(grantType, authentication)
 
         private fun endpointUrlFromMetadata(wellKnown: URI?) =
             runCatching {
                 wellKnown?.let { AuthorizationServerMetadata.parse(DefaultResourceRetriever().retrieveResource(wellKnown.toURL()).content).tokenEndpointURI }
-                    ?: throw OAuth2ClientException("Well knowcn url cannot be null, please check your configuration")
+                    ?: throw OAuth2ClientException("Well-known url cannot be null, please check your configuration")
             }.getOrElse {
                 when(it) {
                     is ParseException-> throw OAuth2ClientException("Unable to parse response from $wellKnown", it)
-                    is IOException -> throw OAuth2ClientException("Unable to read from  $wellKnown", it)
+                    is IOException -> throw OAuth2ClientException("Unable to read from $wellKnown", it)
                     is OAuth2ClientException -> throw it
                     else -> throw OAuth2ClientException("Unexpected error reading from $wellKnown", it)
                 }
             }
     }
 
-    class ClientPropertiesBuilder @JvmOverloads constructor(private val grantType: GrantType, val authentication: ClientAuthenticationProperties,
+    class ClientPropertiesBuilder @JvmOverloads constructor(private val grantType: GrantType,
+                                                            val authentication: ClientAuthenticationProperties,
                                                             private var tokenEndpointUrl: URI? = null,
                                                             private var wellKnownUrl: URI? = null,
                                                             private var scope: List<String> = emptyList(),
                                                             private var resourceUrl: URI? = null,
                                                             private var tokenExchange: TokenExchangeProperties? = null) {
 
+        fun tokenEndpointUrl(endpointURI: String?) = endpointURI?.let { tokenEndpointUrl(URI.create(it)) } ?: this
         fun tokenEndpointUrl(endpointURI: URI?) = this.also { it.tokenEndpointUrl = endpointURI }
+        fun wellKnownUrl(wellKnownURI: String?) = wellKnownURI?.let { wellKnownUrl(URI.create(it)) } ?: this
         fun wellKnownUrl(wellKnownURI: URI?) = this.also { it.wellKnownUrl = wellKnownURI }
+        fun scopes(vararg scopes:  String) =   scope(scopes.toList())
         fun scope(scope: List<String>) =  this.also { it.scope = scope}
         fun resourceUrl(resourceUrl: URI?) = this.also { it.resourceUrl = resourceUrl }
         fun tokenExchange(tokenExchange: TokenExchangeProperties?) = this.also { it.tokenExchange = tokenExchange }

@@ -1,20 +1,19 @@
 package no.nav.security.token.support.client.core
 
 import com.nimbusds.oauth2.sdk.GrantType
+import kotlin.DeprecationLevel.WARNING
 
-@Deprecated("Use GrantType from nimbus instead", ReplaceWith("GrantType"), DeprecationLevel.WARNING)
-data class OAuth2GrantType(@JvmField val value : String) {
-     fun value() = value
-
+@Deprecated("Use GrantType from nimbus instead", ReplaceWith("GrantType"), WARNING)
+data class OAuth2GrantType(val value : String) {
     companion object {
        @JvmField
-       @Deprecated("Use GrantType.JWT_BEARER from nimbus instead")
-       val JWT_BEARER = OAuth2GrantType(GrantType.JWT_BEARER.value)
+       @Deprecated("Use com.nimbusds.oauth2.sdk.GrantType instead", ReplaceWith("GrantType.JWT_BEARER"), WARNING)
+       val JWT_BEARER = GrantType(GrantType.JWT_BEARER.value)
         @JvmField
-        @Deprecated("Use GrantType.CLIENT_CREDENTIALS from nimbus instead")
-        val CLIENT_CREDENTIALS = OAuth2GrantType(GrantType.CLIENT_CREDENTIALS.value)
+        @Deprecated("Use com.nimbusds.oauth2.sdk.GrantType instead", ReplaceWith("GrantType.CLIENT_CREDENTIALS"), WARNING)
+        val CLIENT_CREDENTIALS = GrantType(GrantType.CLIENT_CREDENTIALS.value)
         @JvmField
-        @Deprecated("Use GrantType.TOKEN_EXCHANGE from nimbus instead")
-        val TOKEN_EXCHANGE = OAuth2GrantType(GrantType.TOKEN_EXCHANGE.value)
+        @Deprecated("Use com.nimbusds.oauth2.sdk.GrantType instead", ReplaceWith("GrantType.TOKEN_EXCHANGE"), WARNING)
+        val TOKEN_EXCHANGE = GrantType(GrantType.TOKEN_EXCHANGE.value)
     }
 }
@@ -1,40 +1,42 @@
 package no.nav.security.token.support.client.core.auth
 
-import com.nimbusds.jose.JOSEObjectType.*
-import com.nimbusds.jose.JWSAlgorithm.*
+import com.nimbusds.jose.JOSEObjectType.JWT
+import com.nimbusds.jose.JWSAlgorithm.RS256
 import com.nimbusds.jose.JWSHeader
 import com.nimbusds.jose.crypto.RSASSASigner
 import com.nimbusds.jose.jwk.RSAKey
+import com.nimbusds.jwt.JWTClaimNames.JWT_ID
 import com.nimbusds.jwt.JWTClaimsSet
 import com.nimbusds.jwt.JWTClaimsSet.Builder
 import com.nimbusds.jwt.SignedJWT
-import com.nimbusds.oauth2.sdk.auth.JWTAuthentication.*
+import com.nimbusds.oauth2.sdk.auth.JWTAuthentication.CLIENT_ASSERTION_TYPE
 import java.net.URI
-import java.time.Instant.*
+import java.time.Instant.now
 import java.util.Date
 import java.util.UUID
+import kotlin.DeprecationLevel.WARNING
 import no.nav.security.token.support.client.core.ClientAuthenticationProperties
 
-class ClientAssertion(private val tokenEndpointUrl : URI, private val clientId : String, private val rsaKey : RSAKey, private val expiryInSeconds : Int) {
-    constructor(tokenEndpointUrl: URI, auth :  ClientAuthenticationProperties) : this(tokenEndpointUrl, auth.clientId, auth.clientRsaKey!!, EXPIRY_IN_SECONDS)
+class ClientAssertion(private val tokenEndpointUrl : URI?, private val clientId : String, private val rsaKey : RSAKey, private val expiryInSeconds : Int) {
+    constructor(tokenEndpointUrl: URI?, auth :  ClientAuthenticationProperties) : this(tokenEndpointUrl, auth.clientId, auth.clientRsaKey!!, EXPIRY_IN_SECONDS)
 
     fun assertion()  =
         now().run {
             createSignedJWT(rsaKey, Builder()
-                .audience(tokenEndpointUrl.toString())
+                .audience("$tokenEndpointUrl")
                 .expirationTime(Date.from(plusSeconds(expiryInSeconds.toLong())))
                 .issuer(clientId)
                 .subject(clientId)
-                .claim("jti", UUID.randomUUID().toString())
+                .claim(JWT_ID, "${UUID.randomUUID()}")
                 .notBeforeTime(Date.from(this))
                 .issueTime(Date.from(this))
                 .build()).serialize()
         }
 
+    @Deprecated("Use com.nimbusds.oauth2.sdk.auth.JWTAuthentication instead", ReplaceWith("JWTAuthentication.CLIENT_ASSERTION_TYPE"), WARNING)
     fun assertionType() = CLIENT_ASSERTION_TYPE
 
     private fun createSignedJWT(rsaJwk : RSAKey, claimsSet : JWTClaimsSet) =
-
         runCatching {
             SignedJWT(JWSHeader.Builder(RS256)
                 .keyID(rsaJwk.keyID)

@@ -1,7 +1,6 @@
 package no.nav.security.token.support.client.core.context
 
-import java.util.Optional
-
 fun interface JwtBearerTokenResolver {
-    fun token() : Optional<String>
+
+    fun token() : String?
 }
@@ -3,6 +3,5 @@ package no.nav.security.token.support.client.core.http
 import no.nav.security.token.support.client.core.oauth2.OAuth2AccessTokenResponse
 
 interface OAuth2HttpClient {
-
-    fun post(oAuth2HttpRequest : OAuth2HttpRequest) : OAuth2AccessTokenResponse?
+    fun post(request : OAuth2HttpRequest) : OAuth2AccessTokenResponse?
 }
@@ -15,7 +15,7 @@ class OAuth2HttpHeaders (val headers : Map<String, List<String>>) {
 
     override fun hashCode() = Objects.hash(headers)
 
-    override fun toString() = javaClass.getSimpleName() + " [headers=" + headers + "]"
+    override fun toString() = "${javaClass.getSimpleName()} [headers=$headers]"
 
     class Builder(private val headers : TreeMap<String, MutableList<String>> =  TreeMap(CASE_INSENSITIVE_ORDER)) {