From a4656c6757ee06ab75f9a1185520f208dd158637 Mon Sep 17 00:00:00 2001
From: Dominik Frantisek Bucik <bucik@ics.muni.cz>
Date: Thu, 30 May 2024 13:54:01 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=90=9B=20Losing=20AUD=20in=20GA4GH?=
 =?UTF-8?q?=20AT=20modifier?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Audiences previously set in the token were lost as the current
implementation just placed ClientID over it. The fix maintains set
audiences
---
 .../oidc/server/ga4gh/Ga4ghAccessTokenModifier.java  | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghAccessTokenModifier.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghAccessTokenModifier.java
index 563c0dae9..4b7f735af 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghAccessTokenModifier.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghAccessTokenModifier.java
@@ -8,7 +8,10 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import static cz.muni.ics.oidc.server.ga4gh.Ga4ghApiClaimSource.GA4GH_SCOPE;
@@ -33,8 +36,15 @@ public class Ga4ghAccessTokenModifier implements PerunAccessTokenEnhancer.Access
 		Set<String> scopes = accessToken.getScope();
 		//GA4GH
 		if (scopes.contains(GA4GH_SCOPE)) {
+			Object originalAud = builder.getClaims().get("aud");
+			Set<String> newAud = new HashSet<>();
+			if (originalAud instanceof String) {
+				newAud.add((String) originalAud);
+			} else if (originalAud instanceof Collection) {
+				newAud.addAll((Collection<String>) originalAud);
+			}
 			log.debug("Adding claims required by GA4GH to access token");
-			builder.audience(Collections.singletonList(authentication.getOAuth2Request().getClientId()));
+			builder.audience(new ArrayList<>(newAud));
 		}
 	}
 
-- 
GitLab