ES-1977 Individual ID is not validated with IDT auth factor

oidc-service-impl/src/main/java/io/mosip/esignet/services/AuthorizationHelperService.java

@@ -213,13 +213,15 @@ protected KycAuthResult delegateAuthenticateRequest(String transactionId, String
 
     /**
      * Method validates challenge with "IDT" auth factor
-     * @param authChallenge
-     * @param transaction
-     * @param httpServletRequest
-     * @return
+     *
+     * @param authChallenge {@link AuthChallenge}
+     * @param individualId individual id from {@link AuthRequestV2}
+     * @param transaction {@link OIDCTransaction}
+     * @param httpServletRequest {@link HttpServletRequest}
+     * @return {@link KycAuthResult}
      */
     protected KycAuthResult handleInternalAuthenticateRequest(@NonNull AuthChallenge authChallenge,
-                                                              @NonNull OIDCTransaction transaction, HttpServletRequest httpServletRequest) {
+                                                              @NotNull String individualId, @NonNull OIDCTransaction transaction, HttpServletRequest httpServletRequest) {
         try {
             JsonNode jsonNode = objectMapper.readTree(IdentityProviderUtil.b64Decode(authChallenge.getChallenge()));
             if(jsonNode.isNull() || jsonNode.get("token").isNull())
@@ -228,6 +230,12 @@ protected KycAuthResult handleInternalAuthenticateRequest(@NonNull AuthChallenge
             tokenService.verifyIdToken(token, signupIDTokenAudience);
             JWT jwt = JWTParser.parse(token);
             String subject = jwt.getJWTClaimsSet().getSubject();
+
+            //compares individual from auth request against subject from jwt token.
+            if(!individualId.equals(subject)){
+                throw new EsignetException(INVALID_INDIVIDUAL_ID);
+            }
+
             Optional<Cookie> result = Arrays.stream(httpServletRequest.getCookies())
                     .filter(x -> x.getName().equals(subject))
                     .findFirst();
@@ -244,6 +252,8 @@ protected KycAuthResult handleInternalAuthenticateRequest(@NonNull AuthChallenge
             }
             log.error("ID token in the challenge is not matching the required conditions. isCookiePresent: {}, isHaltedTransactionFound: {}",
                     result.isPresent(), haltedTransaction!=null);
+        } catch (EsignetException e) {
+            throw e;
         } catch (Exception e) {
             log.error("Failed to parse ID token as challenge", e);
         }

oidc-service-impl/src/main/java/io/mosip/esignet/services/AuthorizationServiceImpl.java

@@ -363,7 +363,7 @@ private OIDCTransaction authenticate(AuthRequest authRequest, boolean checkConse
 
         KycAuthResult kycAuthResult;
         if(authRequest.getChallengeList().size() == 1 && authRequest.getChallengeList().get(0).getAuthFactorType().equals("IDT")) {
-            kycAuthResult = authorizationHelperService.handleInternalAuthenticateRequest(authRequest.getChallengeList().get(0), transaction,
+            kycAuthResult = authorizationHelperService.handleInternalAuthenticateRequest(authRequest.getChallengeList().get(0),authRequest.getIndividualId(), transaction,
                     httpServletRequest);
             transaction.setInternalAuthSuccess(true);
         }

oidc-service-impl/src/test/java/io/mosip/esignet/services/AuthorizationHelperServiceTest.java

@@ -515,14 +515,32 @@ public void testHandleInternalAuthenticateRequest_ValidDetails_thenPass(){
         haltedTransaction.setServerNonce("subject");
         Mockito.when(cacheUtilService.getHaltedTransaction(Mockito.anyString())).thenReturn(haltedTransaction);
 
-        KycAuthResult result = authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, transaction, httpServletRequest);
+        KycAuthResult result = authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, "subject", transaction, httpServletRequest);
 
         Assert.assertNotNull(result);
         Assert.assertEquals("subject", result.getKycToken());
         Assert.assertEquals("subject", result.getPartnerSpecificUserToken());
         Assert.assertEquals("individualId", transaction.getIndividualId());
     }
 
+    @Test
+    public void testHandleInternalAuthenticateRequest_InvalidIndividualId_thenFail(){
+        ReflectionTestUtils.setField(authorizationHelperService, "objectMapper",objectMapper);
+
+        AuthChallenge authChallenge = new AuthChallenge();
+        authChallenge.setChallenge("eyJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUo5LmV5SnpkV0lpT2lKemRXSnFaV04wSW4wLjl0MG5GMkNtVWZaeTlCYlA3cjM4bElhSlJSeTNaSk41MnBRNlpLSl9qVWMifQ==");
+        OIDCTransaction transaction = new OIDCTransaction();
+        transaction.setIndividualId("individualId");
+        Mockito.doNothing().when(tokenService).verifyIdToken(any(), any());
+
+        try{
+            authorizationHelperService.handleInternalAuthenticateRequest(authChallenge,
+                    "invalid_individualId", transaction, httpServletRequest);
+        }catch(EsignetException e){
+            Assert.assertEquals(INVALID_INDIVIDUAL_ID,e.getErrorCode());
+        }
+    }
+
     @Test
     public void testHandleInternalAuthenticateRequest_NoCookie_thenFail() {
 
@@ -531,7 +549,7 @@ public void testHandleInternalAuthenticateRequest_NoCookie_thenFail() {
         OIDCTransaction transaction = new OIDCTransaction();
         HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
         try{
-            authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, transaction, httpServletRequest);
+            authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, "individualId", transaction, httpServletRequest);
             Assert.fail();
         }catch(EsignetException e){
             Assert.assertEquals("auth_failed",e.getErrorCode());
@@ -544,7 +562,7 @@ public void testHandleInternalAuthenticateRequest_NoHaltedTransaction_thenFail()
         authChallenge.setChallenge("base64encodedchallenge");
         OIDCTransaction transaction = new OIDCTransaction();
         try {
-            authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, transaction, httpServletRequest);
+            authorizationHelperService.handleInternalAuthenticateRequest(authChallenge, "individualId", transaction, httpServletRequest);
             Assert.fail();
         }catch(EsignetException e)
         {

oidc-service-impl/src/test/java/io/mosip/esignet/services/AuthorizationServiceTest.java

@@ -1257,7 +1257,7 @@ public void authenticateV3_enableCaptcha_thenPass() throws KycAuthException {
     }
 
     @Test
-    public void authenticateV3_withIDToken_thenPass() {
+    public void authenticateV3_withIDTokenInvalidIndividualId_thenFail() {
         String transactionId = "test-transaction";
         String individualId = "23423434234";
         when(cacheUtilService.getPreAuthTransaction(transactionId)).thenReturn(createIdpTransaction(
@@ -1281,6 +1281,39 @@ public void authenticateV3_withIDToken_thenPass() {
         authChallenges.add(authChallenge);
         authRequest.setChallengeList(authChallenges);
 
+        try{
+            AuthResponseV2 authResponseV2 = authorizationServiceImpl.authenticateUserV3(authRequest, httpServletRequest);
+            Assert.assertNotNull(authResponseV2);
+        }catch (EsignetException ex){
+            Assert.assertEquals(ErrorConstants.INVALID_INDIVIDUAL_ID,ex.getErrorCode());
+        }
+    }
+
+    @Test
+    public void authenticateV3_withIDToken_thenPass() {
+        String transactionId = "test-transaction";
+        String individualId = "subject";
+        when(cacheUtilService.getPreAuthTransaction(transactionId)).thenReturn(createIdpTransaction(
+                new String[]{"mosip:idp:acr:id-token"}));
+        when(cacheUtilService.updateIndividualIdHashInPreAuthCache(transactionId, individualId)).thenReturn(createIdpTransaction(
+                new String[]{"mosip:idp:acr:id-token"}));
+
+        List<List<AuthenticationFactor>> allAuthFactors=new ArrayList<>();
+        allAuthFactors.add(getAuthFactors("mosip:idp:acr:id-token"));
+        when(authenticationContextClassRefUtil.getAuthFactors(new String[]{"mosip:idp:acr:id-token"})).thenReturn(allAuthFactors);
+
+        AuthRequestV2 authRequest = new AuthRequestV2();
+        authRequest.setTransactionId(transactionId);
+        authRequest.setIndividualId(individualId);
+        authRequest.setCaptchaToken("captcha-token");
+
+        List<AuthChallenge> authChallenges = new ArrayList<>();
+        AuthChallenge authChallenge = new AuthChallenge();
+        authChallenge.setAuthFactorType("IDT");
+        authChallenge.setChallenge("eyJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUo5LmV5SnpkV0lpT2lKemRXSnFaV04wSW4wLjl0MG5GMkNtVWZaeTlCYlA3cjM4bElhSlJSeTNaSk41MnBRNlpLSl9qVWMifQ==");
+        authChallenges.add(authChallenge);
+        authRequest.setChallengeList(authChallenges);
+
         Mockito.when(httpServletRequest.getCookies()).thenReturn(new Cookie[]{new Cookie("subject", "subject")});
 
         OIDCTransaction haltedTransaction = new OIDCTransaction();
@@ -1294,7 +1327,6 @@ public void authenticateV3_withIDToken_thenPass() {
         Assert.assertNotNull(authResponseV2);
     }
 
-
     @Test
     public void completeSignupRedirect_withValidTransactionId_thenPass() {
         String transactionId = "validTransactionId";