Adding logic for bearer token config and allowlist

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/JwtAuthenticator.java

@@ -39,6 +39,7 @@
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
 public class JwtAuthenticator {
 
@@ -78,8 +79,8 @@ public JwtAuthenticator(SsoConfiguration cfg, SsoClient ssoClient) {
      * @param token the JWT
      * @return <code>true</code> if token valid and not expired
      */
-    public boolean isTokenValid(String token) {
-        return isTokenValid(token, null);
+    public boolean isTokenValid(String token, boolean restrictOnClientId) {
+        return isTokenValid(token, null, restrictOnClientId);
     }
 
     /**
@@ -89,13 +90,22 @@ public boolean isTokenValid(String token) {
      * @param nonce nonce
      * @return <code>true</code> if token valid, correct nonce and not expired
      */
-    public boolean isTokenValid(String token, String nonce) {
+    public boolean isTokenValid(String token, String nonce, boolean restrictOnClientId) {
         try {
             Map<String, Object> claims = validateTokenAndGetClaims(token);
             if (claims == null) {
                 return false;
             }
 
+            if (restrictOnClientId) {
+                Set<String> allowedClientIds = cfg.getAllowedClientIds();
+                String clientId = (String) claims.get("client_id");
+                if(!allowedClientIds.contains(clientId)) {
+                    log.warn("isTokenValid ['{}', '{}'] -> clientId not in allowed list for bearer tokens", token, clientId);
+                    return false;
+                }
+            }
+
             if (nonce == null) {
                 return true;
             }

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoAuthFilter.java

@@ -66,7 +66,7 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F
 
         if (token != null) {
             if (refreshToken == null){
-                boolean isValid = jwtAuthenticator.isTokenValid(token);
+                boolean isValid = jwtAuthenticator.isTokenValid(token, false);
                 if (isValid) {
                     log.info("doFilter -> found valid token in cookies, redirect to '{}'", from);
                     redirectHelper.sendRedirect(response, from);

server/plugins/pfed-sso/src/main/java/com/walmartlabs/concord/server/plugins/pfedsso/SsoHandler.java

@@ -56,14 +56,16 @@ public AuthenticationToken createToken(ServletRequest request, ServletResponse r
 
         HttpServletRequest req = WebUtils.toHttp(request);
 
-        String bearerToken = extractTokenFromRequest(req);
+        String bearerToken = cfg.getEnableBearerTokens() ? extractTokenFromRequest(req) : null;
         String token = bearerToken != null ? bearerToken : SsoCookies.getTokenCookie(req);
 
         if (token == null) {
             return null;
         }
 
-        if (!jwtAuthenticator.isTokenValid(token)) {
+        boolean restrictOnClientId = (bearerToken != null) && (!cfg.getAllowAllClientIds());
+
+        if (!jwtAuthenticator.isTokenValid(token, restrictOnClientId)) {
             return null;
         }