Use system token towards klage-file-api. Access is ensured by checkin…

…g token and klanke in this app.

src/main/kotlin/no/nav/klage/clients/FileClient.kt

@@ -30,7 +30,7 @@ class FileClient(
         val response = fileWebClient
             .post()
             .uri { it.path("/attachment").build() }
-            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
             .body(BodyInserters.fromMultipartData(bodyBuilder.build()))
             .retrieve()
             .bodyToMono<VedleggResponse>()
@@ -47,7 +47,7 @@ class FileClient(
         logger.debug("Fetching vedlegg file with vedlegg ref {}", vedleggRef)
         return fileWebClient.get()
             .uri { it.path("/attachment/{id}").build(vedleggRef) }
-            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
             .retrieve()
             .bodyToMono<ByteArray>()
             .block() ?: throw RuntimeException("Attachment could not be fetched")
@@ -57,7 +57,7 @@ class FileClient(
         logger.debug("Deleting vedlegg file with vedlegg ref {}", vedleggRef)
         val deletedInFileStore = fileWebClient.delete()
             .uri { it.path("/attachment/{id}").build(vedleggRef) }
-            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}")
+            .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}")
             .retrieve()
             .bodyToMono<Boolean>()
             .block()!!

src/main/kotlin/no/nav/klage/util/TokenUtil.kt

@@ -72,9 +72,8 @@ class TokenUtil(
         return response.accessToken!!
     }
 
-    fun getOnBehalfOfTokenWithKlageFileApiScope(): String {
-        val clientProperties = clientConfigurationProperties.registration["klage-file-api-onbehalfof"]!!
-        secureLogger.debug("Getting clientProperties for klage-file-api-onbehalfof: {}", clientProperties)
+    fun getAppAccessTokenWithKlageFileApiScope(): String {
+        val clientProperties = clientConfigurationProperties.registration["klage-file-api-maskintilmaskin"]!!
         val response = oAuth2AccessTokenService.getAccessToken(clientProperties)
         return response.accessToken!!
     }

src/main/resources/application.yml

@@ -92,18 +92,14 @@ no.nav.security.jwt:
           client-auth-method: private_key_jwt
         token-exchange:
           audience: ${SAFSELVBETJENING_AUDIENCE}
-      klage-file-api-onbehalfof:
-        token-endpoint-url: ${TOKEN_X_TOKEN_ENDPOINT}
-        grant_type: urn:ietf:params:oauth:grant-type:token-exchange
-        client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
-        subject_token_type: urn:ietf:params:oauth:token-type:jwt
-        audience: ${KLAGE_FILE_API_AUDIENCE}
+      klage-file-api-maskintilmaskin:
+        token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
+        grant-type: client_credentials
+        scope: api://${NAIS_CLUSTER_NAME}.${NAIS_NAMESPACE}.${KLAGE_FILE_API_APP_NAME}/.default
         authentication:
-          client-id: ${TOKEN_X_CLIENT_ID}
-          client-jwk: ${TOKEN_X_PRIVATE_JWK}
+          client-id: ${AZURE_APP_CLIENT_ID}
+          client-jwk: ${AZURE_APP_JWK}
           client-auth-method: private_key_jwt
-        token-exchange:
-          audience: ${KLAGE_FILE_API_AUDIENCE}
       klage-fss-proxy-maskintilmaskin:
         token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
         grant-type: client_credentials