From 380ed9015673538a7abcec30eaa34ad43db4d644 Mon Sep 17 00:00:00 2001
From: Thomas Richner
Date: Mon, 12 Feb 2024 12:26:21 +0100
Subject: [PATCH] ARC-1269: Minor fixes
---
 .../java/com/oviva/ehealthid/relyingparty/ConfigReader.java | 6 +++++-
 .../com/oviva/ehealthid/relyingparty/ws/OpenIdEndpoint.java | 2 +-
 .../oviva/ehealthid/relyingparty/ws/OpenIdEndpointTest.java | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ConfigReader.java b/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ConfigReader.java
index 803e557..594807e 100644
--- a/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ConfigReader.java
+++ b/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ConfigReader.java
@@ -72,8 +72,12 @@ public Config read() {
 .appName(appName)
 .federationMaster(fedmaster)
 .entitySigningKey(federationSigJwksPath.getKeys().get(0).toECKey())
+
+ // safety, remove the private key as we don't need it here
 .entitySigningKeys(federationSigJwksPath.toPublicJWKSet())
- .relyingPartyEncKeys(federationEncJwksPath.toPublicJWKSet())
+
+ // _MUST NOT_ be public. We need it for decryption.
+ .relyingPartyEncKeys(federationEncJwksPath)
 .ttl(entityStatementTtl)
 .scopes(getScopes())
 .redirectUris(List.of(baseUri.resolve("/auth/callback").toString()))
diff --git a/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpoint.java b/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpoint.java
index d7af575..957ef8b 100644
--- a/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpoint.java
+++ b/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpoint.java
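Review bot: The config built here now carries the full encryption JWKSet, private parameters included, on `relyingPartyEncKeys`, while the comment `// _MUST NOT_ be public. We need it for decryption.` can be read either as "must not be exposed" or "must not be the public subset"; nothing in the hunk shows where that field is consumed, so any consumer that serialises it into the entity statement or the `/jwks.json` document would now publish the private key. I would make the comment state the contract instead: `// full set incl. private key: needed to decrypt; consumers MUST serialise only toPublicJWKSet() into published metadata`. A test that renders the published entity statement and asserts that no key in it reports `isPrivate()` would pin that guarantee rather than rely on the comment. `read()` begins and ends outside the hunk.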
@@ -35,7 +35,7 @@ public Response openIdConfiguration() {
 new OpenIdConfiguration(
 baseUri.toString(),
 baseUri.resolve("/auth").toString(),
- baseUri.resolve("/token").toString(),
+ baseUri.resolve("/auth/token").toString(),
 baseUri.resolve("/jwks.json").toString(),
 List.of("openid"),
 relyingPartyConfig.supportedResponseTypes(),
diff --git a/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpointTest.java b/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpointTest.java
index cdc9e53..c2fad88 100644
--- a/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpointTest.java
+++ b/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/ws/OpenIdEndpointTest.java
@@ -33,7 +33,7 @@ void openIdConfiguration() {
 assertEquals(BASE_URI.toString(), body.issuer());
 assertEquals(BASE_URI.resolve("/auth").toString(), body.authorizationEndpoint());
 assertEquals(BASE_URI.resolve("/jwks.json").toString(), body.jwksUri());
- assertEquals(BASE_URI.resolve("/token").toString(), body.tokenEndpoint());
+ assertEquals(BASE_URI.resolve("/auth/token").toString(), body.tokenEndpoint());
 assertEquals(List.of("ES256"), body.idTokenSigningAlgValuesSupported());
 }
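Review bot: The advertised token endpoint is now the literal `"/auth/token"` resolved against `baseUri`, and the same literal is repeated in OpenIdEndpointTest, so the test only proves the discovery document echoes the string, not that the token resource is actually mounted at that path (its route declaration is not in this diff); a drift between the two would leave clients posting to a route that does not exist. I would hoist the path into one constant shared by the metadata and the resource, e.g. `static final String TOKEN_PATH = "/auth/token";` and `baseUri.resolve(TOKEN_PATH).toString()`. Note too that `URI.resolve` with a leading slash discards any path prefix present in `baseUri`, which is only correct if the RP is always served at the root; this is pre-existing in the neighbouring `/auth` and `/jwks.json` lines. `openIdConfiguration()` and the `new OpenIdConfiguration(` call continue outside the hunk.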