changes

app/apps/addresses/views.py

@@ -81,8 +81,9 @@ def residents_by_bag_id(self, request, bag_id):
         # nummeraanduiding_id should have been retrieved, so get BRP data
         if address.nummeraanduiding_id:
             try:
+                brp_access_token = request.GET.get("brp_access_token", None)
                 brp_data, status_code = get_brp_by_nummeraanduiding_id(
-                    request, address.nummeraanduiding_id
+                    request, address.nummeraanduiding_id, brp_access_token
                 )
                 serialized_residents = ResidentsSerializer(data=brp_data)
                 serialized_residents.is_valid(raise_exception=True)

app/apps/users/auth.py

@@ -10,36 +10,40 @@
 from .auth_dev import DevelopmentAuthenticationBackend
 
 
+class InvalidTokenError(Exception):
+    pass
+
+
 class OIDCAuthenticationBackend(OIDCAuthenticationBackend):
     def validate_issuer(self, payload):
         issuer = self.get_settings("OIDC_OP_ISSUER")
         if not issuer == payload["iss"]:
-            raise Exception(
+            raise InvalidTokenError(
                 '"iss": %r does not match configured value for OIDC_OP_ISSUER: %r'
                 % (payload["iss"], issuer)
             )
 
     def validate_audience(self, payload):
-        client_id = self.get_settings("OIDC_RP_CLIENT_ID")
+        # client_id = self.get_settings("OIDC_RP_CLIENT_ID")
         trusted_audiences = self.get_settings("OIDC_TRUSTED_AUDIENCES", [])
         trusted_audiences = set(trusted_audiences)
-        trusted_audiences.add(client_id)
+        # trusted_audiences.add(client_id)
 
         audience = payload["aud"]
-        if not isinstance(audience, list):
-            audience = [audience]
         audience = set(audience)
         distrusted_audiences = audience.difference(trusted_audiences)
         if distrusted_audiences:
-            raise Exception(
+            raise InvalidTokenError(
                 '"aud" contains distrusted audiences: %r' % distrusted_audiences
             )
 
     def validate_expiry(self, payload):
         expire_time = payload["exp"]
         now = time.time()
         if now > expire_time:
-            raise Exception("Id-token is expired %r > %r" % (now, expire_time))
+            raise InvalidTokenError(
+                "Access-token is expired %r > %r" % (now, expire_time)
+            )
 
     def validate_id_token(self, payload):
         """Validate the content of the id token as required by OpenID Connect 1.0

app/config/settings.py

@@ -298,12 +298,15 @@ def filter_traces(envelope):
 OIDC_RP_SIGN_ALGO = "RS256"
 OIDC_OP_ISSUER = os.getenv(
     "OIDC_OP_ISSUER",
-    "https://login.microsoftonline.com/72fca1b1-2c2e-4376-a445-294d80196804/v2.0",
+    "https://sts.windows.net/72fca1b1-2c2e-4376-a445-294d80196804/",
 )
 
+OIDC_TRUSTED_AUDIENCES = f"api://{OIDC_RP_CLIENT_ID}"
+
 LOCAL_DEVELOPMENT_AUTHENTICATION = (
     os.getenv("LOCAL_DEVELOPMENT_AUTHENTICATION", False) == "True"
 )
+
 DATA_UPLOAD_MAX_MEMORY_SIZE = 5242880
 DATA_UPLOAD_MAX_NUMBER_FIELDS = 6000
 
@@ -357,7 +360,7 @@ def filter_traces(envelope):
 
 BRP_API_URL = "/".join(
     [
-        os.getenv("BRP_API_URL", "https://acc.bp.data.amsterdam.nl/brp"),
+        os.getenv("BRP_API_URL", "https://acc.bp.data.amsterdam.nl/entra/brp"),
         "ingeschrevenpersonen",
     ]
 )

app/utils/api_queries_brp.py

@@ -8,15 +8,15 @@
 logger = logging.getLogger(__name__)
 
 
-def get_brp_by_nummeraanduiding_id(request, nummeraanduiding_id):
+def get_brp_by_nummeraanduiding_id(request, nummeraanduiding_id, brp_access_token):
     """Returns BRP data by bag_"""
 
     queryParams = {
         "verblijfplaats__identificatiecodenummeraanduiding": f"{nummeraanduiding_id}",
         "inclusiefoverledenpersonen": "true",
         "expand": "partners,ouders,kinderen",
     }
-    return get_brp(request, queryParams)
+    return get_brp(request, queryParams, brp_access_token)
 
 
 def get_brp_by_address(request, postal_code, number, suffix, suffix_letter):
@@ -44,7 +44,7 @@ def get_brp_by_address(request, postal_code, number, suffix, suffix_letter):
 
 
 @retry(stop=stop_after_attempt(3), after=after_log(logger, logging.ERROR))
-def get_brp(request, queryParams):
+def get_brp(request, queryParams, brp_access_token):
     """Returns BRP data"""
 
     url = f"{settings.BRP_API_URL}"
@@ -54,7 +54,7 @@ def get_brp(request, queryParams):
         params=queryParams,
         timeout=30,
         headers={
-            "Authorization": request.headers.get("Authorization"),
+            "Authorization": f"Bearer {brp_access_token}",
         },
     )
     if response.status_code == 403:

app/utils/exceptions.py

@@ -1,3 +1,4 @@
+from apps.users.auth import InvalidTokenError
 from redis.exceptions import TimeoutError as RedisTimeoutError
 from rest_framework import status
 from rest_framework.response import Response
@@ -40,6 +41,11 @@ def custom_exception_handler(exc, context):
             status=status.HTTP_403_FORBIDDEN,
         )
 
+    if isinstance(exc, InvalidTokenError):
+        return Response(
+            {"message": "Unauthorized"},
+            status=status.HTTP_403_FORBIDDEN,
+        )
     if isinstance(exc, DistrictNotFoundError):
         return Response(
             {"message": "Het stadsdeel voor dit adres is niet gevonden"},