move back access token and audience retriever module from iua validator service project

access-token-provider-api/pom.xml

@@ -15,6 +15,33 @@
     <name>Access Token Provider Api</name>
     <version>1.0.0-SNAPSHOT</version>
 
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>fully.qualified.MainClass</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id> <!-- this is used for inheritance merges -->
+                        <phase>package</phase> <!-- bind to the packaging phase -->
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
 
     <dependencies>
         <dependency>
@@ -27,6 +54,15 @@
             <artifactId>sb.iua-standard-block</artifactId>
             <version>1.0.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>sb.jwt-standard-block</artifactId>
+            <version>1.0.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>app.audience-retriever</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/adapter/webservice/TokenGenerator.java

-package net.ihe.gazelle.app.accesstokenproviderapi.adapter.webservice;
-
-import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
-import net.ihe.gazelle.sb.iua.business.EncodedIUAToken;
-
-/**
- * Interface to interact with the access token generator
- */
-public interface TokenGenerator {
-
-    /**
-     * generate an access token from an access token request
-     * @param accessTokenRequest
-     * @return EncodedIUAToken
-     */
-    EncodedIUAToken generateAccessToken(AccessTokenRequest accessTokenRequest);
-
-}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/adapter/webservice/AudienceRegistry.java → access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/AudienceRegistry.java

-package net.ihe.gazelle.app.accesstokenproviderapi.adapter.webservice;
+package net.ihe.gazelle.app.accesstokenproviderapi.application;
 
 import net.ihe.gazelle.app.accesstokenproviderapi.business.Credential;
 

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/adapter/webservice/DummyAuthzServer.java → access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/DummyAuthzServer.java

-package net.ihe.gazelle.app.accesstokenproviderapi.adapter.webservice;
+package net.ihe.gazelle.app.accesstokenproviderapi.application;
 
 /**
  * For SoapUI integration need, a simplified Authorization Server (or IDP) is required.
@@ -9,10 +9,10 @@ public interface DummyAuthzServer {
      * get a dummy access token
      * @param userId
      * @param audienceId
-     * @param purposeOfUser
+     * @param purposeOfUse
      * @param resourceId
      * @return an access token
      */
-    byte[] getAccessToken(String userId, String audienceId, String purposeOfUser, String resourceId);
+    byte[] getAccessToken(String userId, String audienceId, String purposeOfUse, String resourceId);
 
 }

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/DummyAuthzServerSoapui.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
+import net.ihe.gazelle.app.accesstokenproviderapi.business.SymmetricSignature;
+import net.ihe.gazelle.app.audienceretriever.adapter.AudienceSecretRetrieverForSoapui;
+import net.ihe.gazelle.app.audienceretriever.adapter.AudienceSecretRetrieverImpl;
+import net.ihe.gazelle.modelapi.sb.business.EncodingException;
+import net.ihe.gazelle.sb.iua.business.TokenType;
+
+import java.time.Duration;
+
+public class DummyAuthzServerSoapui implements  DummyAuthzServer {
+
+    private static final String ALGORITHM = "HS256";
+    private static final String SUBJECT = "aamrein";
+    private static final String AUDIENCE = "audience";
+    private static final String ISSUER = "https://ehealthsuisse.ihe-europe.net/access-token-provider";
+    private static final TokenType TOKEN_TYPE = TokenType.JWT;
+    private static final Duration DURATION = Duration.ofHours(1);
+
+
+    @Override
+    public byte[] getAccessToken(String userId, String audienceId, String purposeOfUse, String resourceId) {
+        //todo purposeOfUse and resourceId are not yet implemented
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, userId, audienceId, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(new AudienceSecretRetrieverForSoapui());
+
+        byte[] token = null;
+        try {
+            token = tokenGenerator.generateAccessToken(accessTokenRequest).getToken();
+        } catch (EncodingException e) {
+            e.printStackTrace();
+        } catch (TokenRequestException e) {
+            e.printStackTrace();
+        } finally {
+            return token;
+        }
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/adapter/webservice/TestUserRegistry.java → access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TestUserRegistry.java

-package net.ihe.gazelle.app.accesstokenproviderapi.adapter.webservice;
+package net.ihe.gazelle.app.accesstokenproviderapi.application;
 
 import net.ihe.gazelle.app.accesstokenproviderapi.business.testuser.TestUser;
 

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TokenGenerator.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+import net.ihe.gazelle.modelapi.sb.business.EncodingException;
+import net.ihe.gazelle.sb.iua.business.EncodedIUAToken;
+import net.ihe.gazelle.sb.iua.business.TokenType;
+import net.ihe.gazelle.sb.jwtstandardblock.adapter.JJWTAdapter;
+import net.ihe.gazelle.sb.jwtstandardblock.application.JWSEncoderDecoder;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jose.JOSEHeader;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.JSONWebKey;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.KeyAlgorithm;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.SymmetricalKey;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebSignature;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebToken;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebTokenClaimSet;
+
+import javax.inject.Inject;
+import java.nio.charset.StandardCharsets;
+import java.time.Duration;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.UUID;
+
+public class TokenGenerator {
+
+    private static final String ALGORITHM = "HS256";
+    private static final String ISSUER = "https://ehealthsuisse.ihe-europe.net/access-token-provider";
+    private static final TokenType TOKEN_TYPE = TokenType.JWT;
+    private static final Duration DEFAULT_DURATION = Duration.ofMinutes(5);
+
+    private AudienceSecretRetriever audienceSecretRetriever;
+
+    @Inject
+    public void setAudienceSecretRetriever(AudienceSecretRetriever audienceSecretRetriever) {
+        this.audienceSecretRetriever = audienceSecretRetriever;
+    }
+
+    public EncodedIUAToken generateAccessToken(AccessTokenRequest accessTokenRequest) throws EncodingException, TokenRequestException {
+        if (accessTokenRequest.getSignature() == null) {
+            throw new TokenRequestException("Missing signature information");
+        }
+
+        if (accessTokenRequest.getSignature().getAlgorithm() == null || !accessTokenRequest.getSignature().getAlgorithm().equals(ALGORITHM)) {
+            throw new TokenRequestException("Unsupported Algorithm");
+        }
+
+        Duration duration = !accessTokenRequest.getValidityTime().equals(null) ? accessTokenRequest.getValidityTime() : DEFAULT_DURATION;
+
+        if (accessTokenRequest.getTokenType() == null || !accessTokenRequest.getTokenType().equals(TOKEN_TYPE)) {
+            throw new TokenRequestException("Unsupported token type");
+        }
+
+        if (accessTokenRequest.getIssuer() == null || !accessTokenRequest.getIssuer().equals(ISSUER)) {
+            throw new TokenRequestException("Unsupported issuer");
+        }
+
+        if (accessTokenRequest.getAudience() ==null || accessTokenRequest.getAudience().isEmpty()) {
+            throw new TokenRequestException("Audience is null or empty");
+        }
+
+        if (accessTokenRequest.getSubject() == null || !accessTokenRequest.getSubject().equals("aamrein")) {
+            throw new TokenRequestException("Unsupported subject");
+        }
+
+        String secret = audienceSecretRetriever.retrieveSecretForAudience(accessTokenRequest.getAudience());
+        if (secret == null || secret.isEmpty()) {
+            throw new TokenRequestException("Audience is not known");
+        }
+
+        JSONWebTokenClaimSet claimSet = new JSONWebTokenClaimSet();
+
+        claimSet.setSubject(accessTokenRequest.getSubject());
+        claimSet.setIssuer(ISSUER);
+        claimSet.setAudience(accessTokenRequest.getAudience());
+
+        ZonedDateTime now = ZonedDateTime.now(ZoneId.of("UTC"));
+        claimSet.setIssuedAt(String.valueOf(now.toEpochSecond()));
+        claimSet.setExpiration(String.valueOf(now.plus(duration).toEpochSecond()));
+
+        claimSet.setJwtId(UUID.randomUUID().toString());
+
+        JOSEHeader joseHeader = new JOSEHeader(false, null, KeyAlgorithm.HS256);
+        JSONWebKey jsonWebKey = new SymmetricalKey(secret, null, KeyAlgorithm.HS256);
+        JSONWebSignature jose = new JSONWebSignature(jsonWebKey, joseHeader);
+
+        JSONWebToken token = new JSONWebToken(UUID.randomUUID().toString(), "IUA", jose, claimSet); //Verify standard keyword
+
+        JWSEncoderDecoder jwsEncoderDecoder = new JWSEncoderDecoder(new JJWTAdapter());
+
+        EncodedIUAToken encodedIUAToken = new EncodedIUAToken(jwsEncoderDecoder.encode(token).getCompletePayload().getBytes(StandardCharsets.UTF_8));
+        encodedIUAToken.setTokenType(TokenType.JWT);
+
+        return encodedIUAToken;
+    }
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TokenRequestException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+public class TokenRequestException extends Exception {
+
+    /**
+     * Constructs a new exception with null as its detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     */
+    public TokenRequestException() {
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     */
+    public TokenRequestException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause. Note that the detail/TransactionRecordingDAO message associated with
+     * cause is not automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause   the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates that the
+     *                cause is nonexistent or unknown.
+     */
+    public TokenRequestException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     */
+    public TokenRequestException(Throwable cause) {
+        super(cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param message            the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     * @param enableSuppression  whether or not suppression is enabled or disabled
+     * @param writableStackTrace whether or not the stack trace should be writable
+     */
+    public TokenRequestException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+        super(message, cause, enableSuppression, writableStackTrace);
+    }
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/exception/UnsupportedAlgorithmException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application.exception;
+
+public class UnsupportedAlgorithmException extends Exception {
+
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/exception/UnsupportedTokenTypeException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application.exception;
+
+public class UnsupportedTokenTypeException extends Exception {
+}

access-token-provider-api/src/main/resources/getToken-soapui-project.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<con:soapui-project id="4527283c-83fc-419a-9fa3-d9c072053eac" activeEnvironment="Default" name="getToken" resourceRoot="" soapui-version="5.6.0" abortOnError="false" runType="SEQUENTIAL" xmlns:con="http://eviware.com/soapui/config"><con:settings/><con:testSuite id="a7dd34e8-2441-4bf8-b2bc-3ea43c3b0f42" name="getToken"><con:settings/><con:runType>SEQUENTIAL</con:runType><con:testCase id="f8ac5a96-e7e9-4a60-9e9c-84f80664db91" failOnError="true" failTestCaseOnErrors="true" keepSession="false" maxResults="0" name="getToken" searchProperties="true"><con:settings/><con:testStep type="groovy" name="exemple" id="c65c443d-1476-4c4a-b9e6-b63eac62939f"><con:settings/><con:config><script>import net.ihe.gazelle.app.accesstokenproviderapi.application.DummyAuthzServerSoapui
+
+def server = new DummyAuthzServerSoapui();
+def token = server.getAccessToken("aamrein", "audience", null, null);
+log.info new String(token)</script></con:config></con:testStep><con:properties/></con:testCase><con:properties/></con:testSuite><con:properties/><con:wssContainer/><con:oAuth2ProfileContainer/><con:oAuth1ProfileContainer/><con:sensitiveInformation/></con:soapui-project>
\ No newline at end of file

access-token-provider-api/src/test/java/net/ihe/gazelle/app/accesstokenproviderapi/application/AudienceSecretRetrieverTestImpl.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class AudienceSecretRetrieverTestImpl implements AudienceSecretRetriever {
+
+    private Map<String, String> registry = new HashMap<>();
+
+    public AudienceSecretRetrieverTestImpl() {
+    }
+
+    public void addAudience(String audience, String secret){
+        registry.put(audience, secret);
+    }
+
+    @Override
+    public String retrieveSecretForAudience(String audience) {
+        return registry.get(audience);
+    }
+}

access-token-provider-api/src/test/java/net/ihe/gazelle/app/accesstokenproviderapi/application/DummyAuthzServerSoapuiTest.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+class DummyAuthzServerSoapuiTest {
+
+    private static final String SUBJECT = "aamrein";
+    private static final String AUDIENCE = "audience";
+
+    @Test
+    public void test() {
+        DummyAuthzServerSoapui dummyAuthzServer = new DummyAuthzServerSoapui();
+        assertNotNull(dummyAuthzServer.getAccessToken(SUBJECT, AUDIENCE, null, null));
+    }
+
+}

access-token-provider-api/src/test/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TokenGeneratorTest.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
+import net.ihe.gazelle.app.accesstokenproviderapi.business.SymmetricSignature;
+import net.ihe.gazelle.modelapi.sb.business.EncodingException;
+import net.ihe.gazelle.sb.iua.business.EncodedIUAToken;
+import net.ihe.gazelle.sb.iua.business.TokenType;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.time.Duration;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class TokenGeneratorTest {
+
+    private static final String ALGORITHM = "HS256";
+    private static final String SUBJECT = "aamrein";
+    private static final String AUDIENCE = "audience";
+    private static final String ISSUER = "https://ehealthsuisse.ihe-europe.net/access-token-provider";
+    private static final TokenType TOKEN_TYPE = TokenType.JWT;
+    private static final Duration DURATION = Duration.ofMinutes(5);
+    private static AudienceSecretRetrieverTestImpl AUDIENCE_RETRIEVER = new AudienceSecretRetrieverTestImpl();
+
+    @BeforeEach
+    public void initAudience() {
+        AUDIENCE_RETRIEVER.addAudience(AUDIENCE, "secret");
+    }
+
+    @Test
+    public void generateAccessTokenTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        EncodedIUAToken encodedIUAToken = tokenGenerator.generateAccessToken(accessTokenRequest);
+        assertNotNull(encodedIUAToken);
+    }
+
+
+    @Test
+    public void generateAccessTokenNullSignatureTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(null, SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(null);
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenUnsupportedIssuerTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest("blabla", SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenNullIssuerTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(null, SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenUnsupportedSubjectTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, "subject", AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenNullSubjectTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, null, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenUnsupportedTokenTypeTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, AUDIENCE, DURATION, TokenType.SAML);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenNullTokenTypeTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, AUDIENCE, DURATION, null);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenUnsupportedAlgoTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature("algo", "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenNullAlgoTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, AUDIENCE, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(null, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenNullAudienceTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, null, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+    @Test
+    public void generateAccessTokenUnknownAudienceTest() throws EncodingException, TokenRequestException {
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, SUBJECT, "pouet", DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(AUDIENCE_RETRIEVER);
+
+        assertThrows(TokenRequestException.class, () -> tokenGenerator.generateAccessToken(accessTokenRequest), "Unsupported issuer");
+    }
+
+
+}

audience-retriever/pom.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <artifactId>app.access-token-provider</artifactId>
+        <groupId>net.ihe.gazelle</groupId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <groupId>net.ihe.gazelle</groupId>
+    <artifactId>app.audience-retriever</artifactId>
+    <name>Audience Retriever</name>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <dependencies>
+        <dependency>
+            <groupId>javax</groupId>
+            <artifactId>javaee-api</artifactId>
+            <version>8.0.1</version>
+        </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>framework.logger-service</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+        <!-- Preferences API -->
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>framework.preferences-model-api</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+    </dependencies>
+
+</project>

audience-retriever/src/main/java/net/ihe/gazelle/app/audienceretriever/adapter/AudienceSecretRetrieverForSoapui.java

+package net.ihe.gazelle.app.audienceretriever.adapter;
+
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.util.Properties;
+
+public class AudienceSecretRetrieverForSoapui implements AudienceSecretRetriever {
+
+    private String propertiesFile = "/opt/simulators/audience.properties";
+
+    public AudienceSecretRetrieverForSoapui() {
+    }
+
+    public AudienceSecretRetrieverForSoapui(String propertiesFile) {
+        this.propertiesFile = propertiesFile;
+    }
+
+    public static Properties readPropertiesFile(String fileName) throws IOException {
+        FileInputStream fis = null;
+        Properties prop = null;
+        try {
+            fis = new FileInputStream(fileName);
+            prop = new Properties();
+            prop.load(fis);
+        } catch(FileNotFoundException fnfe) {
+            fnfe.printStackTrace();
+        } catch(IOException ioe) {
+            ioe.printStackTrace();
+        } finally {
+            fis.close();
+        }
+        return prop;
+    }
+
+    @Override
+    public String retrieveSecretForAudience(String audience) {
+        String secret = null;
+        try {
+            Properties prop = readPropertiesFile(propertiesFile);
+            secret = prop.getProperty(audience);
+        } catch (IOException e) {
+            e.printStackTrace();
+        } finally {
+            return secret;
+        }
+    }
+}

audience-retriever/src/main/java/net/ihe/gazelle/app/audienceretriever/adapter/AudienceSecretRetrieverImpl.java

+package net.ihe.gazelle.app.audienceretriever.adapter;
+
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+import net.ihe.gazelle.framework.loggerservice.application.GazelleLogger;
+import net.ihe.gazelle.framework.loggerservice.application.GazelleLoggerFactory;
+import net.ihe.gazelle.framework.preferencesmodelapi.application.NamespaceException;
+import net.ihe.gazelle.framework.preferencesmodelapi.application.OperationalPreferencesService;
+import net.ihe.gazelle.framework.preferencesmodelapi.application.PreferenceException;
+
+import javax.inject.Inject;
+
+/**
+ * AudienceSecretRetriever implementation
+ */
+public class AudienceSecretRetrieverImpl implements AudienceSecretRetriever {
+
+    private static final GazelleLogger LOGGER = GazelleLoggerFactory.getInstance().getLogger(AudienceSecretRetrieverImpl.class);
+    private static final String AUDIENCE_JNDI_NAMESPACE = "java:app/gazelle/chiua-validator-service/operational-preferences";
+
+    @Inject
+    private OperationalPreferencesService preferencesService;
+
+    /**
+     * {@inheritDoc}
+     */
+    public AudienceSecretRetrieverImpl() {
+        //Empty constructor for injection
+    }
+
+    /**
+     * Setter for the preferencesService property.
+     *
+     * @param preferencesService value to set to the property.
+     */
+    public void setPreferencesService(OperationalPreferencesService preferencesService) {
+        this.preferencesService = preferencesService;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public String retrieveSecretForAudience(String audience) {
+        try {
+            return preferencesService.getStringValue(AUDIENCE_JNDI_NAMESPACE, audience);
+        } catch (NamespaceException e) {
+            LOGGER.warn(e, "The JNDI namespace is not configured for Audiences !");
+        } catch (PreferenceException e) {
+            LOGGER.warn(e, String.format("The Audience [%s] is not correctly defined  in namespace !", audience));
+
+        }
+        return null;
+    }
+}

audience-retriever/src/main/java/net/ihe/gazelle/app/audienceretriever/adapter/README.txt

+Put here classes from adapter layer :
+Data transformers, adapters, presenters or DAO. Abstraction of external libraries for
+application or business use.
+Web-services point, sockets, database connection and pool, GUI, file system, framework,
+external libraries.
\ No newline at end of file

audience-retriever/src/main/java/net/ihe/gazelle/app/audienceretriever/application/AudienceSecretRetriever.java

+package net.ihe.gazelle.app.audienceretriever.application;
+
+/**
+ * classe to retrieve the audience secret
+ */
+public interface AudienceSecretRetriever {
+
+    /**
+     * retrieve secret linked to an audience
+     * @param audience the audience
+     * @return the secret
+     */
+    String retrieveSecretForAudience(String audience);
+}

audience-retriever/src/main/java/net/ihe/gazelle/app/audienceretriever/application/README.txt

+Put here classes from application layer :
+Use cases. Business elements applied in an application context or scenario.
\ No newline at end of file