.gitlab-ci.yml

@@ -19,28 +19,16 @@ variables:
   P_NAME: "app.access-token-provider"
   P_APP_TYPE: "java"
   P_CODE_SRC_PATH: "."
+  P_MAVEN_IMAGE_TAG: "3.6.3"
 
 
 # Define jobs
 code:
   stage: build
   extends:
-    - .codeForJava
-  variables:
-    P_MAVEN_IMAGE_TAG: "3.6.3"
+    - .buildCodeForJava
 
 quality:
   stage: tests
   extends:
-    - .sonarqubeForJava
-  variables:
-    P_MAVEN_IMAGE_TAG: "3.6.3"
-    P_CODE_BINARIES: "target/classes/"
-    P_CODE_JACOCO_REPORT_PATH: "target/jacoco.exec"
-    P_CODE_JUNIT_REPORTS_PATH: "target/surefire-reports"
-    P_CODE_DYNAMIC_ANALYSIS: "reuseReports"
-    P_CODE_COVERAGE_PLUGIN: "jacoco"
-    P_CODE_SOURCE_ENCODING: "UTF-8"
-    P_CODE_LANGUAGE: "java"
-    P_CODE_DEVELOPER_EDITION: "true"
-
+    - .testQualityForJavaWithSonarqube
\ No newline at end of file

access-token-provider-api/pom.xml

@@ -11,8 +11,58 @@
     </parent>
 
     <groupId>net.ihe.gazelle</groupId>
-    <artifactId>lib.access-token-provider-api</artifactId>
+    <artifactId>app.access-token-provider-api</artifactId>
     <name>Access Token Provider Api</name>
     <version>1.0.0-SNAPSHOT</version>
 
-</project>
\ No newline at end of file
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>fully.qualified.MainClass</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id> <!-- this is used for inheritance merges -->
+                        <phase>package</phase> <!-- bind to the packaging phase -->
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+
+    <dependencies>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>lib.annotations</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>sb.iua-standard-block</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>sb.jwt-standard-block</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+        <dependency>
+            <groupId>net.ihe.gazelle</groupId>
+            <artifactId>app.audience-retriever</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/AudienceRegistry.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.Credential;
+
+/**
+ * Interface to interact with the audience registry where is store all known audience with their credential
+ */
+public interface AudienceRegistry {
+
+    /**
+     * Get credential's audience
+     * @param audienceId
+     * @return credential
+     */
+    Credential getAudienceCredentials(String audienceId);
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/DummyAuthzServer.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+/**
+ * For SoapUI integration need, a simplified Authorization Server (or IDP) is required.
+ */
+public interface DummyAuthzServer {
+
+    /**
+     * get a dummy access token
+     * @param userId
+     * @param audienceId
+     * @param purposeOfUse
+     * @param resourceId
+     * @return an access token
+     */
+    byte[] getAccessToken(String userId, String audienceId, String purposeOfUse, String resourceId);
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/DummyAuthzServerSoapui.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
+import net.ihe.gazelle.app.accesstokenproviderapi.business.SymmetricSignature;
+import net.ihe.gazelle.app.audienceretriever.adapter.AudienceSecretRetrieverForSoapui;
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+import net.ihe.gazelle.framework.loggerservice.application.GazelleLogger;
+import net.ihe.gazelle.framework.loggerservice.application.GazelleLoggerFactory;
+import net.ihe.gazelle.modelapi.sb.business.EncodingException;
+import net.ihe.gazelle.sb.iua.business.TokenType;
+
+import java.time.Duration;
+
+/**
+ * Dummy soapui authorization server
+ */
+public class DummyAuthzServerSoapui implements DummyAuthzServer {
+
+    private static final GazelleLogger LOGGER = GazelleLoggerFactory.getInstance().getLogger(DummyAuthzServerSoapui.class);
+
+    private static final String ALGORITHM = "HS256";
+    private static final String ISSUER = "https://ehealthsuisse.ihe-europe.net/access-token-provider";
+    private static final TokenType TOKEN_TYPE = TokenType.JWT;
+    private static final Duration DURATION = Duration.ofHours(1);
+    private AudienceSecretRetriever audienceSecretRetriever;
+
+    /**
+     * Default constructor for the class.
+     */
+    public DummyAuthzServerSoapui() {
+        //Empty
+    }
+
+    /**
+     * Constructor with the path for the class.
+     */
+    public DummyAuthzServerSoapui(String path) {
+        audienceSecretRetriever = new AudienceSecretRetrieverForSoapui(path);
+    }
+
+    /**
+     * Setter for the audienceSecretRetriever property.
+     *
+     * @param audienceSecretRetriever value to set to the property.
+     */
+    public void setAudienceSecretRetriever(AudienceSecretRetriever audienceSecretRetriever) {
+        this.audienceSecretRetriever = audienceSecretRetriever;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public byte[] getAccessToken(String userId, String audienceId, String purposeOfUse, String resourceId) {
+        //todo purposeOfUse and resourceId are not yet implemented
+
+        TokenGenerator tokenGenerator = new TokenGenerator();
+        tokenGenerator.setAudienceSecretRetriever(this.audienceSecretRetriever);
+
+        return getTokenGenerator(userId, audienceId, tokenGenerator);
+    }
+
+
+    /**
+     * get the access token
+     *
+     * @param userId     String parameter
+     * @param audienceId String parameter
+     * @return AccessTokenRequest Element
+     */
+    public AccessTokenRequest getAccessTokenRequest(String userId, String audienceId){
+        AccessTokenRequest accessTokenRequest = new AccessTokenRequest(ISSUER, userId, audienceId, DURATION, TOKEN_TYPE);
+        accessTokenRequest.setSignature(new SymmetricSignature(ALGORITHM, "secret"));
+        return accessTokenRequest;
+    }
+
+
+    /**
+     * get the generated token
+     *
+     * @param userId         String element
+     * @param audienceId     String element
+     * @param tokenGenerator TokenGenerator object
+     * @return The token as byte
+     */
+    public byte[] getTokenGenerator(String userId, String audienceId, TokenGenerator tokenGenerator){
+        byte[] token = null;
+        try {
+            token = tokenGenerator.generateAccessToken(getAccessTokenRequest(userId, audienceId)).getToken();
+        } catch (EncodingException | TokenRequestException e) {
+            LOGGER.error("Error generating Access Token", e);
+        }
+        return token;
+    }
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TestUserRegistry.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.testuser.TestUser;
+
+/**
+ * Interface to interact with the test-users’ database for authentication step and token content
+ */
+public interface TestUserRegistry {
+
+    /**
+     * @param userId
+     * @return TestUser
+     */
+    TestUser getTestUser(String userId);
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TokenGenerator.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+import net.ihe.gazelle.app.accesstokenproviderapi.business.AccessTokenRequest;
+import net.ihe.gazelle.app.audienceretriever.application.AudienceSecretRetriever;
+import net.ihe.gazelle.modelapi.sb.business.EncodingException;
+import net.ihe.gazelle.sb.iua.business.EncodedIUAToken;
+import net.ihe.gazelle.sb.iua.business.TokenType;
+import net.ihe.gazelle.sb.jwtstandardblock.adapter.JJWTAdapter;
+import net.ihe.gazelle.sb.jwtstandardblock.application.JWSEncoderDecoder;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jose.JOSEHeader;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.JSONWebKey;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.KeyAlgorithm;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwk.SymmetricalKey;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebSignature;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebToken;
+import net.ihe.gazelle.sb.jwtstandardblock.business.jwt.JSONWebTokenClaimSet;
+
+import java.nio.charset.StandardCharsets;
+import java.time.Duration;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * Class to generate the token
+ */
+public class TokenGenerator {
+
+    private static final String ALGORITHM = "HS256";
+    private static final String ISSUER = "https://ehealthsuisse.ihe-europe.net/access-token-provider";
+    private static final TokenType TOKEN_TYPE = TokenType.JWT;
+    private static final Duration DEFAULT_DURATION = Duration.ofMinutes(5);
+    private static final List<String> SUBJECTS = Arrays.asList("aamrein", "aerne");
+
+    private AudienceSecretRetriever audienceSecretRetriever;
+
+    /**
+     * Set an audience secret
+     *
+     * @param audienceSecretRetriever AudienceSecretRetriever element
+     */
+    public void setAudienceSecretRetriever(AudienceSecretRetriever audienceSecretRetriever) {
+        this.audienceSecretRetriever = audienceSecretRetriever;
+    }
+
+    /**
+     * Encode the IUA token
+     *
+     * @param accessTokenRequest AccessTokenRequest element
+     * @return The EncodedIUAToken
+     * @throws EncodingException
+     * @throws TokenRequestException
+     */
+    public EncodedIUAToken generateAccessToken(AccessTokenRequest accessTokenRequest) throws EncodingException, TokenRequestException {
+        if (accessTokenRequest.getSignature() == null) {
+            throw new TokenRequestException("Missing signature information");
+        }
+
+        if (accessTokenRequest.getSignature().getAlgorithm() == null || !accessTokenRequest.getSignature().getAlgorithm().equals(ALGORITHM)) {
+            throw new TokenRequestException("Unsupported Algorithm");
+        }
+
+        Duration duration = accessTokenRequest.getValidityTime() != null ? accessTokenRequest.getValidityTime() : DEFAULT_DURATION;
+
+        if (accessTokenRequest.getTokenType() == null || !accessTokenRequest.getTokenType().equals(TOKEN_TYPE)) {
+            throw new TokenRequestException("Unsupported token type");
+        }
+
+        if (accessTokenRequest.getIssuer() == null || !accessTokenRequest.getIssuer().equals(ISSUER)) {
+            throw new TokenRequestException("Unsupported issuer");
+        }
+
+        if (accessTokenRequest.getAudience() == null || accessTokenRequest.getAudience().isEmpty()) {
+            throw new TokenRequestException("Audience is null or empty");
+        }
+
+        if (accessTokenRequest.getSubject() == null || !SUBJECTS.contains(accessTokenRequest.getSubject())) {
+            throw new TokenRequestException("Unsupported subject");
+        }
+
+        String secret = audienceSecretRetriever.retrieveSecretForAudience(accessTokenRequest.getAudience());
+        if (secret == null || secret.isEmpty()) {
+            throw new TokenRequestException("Audience is not known");
+        }
+
+        JSONWebTokenClaimSet claimSet = new JSONWebTokenClaimSet();
+
+        claimSet.setSubject(accessTokenRequest.getSubject());
+        claimSet.setIssuer(ISSUER);
+        claimSet.setAudience(accessTokenRequest.getAudience());
+
+        ZonedDateTime now = ZonedDateTime.now(ZoneId.of("UTC"));
+        claimSet.setIssuedAt(String.valueOf(now.toEpochSecond()));
+        claimSet.setExpiration(String.valueOf(now.plus(duration).toEpochSecond()));
+
+        claimSet.setJwtId(UUID.randomUUID().toString());
+
+        JOSEHeader joseHeader = new JOSEHeader(false, null, KeyAlgorithm.HS256);
+        JSONWebKey jsonWebKey = new SymmetricalKey(secret, null, KeyAlgorithm.HS256);
+        JSONWebSignature jose = new JSONWebSignature(jsonWebKey, joseHeader);
+
+        JSONWebToken token = new JSONWebToken(UUID.randomUUID().toString(), "IUA", jose, claimSet); //Verify standard keyword
+
+        JWSEncoderDecoder jwsEncoderDecoder = new JWSEncoderDecoder(new JJWTAdapter());
+
+        EncodedIUAToken encodedIUAToken = new EncodedIUAToken(jwsEncoderDecoder.encode(token).getCompletePayload().getBytes(StandardCharsets.UTF_8));
+        encodedIUAToken.setTokenType(TokenType.JWT);
+
+        return encodedIUAToken;
+    }
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/TokenRequestException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application;
+
+/**
+ * Class to manage token request exception
+ */
+public class TokenRequestException extends Exception {
+
+    /**
+     * Constructs a new exception with null as its detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     */
+    public TokenRequestException() {
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     */
+    public TokenRequestException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause. Note that the detail/TransactionRecordingDAO message associated with
+     * cause is not automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause   the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates that the
+     *                cause is nonexistent or unknown.
+     */
+    public TokenRequestException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     */
+    public TokenRequestException(Throwable cause) {
+        super(cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param message            the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     * @param enableSuppression  whether or not suppression is enabled or disabled
+     * @param writableStackTrace whether or not the stack trace should be writable
+     */
+    public TokenRequestException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+        super(message, cause, enableSuppression, writableStackTrace);
+    }
+
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/exception/UnsupportedAlgorithmException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application.exception;
+
+/**
+ * Class to manage unsupported algorithm exception
+ */
+public class UnsupportedAlgorithmException extends Exception {
+
+    /**
+     * Constructs a new exception with null as its detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     */
+    public UnsupportedAlgorithmException() {
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     */
+    public UnsupportedAlgorithmException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause. Note that the detail/TransactionRecordingDAO message associated with
+     * cause is not automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause   the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates that the
+     *                cause is nonexistent or unknown.
+     */
+    public UnsupportedAlgorithmException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param cause the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *              that the cause is nonexistent or unknown.
+     */
+    public UnsupportedAlgorithmException(Throwable cause) {
+        super(cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param message            the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     * @param enableSuppression  whether or not suppression is enabled or disabled
+     * @param writableStackTrace whether or not the stack trace should be writable
+     */
+    public UnsupportedAlgorithmException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+        super(message, cause, enableSuppression, writableStackTrace);
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/application/exception/UnsupportedTokenTypeException.java

+package net.ihe.gazelle.app.accesstokenproviderapi.application.exception;
+
+/**
+ * Class to manage unsupported token exception
+ */
+public class UnsupportedTokenTypeException extends Exception {
+
+    /**
+     * Constructs a new exception with null as its detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     */
+    public UnsupportedTokenTypeException() {
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link Throwable#initCause(Throwable)}.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     */
+    public UnsupportedTokenTypeException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause. Note that the detail/TransactionRecordingDAO message associated with
+     * cause is not automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause   the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates that the
+     *                cause is nonexistent or unknown.
+     */
+    public UnsupportedTokenTypeException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param cause the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *              that the cause is nonexistent or unknown.
+     */
+    public UnsupportedTokenTypeException(Throwable cause) {
+        super(cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause, suppression enabled or disabled, and writable stack trace enabled or
+     * disabled.
+     *
+     * @param message            the detail message. Can be retrieved by a later call of {@link Throwable#getMessage()} method.
+     * @param cause              the cause. Can be retrieved by a lter call to {@link Throwable#getCause()}. A null value is permitted, and indicates
+     *                           that the cause is nonexistent or unknown.
+     * @param enableSuppression  whether or not suppression is enabled or disabled
+     * @param writableStackTrace whether or not the stack trace should be writable
+     */
+    public UnsupportedTokenTypeException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+        super(message, cause, enableSuppression, writableStackTrace);
+    }
+
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/AccessTokenExtension.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Extensions for the Access Token
+ */
+public class AccessTokenExtension {
+
+    private String subjectId;
+    private List<String> subjectOrganizations = new ArrayList<>();
+    private List<String> subjectOrganizationIds = new ArrayList<>();
+    private String homeCommunityId;
+    private String nationalProviderIdentifier;
+    private List<String> providerIds = new ArrayList<>();
+    private CodedValue subjectRole;
+    private CodedValue purposeOfUse;
+    private String resourceId;
+    private String onBehalfOf;
+
+    /**
+     * constructor
+     */
+    public AccessTokenExtension() {
+        // Constructor is empty because all variables are optionals.
+    }
+
+    /**
+     * get the subjectId
+     * @return subjectId
+     */
+    public String getSubjectId() {
+        return subjectId;
+    }
+
+    /**
+     * set the subjectId
+     * @param subjectId the subjectId
+     */
+    public void setSubjectId(String subjectId) {
+        this.subjectId = subjectId;
+    }
+
+    /**
+     * get subjectOrganizations list
+     * @return subjectOrganizations
+     */
+    public List<String> getSubjectOrganizations() {
+        return subjectOrganizations;
+    }
+
+    /**
+     * add a subjectOrganization in the subjectOrganizations list
+     * @param subjectOrganization a nationalProviderIdentifier
+     */
+    public void addSubjectOrganization(String subjectOrganization) {
+        this.subjectOrganizations.add(subjectOrganization);
+    }
+
+    /**
+     * remove a subjectOrganization from the subjectOrganizations list
+     * @param subjectOrganization a nationalProviderIdentifier
+     */
+    public void removeSubjectOrganization(String subjectOrganization) {
+        this.subjectOrganizations.remove(subjectOrganization);
+    }
+
+    /**
+     * get subjectOrganizationIds list
+     * @return subjectOrganizationIds
+     */
+    public List<String> getSubjectOrganizationIds() {
+        return subjectOrganizationIds;
+    }
+
+    /**
+     * add a subjectOrganizationId in the subjectOrganizationIds list
+     * @param subjectOrganizationId a subjectOrganizationId
+     */
+    public void addSubjectOrganizationId(String subjectOrganizationId) {
+        this.subjectOrganizationIds.add(subjectOrganizationId);
+    }
+
+    /**
+     * remove a subjectOrganizationId from the subjectOrganizationIds list
+     * @param subjectOrganizationId a subjectOrganizationId
+     */
+    public void removeSubjectOrganizationId(String subjectOrganizationId) {
+        this.subjectOrganizationIds.remove(subjectOrganizationId);
+    }
+
+    /**
+     * get the homeCommunityId
+     * @return homeCommunityId
+     */
+    public String getHomeCommunityId() {
+        return homeCommunityId;
+    }
+
+    /**
+     * set the homeCommunityId
+     * @param homeCommunityId the homeCommunityId
+     */
+    public void setHomeCommunityId(String homeCommunityId) {
+        this.homeCommunityId = homeCommunityId;
+    }
+
+    /**
+     * get the nationalProviderIdentifier
+     * @return nationalProviderIdentifier
+     */
+    public String getNationalProviderIdentifier() {
+        return nationalProviderIdentifier;
+    }
+
+    /**
+     * set the nationalProviderIdentifier
+     * @param nationalProviderIdentifier the nationalProviderIdentifier
+     */
+    public void setNationalProviderIdentifier(String nationalProviderIdentifier) {
+        this.nationalProviderIdentifier = nationalProviderIdentifier;
+    }
+
+    /**
+     * get providerIds list
+     * @return providerIds
+     */
+    public List<String> getProviderIds() {
+        return providerIds;
+    }
+
+    /**
+     * add a providerId in the providerIds list
+     * @param providerId a providerId
+     */
+    public void addProviderId(String providerId) {
+        this.providerIds.add(providerId);
+    }
+
+    /**
+     * remove a providerId in the providerIds list
+     * @param providerId a providerId
+     */
+    public void removeProviderId(String providerId) {
+        this.providerIds.remove(providerId);
+    }
+
+    /**
+     * get the subjectRole
+     * @return subjectRole
+     */
+    public CodedValue getSubjectRole() {
+        return subjectRole;
+    }
+
+    /**
+     * set the subjectRole
+     * @param subjectRole the subjectRole
+     */
+    public void setSubjectRole(CodedValue subjectRole) {
+        this.subjectRole = subjectRole;
+    }
+
+    /**
+     * get the purposeOfUse
+     * @return purposeOfUse
+     */
+    public CodedValue getPurposeOfUse() {
+        return purposeOfUse;
+    }
+
+    /**
+     * set the purposeOfUse
+     * @param purposeOfUse the purposeOfUse
+     */
+    public void setPurposeOfUse(CodedValue purposeOfUse) {
+        this.purposeOfUse = purposeOfUse;
+    }
+
+    /**
+     * get the resourceId
+     * @return resourceId
+     */
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    /**
+     * set the resourceId
+     * @param resourceId the resourceId
+     */
+    public void setResourceId(String resourceId) {
+        this.resourceId = resourceId;
+    }
+
+    /**
+     * get the onBehalfOf
+     * @return onBehalfOf
+     */
+    public String getOnBehalfOf() {
+        return onBehalfOf;
+    }
+
+    /**
+     * set the onBehalfOf
+     * @param onBehalfOf the onBehalfOf
+     */
+    public void setOnBehalfOf(String onBehalfOf) {
+        this.onBehalfOf = onBehalfOf;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        AccessTokenExtension that = (AccessTokenExtension) o;
+
+        if (subjectId != null ? !subjectId.equals(that.subjectId) : that.subjectId != null) return false;
+        if (subjectOrganizations != null ? !subjectOrganizations.equals(that.subjectOrganizations) : that.subjectOrganizations != null)
+            return false;
+        if (subjectOrganizationIds != null ? !subjectOrganizationIds.equals(that.subjectOrganizationIds) : that.subjectOrganizationIds != null)
+            return false;
+        if (homeCommunityId != null ? !homeCommunityId.equals(that.homeCommunityId) : that.homeCommunityId != null)
+            return false;
+        if (nationalProviderIdentifier != null ? !nationalProviderIdentifier.equals(that.nationalProviderIdentifier) : that.nationalProviderIdentifier != null)
+            return false;
+        if (providerIds != null ? !providerIds.equals(that.providerIds) : that.providerIds != null) return false;
+        if (subjectRole != null ? !subjectRole.equals(that.subjectRole) : that.subjectRole != null) return false;
+        if (purposeOfUse != null ? !purposeOfUse.equals(that.purposeOfUse) : that.purposeOfUse != null) return false;
+        if (resourceId != null ? !resourceId.equals(that.resourceId) : that.resourceId != null) return false;
+        return onBehalfOf != null ? onBehalfOf.equals(that.onBehalfOf) : that.onBehalfOf == null;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        int result = subjectId != null ? subjectId.hashCode() : 0;
+        result = 31 * result + (subjectOrganizations != null ? subjectOrganizations.hashCode() : 0);
+        result = 31 * result + (subjectOrganizationIds != null ? subjectOrganizationIds.hashCode() : 0);
+        result = 31 * result + (homeCommunityId != null ? homeCommunityId.hashCode() : 0);
+        result = 31 * result + (nationalProviderIdentifier != null ? nationalProviderIdentifier.hashCode() : 0);
+        result = 31 * result + (providerIds != null ? providerIds.hashCode() : 0);
+        result = 31 * result + (subjectRole != null ? subjectRole.hashCode() : 0);
+        result = 31 * result + (purposeOfUse != null ? purposeOfUse.hashCode() : 0);
+        result = 31 * result + (resourceId != null ? resourceId.hashCode() : 0);
+        result = 31 * result + (onBehalfOf != null ? onBehalfOf.hashCode() : 0);
+        return result;
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/AccessTokenRequest.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+import net.ihe.gazelle.sb.iua.business.TokenType;
+
+import java.time.Duration;
+
+/**
+ * The Access Token request
+ */
+public class AccessTokenRequest {
+
+    private String issuer;
+    private String subject;
+    private String audience;
+    private Duration validityTime;
+    private TokenType tokenType;
+    private Signature signature;
+    private AccessTokenExtension extension;
+
+    /**
+     * constructor
+     */
+    public AccessTokenRequest(String issuer, String subject, String audience, Duration validityTime, TokenType tokenType) {
+        this.issuer = issuer;
+        this.subject = subject;
+        this.audience = audience;
+        this.validityTime = validityTime;
+        this.tokenType = tokenType;
+    }
+
+    /**
+     * get the issuer
+     *
+     * @return issuer
+     */
+    public String getIssuer() {
+        return issuer;
+    }
+
+    /**
+     * get the subject
+     *
+     * @return subject
+     */
+    public String getSubject() {
+        return subject;
+    }
+
+    /**
+     * get the audience
+     *
+     * @return audience
+     */
+    public String getAudience() {
+        return audience;
+    }
+
+    /**
+     * get the validityTime
+     *
+     * @return validityTime
+     */
+    public Duration getValidityTime() {
+        return validityTime;
+    }
+
+    /**
+     * get the tokenType
+     *
+     * @return tokenType
+     */
+    public TokenType getTokenType() {
+        return tokenType;
+    }
+
+    /**
+     * get the signature
+     *
+     * @return signature
+     */
+    public Signature getSignature() {
+        return signature;
+    }
+
+    /**
+     * set the signature
+     *
+     * @param signature the signature
+     */
+    public void setSignature(Signature signature) {
+        this.signature = signature;
+    }
+
+    /**
+     * get the extension
+     *
+     * @return extension
+     */
+    public AccessTokenExtension getExtension() {
+        return extension;
+    }
+
+    /**
+     * set the extension
+     *
+     * @param extension the extension
+     */
+    public void setExtension(AccessTokenExtension extension) {
+        this.extension = extension;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        AccessTokenRequest that = (AccessTokenRequest) o;
+
+        if (!issuer.equals(that.issuer)) return false;
+        if (!subject.equals(that.subject)) return false;
+        if (!audience.equals(that.audience)) return false;
+        if (!validityTime.equals(that.validityTime)) return false;
+        if (tokenType != that.tokenType) return false;
+        if (signature != null ? !signature.equals(that.signature) : that.signature != null) return false;
+        return extension != null ? extension.equals(that.extension) : that.extension == null;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        int result = issuer.hashCode();
+        result = 31 * result + subject.hashCode();
+        result = 31 * result + audience.hashCode();
+        result = 31 * result + validityTime.hashCode();
+        result = 31 * result + tokenType.hashCode();
+        result = 31 * result + (signature != null ? signature.hashCode() : 0);
+        result = 31 * result + (extension != null ? extension.hashCode() : 0);
+        return result;
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/AsymmetricSignature.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+import java.util.Arrays;
+
+/**
+ * Asymmetric signature information of the access token
+ */
+public class AsymmetricSignature extends Signature {
+
+    private byte[] privateKey;
+    private String privateKeyPassword;
+
+    /**
+     * constructor
+     */
+    public AsymmetricSignature(String algorithm, byte[] privateKey, String privateKeyPassword) {
+        super(algorithm);
+        this.privateKey = privateKey.clone();
+        this.privateKeyPassword = privateKeyPassword;
+    }
+
+    /**
+     * get the privateKey
+     * @return privateKey
+     */
+    public byte[] getPrivateKey() {
+        return privateKey.clone();
+    }
+
+    /**
+     * get the privateKeyPassword
+     * @return privateKeyPassword
+     */
+    public String getPrivateKeyPassword() {
+        return privateKeyPassword;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        if (!super.equals(o)) return false;
+
+        AsymmetricSignature that = (AsymmetricSignature) o;
+
+        if (!Arrays.equals(privateKey, that.privateKey)) return false;
+        return privateKeyPassword.equals(that.privateKeyPassword);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        int result = Arrays.hashCode(privateKey);
+        result = 31 * result + privateKeyPassword.hashCode();
+        return result;
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/CodedValue.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+/**
+ * A Coded value
+ */
+public class CodedValue {
+
+    private String code;
+    private String codeSystem;
+    private String codeSystemName;
+    private String displayName;
+
+    /**
+     * constructor
+     */
+    public CodedValue(String code, String codeSystem) {
+        this.code = code;
+        this.codeSystem = codeSystem;
+    }
+
+    /**
+     * get the code
+     *
+     * @return code
+     */
+    public String getCode() {
+        return code;
+    }
+
+    /**
+     * get the codeSystem
+     *
+     * @return codeSystem
+     */
+    public String getCodeSystem() {
+        return codeSystem;
+    }
+
+    /**
+     * get the codeSystemName
+     *
+     * @return codeSystemName
+     */
+    public String getCodeSystemName() {
+        return codeSystemName;
+    }
+
+    /**
+     * set the codeSystemName
+     *
+     * @param codeSystemName the codeSystemName
+     */
+    public void setCodeSystemName(String codeSystemName) {
+        this.codeSystemName = codeSystemName;
+    }
+
+    /**
+     * get the displayName
+     *
+     * @return displayName
+     */
+    public String getDisplayName() {
+        return displayName;
+    }
+
+    /**
+     * set the displayName
+     *
+     * @param displayName the displayName
+     */
+    public void setDisplayName(String displayName) {
+        this.displayName = displayName;
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/Credential.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+/**
+ * Credential for an audience
+ */
+public interface Credential {
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/Password.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+import java.util.Arrays;
+
+/**
+ * A password
+ */
+public class Password implements Credential {
+
+    private byte[] value;
+
+    /**
+     * constructor
+     */
+    public Password(byte[] value) {
+        this.value = value.clone();
+    }
+
+    /**
+     * get the value
+     * @return value
+     */
+    public byte[] getValue() {
+        return value.clone();
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        Password password = (Password) o;
+
+        return Arrays.equals(value, password.value);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        return Arrays.hashCode(value);
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/PublicKey.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+import java.util.Arrays;
+
+/**
+ * A public key
+ */
+public class PublicKey implements Credential {
+    private byte[] key;
+
+    /**
+     * constructor
+     */
+    public PublicKey(byte[] key) {
+        this.key = key.clone();
+    }
+
+    /**
+     * get the key
+     * @return key
+     */
+    public byte[] getKey() {
+        return key.clone();
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        PublicKey publicKey = (PublicKey) o;
+
+        return Arrays.equals(key, publicKey.key);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        return Arrays.hashCode(key);
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/Signature.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+
+/**
+ * Signature information of the access token
+ */
+public abstract class Signature {
+
+    private String algorithm;
+
+    /**
+     * constructor
+     */
+    public Signature(String algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    /**
+     * get the algorithm
+     * @return algorithm
+     */
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        Signature signature = (Signature) o;
+
+        return algorithm.equals(signature.algorithm);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        return algorithm.hashCode();
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/SymmetricSignature.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business;
+
+/**
+ * Symmetric signature information of the access token
+ */
+public class SymmetricSignature extends Signature {
+
+    private String secret;
+
+    /**
+     * constructor
+     */
+    public SymmetricSignature(String algorithm, String secret) {
+        super(algorithm);
+        this.secret = secret;
+    }
+
+    /**
+     * get the secret
+     * @return secret
+     */
+    public String getSecret() {
+        return secret;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        if (!super.equals(o)) return false;
+
+        SymmetricSignature that = (SymmetricSignature) o;
+
+        return secret.equals(that.secret);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        return secret.hashCode();
+    }
+}

access-token-provider-api/src/main/java/net/ihe/gazelle/app/accesstokenproviderapi/business/testuser/TestUser.java

+package net.ihe.gazelle.app.accesstokenproviderapi.business.testuser;
+
+import java.util.*;
+
+/**
+ * Test user used for authentication and token content
+ */
+public class TestUser {
+
+    private String userId;
+    private List<String> givenNames = new ArrayList<>();
+    private String lastName;
+    private Date birthDate;
+    private String gender;
+    private Map<String, String> extensions = new HashMap<>();
+
+    /**
+     * Constructor
+     */
+    public TestUser(String userId, List<String> givenNames, String lastName) {
+        this.userId = userId;
+        this.givenNames = givenNames;
+        this.lastName = lastName;
+    }
+
+    /**
+     * get the userId
+     * @return userId
+     */
+    public String getUserId() {
+        return userId;
+    }
+
+    /**
+     * get the givenNames
+     * @return givenNames
+     */
+    public List<String> getGivenNames() {
+        return givenNames;
+    }
+
+    /**
+     * get the lastName
+     * @return lastName
+     */
+    public String getLastName() {
+        return lastName;
+    }
+
+    /**
+     * get the birthDate
+     * @return birthDate
+     */
+    public Date getBirthDate() {
+        return (Date) birthDate.clone();
+    }
+
+    /**
+     * set the birthDate
+     *
+     * @param birthDate the birthDate
+     */
+    public void setBirthDate(Date birthDate) {
+        this.birthDate = (Date) birthDate.clone();
+    }
+
+    /**
+     * get the gender
+     * @return gender
+     */
+    public String getGender() {
+        return gender;
+    }
+
+    /**
+     * set the gender
+     *
+     * @param gender the gender
+     */
+    public void setGender(String gender) {
+        this.gender = gender;
+    }
+
+    /**
+     * get the extensions
+     * @return extensions
+     */
+    public Map<String, String> getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * add an extension in the extensions map
+     * @param key key of the extension
+     * @param value value of the extension
+     */
+    public void addExtension(String key, String value) {
+        extensions.put(key, value);
+    }
+
+    /**
+     * remove an extension in the extensions map
+     * @param key key of the extension
+     */
+    public void removeExtension(String key) {
+        extensions.remove(key);
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+
+        TestUser testUser = (TestUser) o;
+
+        if (!userId.equals(testUser.userId)) return false;
+        if (!givenNames.equals(testUser.givenNames)) return false;
+        if (!lastName.equals(testUser.lastName)) return false;
+        if (birthDate != null ? !birthDate.equals(testUser.birthDate) : testUser.birthDate != null) return false;
+        if (gender != null ? !gender.equals(testUser.gender) : testUser.gender != null) return false;
+        return extensions != null ? extensions.equals(testUser.extensions) : testUser.extensions == null;
+    }
+
+    @Override
+    /**
+     * {@inheritDoc}
+     */
+    public int hashCode() {
+        int result = userId.hashCode();
+        result = 31 * result + givenNames.hashCode();
+        result = 31 * result + lastName.hashCode();
+        result = 31 * result + (birthDate != null ? birthDate.hashCode() : 0);
+        result = 31 * result + (gender != null ? gender.hashCode() : 0);
+        result = 31 * result + (extensions != null ? extensions.hashCode() : 0);
+        return result;
+    }
+}