Devops/tweak openid for different access url

compose_files/keycloak/realm.json

@@ -2263,7 +2263,7 @@
   },
   "users": [
     {
-      "username": "l2hectest",
+      "username": "l2hectest.1234567890",
       "enabled": true,
       "credentials": [
         {

compose_files/pki/certs/main.conf

@@ -7,3 +7,6 @@ subjectAltName = @alt_names
 DNS.1 = mike-virtual-machine
 DNS.2 = auth.test
 DNS.3 = cwms-data.test
+DNS.1 = mike-virtual-machine
+DNS.2 = auth.test
+DNS.3 = cwms-data.test

compose_files/pki/certs/main.crt

@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIID2jCCAsKgAwIBAgIUPQCM5cpWxsqeP70zLv2W97C51DMwDQYJKoZIhvcNAQEL
+MIID0DCCArigAwIBAgIUcTwoVnCdoURSpjzfy9bMqcWOGPcwDQYJKoZIhvcNAQEL
 BQAwUDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQHDAVEYXZpczEP
-MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTIzMDUwNDE3
-MjUzNloXDTM0MDcyMTE3MjUzNlowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MA0GA1UECgwGSEVDTEFCMRMwEQYDVQQDDApIRUMgTEFCIENBMB4XDTI0MDExMTIx
+NDc0MFoXDTM1MDMzMDIxNDc0MFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
 MQ4wDAYDVQQHDAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtl
 LXZpcnR1YWwtbWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AOyvH8CVTaVm6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0h
-AHFkqtEG0MYmlgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZI
-CfWHRBM+dH/Y+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL
-6ktXfw2AszdRaTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJ
-g9YlVshbopxklEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkU
-rW0uwKKGdd6DXegjzJLrNI0CAwEAAaOBoTCBnjAfBgNVHSMEGDAWgBQpAvFOgbVA
-o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DBEBgNVHREEPTA7
-ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIOYXV0aC5sb2NhbGhvc3SCE2N3bXMtZGF0
-YS5sb2NhbGhvc3QwHQYDVR0OBBYEFIPcwaJkhidzsAU3oiiMfPdV7vMSMA0GCSqG
-SIb3DQEBCwUAA4IBAQDBWiV/fJNKwGjCHloDzyWZMRZ4PHibJQhZkMHeqMxXTvhZ
-u1KQigQ70q+9IgR3DaTRKTX7pbEyShQmAyHBw6e9hj+Ojtc1aJDTV4qig3nHOGlb
-C9iDCS66gPVvvAVre6QdyF2TBrtgyj9iksrCMTB6iacLAMJVrVY/xvaYghh9fwVM
-89LrkbxwawN3tLNQA+WFSIwXi35tAu0NuxH5DAYH9RFUcQnalhv876GBP1Hujxu7
-gNr6M9QLySuAZf7I+x3El52XvN1UOighYUdrxdP0ISi4eJ4hlRIWIhrx/DD5e6dn
-KZ9Mmhh6q5nnqObugg5US6b3K6Ax5/0uvodOKZJy
+AIyO0f4NwycBqQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFz
+W1BPHamuvJigRAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqb
+lXnsi/yb+mnU9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33
+MQC8nsUqNygMVT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x
+5CeuIWY6GPnHORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1K
+cPArGdn1ezxFKAAk27lrbL0CAwEAAaOBlzCBlDAfBgNVHSMEGDAWgBQpAvFOgbVA
+o1svtQM78HA6htjj3zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DA6BgNVHREEMzAx
+ghRtaWtlLXZpcnR1YWwtbWFjaGluZYIJYXV0aC50ZXN0gg5jd21zLWRhdGEudGVz
+dDAdBgNVHQ4EFgQUjxrqi0C4iJjAOqGvDynbP9f+UQIwDQYJKoZIhvcNAQELBQAD
+ggEBAA/NqiRmH1Bvy1f5oUm8QRVP/U5OWIxAHzYUgI7cnpMuhYP8DFIKRYI/p3F1
+exz1ARp3SQxDdwLWeQf8aiWeSmAhcLofDm32aUeQZDkFHTPsO4xtYSd3QVsVa2pb
+RovEgyX8PvoBt5IsUl5FgGUwr7GxbHs2NLHwpZIExJ92PHmn4XmOWd/0uaOo5RvY
+Y1xIhVycjhm8vd12ldTqn7fFurRSuSEpHD6LB8PL5FJ2bSYu47aZJIcdnQzRxktG
+pljHQORRn8+fncWxWFNkMS2sK3Vf2F7c/wdzj6MC+I4Xg4SJVKd8T25G4BklVXmy
+HuYh6nk3sNVDKUn8BndPeLUkozQ=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDgTCCAmmgAwIBAgIUJtV2MBA9pzIs8IldHcYVQ1KQBvYwDQYJKoZIhvcNAQEL

compose_files/pki/certs/main.csr

@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ4wDAYDVQQH
 DAVEYXZpczEPMA0GA1UECgwGSEVDTEFCMR0wGwYDVQQDDBRtaWtlLXZpcnR1YWwt
-bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOyvH8CVTaVm
-6C1qoAhIKQmOQwlRr2bHuxvtvfVkrDEjZvirZrkEqNdXmQr4qK0hAHFkqtEG0MYm
-lgQJeJ4ZM9O+UnzTgleORJASqgyY9psTaXkHahnPFV9W8aP89PZICfWHRBM+dH/Y
-+4y9X/wIrIfLG09tULLNkJb7hummSYO9kTPs/luxcBIZouoSndUL6ktXfw2AszdR
-aTkU6Ge21VsgtntZfTzB1GQlyj2RPlBCNW/XlBAvbR+CWloUbUCJg9YlVshbopxk
-lEZ0aJRp95PfUBfKCFMD/PBBu0HOb6kfs1Btq1HFj8T5HFVJgjkUrW0uwKKGdd6D
-XegjzJLrNI0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBtkXU4B7BtcGBLOo6V
-zH4u5TbtAHLK66nmfzGeURaXmHTJVcQ8bceABoIoZ2OaXCiy+dVv+yD9AClfbzNZ
-5dUDxUFaNm6Dt+RRRAVAsQM26Dua8s9hx3ZDGv6VOXOyebRAVHduQLXsTbjqovWj
-M04RRwxN/6H1sIRm8lBgFAXIkc9K9qOdllrlS+i3egrjh0Nr+efS8/19Q9tpM1gW
-CY36bHnd6O9v+d1ZizhcfFr29SPfVK43EOjrljPAmctrtDCZppmnhajk3bGRNHS8
-bUPzxV/SpTiXPyEYD/uiykJdymzk6pG8K7leEZ56371Voc7fIrkyOsnaI9cdZ/oK
-7tQH
+bWFjaGluZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIyO0f4NwycB
+qQYNUBIn+j94KJN2HlUdWUtCZTIEZhvF54ET7tSYNNNnUJv67RFzW1BPHamuvJig
+RAZlCQD1O9DgaSJl9JGB1dy1QYLBjf6GOYmRg5P5BsaxERYNDpqblXnsi/yb+mnU
+9NDykCcI/exZIq76FJbw7mfsghu2M0OMpZyhA5AWxHTOZ/78vU33MQC8nsUqNygM
+VT65IdWtgVhq/jPed41LxBjue18cmLZyhi0xA65GygVqgHHSOw2x5CeuIWY6GPnH
+ORKup7PIaZDq8/UrU1OwM2eLFNWQZ0cBP0UeDzy2DL2feU+kex1KcPArGdn1ezxF
+KAAk27lrbL0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBr9QeUbXiOQ9eX6N3I
+C9qkSpNxSTz6Io1McDjpPn6PTcCx9zGQG9CLMi5U33uvT5X6i6W3VzLSUkHcVYAB
+QFKIix0PknignCImoS9bjGliKelhLmQpQTuhF2zUaGLnt4OVbIOFK+ge9wUmZEcI
+p7KoUzDuNX+rfYmiwY2BfM9uEdRY9jHXvKCuxxygpUVjgBPxEo/VgmIvlqrzrn8p
+C2s+XN+TBpMq1oOkFQpmMRpsz6CGFlq0geS6mPtxb5S0tXMJpAPZ7TH6w/sNSZbs
+MSvZmSnlfGWbTSZC7uo4BTCeb8NrwoUqVucLD2Gu3jKY45ImBGw0WToadWZABbX1
+pAi3
 -----END CERTIFICATE REQUEST-----

compose_files/pki/certs/main.key

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDsrx/AlU2lZugt
-aqAISCkJjkMJUa9mx7sb7b31ZKwxI2b4q2a5BKjXV5kK+KitIQBxZKrRBtDGJpYE
-CXieGTPTvlJ804JXjkSQEqoMmPabE2l5B2oZzxVfVvGj/PT2SAn1h0QTPnR/2PuM
-vV/8CKyHyxtPbVCyzZCW+4bppkmDvZEz7P5bsXASGaLqEp3VC+pLV38NgLM3UWk5
-FOhnttVbILZ7WX08wdRkJco9kT5QQjVv15QQL20fglpaFG1AiYPWJVbIW6KcZJRG
-dGiUafeT31AXyghTA/zwQbtBzm+pH7NQbatRxY/E+RxVSYI5FK1tLsCihnXeg13o
-I8yS6zSNAgMBAAECggEAIOqoHVYGYvMBZlOWZyB2CJyu6QxhuwcbGCLD0O2L3xef
-2gSoeCHUQ4Ksx7BWcSGOWLbZ5NEwVuaF5ZDVpBM4OIIXIcIetgOUuH7IBJF/dojI
-Get0j5tTyxsh5x8miFvzeqCx0IVWmXM5ZNTvlPM133rZVP4Mg5mAOudHV5ZnUflW
-URACRxOuf1B+2gMJblwlVmhkk9tlXPcYTW08ocEK360tWwqiLbsMNFbE8pcoK6az
-OJ/xOn7hv1jQ6H9knLC6TUJdWOKJgztFvbV87eYKWEranDt20MfSXahIqfUzE+AQ
-aQdswt01vLWv8ieZWCPRQRKbV4CK48f0hYs0LROXEQKBgQD1rXm6NzJa1YjO1kNc
-C4/A3R/hVJB7dmZ8aYah0QrgwGGTCWn49akfK+/DimhtD7/Oegfnyy7k5SEssstk
-H0GF4woEfHjQnA4VQwNrU9v5ii1Kvfab5ViARHsOK5k82BWqruhJcDcHeV7uL7Sk
-KI8Wh2BdOL0nvxhNzNPDw9ZjaQKBgQD2oOnIxHtUzD7dlaxqoOzQTwGI5yDbxa37
-hx403agwL2Vw/MjZPrv3T84RVbJWr2o8n7EItLrBxals3mXV/r0Sxs8FE/Qqv8Hx
-tSuRbc3JDmT3dZoYrgcTMMAUprSvVrOoZuE4FE+dSu4oBztsjswFVtxZm5aKbkNa
-cHPPq/43hQKBgQCWUoL88fEZqzZ+eJPWqixXcfWjxj5xjMzAq0D5mhLx2kTZ1xTE
-hGvq6tNV7kZfFRfjmr9jkOssmxZlZzEUHhvVdEoY3KB/5DypvctFzJX4Zhe4d+uB
-EB/KvBwfW4XzuLPpMARpiwPgyt7PFtmM6FRFEKhh4em7fC2+zOl2C0oOoQKBgDcY
-0cGha3ARRQYZtvAHTYBn9g7Qm72dVvX3RJ9I2ZcSL5ZjUrd91V41vPKQc4v8Gj66
-6kDop0Q81VHWCWgaRcEZGwymXYjjV/+YmsgdgLim95V0910GG9yEqpSyfXEibHZ1
-rWDq4LJiF/xnSTZCXH/g3M9D/AinA3MD5kuBwARFAoGAUBlDUu7Dv9ZI96jkhJr4
-i02mAseYDIRR7wxCH/ZdtMT9bIQwI5Fhd9+CDYK91xvuNoaUpuuoeKMam7+MgC/1
-ayRp/TqigJA5z0gm/14o+zBVydW2oyzXzL32NYWV26bCj2L0aOnL7joQCCQqhr4p
-uQqiSBRNkj0FmBd0I+wwzO0=
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCMjtH+DcMnAakG
+DVASJ/o/eCiTdh5VHVlLQmUyBGYbxeeBE+7UmDTTZ1Cb+u0Rc1tQTx2prryYoEQG
+ZQkA9TvQ4GkiZfSRgdXctUGCwY3+hjmJkYOT+QbGsREWDQ6am5V57Iv8m/pp1PTQ
+8pAnCP3sWSKu+hSW8O5n7IIbtjNDjKWcoQOQFsR0zmf+/L1N9zEAvJ7FKjcoDFU+
+uSHVrYFYav4z3neNS8QY7ntfHJi2coYtMQOuRsoFaoBx0jsNseQnriFmOhj5xzkS
+rqezyGmQ6vP1K1NTsDNnixTVkGdHAT9FHg88tgy9n3lPpHsdSnDwKxnZ9Xs8RSgA
+JNu5a2y9AgMBAAECggEAHDqt4ZaNgHbEpdbEI1VcnOUqzwzsxB7oGWWdEdnQ0Rii
+6WlhsNhd2ax5A862UKgoqX0uQa86qPOdHeSqVYMrL4T2kIZGA3g+RbywisyJUlpO
+UXsEYFJmIj8bJaDbM0F2mJ1hswr3lMxEm/dvbKuRZeez/8zxmCwM0ZnuOpcR/imD
+we6DVx2vLXdY/7eEfjcDdu77eETiXseuC4qsJufIj18O4wJmxhqLe7nK1VyLhian
+jDxVR9IqzxFUHY8OSwtZTsNG9JmPc2FOqH53y9sgucI7ZruPrfmThHQaZ1s+gwNe
+iGxf30tbzftj8DROqww1XvT+k0IHEmf7fW7EJPOlCQKBgQC/EmhPhTB8z28VCefe
+9zJBkgKijJHWKHt4DqVWRLMxRDMB0Wgjn6cilGceVHpiV+i4Iz2WdeVxDlFM9Aw8
+9wvsSlT0+tLxdXGuQ50rsncRrombPE8qOBTP63XviFqEabJNH1RxO3GUSEd1Fcf6
+tIVV0Yo/9x7TglpM4uu9hE176QKBgQC8UiIn7OhnZPvtgJfIx4mnhg6qaA4Uf/7G
+4nMsDJm3nGC/RJZCLjMgX0hIUeTzb0aqe3r0qznggTFJLgRjvVpEvyB+RUMVi/QP
+bfgBMv0RFxCpbIQuo/o8C5a+6342QlslDRfhoLcg7v89k3mrzxT3qO1Tf9GbQWgo
+KQ7cwWaptQKBgEOCCm7GHRqL47BoPo9NgWkfYGT0C3bB+NWzPwFa5oDqmqbyyLuF
+ZfTWwBQ8Pr1OV//vG4x0fStTpq/srgJAOusyXA/uKud62j56zyYoON97bkz1ovbE
+t726cIHACFMuUPvkrN4Q5ZFBdFXO60gNzepDTXhKJI8QSD1QE4BzJTk5AoGAMooI
+SJa3uCfNxGtiUKvcMW00ul66iJ3hDhbvub6X8kKxZCNP/+rOJb3sdBwmSX5vhIkm
+8kqRecKyK2WCIBJNC24PllOYMUwh75IfoJLCf7ek7RMGVk4DdeHWTt58PKuKMmNV
+KWQsQVZigW/2kzk780sOhf4jjnr7LOv35R6yIpECgYBBRSQ0OZI8/gvsqRIK56LA
+I5MimNA6KLjXOm0jImX+y68oksofOrw9HgAheL7rGY/SMOEOg+3MH6suj6CUevV/
+OG9aJlW/H/oN7v3CUG2DLndLTvMLcl0mrdcCgB04aEQveymkHTp5U/DuxpDpU69F
+tAIBuq1aPmyfMzlLqF+Zzw==
 -----END PRIVATE KEY-----

compose_files/sql/users.sql

@@ -9,6 +9,7 @@ begin
 
 
     cwms_sec.add_cwms_user('l2hectest',NULL,'SPK');
+    cwms_sec.update_edipi('l2hectest',1234567890);
     cwms_sec.add_user_to_group('l2hectest','All Users', 'SPK');
     cwms_sec.add_user_to_group('l2hectest','CWMS Users', 'SPK');
     cwms_sec.add_user_to_group('l2hectest','TS ID Creator','SPK');

cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java

@@ -21,7 +21,6 @@
 import java.util.Set;
 import java.util.TimeZone;
 import java.util.concurrent.TimeUnit;
-import java.util.logging.Level;
 
 import javax.sql.DataSource;
 
@@ -64,6 +63,9 @@ public class AuthDao extends Dao<DataApiPrincipal>{
     private static final String CHECK_API_KEY =
         "select userid from cwms_20.at_api_keys where apikey = ?";
 
+    private static final String USER_FOR_EDIPI =
+        "select userid from cwms_20.at_sec_cwms_users where edipi = ?";
+
     public static final String CREATE_API_KEY = "insert into cwms_20.at_api_keys(userid,key_name,apikey,created,expires) values(UPPER(?),?,?,?,?)";
     public static final String REMOVE_API_KEY = "delete from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) and key_name = ?";
     public static final String LIST_KEYS = "select userid,key_name,created,expires from cwms_20.at_api_keys where UPPER(userid) = UPPER(?) order by created desc";
@@ -206,6 +208,49 @@ private String checkKey(String key) throws CwmsAuthException {
         }
     }
 
+    /**
+     *
+     * @param edipi
+     * @return
+     * @throws CwmsAuthException
+     */
+    private String userForEdipi(Long edipi) throws CwmsAuthException {
+        try {
+            return dsl.connectionResult(c-> {
+                setSessionForAuthCheck(c);
+                try (PreparedStatement userForEdipi = c.prepareStatement(USER_FOR_EDIPI)) {
+                    userForEdipi.setLong(1, edipi);
+                    try (ResultSet rs = userForEdipi.executeQuery()) {
+                        if (rs.next()) {
+                            return rs.getString(1);
+                        } else {
+                            // TODO: add user to database, queue email admins to assign groups appropriately
+                            throw new CwmsAuthException("User not in database.");
+                        }
+                    }
+                }
+            });
+        } catch (DataAccessException ex) {
+            Throwable t = ex.getCause();
+            if (t instanceof CwmsAuthException) {
+                throw (CwmsAuthException)t;
+            } else {
+                throw ex;
+            }
+        }
+    }
+
+    /**
+     * Build a DataApiPrincipal from a given EDIPI value.
+     * @param edipi the Edipi value to look up.
+     * @return
+     */
+    public DataApiPrincipal getPrincipalFromEdipi(Long edipi) throws CwmsAuthException {
+        String username = userForEdipi(edipi);
+        Set<RouteRole> roles = this.getRolesForUser(username);
+        return new DataApiPrincipal(username, roles);
+    }
+
     /**
      * Retrieve roles a user has.
      * @param user

cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java

@@ -29,7 +29,7 @@
 import cwms.cda.spi.CdaAccessManager;
 import cwms.cda.ApiServlet;
 import cwms.cda.data.dao.AuthDao;
-
+import cwms.cda.data.dao.JooqDao;
 import io.javalin.core.security.RouteRole;
 import io.javalin.http.Context;
 import io.javalin.http.Handler;
@@ -52,9 +52,9 @@ public class OpenIDAccessManager extends CdaAccessManager {
     private DataSource dataSource = null;
 
 
-    public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout) {
+    public OpenIDAccessManager(String wellKnownUrl, String issuer, int realmKeyTimeout, String authUrl) {
         try {
-            config = new OpenIDConfig(new URL(wellKnownUrl));
+            config = new OpenIDConfig(new URL(wellKnownUrl), authUrl);
             jwtParser = Jwts.parserBuilder()
                         .requireIssuer(issuer)
                         .setSigningKeyResolver(new UrlResolver(config.getJwksUrl(),realmKeyTimeout))
@@ -72,14 +72,13 @@ public void manage(Handler handler, Context ctx, Set<RouteRole> routeRoles) thro
         handler.handle(ctx);
     }
 
-
-
     private DataApiPrincipal getUserFromToken(Context ctx) throws CwmsAuthException {
         try {
             Jws<Claims> token = jwtParser.parseClaimsJws(getToken(ctx));
             String username = token.getBody().get("preferred_username",String.class);
-            // TODO: get roles from JWT and DB
-            return new DataApiPrincipal(username, new HashSet<RouteRole>());
+            AuthDao dao = AuthDao.getInstance(JooqDao.getDslContext(ctx),ctx.attribute(ApiServlet.OFFICE_ID));
+            String edipi = username.substring(username.lastIndexOf(".")+1);
+            return dao.getPrincipalFromEdipi(Long.parseLong(edipi));
         } catch (JwtException ex) {
             throw new CwmsAuthException("JWT not valid",ex,HttpServletResponse.SC_UNAUTHORIZED);
         }

cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManagerProvider.java

@@ -5,6 +5,7 @@
 
 public class OpenIDAccessManagerProvider implements AccessManagerProvider {
     public static final String WELL_KNOWN_PROPERTY = "cwms.dataapi.access.openid.wellKnownUrl";
+    public static final String ALT_AUTH_URL = "cwms.dataapi.access.openid.altAuthUrl";
     public static final String ISSUER_PROPERTY = "cwms.dataapi.access.openid.issuer";
     public static final String TIMEOUT_PROPERTY = "cwms.dataapi.access.openid.timeout";
 
@@ -18,11 +19,12 @@ public CdaAccessManager create() {
         String wellKnownUrl = System.getProperty(WELL_KNOWN_PROPERTY,System.getenv(WELL_KNOWN_PROPERTY));
         String issuer = System.getProperty(ISSUER_PROPERTY,System.getenv(ISSUER_PROPERTY));
         String timeoutStr = System.getProperty(TIMEOUT_PROPERTY,System.getenv(TIMEOUT_PROPERTY));
+        String altAuthUrl = System.getProperty(ALT_AUTH_URL, System.getenv(ALT_AUTH_URL));
         int timeout = 3600; 
         if (timeoutStr != null && !timeoutStr.isEmpty()) {
             timeout = Integer.parseInt(timeoutStr);
         }
-        return new OpenIDAccessManager(wellKnownUrl,issuer,timeout);
+        return new OpenIDAccessManager(wellKnownUrl,issuer,timeout,altAuthUrl);
     }
 
 }

cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java

@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
 import java.net.URL;
 
 import com.fasterxml.jackson.databind.JsonNode;
@@ -28,7 +29,7 @@ public class OpenIDConfig {
     private Scopes scopes = new Scopes();
     private OAuthFlows flows = new OAuthFlows();
 
-    public OpenIDConfig(URL wellKnown) throws IOException {
+    public OpenIDConfig(URL wellKnown, String altAuthUrl) throws IOException {
         this.wellKnown = wellKnown;
         HttpURLConnection http = null;
         try
@@ -42,10 +43,10 @@ public OpenIDConfig(URL wellKnown) throws IOException {
                 JsonNode node = mapper.readTree(http.getInputStream());
                 jwksUrl = new URL(node.get("jwks_uri").asText());
                 issuer = node.get("issuer").asText();
-                tokenUrl = new URL(node.get("token_endpoint").asText());
-                userInfoUrl = new URL(node.get("userinfo_endpoint").asText());
-                logoutUrl = new URL(node.get("end_session_endpoint").asText());
-                authUrl = new URL(node.get("authorization_endpoint").asText());
+                tokenUrl = substituteBase(new URL(node.get("token_endpoint").asText()),altAuthUrl);
+                userInfoUrl = substituteBase(new URL(node.get("userinfo_endpoint").asText()),altAuthUrl);
+                logoutUrl = substituteBase(new URL(node.get("end_session_endpoint").asText()),altAuthUrl);
+                authUrl = substituteBase(new URL(node.get("authorization_endpoint").asText()),altAuthUrl);
                 JsonNode scopes = node.get("scopes_supported");
                 for(JsonNode scope: scopes) {
                     this.scopes.addString(scope.asText(), "");
@@ -80,6 +81,15 @@ public OpenIDConfig(URL wellKnown) throws IOException {
         }
     }
 
+    private URL substituteBase(URL endPoint, String altAuthUrl) throws MalformedURLException {
+        if (altAuthUrl == null) {
+            return endPoint;
+        }
+        String originalPath = endPoint.getPath();
+
+        return new URL(altAuthUrl+"/"+originalPath);
+    }
+
     public URL getJwksUrl() {
         return jwksUrl;
     }

docker-compose.README.md

@@ -29,11 +29,11 @@ can be verified correctly.
 
 The following users and permissions are available:
 
-| User        | Password    | Office | Permissions    |
-| ----------- | ----------- | ------ | ------------   |
-| l2hectest   | l2hectest   | SPK    | General User   |
-| l1hectest   | l1hectest   | SPL    | No permissions |
-| m5hectest   | m5hectest   | SWT    | General User   |
+| User                  | Password    | Office | Permissions    |
+| --------------------- | ----------- | ------ | ------------   |
+| l2hectest.1234567890  | l2hectest   | SPK    | General User   |
+| l1hectest             | l1hectest   | SPL    | No permissions |
+| m5hectest             | m5hectest   | SWT    | General User   |
 
 
 ## Inventory of services
@@ -47,5 +47,3 @@ The following users and permissions are available:
 |[auth](./compose_files/keycloak/Dockerfile)||8080|authentication-token service (keycloak)|
 |db_install|||connects to db and installs CWMS schema|
 |db_webuser_ permissions|||connects to db and sets permissions |
-
-