From 042254c1add1d78cde0bf90d9b6154d983dec333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98yvind=20N=2E=20Wed=C3=B8e?= Date: Tue, 8 Oct 2024 13:38:38 +0200 Subject: [PATCH 1/6] Revert "Revert "Add "nav-call-id" to client calls."" This reverts commit adb63e9e63a98e4b0c8c20cf8ee7dfd02044d86e. --- build.gradle.kts | 3 ++ .../klage/config/FileClientConfiguration.kt | 1 - .../klage/config/PdlClientConfiguration.kt | 2 - .../SafselvbetjeningClientConfiguration.kt | 2 - .../nav/klage/config/WebClientCustomizer.kt | 47 +++++++++++++++++++ 5 files changed, 50 insertions(+), 5 deletions(-) create mode 100644 src/main/kotlin/no/nav/klage/config/WebClientCustomizer.kt diff --git a/build.gradle.kts b/build.gradle.kts index 5f24d090..836d2906 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -19,6 +19,7 @@ val mockitoInlineVersion = "5.2.0" val testContainersVersion = "1.19.8" val mockkVersion = "1.13.10" val springMockkVersion = "4.0.2" +val otelVersion = "1.42.1" val githubUser: String by project val githubPassword: String by project @@ -52,6 +53,8 @@ dependencies { implementation("io.micrometer:micrometer-registry-prometheus") + implementation("io.opentelemetry:opentelemetry-api:$otelVersion") + implementation("org.projectreactor:reactor-spring:1.0.1.RELEASE") implementation("org.flywaydb:flyway-core") diff --git a/src/main/kotlin/no/nav/klage/config/FileClientConfiguration.kt b/src/main/kotlin/no/nav/klage/config/FileClientConfiguration.kt index e7e40bfa..f532087a 100644 --- a/src/main/kotlin/no/nav/klage/config/FileClientConfiguration.kt +++ b/src/main/kotlin/no/nav/klage/config/FileClientConfiguration.kt @@ -17,6 +17,5 @@ class FileClientConfiguration(private val webClientBuilder: WebClient.Builder) { fun fileWebClient(): WebClient = webClientBuilder .baseUrl(url) - .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE) .build() } 
diff --git a/src/main/kotlin/no/nav/klage/config/PdlClientConfiguration.kt b/src/main/kotlin/no/nav/klage/config/PdlClientConfiguration.kt index daea8d7c..7dce0b05 100644 --- a/src/main/kotlin/no/nav/klage/config/PdlClientConfiguration.kt +++ b/src/main/kotlin/no/nav/klage/config/PdlClientConfiguration.kt @@ -23,8 +23,6 @@ class PdlClientConfiguration(private val webClientBuilder: WebClient.Builder) { fun pdlWebClient(): WebClient { return webClientBuilder .baseUrl(pdlUrl) - .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE) - .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE) .defaultHeader("Nav-Consumer-Id", username) .defaultHeader("TEMA", "KLA") //Fra behandlingskatalogen diff --git a/src/main/kotlin/no/nav/klage/config/SafselvbetjeningClientConfiguration.kt b/src/main/kotlin/no/nav/klage/config/SafselvbetjeningClientConfiguration.kt index fb30f252..0e106051 100644 --- a/src/main/kotlin/no/nav/klage/config/SafselvbetjeningClientConfiguration.kt +++ b/src/main/kotlin/no/nav/klage/config/SafselvbetjeningClientConfiguration.kt @@ -17,7 +17,5 @@ class SafselvbetjeningClientConfiguration(private val webClientBuilder: WebClien fun safselvbetjeningWebClient(): WebClient = webClientBuilder .baseUrl(url) - .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE) - .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE) .build() } diff --git a/src/main/kotlin/no/nav/klage/config/WebClientCustomizer.kt b/src/main/kotlin/no/nav/klage/config/WebClientCustomizer.kt new file mode 100644 index 00000000..ef3c9ddc --- /dev/null +++ b/src/main/kotlin/no/nav/klage/config/WebClientCustomizer.kt 
@@ -0,0 +1,47 @@
+package no.nav.klage.config
+
+import io.opentelemetry.api.trace.Span
+import org.springframework.boot.web.reactive.function.client.WebClientCustomizer
+import org.springframework.http.HttpHeaders
+import org.springframework.http.MediaType
+import org.springframework.http.client.reactive.ReactorClientHttpConnector
+import org.springframework.stereotype.Component
+import org.springframework.web.reactive.function.client.ClientRequest
+import org.springframework.web.reactive.function.client.ExchangeFilterFunction
+import org.springframework.web.reactive.function.client.WebClient
+import reactor.core.publisher.Mono
+import reactor.netty.http.client.HttpClient
+
+/**
+ * Common configuration for all web clients.
+ */
+@Component
+class WebClientCustomizer : WebClientCustomizer {
+
+ override fun customize(webClientBuilder: WebClient.Builder) {
+ val headersWithTraceId = listOf(
+ "Nav-Call-Id",
+ "Nav-Callid",
+ "X-Correlation-ID",
+ )
+
+ webClientBuilder
+ .clientConnector(ReactorClientHttpConnector(HttpClient.newConnection()))
+ .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
+ .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE)
+ .filter(
+ ExchangeFilterFunction.ofRequestProcessor { request ->
+ val traceId = Span.current().spanContext.traceId
+ Mono.just(
+ ClientRequest.from(request)
+ .headers { headers ->
+ headersWithTraceId.forEach { headerName ->
+ headers[headerName] = traceId
+ }
+ }
+ .build()
+ )
+ }
+ )
+ }
+}
\ No newline at end of file
From 5e2e1dd7ad9bbeb84739dd7c2bc3a4c87bfeffd8 Mon Sep 17 00:00:00 2001
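Review bot: `Span.current().spanContext.traceId` in the request filter is used without checking that a span is active; with no active span the OpenTelemetry API hands back an invalid context whose trace id is all zeros, so `Nav-Call-Id`, `Nav-Callid` and `X-Correlation-ID` would carry the same constant on every such call and downstream logs and audit trails would merge unrelated requests. Guard it with `val ctx = Span.current().spanContext` and `if (!ctx.isValid) return@ofRequestProcessor Mono.just(request)`, or fall back to a freshly generated id. Separately, `.defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)` now applies to every client built from the shared builder, including the file client that posts multipart data elsewhere in this series, so it is worth confirming that upload still goes out with its own content type. A one-line comment on `HttpClient.newConnection()` stating why pooling is turned off for all clients would also help the next reader.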
From: =?UTF-8?q?=C3=98yvind=20N=2E=20Wed=C3=B8e?= Date: Tue, 8 Oct 2024 13:57:11 +0200 Subject: [PATCH 2/6] Use same token regime for file api client as the rest. Co-authored-by: Andreas Jonsson --- .../no/nav/klage/clients/AzureADClient.kt | 91 ------------------- .../kotlin/no/nav/klage/clients/FileClient.kt | 9 +- .../config/AzureADClientConfiguration.kt | 23 ----- .../kotlin/no/nav/klage/util/TokenUtil.kt | 6 ++ src/main/resources/application-dev-gcp.yml | 1 + src/main/resources/application-prod-gcp.yml | 1 + src/main/resources/application.yml | 12 +++ 7 files changed, 25 insertions(+), 118 deletions(-) delete mode 100644 src/main/kotlin/no/nav/klage/clients/AzureADClient.kt delete mode 100644 src/main/kotlin/no/nav/klage/config/AzureADClientConfiguration.kt diff --git a/src/main/kotlin/no/nav/klage/clients/AzureADClient.kt b/src/main/kotlin/no/nav/klage/clients/AzureADClient.kt deleted file mode 100644 index 005ab794..00000000 --- a/src/main/kotlin/no/nav/klage/clients/AzureADClient.kt +++ /dev/null 
@@ -1,91 +0,0 @@ -package no.nav.klage.clients - -import com.fasterxml.jackson.annotation.JsonIgnoreProperties -import no.nav.klage.domain.OidcToken -import no.nav.klage.util.getLogger -import org.springframework.beans.factory.annotation.Value -import org.springframework.stereotype.Component -import org.springframework.util.LinkedMultiValueMap -import org.springframework.web.reactive.function.client.WebClient -import org.springframework.web.reactive.function.client.bodyToMono - -@Component -class AzureADClient( - private val azureADWebClient: WebClient -) { - - companion object { - @Suppress("JAVA_CLASS_ON_COMPANION") - private val logger = getLogger(javaClass.enclosingClass) - private var cachedKlageFileApiOidcToken: OidcToken? = null - private var cachedOidcDiscovery: OidcDiscovery? = null - } - - @Value("\${AZURE_APP_CLIENT_ID}") - private lateinit var clientId: String - - @Value("\${AZURE_APP_CLIENT_SECRET}") - private lateinit var clientSecret: String - - @Value("\${AZURE_APP_WELL_KNOWN_URL}") - private lateinit var discoveryUrl: String - - @Value("\${KLAGE_FILE_API_APP_NAME}") - private lateinit var klageFileApiAppName: String - - @Value("\${NAIS_CLUSTER_NAME}") - lateinit var naisCluster: String - - @Value("\${NAIS_NAMESPACE}") - lateinit var naisNamespace: String - - private fun oidcDiscovery(): OidcDiscovery { - if (cachedOidcDiscovery == null) { - logger.debug("getting info from oidcDiscovery") - cachedOidcDiscovery = azureADWebClient.get() - .uri(discoveryUrl) - .retrieve() - .bodyToMono() - .block() - - logger.debug("Retrieved endpoint: " + cachedOidcDiscovery!!.token_endpoint) - } - - return cachedOidcDiscovery!! 
- } - - fun klageFileApiOidcToken(): String { - if (cachedKlageFileApiOidcToken.shouldBeRenewed()) { - cachedKlageFileApiOidcToken = returnUpdatedToken(getKlageFileApiScope()) - } - - return cachedKlageFileApiOidcToken!!.token - } - - private fun returnUpdatedToken(scope: String): OidcToken { - val map = LinkedMultiValueMap() - - map.add("client_id", clientId) - map.add("client_secret", clientSecret) - map.add("grant_type", "client_credentials") - map.add("scope", "api://${scope}/.default") - - logger.debug("Getting access token from OIDC for target client {}", scope) - - return azureADWebClient.post() - .uri(oidcDiscovery().token_endpoint) - .bodyValue(map) - .retrieve() - .bodyToMono() - .block()!! - } - - private fun OidcToken?.shouldBeRenewed(): Boolean = this?.hasExpired() ?: true - - private fun getKlageFileApiScope(): String = getScopeString(klageFileApiAppName) - - private fun getScopeString(appName: String): String = "${naisCluster}.${naisNamespace}.${appName}" - - @JsonIgnoreProperties(ignoreUnknown = true) - data class OidcDiscovery(val token_endpoint: String, val jwks_uri: String, val issuer: String) -} \ No newline at end of file diff --git a/src/main/kotlin/no/nav/klage/clients/FileClient.kt b/src/main/kotlin/no/nav/klage/clients/FileClient.kt index fde615e5..ead005fd 100644 --- a/src/main/kotlin/no/nav/klage/clients/FileClient.kt +++ b/src/main/kotlin/no/nav/klage/clients/FileClient.kt @@ -1,5 +1,6 @@ package no.nav.klage.clients +import no.nav.klage.util.TokenUtil import no.nav.klage.util.getLogger import org.springframework.http.HttpHeaders import org.springframework.http.client.MultipartBodyBuilder @@ -11,7 +12,7 @@ import org.springframework.web.reactive.function.client.bodyToMono @Component class FileClient( private val fileWebClient: WebClient, - private val azureADClient: AzureADClient + private val tokenUtil: TokenUtil ) { companion object { 
@@ -29,7 +30,7 @@ class FileClient( val response = fileWebClient .post() .uri { it.path("/attachment").build() } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${azureADClient.klageFileApiOidcToken()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") .body(BodyInserters.fromMultipartData(bodyBuilder.build())) .retrieve() .bodyToMono() @@ -46,7 +47,7 @@ class FileClient( logger.debug("Fetching vedlegg file with vedlegg ref {}", vedleggRef) return fileWebClient.get() .uri { it.path("/attachment/{id}").build(vedleggRef) } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${azureADClient.klageFileApiOidcToken()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") .retrieve() .bodyToMono() .block() ?: throw RuntimeException("Attachment could not be fetched") @@ -56,7 +57,7 @@ class FileClient( logger.debug("Deleting vedlegg file with vedlegg ref {}", vedleggRef) val deletedInFileStore = fileWebClient.delete() .uri { it.path("/attachment/{id}").build(vedleggRef) } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${azureADClient.klageFileApiOidcToken()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") .retrieve() .bodyToMono() .block()!! diff --git a/src/main/kotlin/no/nav/klage/config/AzureADClientConfiguration.kt b/src/main/kotlin/no/nav/klage/config/AzureADClientConfiguration.kt deleted file mode 100644 index 52b95f43..00000000 --- a/src/main/kotlin/no/nav/klage/config/AzureADClientConfiguration.kt +++ /dev/null 
@@ -1,23 +0,0 @@ -package no.nav.klage.config - -import no.nav.klage.util.getLogger -import org.springframework.context.annotation.Bean -import org.springframework.context.annotation.Configuration -import org.springframework.web.reactive.function.client.WebClient - -@Configuration -class AzureADClientConfiguration( - private val webClientBuilder: WebClient.Builder -) { - - companion object { - @Suppress("JAVA_CLASS_ON_COMPANION") - private val logger = getLogger(javaClass.enclosingClass) - } - - @Bean - fun azureADWebClient(): WebClient { - return webClientBuilder - .build() - } -} \ No newline at end of file diff --git a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt index 1c63a0ec..611e53cd 100644 --- a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt +++ b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt @@ -72,6 +72,12 @@ class TokenUtil( return response.accessToken!! } + fun getOnBehalfOfTokenWithKlageFileApiScope(): String { + val clientProperties = clientConfigurationProperties.registration["klage-file-api-onbehalfof"]!! + val response = oAuth2AccessTokenService.getAccessToken(clientProperties) + return response.accessToken!! + } + fun getSelvbetjeningExpiry(): Long? = ctxHolder.getTokenValidationContext().getClaims(oldIssuer).expirationTime?.time fun getAppAccessTokenWithKlageFSSProxyScope(): String { diff --git a/src/main/resources/application-dev-gcp.yml b/src/main/resources/application-dev-gcp.yml index 6e70385b..f8fc4a33 100644 --- a/src/main/resources/application-dev-gcp.yml +++ b/src/main/resources/application-dev-gcp.yml @@ -11,6 +11,7 @@ SAFSELVBETJENING_BASE_URL: https://safselvbetjening.dev-fss-pub.nais.io PDL_AUDIENCE: dev-fss:pdl:pdl-api PDL_SCOPE: dev-fss.pdl.pdl-api SAFSELVBETJENING_AUDIENCE: dev-fss:teamdokumenthandtering:safselvbetjening +KLAGE_FILE_API_AUDIENCE: dev-gcp:klage:klage-file-api FSS_CLUSTER: dev-fss #These are read from the environment: 
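Review bot: Both `!!` operators in the new `getOnBehalfOfTokenWithKlageFileApiScope` fail with a bare NullPointerException that names neither the missing client registration nor the empty token response, which makes a misconfigured environment hard to tell apart from a code bug. Prefer `val clientProperties = requireNotNull(clientConfigurationProperties.registration["klage-file-api-onbehalfof"]) { "Missing client registration klage-file-api-onbehalfof" }` and `return checkNotNull(response.accessToken) { "Token response had no access token" }`. The replacement function added in the PATCH 5/6 TokenUtil hunk repeats the same pattern with the `klage-file-api-maskintilmaskin` key. The surrounding class starts and ends outside this hunk.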
diff --git a/src/main/resources/application-prod-gcp.yml b/src/main/resources/application-prod-gcp.yml index 3a5a3646..7f4e4a37 100644 --- a/src/main/resources/application-prod-gcp.yml +++ b/src/main/resources/application-prod-gcp.yml @@ -16,6 +16,7 @@ SAFSELVBETJENING_BASE_URL: https://safselvbetjening.prod-fss-pub.nais.io PDL_AUDIENCE: prod-fss:pdl:pdl-api PDL_SCOPE: prod-fss.pdl.pdl-api SAFSELVBETJENING_AUDIENCE: prod-fss:teamdokumenthandtering:safselvbetjening +KLAGE_FILE_API_AUDIENCE: prod-gcp:klage:klage-file-api FSS_CLUSTER: prod-fss #These are read from the environment: diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 90b6ed91..65ed2651 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -92,6 +92,18 @@ no.nav.security.jwt: client-auth-method: private_key_jwt token-exchange: audience: ${SAFSELVBETJENING_AUDIENCE} + klage-file-api-onbehalfof: + token-endpoint-url: ${TOKEN_X_TOKEN_ENDPOINT} + grant-type: urn:ietf:params:oauth:grant-type:token-exchange + client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer + subject_token_type: urn:ietf:params:oauth:token-type:jwt + scope: api://${NAIS_CLUSTER_NAME}.${NAIS_NAMESPACE}.${KLAGE_FILE_API_APP_NAME}/.default + authentication: + client-id: ${TOKEN_X_CLIENT_ID} + client-jwk: ${TOKEN_X_PRIVATE_JWK} + client-auth-method: private_key_jwt + token-exchange: + audience: ${KLAGE_FILE_API_AUDIENCE} klage-fss-proxy-maskintilmaskin: token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token grant-type: client_credentials From d11bfa4ff1f576a91cabe679fd30239630bd2846 Mon Sep 17 00:00:00 2001 
From: Andreas Jonsson Date: Tue, 8 Oct 2024 14:24:21 +0200 Subject: [PATCH 3/6] Adjusting token creation for klage-file-api MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Øyvind N. Wedøe --- src/main/resources/application.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 65ed2651..7a6e6a9d 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -94,10 +94,10 @@ no.nav.security.jwt: audience: ${SAFSELVBETJENING_AUDIENCE} klage-file-api-onbehalfof: token-endpoint-url: ${TOKEN_X_TOKEN_ENDPOINT} - grant-type: urn:ietf:params:oauth:grant-type:token-exchange + grant_type: urn:ietf:params:oauth:grant-type:token-exchange client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer subject_token_type: urn:ietf:params:oauth:token-type:jwt - scope: api://${NAIS_CLUSTER_NAME}.${NAIS_NAMESPACE}.${KLAGE_FILE_API_APP_NAME}/.default + audience: ${KLAGE_FILE_API_AUDIENCE} authentication: client-id: ${TOKEN_X_CLIENT_ID} client-jwk: ${TOKEN_X_PRIVATE_JWK} From 0cb21eb47c2d7cc394f17369f8ae6537bf1b0803 Mon Sep 17 00:00:00 2001 From: Andreas Jonsson Date: Tue, 8 Oct 2024 14:38:52 +0200 Subject: [PATCH 4/6] Debug token x exchange. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Øyvind N. Wedøe --- src/main/kotlin/no/nav/klage/util/TokenUtil.kt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt index 611e53cd..6c03cedf 100644 --- a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt +++ b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt 
@@ -74,6 +74,7 @@ class TokenUtil( fun getOnBehalfOfTokenWithKlageFileApiScope(): String { val clientProperties = clientConfigurationProperties.registration["klage-file-api-onbehalfof"]!! + secureLogger.debug("Getting clientProperties for klage-file-api-onbehalfof: {}", clientProperties) val response = oAuth2AccessTokenService.getAccessToken(clientProperties) return response.accessToken!! } From d0a54a222cdbbc31d72a3ad0f4944226ab9e8fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98yvind=20N=2E=20Wed=C3=B8e?= Date: Wed, 9 Oct 2024 10:52:24 +0200 Subject: [PATCH 5/6] Use system token towards klage-file-api. Access is ensured by checking token and klanke in this app. --- .../kotlin/no/nav/klage/clients/FileClient.kt | 6 +++--- src/main/kotlin/no/nav/klage/util/TokenUtil.kt | 5 ++--- src/main/resources/application.yml | 16 ++++++---------- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/src/main/kotlin/no/nav/klage/clients/FileClient.kt b/src/main/kotlin/no/nav/klage/clients/FileClient.kt index ead005fd..e8762087 100644 --- a/src/main/kotlin/no/nav/klage/clients/FileClient.kt +++ b/src/main/kotlin/no/nav/klage/clients/FileClient.kt @@ -30,7 +30,7 @@ class FileClient( val response = fileWebClient .post() .uri { it.path("/attachment").build() } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}") .body(BodyInserters.fromMultipartData(bodyBuilder.build())) .retrieve() .bodyToMono() 
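Review bot: The added `secureLogger.debug(..., clientProperties)` writes the whole client registration object to the log, and for this registration application.yml sets `client-jwk: ${TOKEN_X_PRIVATE_JWK}` under `authentication`; if the object's `toString()` includes that block, the private signing key ends up in log storage, where it outlives the debugging session and is readable by anyone with log access. A secure log is still not a place for key material, so log only what identifies the lookup, e.g. `secureLogger.debug("Requesting token for registration {}", "klage-file-api-onbehalfof")`. PATCH 5/6 removes this line again, but any build deployed from this commit would have emitted it, so consider squashing the debug commit out of the series and rotating the key if it was in fact logged.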
@@ -47,7 +47,7 @@ class FileClient( logger.debug("Fetching vedlegg file with vedlegg ref {}", vedleggRef) return fileWebClient.get() .uri { it.path("/attachment/{id}").build(vedleggRef) } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}") .retrieve() .bodyToMono() .block() ?: throw RuntimeException("Attachment could not be fetched") @@ -57,7 +57,7 @@ class FileClient( logger.debug("Deleting vedlegg file with vedlegg ref {}", vedleggRef) val deletedInFileStore = fileWebClient.delete() .uri { it.path("/attachment/{id}").build(vedleggRef) } - .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getOnBehalfOfTokenWithKlageFileApiScope()}") + .header(HttpHeaders.AUTHORIZATION, "Bearer ${tokenUtil.getAppAccessTokenWithKlageFileApiScope()}") .retrieve() .bodyToMono() .block()!! diff --git a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt index 6c03cedf..7c891af8 100644 --- a/src/main/kotlin/no/nav/klage/util/TokenUtil.kt +++ b/src/main/kotlin/no/nav/klage/util/TokenUtil.kt @@ -72,9 +72,8 @@ class TokenUtil( return response.accessToken!! } - fun getOnBehalfOfTokenWithKlageFileApiScope(): String { - val clientProperties = clientConfigurationProperties.registration["klage-file-api-onbehalfof"]!! - secureLogger.debug("Getting clientProperties for klage-file-api-onbehalfof: {}", clientProperties) + fun getAppAccessTokenWithKlageFileApiScope(): String { + val clientProperties = clientConfigurationProperties.registration["klage-file-api-maskintilmaskin"]!! val response = oAuth2AccessTokenService.getAccessToken(clientProperties) return response.accessToken!! } diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 7a6e6a9d..2fa9c6b9 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml 
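Review bot: `getAppAccessTokenWithKlageFileApiScope` in the TokenUtil hunk has no comment recording that it returns a client-credentials token with no end-user identity, which means klage-file-api can no longer tell which user a `vedleggRef` belongs to and every caller of `FileClient` must have authorised the user beforehand. The commit message says this is checked in this app; keep that next to the code as KDoc, e.g. `/** App (client_credentials) token for klage-file-api; carries no end-user identity, so callers must verify the user's access to the attachment before using FileClient. */`. The authorisation checks themselves are outside these hunks, so it is not visible here whether the upload, fetch and delete paths are all covered.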
@@ -92,18 +92,14 @@ no.nav.security.jwt: client-auth-method: private_key_jwt token-exchange: audience: ${SAFSELVBETJENING_AUDIENCE} - klage-file-api-onbehalfof: - token-endpoint-url: ${TOKEN_X_TOKEN_ENDPOINT} - grant_type: urn:ietf:params:oauth:grant-type:token-exchange - client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer - subject_token_type: urn:ietf:params:oauth:token-type:jwt - audience: ${KLAGE_FILE_API_AUDIENCE} + klage-file-api-maskintilmaskin: + token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token + grant-type: client_credentials + scope: api://${NAIS_CLUSTER_NAME}.${NAIS_NAMESPACE}.${KLAGE_FILE_API_APP_NAME}/.default authentication: - client-id: ${TOKEN_X_CLIENT_ID} - client-jwk: ${TOKEN_X_PRIVATE_JWK} + client-id: ${AZURE_APP_CLIENT_ID} + client-jwk: ${AZURE_APP_JWK} client-auth-method: private_key_jwt - token-exchange: - audience: ${KLAGE_FILE_API_AUDIENCE} klage-fss-proxy-maskintilmaskin: token-endpoint-url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token grant-type: client_credentials From 678d1f0e8575e9a8dfe865136c7ad58eaabd6f40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98yvind=20N=2E=20Wed=C3=B8e?= Date: Wed, 9 Oct 2024 11:14:08 +0200 Subject: [PATCH 6/6] Unused values. --- src/main/resources/application-dev-gcp.yml | 1 - src/main/resources/application-prod-gcp.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/src/main/resources/application-dev-gcp.yml b/src/main/resources/application-dev-gcp.yml index f8fc4a33..6e70385b 100644 --- a/src/main/resources/application-dev-gcp.yml +++ b/src/main/resources/application-dev-gcp.yml @@ -11,7 +11,6 @@ SAFSELVBETJENING_BASE_URL: https://safselvbetjening.dev-fss-pub.nais.io PDL_AUDIENCE: dev-fss:pdl:pdl-api PDL_SCOPE: dev-fss.pdl.pdl-api SAFSELVBETJENING_AUDIENCE: dev-fss:teamdokumenthandtering:safselvbetjening -KLAGE_FILE_API_AUDIENCE: dev-gcp:klage:klage-file-api FSS_CLUSTER: dev-fss #These are read from the environment: 
diff --git a/src/main/resources/application-prod-gcp.yml b/src/main/resources/application-prod-gcp.yml index 7f4e4a37..3a5a3646 100644 --- a/src/main/resources/application-prod-gcp.yml +++ b/src/main/resources/application-prod-gcp.yml @@ -16,7 +16,6 @@ SAFSELVBETJENING_BASE_URL: https://safselvbetjening.prod-fss-pub.nais.io PDL_AUDIENCE: prod-fss:pdl:pdl-api PDL_SCOPE: prod-fss.pdl.pdl-api SAFSELVBETJENING_AUDIENCE: prod-fss:teamdokumenthandtering:safselvbetjening -KLAGE_FILE_API_AUDIENCE: prod-gcp:klage:klage-file-api FSS_CLUSTER: prod-fss #These are read from the environment: