ProgrammeVitam · Regzox · Dec 5, 2025 · Jan 5, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/api/api-iam/iam-client/pom.xml b/api/api-iam/iam-client/pom.xml
@@ -14,14 +14,11 @@
     </parent>
 
     <properties>
-        <!-- make iam-client on jdk 17 temporarily -->
-        <!-- current Cas version use an incompatible Spring boot version 2.7.18 with java 21,
-        that's why we keep CAS in JAVA 17, and all dependencies as iam-client and commons that are compiled in Java 21 with target java 17-->
         <java.version>21</java.version>
-        <java.release>17</java.release>
+        <java.release>21</java.release>
         <maven.compiler.source>21</maven.compiler.source>
-        <maven.compiler.target>17</maven.compiler.target>
-        <maven.compiler.release>17</maven.compiler.release>
+        <maven.compiler.target>21</maven.compiler.target>
+        <maven.compiler.release>21</maven.compiler.release>
     </properties>
 
     <build>

diff --git a/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java b/api/api-iam/iam-client/src/main/java/fr/gouv/vitamui/iam/openapiclient/IamApiClient.java
@@ -29,16 +29,22 @@
 
 import fr.gouv.vitamui.commons.api.CommonConstants;
 import fr.gouv.vitamui.commons.rest.client.HttpContext;
+import fr.gouv.vitamui.commons.rest.client.HttpContextHolder;
 import fr.gouv.vitamui.iam.openapiclient.invoker.ApiClient;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpHeaders;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestTemplate;
 
-import java.util.Collections;
+import java.util.Arrays;
+import java.util.Optional;
+import java.util.function.Supplier;
 
+@Slf4j
 public class IamApiClient extends ApiClient {
 
     public IamApiClient(RestTemplate restTemplate) {
@@ -52,48 +58,85 @@ protected void updateParamsForAuth(
         HttpHeaders headerParams,
         MultiValueMap<String, String> cookieParams
     ) {
-        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication != null) {
-            final HttpContext context;
-            if (authentication instanceof PreAuthenticatedAuthenticationToken) {
-                // Needed for the initial call to usersApi.getMe() during authentication
-                context = (HttpContext) authentication.getPrincipal();
-            } else {
-                // The other calls get normal authentication credentials
-                context = (HttpContext) authentication.getCredentials();
-            }
-            updateParamsForAuth(headerParams, context);
-        }
+        resolveContext()
+            .ifPresentOrElse(
+                context -> {
+                    applyHeaders(context, headerParams);
+                    log.debug("IAM headers applied. Context={}", context);
+                },
+                () -> log.warn("No HttpContext available for authNames={}", Arrays.toString(authNames))
+            );
     }
 
-    private void updateParamsForAuth(HttpHeaders headerParams, HttpContext context) {
-        final Integer tenantIdentifier = context.getTenantIdentifier();
-        final String userToken = context.getUserToken();
-        final String applicationId = context.getApplicationId();
-        final String identity = context.getIdentity();
-        final String requestId = context.getRequestId();
-        final String accessContractId = context.getAccessContract();
-        headerParams.set(CommonConstants.X_ORIGIN_HEADER_NAME, CommonConstants.X_ORIGIN_HEADER_INTERNAL);
-        if (tenantIdentifier != null) {
-            headerParams.put(
-                CommonConstants.X_TENANT_ID_HEADER,
-                Collections.singletonList(String.valueOf(tenantIdentifier))
-            );
-        }
-        if (userToken != null) {
-            headerParams.put(CommonConstants.X_USER_TOKEN_HEADER, Collections.singletonList(userToken));
-        }
-        if (applicationId != null) {
-            headerParams.put(CommonConstants.X_APPLICATION_ID_HEADER, Collections.singletonList(applicationId));
+    private Optional<HttpContext> resolveContext() {
+        return resolveFromHolder().or(this::resolveFromSecurityContext);
+    }
+
+    /**
+     * First priority: context manually set in HttpContextHolder.
+     */
+    private Optional<HttpContext> resolveFromHolder() {
+        return HttpContextHolder.get();
+    }
+
+    /**
+     * Fallback: try to resolve HttpContext from Spring Security.
+     */
+    private Optional<HttpContext> resolveFromSecurityContext() {
+        Authentication authentication = Optional.ofNullable(SecurityContextHolder.getContext())
+            .map(SecurityContext::getAuthentication)
+            .orElse(null);
+
+        if (authentication == null) {
+            return Optional.empty();
         }
-        if (identity != null) {
-            headerParams.put(CommonConstants.X_IDENTITY_HEADER, Collections.singletonList(identity));
+
+        // Special case: initial usersApi.getMe() call during authentication
+        if (
+            authentication instanceof PreAuthenticatedAuthenticationToken &&
+            authentication.getPrincipal() instanceof HttpContext context
+        ) {
+            return Optional.of(context);
         }
-        if (requestId != null) {
-            headerParams.put(CommonConstants.X_REQUEST_ID_HEADER, Collections.singletonList(requestId));
+
+        // Standard case: HttpContext stored in credentials
+        if (authentication.getCredentials() instanceof HttpContext context) {
+            return Optional.of(context);
         }
-        if (accessContractId != null) {
-            headerParams.put(CommonConstants.X_ACCESS_CONTRACT_ID_HEADER, Collections.singletonList(accessContractId));
+
+        return Optional.empty();
+    }
+
+    /**
+     * Apply IAM-related headers based on the resolved HttpContext.
+     */
+    private void applyHeaders(HttpContext context, HttpHeaders headers) {
+        headers.set(CommonConstants.X_ORIGIN_HEADER_NAME, CommonConstants.X_ORIGIN_HEADER_INTERNAL);
+
+        putIfNotNull(
+            headers,
+            CommonConstants.X_TENANT_ID_HEADER,
+            () -> Optional.ofNullable(context.getTenantIdentifier()).map(String::valueOf).orElse(null)
+        );
+
+        putIfNotNull(headers, CommonConstants.X_USER_TOKEN_HEADER, context::getUserToken);
+
+        putIfNotNull(headers, CommonConstants.X_APPLICATION_ID_HEADER, context::getApplicationId);
+
+        putIfNotNull(headers, CommonConstants.X_IDENTITY_HEADER, context::getIdentity);
+
+        putIfNotNull(headers, CommonConstants.X_REQUEST_ID_HEADER, context::getRequestId);
+
+        putIfNotNull(headers, CommonConstants.X_ACCESS_CONTRACT_ID_HEADER, context::getAccessContract);
+    }
+
+    /**
+     * Add header only if the supplied value is not null.
+     */
+    private void putIfNotNull(HttpHeaders headers, String headerName, Supplier<String> valueSupplier) {
+        String value = valueSupplier.get();
+        if (value != null) {
+            headers.set(headerName, value);
         }
     }
 }
diff --git a/api/api-iam/iam-client/src/main/resources/swagger.yaml b/api/api-iam/iam-client/src/main/resources/swagger.yaml
@@ -2526,7 +2526,7 @@ paths:
                     content:
                         '*/*':
                             schema:
-                                $ref: "#/components/schemas/UserDto"
+                                $ref: "#/components/schemas/AuthUserDto"
                             example: null
     /iam/v1/cas/subrogations:
         get:

diff --git a/...api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java b/...api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/dto/IdentityProviderDto.java
@@ -1,38 +1,28 @@
-/**
- * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2019-2020)
- * and the signatories of the "VITAM - Accord du Contributeur" agreement.
+/*
+ * Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2022)
  *
- * contact@programmevitam.fr
+ * contact.vitam@culture.gouv.fr
  *
- * This software is a computer program whose purpose is to implement
- * implement a digital archiving front-office system for the secure and
- * efficient high volumetry VITAM solution.
+ * This software is a computer program whose purpose is to implement a digital archiving back-office system managing
+ * high volumetry securely and efficiently.
  *
- * This software is governed by the CeCILL-C license under French law and
- * abiding by the rules of distribution of free software.  You can  use,
- * modify and/ or redistribute the software under the terms of the CeCILL-C
- * license as circulated by CEA, CNRS and INRIA at the following URL
- * "http://www.cecill.info".
+ * This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
+ * software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
+ * circulated by CEA, CNRS and INRIA at the following URL "https://cecill.info".
  *
- * As a counterpart to the access to the source code and  rights to copy,
- * modify and redistribute granted by the license, users are provided only
- * with a limited warranty  and the software's author,  the holder of the
- * economic rights,  and the successive licensors  have only  limited
- * liability.
+ * As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
+ * users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
+ * successive licensors have only limited liability.
  *
- * In this respect, the user's attention is drawn to the risks associated
- * with loading,  using,  modifying and/or developing or reproducing the
- * software by the user in light of its specific status of free software,
- * that may mean  that it is complicated to manipulate,  and  that  also
- * therefore means  that it is reserved for developers  and  experienced
- * professionals having in-depth computer knowledge. Users are therefore
- * encouraged to load and test the software's suitability as regards their
- * requirements in conditions enabling the security of their systems and/or
- * data to be ensured and,  more generally, to use and operate it in the
- * same conditions as regards security.
+ * In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
+ * developing or reproducing the software by the user in light of its specific status of free software, that may mean
+ * that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
+ * experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
+ * software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
+ * to be ensured and, more generally, to use and operate it in the same conditions as regards security.
  *
- * The fact that you are presently reading this means that you have had
- * knowledge of the CeCILL-C license and that you accept its terms.
+ * The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
+ * accept its terms.
  */
 package fr.gouv.vitamui.iam.common.dto;
 

diff --git a/...-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomOidcOpMetadataResolver.java b/...-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomOidcOpMetadataResolver.java
@@ -0,0 +1,18 @@
+package fr.gouv.vitamui.iam.common.utils;
+
+import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.metadata.OidcOpMetadataResolver;
+import org.pac4j.oidc.profile.creator.TokenValidator;
+
+/** Custom OIDC metadata resolver. */
+public class CustomOidcOpMetadataResolver extends OidcOpMetadataResolver {
+
+    public CustomOidcOpMetadataResolver(final OidcConfiguration configuration) {
+        super(configuration);
+    }
+
+    @Override
+    protected TokenValidator createTokenValidator() {
+        return new CustomTokenValidator(configuration, this.loaded);
+    }
+}
diff --git a/...-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java b/...-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidator.java
@@ -42,6 +42,7 @@
 import com.nimbusds.jwt.proc.BadJWTException;
 import com.nimbusds.openid.connect.sdk.Nonce;
 import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import org.pac4j.oidc.config.OidcConfiguration;
 import org.pac4j.oidc.profile.creator.TokenValidator;
 
@@ -57,8 +58,11 @@ public class CustomTokenValidator extends TokenValidator {
 
     private static final List<String> AGENTCONNECT_ACR_VALUES = Arrays.asList("eidas1", "eidas2", "eidas3");
 
-    public CustomTokenValidator(final OidcConfiguration configuration) {
-        super(configuration);
+    private final OidcConfiguration configuration;
+
+    public CustomTokenValidator(final OidcConfiguration configuration, final OIDCProviderMetadata metadata) {
+        super(configuration, metadata);
+        this.configuration = configuration;
     }
 
     public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce)

diff --git a/...am/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java b/...am/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java
@@ -102,6 +102,22 @@ public Optional<IdentityProviderDto> findByUserIdentifierAndCustomerId(
             .findFirst();
     }
 
+    public Optional<IdentityProviderDto> findAutoProvisioningProviderByEmail(
+        final List<IdentityProviderDto> providers,
+        final String email
+    ) {
+        for (final IdentityProviderDto provider : providers) {
+            if (provider.isAutoProvisioningEnabled()) {
+                for (final String pattern : provider.getPatterns()) {
+                    if (Pattern.compile(pattern, Pattern.CASE_INSENSITIVE).matcher(email).matches()) {
+                        return Optional.of(provider);
+                    }
+                }
+            }
+        }
+        return Optional.empty();
+    }
+
     public boolean identifierMatchProviderPattern(
         final List<IdentityProviderDto> providers,
         final String userEmail,

diff --git a/...pi-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java b/...pi-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java
@@ -45,6 +45,7 @@
 import jakarta.validation.constraints.NotNull;
 import lombok.Getter;
 import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.pac4j.core.client.IndirectClient;
@@ -53,26 +54,19 @@
 import org.pac4j.oidc.config.OidcConfiguration;
 import org.pac4j.saml.client.SAML2Client;
 import org.pac4j.saml.config.SAML2Configuration;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ByteArrayResource;
 
 import java.util.Base64;
 import java.util.Map;
 import java.util.Optional;
 
-/**
- * A pac4j client builder.
- *
- *
- */
+/** A pac4j client builder. */
 @Getter
 @Setter
+@Slf4j
 public class Pac4jClientBuilder {
 
-    private static final Logger LOGGER = LoggerFactory.getLogger(Pac4jClientBuilder.class);
-
     @Value("${login.url}")
     @NotNull
     private String casLoginUrl;
@@ -153,13 +147,14 @@ public Optional<IndirectClient> buildClient(final IdentityProviderDto provider)
                     oidcConfiguration.setUseNonce(useNonce != null ? useNonce : true);
                     final Boolean usePkce = provider.getUsePkce();
                     oidcConfiguration.setDisablePkce(usePkce != null ? !usePkce : true);
-                    oidcConfiguration.setStateGenerator((context, store) -> new Nonce().toString());
-                    oidcConfiguration.setTokenValidator(new CustomTokenValidator(oidcConfiguration));
+                    oidcConfiguration.setStateGenerator(ctx -> new Nonce().toString());
+                    oidcConfiguration.setOpMetadataResolver(new CustomOidcOpMetadataResolver(oidcConfiguration));
 
                     final OidcClient oidcClient = new OidcClient(oidcConfiguration);
                     setCallbackUrl(oidcClient, technicalName);
 
                     oidcClient.init();
+                    oidcClient.getConfiguration().getOpMetadataResolver().load();
                     return Optional.of(oidcClient);
                 }
             }
@@ -172,7 +167,7 @@ public Optional<IndirectClient> buildClient(final IdentityProviderDto provider)
             } else if (message.equals("Error parsing idp Metadata")) {
                 throw new InvalidFormatException(message, ErrorsConstants.ERRORS_VALID_IDP_METADATA);
             }
-            LOGGER.error("Cannot build pac4j client with provider identifier: " + provider.getIdentifier(), e);
+            log.error("Cannot build pac4j client with provider identifier: " + provider.getIdentifier(), e);
         }
         return Optional.empty();
     }