Replace policies endpoint with hardcoded policies, fix sandbox OAuth flow

antspriggs · claude · antspriggs · commit 177ccdb1972d · 2026-05-06T13:26:43.000-04:00
- Remove broken /api/public/v3/policies endpoint; replace with hardcoded
  Login, NIST AAL2/IAL2, and Military policies in AuthViewModel
- Add LOGIN and NIST_AAL2_IAL2 scopes to IDmeScope enum
- Read sandbox client ID and client_secret from local.properties via
  BuildConfig fields injected in demo/build.gradle.kts
- Include client_secret in token exchange body (ID.me sandbox requires it
  even for PKCE flows — only client_secret_post/basic auth methods supported)
- Include scope in token exchange request body
- Fix HTTP POST body writing to use explicit byte array + Content-Length header
- Remove deprecated policies() method from IDmeAuth and APIEndpoint
- Remove isLoadingPolicies state and LaunchedEffect policy fetch from LoginScreen

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -33,3 +33,6 @@ local.properties
 # Signing files
 *.jks
 *.keystore
+
+# Claude
+CLAUDE.md
diff --git a/demo/build.gradle.kts b/demo/build.gradle.kts
@@ -1,8 +1,14 @@
 import com.android.build.gradle.internal.dsl.BaseAppModuleExtension
+import java.util.Properties
 
 apply(plugin = "com.android.application")
 apply(plugin = "kotlin-android")
 
+val localProps = Properties().also { props ->
+    val f = rootProject.file("local.properties")
+    if (f.exists()) props.load(f.inputStream())
+}
+
 configure<BaseAppModuleExtension> {
     namespace = "com.idme.auth.demo"
     compileSdk = 34
@@ -15,6 +21,11 @@ configure<BaseAppModuleExtension> {
         versionName = "1.0.0"
 
         manifestPlaceholders["idmeRedirectScheme"] = "idmedemo"
+
+        buildConfigField("String", "SANDBOX_CLIENT_ID",
+            "\"${localProps.getProperty("idme.sandbox.client_id", "")}\"")
+        buildConfigField("String", "SANDBOX_CLIENT_SECRET",
+            "\"${localProps.getProperty("idme.sandbox.client_secret", "")}\"")
     }
 
     buildTypes {
@@ -34,6 +45,7 @@ configure<BaseAppModuleExtension> {
 
     buildFeatures {
         compose = true
+        buildConfig = true
     }
 
     composeOptions {
diff --git a/demo/src/main/kotlin/com/idme/auth/demo/AuthViewModel.kt b/demo/src/main/kotlin/com/idme/auth/demo/AuthViewModel.kt
@@ -7,6 +7,7 @@ import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.setValue
 import androidx.lifecycle.AndroidViewModel
 import androidx.lifecycle.viewModelScope
+import com.idme.auth.demo.BuildConfig
 import com.idme.auth.IDmeAuth
 import com.idme.auth.configuration.IDmeAuthMode
 import com.idme.auth.configuration.IDmeConfiguration
@@ -18,6 +19,12 @@ import com.idme.auth.models.Credentials
 import com.idme.auth.models.Policy
 import kotlinx.coroutines.launch
 
+private val STANDARD_POLICIES = listOf(
+    Policy(name = "Login", handle = "login", active = true, groups = emptyList()),
+    Policy(name = "NIST AAL2 / IAL2", handle = "http://idmanagement.gov/ns/assurance/ial/2/aal/2", active = true, groups = emptyList()),
+    Policy(name = "Military", handle = "military", active = true, groups = emptyList())
+)
+
 class AuthViewModel(application: Application) : AndroidViewModel(application) {
 
     // MARK: - Configuration Inputs
@@ -26,15 +33,14 @@ class AuthViewModel(application: Application) : AndroidViewModel(application) {
         private set
 
     var authMode by mutableStateOf(IDmeAuthMode.OAUTH_PKCE)
-    var environment by mutableStateOf(IDmeEnvironment.PRODUCTION)
+    var environment by mutableStateOf(IDmeEnvironment.SANDBOX)
         private set
 
     var verificationType by mutableStateOf(IDmeVerificationType.SINGLE)
 
     // MARK: - State
 
-    var policies by mutableStateOf(listOf<Policy>())
-        private set
+    val policies: List<Policy> = STANDARD_POLICIES
 
     var credentials by mutableStateOf<Credentials?>(null)
         private set
@@ -45,9 +51,6 @@ class AuthViewModel(application: Application) : AndroidViewModel(application) {
     var isLoading by mutableStateOf(false)
         private set
 
-    var isLoadingPolicies by mutableStateOf(false)
-        private set
-
     var errorMessage by mutableStateOf<String?>(null)
 
     val hasPayload: Boolean get() = payloadClaims.isNotEmpty()
@@ -60,13 +63,13 @@ class AuthViewModel(application: Application) : AndroidViewModel(application) {
     private val clientId: String
         get() = when (environment) {
             IDmeEnvironment.PRODUCTION -> "YOUR_PRODUCTION_CLIENT_ID"
-            IDmeEnvironment.SANDBOX -> "YOUR_SANDBOX_CLIENT_ID"
+            IDmeEnvironment.SANDBOX -> BuildConfig.SANDBOX_CLIENT_ID
         }
 
     private val clientSecret: String
         get() = when (environment) {
             IDmeEnvironment.PRODUCTION -> "YOUR_PRODUCTION_CLIENT_SECRET"
-            IDmeEnvironment.SANDBOX -> "YOUR_SANDBOX_CLIENT_SECRET"
+            IDmeEnvironment.SANDBOX -> BuildConfig.SANDBOX_CLIENT_SECRET
         }
 
     // MARK: - Private
@@ -84,32 +87,7 @@ class AuthViewModel(application: Application) : AndroidViewModel(application) {
     }
 
     fun updateEnvironment(env: IDmeEnvironment) {
-        if (env != environment) {
-            environment = env
-            viewModelScope.launch { fetchPolicies() }
-        }
-    }
-
-    // MARK: - Policies
-
-    fun fetchPolicies() {
-        viewModelScope.launch {
-            isLoadingPolicies = true
-
-            try {
-                val auth = buildAuth(listOf(IDmeScope.MILITARY))
-                val fetched = auth.policies()
-                policies = fetched.filter { it.active }
-                // Clear selections that no longer exist
-                val validHandles = policies.map { it.handle }.toSet()
-                selectedPolicies = selectedPolicies.intersect(validHandles)
-            } catch (e: Exception) {
-                android.util.Log.e("AuthViewModel", "Failed to fetch policies", e)
-                policies = emptyList()
-            }
-
-            isLoadingPolicies = false
-        }
+        environment = env
     }
 
     // MARK: - Actions
@@ -197,9 +175,7 @@ class AuthViewModel(application: Application) : AndroidViewModel(application) {
             finalScopes.add(0, IDmeScope.OPENID)
         }
 
-        // Client secret is only applicable for server-side OAuth flows; never embed in PKCE or OIDC.
-        // TODO: Load credentials from local.properties via BuildConfig rather than hardcoding.
-        val secret = if (authMode == IDmeAuthMode.OAUTH) clientSecret else null
+        val secret = clientSecret.ifBlank { null }
 
         val config = IDmeConfiguration(
             clientId = clientId,
diff --git a/demo/src/main/kotlin/com/idme/auth/demo/ui/LoginScreen.kt b/demo/src/main/kotlin/com/idme/auth/demo/ui/LoginScreen.kt
@@ -10,7 +10,6 @@ import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.height
 import androidx.compose.foundation.layout.padding
-import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
 import androidx.compose.foundation.shape.RoundedCornerShape
@@ -27,7 +26,6 @@ import androidx.compose.material3.Surface
 import androidx.compose.material3.Switch
 import androidx.compose.material3.Text
 import androidx.compose.runtime.Composable
-import androidx.compose.runtime.LaunchedEffect
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalContext
@@ -40,12 +38,6 @@ import com.idme.auth.demo.AuthViewModel
 fun LoginScreen(viewModel: AuthViewModel, modifier: Modifier = Modifier) {
     val activity = LocalContext.current as? Activity
 
-    LaunchedEffect(Unit) {
-        if (viewModel.policies.isEmpty()) {
-            viewModel.fetchPolicies()
-        }
-    }
-
     Box(modifier = modifier.fillMaxSize()) {
         LazyColumn(
             modifier = Modifier
@@ -105,55 +97,16 @@ fun LoginScreen(viewModel: AuthViewModel, modifier: Modifier = Modifier) {
                     )
                 }
 
-                if (viewModel.isLoadingPolicies) {
-                    item {
-                        Row(
-                            verticalAlignment = Alignment.CenterVertically,
-                            horizontalArrangement = Arrangement.spacedBy(8.dp)
-                        ) {
-                            CircularProgressIndicator(modifier = Modifier.size(20.dp))
-                            Text(
-                                "Loading policies...",
-                                color = MaterialTheme.colorScheme.onSurfaceVariant
-                            )
-                        }
-                    }
-                } else if (viewModel.policies.isEmpty()) {
-                    item {
-                        Text(
-                            "No policies available. Check your credentials.",
-                            color = MaterialTheme.colorScheme.onSurfaceVariant
-                        )
-                    }
-                } else {
-                    items(viewModel.policies, key = { it.handle }) { policy ->
-                        Row(
-                            modifier = Modifier.fillMaxWidth(),
-                            verticalAlignment = Alignment.CenterVertically,
-                            horizontalArrangement = Arrangement.SpaceBetween
-                        ) {
-                            Column(modifier = Modifier.weight(1f)) {
-                                Text(policy.name)
-                                if (policy.groups.isNotEmpty()) {
-                                    Text(
-                                        policy.groups.joinToString(", ") { it.name },
-                                        style = MaterialTheme.typography.bodySmall,
-                                        color = MaterialTheme.colorScheme.onSurfaceVariant
-                                    )
-                                }
-                            }
-                            Switch(
-                                checked = policy.handle in viewModel.selectedPolicies,
-                                onCheckedChange = { viewModel.togglePolicy(policy.handle) }
-                            )
-                        }
-                    }
-
-                    item {
-                        Text(
-                            "Policies are fetched from /api/public/v3/policies. The handle is used as the OAuth scope.",
-                            style = MaterialTheme.typography.bodySmall,
-                            color = MaterialTheme.colorScheme.onSurfaceVariant
+                items(viewModel.policies, key = { it.handle }) { policy ->
+                    Row(
+                        modifier = Modifier.fillMaxWidth(),
+                        verticalAlignment = Alignment.CenterVertically,
+                        horizontalArrangement = Arrangement.SpaceBetween
+                    ) {
+                        Text(policy.name)
+                        Switch(
+                            checked = policy.handle in viewModel.selectedPolicies,
+                            onCheckedChange = { viewModel.togglePolicy(policy.handle) }
                         )
                     }
                 }
diff --git a/sdk/src/main/kotlin/com/idme/auth/IDmeAuth.kt b/sdk/src/main/kotlin/com/idme/auth/IDmeAuth.kt
@@ -18,7 +18,6 @@ import com.idme.auth.jwt.JWTDecoder
 import com.idme.auth.jwt.JWTValidator
 import com.idme.auth.models.AttributeResponse
 import com.idme.auth.models.Credentials
-import com.idme.auth.models.Policy
 import com.idme.auth.models.UserInfo
 import com.idme.auth.networking.APIEndpoint
 import com.idme.auth.networking.DefaultHTTPClient
@@ -110,6 +109,7 @@ class IDmeAuth(
         this.lastNonce = nonce
 
         Log.info("Starting auth session: ${configuration.verificationType.value} mode")
+        Log.debug("Authorize URL: $authURL")
 
         val callbackURL = IDmeAuthManager.launchAuth(activity, authURL, state)
 
@@ -144,42 +144,6 @@ class IDmeAuth(
         return tokenManager.validCredentials(minTTL)
     }
 
-    // MARK: - Policies
-
-    /**
-     * Fetches the available verification policies for the organization.
-     *
-     * Uses the client credentials (client_id and client_secret) to authenticate via HTTP Basic Auth.
-     * The policy `handle` can be used as the OAuth `scope` parameter.
-     *
-     * @return A list of available policies.
-     */
-    suspend fun policies(): List<Policy> {
-        val url = APIEndpoint.policies(configuration.environment)
-        val credentials = "${configuration.clientId}:${configuration.clientSecret ?: ""}"
-        val encoded = java.util.Base64.getEncoder()
-            .encodeToString(credentials.toByteArray(Charsets.UTF_8))
-        val headers = mapOf("Authorization" to "Basic $encoded")
-
-        val response = try {
-            httpClient.get(url, headers)
-        } catch (e: IDmeAuthError) {
-            throw e
-        } catch (e: Exception) {
-            throw IDmeAuthError.NetworkError(e.localizedMessage ?: "Unknown error")
-        }
-
-        if (response.statusCode !in 200..299) {
-            throw IDmeAuthError.UnexpectedResponse(response.statusCode)
-        }
-
-        return try {
-            json.decodeFromString<List<Policy>>(response.body)
-        } catch (e: Exception) {
-            throw IDmeAuthError.DecodingFailed(e.localizedMessage ?: "Unknown error")
-        }
-    }
-
     // MARK: - User Info
 
     /**
diff --git a/sdk/src/main/kotlin/com/idme/auth/auth/TokenExchangeRequest.kt b/sdk/src/main/kotlin/com/idme/auth/auth/TokenExchangeRequest.kt
@@ -1,11 +1,13 @@
 package com.idme.auth.auth
 
 import com.idme.auth.configuration.IDmeConfiguration
+import com.idme.auth.configuration.IDmeScope
 import com.idme.auth.errors.IDmeAuthError
 import com.idme.auth.models.TokenResponse
 import com.idme.auth.networking.APIEndpoint
 import com.idme.auth.networking.DefaultHTTPClient
 import com.idme.auth.networking.HTTPClient
+import com.idme.auth.utilities.Log
 import kotlinx.serialization.json.Json
 
 /** Handles the OAuth token exchange (authorization code -> tokens). */
@@ -23,7 +25,8 @@ class TokenExchangeRequest(
             "grant_type" to "authorization_code",
             "code" to code,
             "redirect_uri" to configuration.redirectURI,
-            "client_id" to configuration.clientId
+            "client_id" to configuration.clientId,
+            "scope" to IDmeScope.authorizeString(configuration.scopes)
         )
 
         if (codeVerifier != null) {
@@ -34,6 +37,9 @@ class TokenExchangeRequest(
             body["client_secret"] = configuration.clientSecret
         }
 
+        Log.debug("Token exchange URL: $tokenURL")
+        Log.debug("Token exchange body: $body")
+
         val response = try {
             httpClient.postForm(tokenURL, body)
         } catch (e: IDmeAuthError) {
diff --git a/sdk/src/main/kotlin/com/idme/auth/configuration/IDmeScope.kt b/sdk/src/main/kotlin/com/idme/auth/configuration/IDmeScope.kt
@@ -7,6 +7,10 @@ enum class IDmeScope(val value: String) {
     PROFILE("profile"),
     EMAIL("email"),
 
+    // Standard verification scopes
+    LOGIN("login"),
+    NIST_AAL2_IAL2("http://idmanagement.gov/ns/assurance/ial/2/aal/2"),
+
     // ID.me verification scopes
     MILITARY("military"),
     FIRST_RESPONDER("first_responder"),
diff --git a/sdk/src/main/kotlin/com/idme/auth/models/Policy.kt b/sdk/src/main/kotlin/com/idme/auth/models/Policy.kt
@@ -2,12 +2,7 @@ package com.idme.auth.models
 
 import kotlinx.serialization.Serializable
 
-/**
- * A verification policy available for the organization.
- *
- * Returned by the `/api/public/v3/policies` endpoint.
- * The policy `handle` is used as the OAuth `scope` parameter.
- */
+/** A verification policy. The `handle` is used as the OAuth `scope` parameter. */
 @Serializable
 data class Policy(
     /** Human-readable name (e.g. "Military Verification"). */
diff --git a/sdk/src/main/kotlin/com/idme/auth/networking/APIEndpoint.kt b/sdk/src/main/kotlin/com/idme/auth/networking/APIEndpoint.kt
@@ -25,10 +25,6 @@ object APIEndpoint {
     fun attributes(environment: IDmeEnvironment): String =
         "${environment.apiBaseURL}api/public/v3/attributes.json"
 
-    /** Policies endpoint. */
-    fun policies(environment: IDmeEnvironment): String =
-        "${environment.apiBaseURL}api/public/v3/policies"
-
     /** OIDC discovery endpoint. */
     fun discovery(environment: IDmeEnvironment): String =
         environment.discoveryURL
diff --git a/sdk/src/main/kotlin/com/idme/auth/networking/HTTPClient.kt b/sdk/src/main/kotlin/com/idme/auth/networking/HTTPClient.kt
@@ -52,10 +52,9 @@ class DefaultHTTPClient : HTTPClient {
                     "${java.net.URLEncoder.encode(key, "UTF-8")}=${java.net.URLEncoder.encode(value, "UTF-8")}"
                 }
 
-                OutputStreamWriter(connection.outputStream).use { writer ->
-                    writer.write(bodyString)
-                    writer.flush()
-                }
+                val bodyBytes = bodyString.toByteArray(Charsets.UTF_8)
+                connection.setRequestProperty("Content-Length", bodyBytes.size.toString())
+                connection.outputStream.write(bodyBytes)
 
                 readResponse(connection)
             } catch (e: IDmeAuthError) {
