From e2e00469e15bc13e029b025e087af2274bd4487c Mon Sep 17 00:00:00 2001
From: Sampo Tawast <sampo.tawast@gmail.com>
Date: Tue, 18 Jun 2024 22:28:11 +0300
Subject: [PATCH] fix: determine correct audience based on
 HELSINKI_PROFILE_API_URL

---
 backend/shared/shared/helsinki_profile/hp_client.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/backend/shared/shared/helsinki_profile/hp_client.py b/backend/shared/shared/helsinki_profile/hp_client.py
index d81782935d..fd067e597b 100644
--- a/backend/shared/shared/helsinki_profile/hp_client.py
+++ b/backend/shared/shared/helsinki_profile/hp_client.py
@@ -112,11 +112,21 @@ def get_api_access_token_tunnistus(self, oidc_access_token):
         """
         Exchanges OIDC access token for API access token using Tunnistus Keycloak
         """
+
+        if "test" in settings.HELSINKI_PROFILE_API_URL:
+            audience = "-test"
+        elif "stage" in settings.HELSINKI_PROFILE_API_URL:
+            audience = "-stage"
+        else:
+            audience = ""  # production
+
+        audience = settings.HELSINKI_PROFILE_API_URL
+
         try:
             response = requests.post(
                 settings.TUNNISTUS_API_TOKENS_ENDPOINT,
                 data={
-                    "audience": "profile-api-test",  # TODO: use setting
+                    "audience": f"profile-api{audience}",  # TODO: use setting
                     "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                     "permission": "#access",
                 },