From ea27d00f28f20abb7711c170499b89f14f84ec85 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Wed, 14 Aug 2024 12:31:54 +0530 Subject: [PATCH 1/9] Add app token configs to oauth apps. --- .../identity/oauth/common/OAuthConstants.java | 9 ++++ .../src/main/resources/OAuthAdminService.wsdl | 2 + .../identity/oauth/OAuthAdminServiceImpl.java | 23 ++++++++++- .../wso2/carbon/identity/oauth/OAuthUtil.java | 2 + .../identity/oauth/dao/OAuthAppDAO.java | 41 +++++++++++++++++-- .../carbon/identity/oauth/dao/OAuthAppDO.java | 23 +++++++++++ .../oauth/dto/OAuthConsumerAppDTO.java | 22 ++++++++++ 7 files changed, 118 insertions(+), 4 deletions(-) diff --git a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java index 5928e485f4e..555d18f8a6c 100644 --- a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java +++ b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java 
@@ -623,6 +623,15 @@ public static class OIDCConfigProperties { public static final String TOKEN_REVOCATION_WITH_IDP_SESSION_TERMINATION = "tokenRevocationWithIDPSessionTermination"; public static final String TOKEN_BINDING_VALIDATION = "tokenBindingValidation"; + public static final String USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS = "useClientIdAsSubClaimForAppTokens"; + public static final boolean USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_OLD_APP_DEFAULT_VALUE = false; + public static final boolean USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE = true; + public static final String OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN = + "omitUsernameInIntrospectionRespForAppTokens"; + public static final boolean OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_OLD_APP_DEFAULT_VALUE = + false; + public static final boolean OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE = + true; public static final String TOKEN_BINDING_TYPE_NONE = "None"; public static final String TOKEN_AUTH_METHOD = "tokenEndpointAuthMethod"; public static final String TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT = "tokenEndpointAllowReusePvtKeyJwt"; diff --git a/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl b/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl index a1b5a188711..b07fc78c7a7 100755 --- a/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl +++ b/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl @@ -414,6 +414,7 @@ + @@ -437,6 +438,7 @@ + diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java index 3129f554594..842c086e8a1 100755 
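Review bot: `OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN` and its two `_DEFAULT_VALUE` companions are singular while the key they hold (`omitUsernameInIntrospectionRespForAppTokens`), the sibling `USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS` and every accessor added later in the series are plural; renaming them to `..._FOR_APP_TOKENS` now is cheaper than after the DAO starts importing them. The two `*_OLD_APP_DEFAULT_VALUE` constants are not referenced by any hunk in this series; the legacy-app behaviour instead falls out of `Boolean.parseBoolean(null)` in OAuthAppDAO.setSpOIDCProperties, so either use them there or drop them so the contract has one source of truth. A one-line Javadoc on each key would also help readers of the DAO, e.g. `/** Per-app switch: when true, tokens issued to the application itself carry the client id as the {@code sub} claim. */` and `/** Per-app switch: when true, the introspection response for app tokens omits the {@code username} field. */`.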
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java @@ -105,6 +105,8 @@ import static org.wso2.carbon.identity.oauth.Error.INVALID_SUBJECT_TYPE_UPDATE; import static org.wso2.carbon.identity.oauth.OAuthUtil.handleError; import static org.wso2.carbon.identity.oauth.OAuthUtil.handleErrorWithExceptionType; +import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE; +import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_ACTIVE; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_DELETED; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.PRIVATE_KEY_JWT; 
@@ -421,6 +423,23 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO app.setTokenBindingValidationEnabled(application.isTokenBindingValidationEnabled()); app.setTokenRevocationWithIDPSessionTerminationEnabled( application.isTokenRevocationWithIDPSessionTerminationEnabled()); + /* If the value is not sent at the request, set the default value for new apps, this ensures + for new apps, the USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS property is never null. */ + if (application.isUseClientIdAsSubClaimForAppTokens() != null) { + app.setUseClientIdAsSubClaimForAppTokens(application.isUseClientIdAsSubClaimForAppTokens()); + } else { + app.setUseClientIdAsSubClaimForAppTokens( + USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE); + } + /* If the value is not sent at the request, set the default value for new apps, this ensures + for new apps, the OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN property is never null. */ + if (application.isOmitUsernameInIntrospectionRespForAppTokens() != null) { + app.setOmitUsernameInIntrospectionRespForAppTokens( + application.isOmitUsernameInIntrospectionRespForAppTokens()); + } else { + app.setOmitUsernameInIntrospectionRespForAppTokens( + OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE); + } String tokenEndpointAuthMethod = application.getTokenEndpointAuthMethod(); if (StringUtils.isNotEmpty(tokenEndpointAuthMethod)) { if (isFAPIConformanceEnabled) { 
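Review bot: The two if/else blocks in registerAndRetrieveOAuthApplicationData call the same DTO getter twice each and repeat one explanatory comment verbatim; a local plus a conditional expression says the same in two lines per property, e.g. `Boolean useClientIdAsSub = application.isUseClientIdAsSubClaimForAppTokens();` followed by `app.setUseClientIdAsSubClaimForAppTokens(useClientIdAsSub != null ? useClientIdAsSub : USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE);`. A single comment above both then suffices: `// Fields omitted by the caller get the new-app defaults so the persisted values are never null.` The method starts and ends outside this hunk.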
@@ -852,7 +871,9 @@ void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO, boolean enabl oAuthAppDO.setTokenRevocationWithIDPSessionTerminationEnabled(consumerAppDTO .isTokenRevocationWithIDPSessionTerminationEnabled()); oAuthAppDO.setTokenBindingValidationEnabled(consumerAppDTO.isTokenBindingValidationEnabled()); - + oAuthAppDO.setUseClientIdAsSubClaimForAppTokens(consumerAppDTO.isUseClientIdAsSubClaimForAppTokens()); + oAuthAppDO.setOmitUsernameInIntrospectionRespForAppTokens( + consumerAppDTO.isOmitUsernameInIntrospectionRespForAppTokens()); String tokenEndpointAuthMethod = consumerAppDTO.getTokenEndpointAuthMethod(); if (StringUtils.isNotEmpty(tokenEndpointAuthMethod)) { if (isFAPIConformanceEnabled) { diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java index b1b91df704f..f62babbccdd 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java @@ -547,6 +547,8 @@ public static OAuthConsumerAppDTO buildConsumerAppDTO(OAuthAppDO appDO) { dto.setTokenRevocationWithIDPSessionTerminationEnabled(appDO .isTokenRevocationWithIDPSessionTerminationEnabled()); dto.setTokenBindingValidationEnabled(appDO.isTokenBindingValidationEnabled()); + dto.setUseClientIdAsSubClaimForAppTokens(appDO.isUseClientIdAsSubClaimForAppTokens()); + dto.setOmitUsernameInIntrospectionRespForAppTokens(appDO.isOmitUsernameInIntrospectionRespForAppTokens()); dto.setTokenEndpointAuthMethod(appDO.getTokenEndpointAuthMethod()); dto.setTokenEndpointAllowReusePvtKeyJwt(appDO.isTokenEndpointAllowReusePvtKeyJwt()); dto.setTokenEndpointAuthSignatureAlgorithm(appDO.getTokenEndpointAuthSignatureAlgorithm()); 
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDAO.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDAO.java index ef4f4773eaf..d883bfa0aa4 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDAO.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDAO.java @@ -88,6 +88,7 @@ import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.IS_FAPI_CONFORMANT_APP; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.IS_PUSH_AUTH; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.IS_SUBJECT_TOKEN_ENABLED; +import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.RENEW_REFRESH_TOKEN; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.REQUEST_OBJECT_ENCRYPTION_ALGORITHM; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.REQUEST_OBJECT_ENCRYPTION_METHOD; 
@@ -106,6 +107,7 @@ import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.TOKEN_REVOCATION_WITH_IDP_SESSION_TERMINATION; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.TOKEN_TYPE; +import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS; import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.OPENID_CONNECT_AUDIENCE; import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.getConsoleCallbackFromServerConfig; import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.getMyAccountCallbackFromServerConfig; 
@@ -980,13 +982,29 @@ private void addOrUpdateOIDCSpProperty(OAuthAppDO oauthAppDO, TOKEN_BINDING_VALIDATION, String.valueOf(oauthAppDO.isTokenBindingValidationEnabled()), prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); + if (oauthAppDO.isUseClientIdAsSubClaimForAppTokens() != null) { + addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, + USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS, + String.valueOf(oauthAppDO.isUseClientIdAsSubClaimForAppTokens()), + prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); + } + + if (oauthAppDO.isOmitUsernameInIntrospectionRespForAppTokens() != null) { + addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, + OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN, + String.valueOf(oauthAppDO.isOmitUsernameInIntrospectionRespForAppTokens()), + prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); + } + addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, TOKEN_AUTH_METHOD, oauthAppDO.getTokenEndpointAuthMethod(), prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); - addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, - TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT, String.valueOf(oauthAppDO.isTokenEndpointAllowReusePvtKeyJwt()), - prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); + if (oauthAppDO.isTokenEndpointAllowReusePvtKeyJwt() != null) { + addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, + TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT, String.valueOf(oauthAppDO.isTokenEndpointAllowReusePvtKeyJwt()), + prepStatementForPropertyAdd, preparedStatementForPropertyUpdate); + } addOrUpdateOIDCSpProperty(preprocessedClientId, spTenantId, spOIDCProperties, TOKEN_AUTH_SIGNATURE_ALGORITHM, oauthAppDO.getTokenEndpointAuthSignatureAlgorithm(), 
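Review bot: The guard added around the existing `TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT` write at the end of this hunk is a behaviour change unrelated to the app-token properties (before it, an unset `Boolean` was persisted as the string `"null"`) and deserves a mention in the commit message or a commit of its own. For the two new properties the null guard is the right choice: an update coming from a caller that does not know the fields leaves the stored value alone instead of silently resetting it, so an older admin client cannot flip these privacy-relevant settings by omission. Three identical guarded blocks now sit in this method; a small private helper along the lines of `addOrUpdateBooleanPropertyIfSet(..., String key, Boolean value)` would keep the pattern in one place. addOrUpdateOIDCSpProperty starts and ends outside the hunk.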
@@ -1639,6 +1657,14 @@ private void addServiceProviderOIDCProperties(Connection connection, TOKEN_BINDING_VALIDATION, String.valueOf(consumerAppDO.isTokenBindingValidationEnabled())); + addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty, + USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS, + String.valueOf(consumerAppDO.isUseClientIdAsSubClaimForAppTokens())); + + addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty, + OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN, + String.valueOf(consumerAppDO.isOmitUsernameInIntrospectionRespForAppTokens())); + addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty, TOKEN_AUTH_METHOD, consumerAppDO.getTokenEndpointAuthMethod()); @@ -1801,6 +1827,15 @@ private void setSpOIDCProperties(Map> spOIDCProperties, OAu oauthApp.setTokenBindingValidationEnabled(isTokenBindingValidationEnabled); } + String useClientIdAsSubClaimForAppTokens = + getFirstPropertyValue(spOIDCProperties, USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS); + oauthApp.setUseClientIdAsSubClaimForAppTokens(Boolean.parseBoolean(useClientIdAsSubClaimForAppTokens)); + + String omitUsernameInIntrospectionRespForAppTokens = + getFirstPropertyValue(spOIDCProperties, OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN); + oauthApp.setOmitUsernameInIntrospectionRespForAppTokens( + Boolean.parseBoolean(omitUsernameInIntrospectionRespForAppTokens)); + String renewRefreshToken = getFirstPropertyValue(spOIDCProperties, RENEW_REFRESH_TOKEN); oauthApp.setRenewRefreshTokenEnabled(renewRefreshToken); diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDO.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDO.java index 50a1f48db45..48814f2aa79 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDO.java 
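Review bot: `String.valueOf(consumerAppDO.isUseClientIdAsSubClaimForAppTokens())` in addServiceProviderOIDCProperties persists the literal string `"null"` when the `Boolean` is unset, which is exactly the case the update path in the previous hunk guards against. OAuthAdminServiceImpl.registerAndRetrieveOAuthApplicationData fills both fields before reaching here, but any other caller that builds an OAuthAppDO directly (I cannot see them from this diff) would store `"null"`, which setSpOIDCProperties later reads back as `false`. Either skip the row when the value is null, as below, or resolve the new-app default here so the table always holds an explicit value; in both cases add a comment saying which contract the DAO enforces. addServiceProviderOIDCProperties starts and ends outside the hunk.
```java
// … unchanged: TOKEN_BINDING_VALIDATION add …
if (consumerAppDO.isUseClientIdAsSubClaimForAppTokens() != null) {
    addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty,
            USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS,
            String.valueOf(consumerAppDO.isUseClientIdAsSubClaimForAppTokens()));
}

if (consumerAppDO.isOmitUsernameInIntrospectionRespForAppTokens() != null) {
    addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty,
            OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN,
            String.valueOf(consumerAppDO.isOmitUsernameInIntrospectionRespForAppTokens()));
}
// … unchanged: TOKEN_AUTH_METHOD add …
```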
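Review bot: `Boolean.parseBoolean(useClientIdAsSubClaimForAppTokens)` in setSpOIDCProperties turns an absent property into `false`, so the legacy-app default is defined here implicitly while the `*_OLD_APP_DEFAULT_VALUE` constants added in OAuthConstants stay unused, and the nullability the rest of the series carries in the `Boolean` fields is lost on read. Making the fallback explicit keeps the two in step: `oauthApp.setUseClientIdAsSubClaimForAppTokens(useClientIdAsSubClaimForAppTokens != null ? Boolean.parseBoolean(useClientIdAsSubClaimForAppTokens) : USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_OLD_APP_DEFAULT_VALUE);` and the same shape for the omit-username property, with the two constants added to this file's static imports. It is worth stating in the commit message that the stricter `true` defaults therefore apply only to newly registered apps and existing apps keep their current token and introspection behaviour until an admin changes them. setSpOIDCProperties starts and ends outside the hunk.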
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dao/OAuthAppDO.java @@ -80,6 +80,8 @@ public class OAuthAppDO extends InboundConfigurationProtocol implements Serializ private String tokenBindingType; private boolean tokenRevocationWithIDPSessionTerminationEnabled; private boolean tokenBindingValidationEnabled; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private String tokenEndpointAuthMethod; private Boolean tokenEndpointAllowReusePvtKeyJwt; private String tokenEndpointAuthSignatureAlgorithm; @@ -374,6 +376,27 @@ public void setTokenBindingValidationEnabled(boolean tokenBindingValidationEnabl this.tokenBindingValidationEnabled = tokenBindingValidationEnabled; } + + public Boolean isUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + public Boolean isOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + public String getTokenEndpointAuthMethod() { return tokenEndpointAuthMethod; diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dto/OAuthConsumerAppDTO.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dto/OAuthConsumerAppDTO.java index fba94088c12..cb134002465 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dto/OAuthConsumerAppDTO.java 
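Review bot: The new accessors in OAuthAppDO are named `isUseClientIdAsSubClaimForAppTokens()` / `isOmitUsernameInIntrospectionRespForAppTokens()` but return the wrapper `Boolean`, which `java.beans.Introspector` does not treat as a property getter (the `is` form is recognised for primitive `boolean` only); the DCR beans in PATCH 2/9 use `get...` for the same fields, so the series is split on the convention. The existing `isTokenEndpointAllowReusePvtKeyJwt()` in this file sets the precedent, so the realistic choice is to keep `is` here and say so in a Javadoc, e.g. `/** Whether app tokens use the client id as {@code sub}; {@code null} when the app has never had the property set. */` on each getter. The same applies to OAuthConsumerAppDTO in the next file section; that DTO is the type exposed through OAuthAdminService.wsdl, and the WSDL hunk in this commit did not survive extraction here, so I could not check the element names it publishes.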
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dto/OAuthConsumerAppDTO.java @@ -65,6 +65,8 @@ public class OAuthConsumerAppDTO implements InboundProtocolConfigurationDTO { private String tokenBindingType; private boolean tokenRevocationWithIDPSessionTerminationEnabled; private boolean tokenBindingValidationEnabled; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private String tokenEndpointAuthMethod; private String tokenEndpointAuthSignatureAlgorithm; private Boolean tokenEndpointAllowReusePvtKeyJwt; @@ -365,6 +367,26 @@ public void setTokenBindingValidationEnabled(boolean tokenBindingValidationEnabl this.tokenBindingValidationEnabled = tokenBindingValidationEnabled; } + public Boolean isUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + public Boolean isOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + public String getTokenEndpointAuthMethod() { return tokenEndpointAuthMethod; From d09bf0da45513761d02c301978e5061280a34e45 Mon Sep 17 00:00:00 2001 
From: Madhavi Gayathri Date: Wed, 14 Aug 2024 12:32:18 +0530 Subject: [PATCH 2/9] Add app token configs support to DCR apps. --- .../dcr/endpoint/dto/ApplicationDTO.java | 29 +++++++++++++++++++ .../endpoint/dto/RegistrationRequestDTO.java | 23 +++++++++++++++ .../dcr/endpoint/dto/UpdateRequestDTO.java | 23 +++++++++++++++ .../oauth2/dcr/endpoint/util/DCRMUtils.java | 11 +++++++ .../identity/oauth/dcr/bean/Application.java | 23 +++++++++++++++ .../bean/ApplicationRegistrationRequest.java | 21 ++++++++++++++ .../dcr/bean/ApplicationUpdateRequest.java | 22 ++++++++++++++ .../oauth/dcr/service/DCRMService.java | 18 ++++++++++++ 8 files changed, 170 insertions(+) diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java index f7d980a4e11..e3c0666ed5d 100644 --- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java +++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java @@ -64,6 +64,8 @@ public class ApplicationDTO { private String jwksUri = null; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private String tokenEndpointAuthMethod = null; private Boolean tokenEndpointAllowReusePvtKeyJwt = null; private String tokenEndpointAuthSigningAlg = null; 
@@ -284,6 +286,30 @@ public void setJwksUri(String jwksUri) { this.jwksUri = jwksUri; } + @ApiModelProperty(value = "") + @JsonProperty("use_client_id_as_sub_claim_for_app_tokens") + public Boolean isUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + @ApiModelProperty(value = "") + @JsonProperty("omit_username_in_introspection_resp_for_app_tokens") + public Boolean isOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + @ApiModelProperty(value = "") @JsonProperty("token_endpoint_auth_method") public String getTokenEndpointAuthMethod() { @@ -467,6 +493,9 @@ public String toString() { sb.append(" extPkceSupportPlain: ").append(extPkceSupportPlain).append("\n"); sb.append(" extPublicClient: ").append(extPublicClient).append("\n"); sb.append(" jwksUri: ").append(jwksUri).append("\n"); + sb.append(" useClientIdAsSubClaimForAppTokens: ").append(useClientIdAsSubClaimForAppTokens).append("\n"); + sb.append(" omitUsernameInIntrospectionRespForAppTokens: ") + .append(omitUsernameInIntrospectionRespForAppTokens).append("\n"); sb.append(" tokenEndpointAuthMethod: ").append(tokenEndpointAuthMethod).append("\n"); sb.append(" tokenEndpointAuthSigningAlg: ").append(tokenEndpointAuthSigningAlg).append("\n"); sb.append(" sectorIdentifierUri: ").append(sectorIdentifierUri).append("\n"); 
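Review bot: `@ApiModelProperty(value = "")` on the two new ApplicationDTO getters leaves `use_client_id_as_sub_claim_for_app_tokens` and `omit_username_in_introspection_resp_for_app_tokens` undocumented in the generated DCR API description; the same empty descriptions are repeated in RegistrationRequestDTO and UpdateRequestDTO in the following sections. Since these switch what a token's `sub` claim holds and what an introspection response reveals, a one-line description each is worth it: `@ApiModelProperty(value = "When true, tokens issued to the application itself carry the client id as the sub claim.")` and `@ApiModelProperty(value = "When true, the introspection response for app tokens omits the username field.")`. These files live under `src/gen`; if they are produced from an API definition, that definition presumably needs the same two fields so a regeneration does not drop them.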
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java index e42227c3b0e..71569dfa1d5 100644 --- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java +++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java @@ -47,6 +47,8 @@ public class RegistrationRequestDTO { private boolean extPkceSupportPlain; private boolean extPublicClient; private String extTokenType = null; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private String tokenEndpointAuthMethod = null; private String tokenEndpointAuthSigningAlg = null; private Boolean tokenEndpointAllowReusePvtKeyJwt; 
@@ -324,6 +326,24 @@ public void setExtPublicClient(boolean extPublicClient) { this.extPublicClient = extPublicClient; } + @ApiModelProperty(value = "") + @JsonProperty("use_client_id_as_sub_claim_for_app_tokens") + public Boolean isUseClientIdAsSubClaimForAppTokens() { + return useClientIdAsSubClaimForAppTokens; + } + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + @ApiModelProperty(value = "") + @JsonProperty("omit_username_in_introspection_resp_for_app_tokens") + public Boolean isOmitUsernameInIntrospectionRespForAppTokens() { + return omitUsernameInIntrospectionRespForAppTokens; + } + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + @ApiModelProperty(value = "") @JsonProperty("token_endpoint_auth_method") public String getTokenEndpointAuthMethod() { @@ -518,6 +538,9 @@ public String toString() { sb.append(" ext_pkce_mandatory: ").append(extPkceMandatory).append("\n"); sb.append(" ext_pkce_support_plain: ").append(extPkceSupportPlain).append("\n"); sb.append(" ext_public_client: ").append(extPublicClient).append("\n"); + sb.append(" use_client_id_as_sub_claim_for_app_tokens: ").append(useClientIdAsSubClaimForAppTokens).append("\n"); + sb.append(" omit_username_in_introspection_resp_for_app_tokens: ") + .append(omitUsernameInIntrospectionRespForAppTokens).append("\n"); sb.append(" token_endpoint_auth_method: ").append(tokenEndpointAuthMethod).append("\n"); sb.append(" token_endpoint_auth_signing_alg: ").append(tokenEndpointAuthSigningAlg).append("\n"); sb.append(" sector_identifier_uri: ").append(sectorIdentifierUri).append("\n"); 
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java index 085eb32d260..3bf3b611bde 100644 --- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java +++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java @@ -51,6 +51,8 @@ public class UpdateRequestDTO { private String requestObjectEncryptionAlgorithm = null; private String requestObjectEncryptionMethod = null; private String softwareStatement = null; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private final Map additionalAttributes = new HashMap<>(); @ApiModelProperty(value = "") 
@@ -264,6 +266,24 @@ public void setTokenEndpointAuthSigningAlg(String tokenEndpointAuthSigningAlg) { this.tokenEndpointAuthSigningAlg = tokenEndpointAuthSigningAlg; } + @ApiModelProperty(value = "") + @JsonProperty("use_client_id_as_sub_claim_for_app_tokens") + public Boolean isUseClientIdAsSubClaimForAppTokens() { + return useClientIdAsSubClaimForAppTokens; + } + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + @ApiModelProperty(value = "") + @JsonProperty("omit_username_in_introspection_resp_for_app_tokens") + public Boolean isOmitUsernameInIntrospectionRespForAppTokens() { + return omitUsernameInIntrospectionRespForAppTokens; + } + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + @ApiModelProperty(value = "") @JsonProperty("sector_identifier_uri") public String getSectorIdentifierUri() { @@ -434,6 +454,9 @@ public String toString() { sb.append(" ext_pkce_mandatory: ").append(extPkceMandatory).append("\n"); sb.append(" ext_pkce_support_plain: ").append(extPkceSupportPlain).append("\n"); sb.append(" ext_public_client: ").append(extPublicClient).append("\n"); + sb.append(" use_client_id_as_sub_claim_for_app_tokens: ").append(useClientIdAsSubClaimForAppTokens).append("\n"); + sb.append(" omit_username_in_introspection_resp_for_app_tokens: ") + .append(omitUsernameInIntrospectionRespForAppTokens).append("\n"); sb.append(" token_endpoint_auth_method: ").append(tokenEndpointAuthMethod).append("\n"); sb.append(" token_endpoint_auth_signing_alg: ").append(tokenEndpointAuthSigningAlg).append("\n"); sb.append(" sector_identifier_uri: ").append(sectorIdentifierUri).append("\n"); 
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java b/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java index 23e87ffa559..b01e01726b7 100644 --- a/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java +++ b/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java @@ -78,6 +78,10 @@ public static ApplicationRegistrationRequest getApplicationRegistrationRequest( appRegistrationRequest.setExtPkceMandatory(registrationRequestDTO.getExtPkceMandatory()); appRegistrationRequest.setExtPkceSupportPlain(registrationRequestDTO.getExtPkceSupportPlain()); appRegistrationRequest.setExtPublicClient(registrationRequestDTO.getExtPublicClient()); + appRegistrationRequest.setUseClientIdAsSubClaimForAppTokens( + registrationRequestDTO.isUseClientIdAsSubClaimForAppTokens()); + appRegistrationRequest.setOmitUsernameInIntrospectionRespForAppTokens( + registrationRequestDTO.isOmitUsernameInIntrospectionRespForAppTokens()); appRegistrationRequest.setExtTokenType(registrationRequestDTO.getExtTokenType()); appRegistrationRequest.setJwksURI(registrationRequestDTO.getJwksUri()); appRegistrationRequest.setTokenEndpointAuthMethod(registrationRequestDTO.getTokenEndpointAuthMethod()); 
@@ -126,6 +130,10 @@ public static ApplicationUpdateRequest getApplicationUpdateRequest(UpdateRequest applicationUpdateRequest.setExtPublicClient(updateRequestDTO.getExtPublicClient()); applicationUpdateRequest.setExtTokenType(updateRequestDTO.getExtTokenType()); applicationUpdateRequest.setJwksURI(updateRequestDTO.getJwksUri()); + applicationUpdateRequest.setUseClientIdAsSubClaimForAppTokens( + updateRequestDTO.isUseClientIdAsSubClaimForAppTokens()); + applicationUpdateRequest.setOmitUsernameInIntrospectionRespForAppTokens( + updateRequestDTO.isOmitUsernameInIntrospectionRespForAppTokens()); applicationUpdateRequest.setTokenEndpointAuthMethod(updateRequestDTO.getTokenEndpointAuthMethod()); applicationUpdateRequest.setTokenEndpointAllowReusePvtKeyJwt( updateRequestDTO.isTokenEndpointAllowReusePvtKeyJwt()); @@ -245,6 +253,9 @@ public static ApplicationDTO getApplicationDTOFromApplication(Application applic applicationDTO.setIdTokenSignedResponseAlg(application.getIdTokenSignatureAlgorithm()); applicationDTO.setIdTokenEncryptedResponseAlg(application.getIdTokenEncryptionAlgorithm()); applicationDTO.setIdTokenEncryptedResponseEnc(application.getIdTokenEncryptionMethod()); + applicationDTO.setUseClientIdAsSubClaimForAppTokens(application.getUseClientIdAsSubClaimForAppTokens()); + applicationDTO.setOmitUsernameInIntrospectionRespForAppTokens( + application.getOmitUsernameInIntrospectionRespForAppTokens()); applicationDTO.setRequireSignedRequestObject(application.isRequestObjectSignatureValidationEnabled()); applicationDTO.setRequestObjectSigningAlg(application.getRequestObjectSignatureAlgorithm()); applicationDTO.setTlsClientAuthSubjectDn(application.getTlsClientAuthSubjectDN()); diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java index 7f0d3907f23..ffd6f8ded53 100644 
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java +++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java @@ -61,6 +61,8 @@ public class Application implements Serializable { private String idTokenEncryptionAlgorithm = null; private String idTokenEncryptionMethod = null; private String softwareStatement = null; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private Map additionalAttributes; @@ -392,6 +394,27 @@ public void setIdTokenEncryptionMethod(String idTokenEncryptionMethod) { this.idTokenEncryptionMethod = idTokenEncryptionMethod; } + + public Boolean getUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + public Boolean getOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + @Override public String toString() { diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java index 068fa186379..b28549d8a94 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java 
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java @@ -67,6 +67,8 @@ public class ApplicationRegistrationRequest implements Serializable { private String requestObjectEncryptionAlgorithm; private String requestObjectEncryptionMethod; private Map additionalAttributes; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; public void setAdditionalAttributes(Map additionalAttributes) { @@ -530,5 +532,24 @@ public void setSoftwareStatement(String softwareStatement) { this.softwareStatement = softwareStatement; } + public Boolean getUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + public Boolean getOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } } diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java index 443821cd55c..9d72bd2a14e 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java +++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java 
@@ -60,6 +60,8 @@ public class ApplicationUpdateRequest implements Serializable { private boolean tlsClientCertificateBoundAccessTokens; private boolean requireSignedRequestObject; private String subjectType; + private Boolean useClientIdAsSubClaimForAppTokens; + private Boolean omitUsernameInIntrospectionRespForAppTokens; private String requestObjectEncryptionAlgorithm; private String requestObjectEncryptionMethod; private Map additionalAttributes; @@ -74,6 +76,26 @@ public Map getAdditionalAttributes() { return additionalAttributes; } + public Boolean getUseClientIdAsSubClaimForAppTokens() { + + return useClientIdAsSubClaimForAppTokens; + } + + public void setUseClientIdAsSubClaimForAppTokens(Boolean useClientIdAsSubClaimForAppTokens) { + + this.useClientIdAsSubClaimForAppTokens = useClientIdAsSubClaimForAppTokens; + } + + public Boolean getOmitUsernameInIntrospectionRespForAppTokens() { + + return omitUsernameInIntrospectionRespForAppTokens; + } + + public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { + + this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } + public List getRedirectUris() { return redirectUris; diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java index 994bd068fa6..7a569d83095 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java +++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java 
@@ -348,6 +348,13 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str if (updateRequest.getExtIdTokenLifetime() != null) { appDTO.setIdTokenExpiryTime(updateRequest.getExtIdTokenLifetime()); } + if (updateRequest.getUseClientIdAsSubClaimForAppTokens() != null) { + appDTO.setUseClientIdAsSubClaimForAppTokens(updateRequest.getUseClientIdAsSubClaimForAppTokens()); + } + if (updateRequest.getOmitUsernameInIntrospectionRespForAppTokens() != null) { + appDTO.setOmitUsernameInIntrospectionRespForAppTokens( + updateRequest.getOmitUsernameInIntrospectionRespForAppTokens()); + } if (updateRequest.getTokenEndpointAuthMethod() != null) { appDTO.setTokenEndpointAuthMethod(updateRequest.getTokenEndpointAuthMethod()); } @@ -671,6 +678,9 @@ private Application buildResponse(OAuthConsumerAppDTO createdApp, String tenantD application.setExtTokenType(createdApp.getTokenType()); application.setJwksURI(createdApp.getJwksURI()); application.setTokenEndpointAuthMethod(createdApp.getTokenEndpointAuthMethod()); + application.setUseClientIdAsSubClaimForAppTokens(createdApp.isUseClientIdAsSubClaimForAppTokens()); + application.setOmitUsernameInIntrospectionRespForAppTokens( + createdApp.isOmitUsernameInIntrospectionRespForAppTokens()); application.setTokenEndpointAllowReusePvtKeyJwt(createdApp.isTokenEndpointAllowReusePvtKeyJwt()); application.setTokenEndpointAuthSignatureAlgorithm(createdApp.getTokenEndpointAuthSignatureAlgorithm()); application.setSectorIdentifierURI(createdApp.getSectorIdentifierURI()); 
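Review bot: In `updateApplication` the two new flags are copied straight from the DCR update request, so any principal allowed to update a client can later switch `useClientIdAsSubClaimForAppTokens` or `omitUsernameInIntrospectionRespForAppTokens` to `false` and opt that client out of the server-wide safeguards that the `AccessTokenIssuer` and `TokenValidationHandler` changes in this series AND together with the app flag. Because the server flag only gates, never overrides, the per-app value, a client can weaken but never strengthen the policy; if that is intended it should be stated in a comment above the two `if` blocks (e.g. `// Per-app opt-out: only effective when the corresponding server-level switch is enabled.`), and if the DCR update path audit-logs other security-relevant changes these should be included. The enclosing method begins and ends outside the hunk.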
@@ -763,6 +773,14 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist if (registrationRequest.getExtIdTokenLifetime() != null) { oAuthConsumerApp.setIdTokenExpiryTime(registrationRequest.getExtIdTokenLifetime()); } + if (registrationRequest.getUseClientIdAsSubClaimForAppTokens() != null) { + oAuthConsumerApp.setUseClientIdAsSubClaimForAppTokens( + registrationRequest.getUseClientIdAsSubClaimForAppTokens()); + } + if (registrationRequest.getOmitUsernameInIntrospectionRespForAppTokens() != null) { + oAuthConsumerApp.setOmitUsernameInIntrospectionRespForAppTokens( + registrationRequest.getOmitUsernameInIntrospectionRespForAppTokens()); + } if (registrationRequest.getTokenEndpointAuthMethod() != null) { oAuthConsumerApp.setTokenEndpointAuthMethod(registrationRequest.getTokenEndpointAuthMethod()); } From b4dc00638dd176cb08af3fa556cf99d6a9445ed3 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Thu, 15 Aug 2024 10:28:16 +0530 Subject: [PATCH 3/9] Use useClientIdAsSubClaimForAppTokens config to set sub claim logic. --- .../wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java index 07eaaab09f2..df9fe0bfe5f 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.java 
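Review bot: When a registration request omits both flags, `createOAuthApp` leaves the `OAuthConsumerAppDTO` at its field default, and a primitive `boolean` defaults to `false`; the `*_NEW_APP_DEFAULT_VALUE = true` constants in `OAuthConstants` suggest `OAuthAdminServiceImpl` later substitutes `true` for new apps, but that happens outside this hunk and the last commit in the series ("Check server config, before applying default behavior") indicates it is conditional. Please confirm that a DCR-registered client that never mentions these fields ends up with the same defaults as one created through the admin service, and pin it with a DCRMService test; otherwise DCR becomes the one registration path that silently gets the weaker behaviour. A short comment on the two `if` blocks, e.g. `// Absent in the request: defaulting is deferred to OAuthAdminServiceImpl.`, would make the intent visible. The enclosing method continues outside the hunk.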
@@ -459,7 +459,8 @@ private OAuth2AccessTokenRespDTO validateGrantAndIssueToken(OAuth2AccessTokenReq AuthenticatedUser authorizedUser = tokReqMsgCtx.getAuthorizedUser(); if (authorizedUser.getAuthenticatedSubjectIdentifier() == null) { - if (!isOfTypeApplicationUser && useClientIdAsSubClaimForAppTokensEnabled) { + if (!isOfTypeApplicationUser && useClientIdAsSubClaimForAppTokensEnabled + && oAuthAppDO.isUseClientIdAsSubClaimForAppTokens()) { authorizedUser.setAuthenticatedSubjectIdentifier(oAuthAppDO.getOauthConsumerKey()); } else { authorizedUser.setAuthenticatedSubjectIdentifier( From d88891278bd3216798dcc073a44fe2179996e146 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Thu, 15 Aug 2024 10:30:57 +0530 Subject: [PATCH 4/9] Use omitUsernameInIntrospectionRespForAppTokens config to set introspection resp logic. --- .../validators/TokenValidationHandler.java | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java index 6d2d0b56cf6..eaa843ded9f 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java 
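Review bot: The added `&& oAuthAppDO.isUseClientIdAsSubClaimForAppTokens()` makes the per-app flag a hard requirement, so on a server that already runs with `useClientIdAsSubClaimForAppTokensEnabled`, any existing app whose stored configuration carries no such property will fall into the `else` branch and go back to issuing a username-derived `sub` for app tokens; with the `*_OLD_APP_DEFAULT_VALUE` constants removed later in this series, the fallback for old apps is presumably `false`, which is a silent behaviour change for existing deployments. That deserves a comment above the condition, e.g. `// Requires both the server-wide switch and the per-app flag; apps created before the flag existed keep the username-based sub unless updated.`, and a migration note in the release docs. The enclosing method starts and ends outside the hunk.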
@@ -31,10 +31,13 @@ import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.core.util.IdentityUtil; +import org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl; import org.wso2.carbon.identity.oauth.common.OAuthConstants; import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException; import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration; import org.wso2.carbon.identity.oauth.dao.OAuthAppDO; +import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO; +import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder; import org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider; import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; import org.wso2.carbon.identity.oauth2.OAuth2Constants; @@ -502,8 +505,9 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation } } else { + String tenantDomain; try { - String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); + tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); accessTokenDO = OAuth2ServiceComponentHolder.getInstance().getTokenProvider() .getVerifiedAccessToken(validationRequest.getAccessToken().getIdentifier(), false); boolean isCrossTenantTokenIntrospectionAllowed @@ -570,6 +574,8 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation boolean removeUsernameFromAppTokenEnabled = OAuthServerConfiguration.getInstance() .isRemoveUsernameFromIntrospectionResponseForAppTokensEnabled(); boolean isAppTokenType = StringUtils.equals(OAuthConstants.UserType.APPLICATION, tokenType); + boolean omitUsernameInIntrospectionRespForAppTokens = + isOmitUsernameInIntrospectionRespForAppTokens(accessTokenDO, tenantDomain); // should be in seconds introResp.setIat(accessTokenDO.getIssuedTime().getTime() / 1000); 
@@ -578,7 +584,8 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation // token scopes introResp.setScope(OAuth2Util.buildScopeString((accessTokenDO.getScope()))); // set user-name - if (!removeUsernameFromAppTokenEnabled || !isAppTokenType) { + if (!(removeUsernameFromAppTokenEnabled && omitUsernameInIntrospectionRespForAppTokens) + || !isAppTokenType) { introResp.setUsername(getAuthzUser(accessTokenDO)); } // add client id @@ -671,6 +678,23 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation return introResp; } + private static boolean isOmitUsernameInIntrospectionRespForAppTokens(AccessTokenDO accessTokenDO, + String tenantDomain) + throws IdentityOAuth2Exception { + + OAuthAdminServiceImpl oAuthAdminService = OAuthComponentServiceHolder.getInstance().getoAuthAdminService(); + boolean omitUsernameInIntrospectionRespForAppTokens; + try { + OAuthConsumerAppDTO oAuthApp = oAuthAdminService.getOAuthApplicationData(accessTokenDO.getConsumerKey(), + tenantDomain); + omitUsernameInIntrospectionRespForAppTokens = oAuthApp.isOmitUsernameInIntrospectionRespForAppTokens(); + } catch (Exception e) { + throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id:" + + accessTokenDO.getConsumerKey(), e); + } + return omitUsernameInIntrospectionRespForAppTokens; + } + private String getAuthzUser(AccessTokenDO accessTokenDO) throws IdentityOAuth2Exception { AuthenticatedUser user = accessTokenDO.getAuthzUser(); From 6e4bba90488daa5074e249e7b36ded12d369c495 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Thu, 15 Aug 2024 13:40:42 +0530 Subject: [PATCH 5/9] Add unit tests. --- .../TokenValidationHandlerTest.java | 80 ++++++++++++++----- 1 file changed, 61 insertions(+), 19 deletions(-) 
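Review bot: `isOmitUsernameInIntrospectionRespForAppTokens` resolves the app by `tenantDomain`, which in the surrounding `else` branch is the introspecting caller's thread-local tenant, not the tenant the token was issued in; with `isCrossTenantTokenIntrospectionAllowed` in play the app may not exist in that tenant, and because the helper wraps every failure in `IdentityOAuth2Exception`, an introspection that previously succeeded now fails outright. The handler already has a token-scoped, cached lookup (`OAuth2Util.getAppInformationByAccessTokenDO`, which the test mocks) and imports `OAuthAppDO`; assuming the flag was mirrored onto `OAuthAppDO` in the first commit of this series, the admin-service round trip can be replaced with `OAuthAppDO oAuthApp = OAuth2Util.getAppInformationByAccessTokenDO(accessTokenDO);` followed by `return oAuthApp.isOmitUsernameInIntrospectionRespForAppTokens();`, which also drops the need for the `OAuthAdminServiceImpl`/`OAuthComponentServiceHolder` imports. The `catch (Exception e)` should be narrowed to the checked exceptions that call actually throws rather than swallowing everything into one message.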
diff --git a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandlerTest.java b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandlerTest.java index 4c531ae43ac..fb5b69cf900 100644 --- a/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandlerTest.java +++ b/components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandlerTest.java @@ -44,9 +44,11 @@ import org.wso2.carbon.identity.core.util.IdentityDatabaseUtil; import org.wso2.carbon.identity.core.util.IdentityTenantUtil; import org.wso2.carbon.identity.core.util.IdentityUtil; +import org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl; import org.wso2.carbon.identity.oauth.cache.AppInfoCache; import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration; import org.wso2.carbon.identity.oauth.dao.OAuthAppDO; +import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO; import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder; import org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor; import org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider; @@ -81,6 +83,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Objects; import java.util.Optional; import static org.mockito.ArgumentMatchers.any; @@ -92,6 +95,7 @@ import static org.mockito.Mockito.when; import static org.testng.Assert.assertEquals; import static org.testng.Assert.assertNotNull; +import static org.testng.Assert.assertNull; import static org.testng.Assert.assertThrows; import static org.testng.Assert.assertTrue; import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.SUB_ORG_START_LEVEL; 
@@ -138,7 +142,12 @@ public class TokenValidationHandlerTest { private IdentityProvider identityProvider; @Mock private FederatedAuthenticatorConfig federatedAuthenticatorConfig = new FederatedAuthenticatorConfig(); - + @Mock + OAuthComponentServiceHolder mockOAuthComponentServiceHolder; + @Mock + OAuthConsumerAppDTO mockedOAuthConsumerAppDTO; + @Mock + OAuthAdminServiceImpl mockedOAuthAdminService; private MockedStatic loggerUtils; @BeforeMethod @@ -146,6 +155,7 @@ public void setUp() { authzUser = new AuthenticatedUser(); authzUser.setAccessingOrganization("test_org"); + authzUser.setUserName("test_user"); issuedTime = new Timestamp(System.currentTimeMillis()); refreshTokenIssuedTime = new Timestamp(System.currentTimeMillis()); validityPeriodInMillis = 3600000L; @@ -239,13 +249,21 @@ public void testFindOAuthConsumerIfTokenIsValid(boolean isIDPIdColumnEnabled) th @DataProvider(name = "CommonDataProvider") public Object[][] commonDataProvider() { return new Object[][]{ - {true, "1234"}, - {false, "12345"} + {true, "1234", "testAccessToken", false, false}, + {false, "12345", "testAccessToken", false, false}, + /* These test data are related to testing token type, server and app level config combination for omit + username from introspection response. */ + {true, "1234", "APPLICATION", true, true}, + {true, "1234", "APPLICATION", false, true}, + {true, "1234", "APPLICATION", true, false}, + {true, "1234", "testAccessToken", true, true} }; } @Test(dataProvider = "CommonDataProvider") - public void testBuildIntrospectionResponse(boolean isIDPIdColumnEnabled, String accessTokenId) throws Exception { + public void testBuildIntrospectionResponse(boolean isIDPIdColumnEnabled, String accessTokenId, String tokenTypeData, + boolean omitUsernameInIntrospectionRespAppConfig, + boolean omitUsernameInIntrospectionRespServerConfig) throws Exception { try (MockedStatic oAuthServerConfiguration = mockStatic( OAuthServerConfiguration.class); 
@@ -281,8 +299,8 @@ public void testBuildIntrospectionResponse(boolean isIDPIdColumnEnabled, String accessToken.setTokenType("bearer"); AccessTokenDO accessTokenDO = new AccessTokenDO(clientId, authzUser, scopeArraySorted, issuedTime, - refreshTokenIssuedTime, validityPeriodInMillis, refreshTokenValidityPeriodInMillis, tokenType, - authorizationCode); + refreshTokenIssuedTime, validityPeriodInMillis, refreshTokenValidityPeriodInMillis, + tokenTypeData, authorizationCode); accessTokenDO.setTokenId(accessTokenId); TokenBinding tokenBinding = new TokenBinding(); 
@@ -313,19 +331,43 @@ public void testBuildIntrospectionResponse(boolean isIDPIdColumnEnabled, String appInfoCache.addToCache("testConsumerKey", oAuthAppDO); oAuth2TokenValidationRequestDTO.setAccessToken(accessToken); - oAuth2Util.when(OAuth2Util::getPersistenceProcessor).thenReturn(new PlainTextPersistenceProcessor()); - oAuth2Util.when(() -> OAuth2Util.getAppInformationByAccessTokenDO(any())).thenReturn(oAuthAppDO); - oAuth2Util.when(() -> OAuth2Util.getAccessTokenExpireMillis(any(), Mockito.anyBoolean())) - .thenReturn(1000L); - - OAuth2IntrospectionResponseDTO oAuth2IntrospectionResponseDTO = tokenValidationHandler - .buildIntrospectionResponse(oAuth2TokenValidationRequestDTO); - assertNotNull(oAuth2IntrospectionResponseDTO); - assertEquals(oAuth2IntrospectionResponseDTO.getBindingType(), - OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER); - assertEquals(oAuth2IntrospectionResponseDTO.getBindingReference(), "test_binding_reference"); - assertEquals(oAuth2IntrospectionResponseDTO.getCnfBindingValue(), - "R4Hj_0nNdIzVvPdCdsWlxNKm6a74cszp4Za4M1iE8P9"); + try (MockedStatic oAuthComponentServiceHolder = + mockStatic(OAuthComponentServiceHolder.class)) { + when(OAuthComponentServiceHolder.getInstance()).thenReturn(mockOAuthComponentServiceHolder); + lenient().when(mockOAuthComponentServiceHolder.getoAuthAdminService()) + .thenReturn(mockedOAuthAdminService); + lenient().when(mockedOAuthAdminService.getOAuthApplicationData(anyString(), anyString())) + .thenReturn(mockedOAuthConsumerAppDTO); + lenient().when(mockedOAuthConsumerAppDTO.isOmitUsernameInIntrospectionRespForAppTokens()) + .thenReturn(omitUsernameInIntrospectionRespAppConfig); + + // Mock server level config value. 
+ when(OAuthServerConfiguration.getInstance()).thenReturn(mockOAuthServerConfiguration); + lenient().when(mockOAuthServerConfiguration + .isRemoveUsernameFromIntrospectionResponseForAppTokensEnabled()) + .thenReturn(omitUsernameInIntrospectionRespServerConfig); + + oAuth2Util.when(OAuth2Util::getPersistenceProcessor) + .thenReturn(new PlainTextPersistenceProcessor()); + oAuth2Util.when(() -> OAuth2Util.getAppInformationByAccessTokenDO(any())).thenReturn(oAuthAppDO); + oAuth2Util.when(() -> OAuth2Util.getAccessTokenExpireMillis(any(), Mockito.anyBoolean())) + .thenReturn(1000L); + + OAuth2IntrospectionResponseDTO oAuth2IntrospectionResponseDTO = tokenValidationHandler + .buildIntrospectionResponse(oAuth2TokenValidationRequestDTO); + assertNotNull(oAuth2IntrospectionResponseDTO); + assertEquals(oAuth2IntrospectionResponseDTO.getBindingType(), + OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER); + assertEquals(oAuth2IntrospectionResponseDTO.getBindingReference(), "test_binding_reference"); + assertEquals(oAuth2IntrospectionResponseDTO.getCnfBindingValue(), + "R4Hj_0nNdIzVvPdCdsWlxNKm6a74cszp4Za4M1iE8P9"); + if (omitUsernameInIntrospectionRespAppConfig && omitUsernameInIntrospectionRespServerConfig && + Objects.equals(tokenTypeData, "APPLICATION")) { + assertNull(oAuth2IntrospectionResponseDTO.getUsername()); + } else { + assertEquals(oAuth2IntrospectionResponseDTO.getUsername(), authzUser.getUserName()); + } + } } } } From fc19a148553d8b5f18c96b1146e02223f7bb2f03 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Thu, 15 Aug 2024 14:32:04 +0530 Subject: [PATCH 6/9] Add meaningful variable names. --- .../identity/oauth/dcr/bean/ApplicationUpdateRequest.java | 1 + .../identity/oauth2/validators/TokenValidationHandler.java | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) 
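Review bot: The data provider and the `Objects.equals(tokenTypeData, "APPLICATION")` check hard-code the literal that production compares via `OAuthConstants.UserType.APPLICATION`, so a rename of the constant would leave these cases silently testing a non-app token; use the constant in both places (`{true, "1234", OAuthConstants.UserType.APPLICATION, true, true}`). None of the six rows exercises the failure path of the new lookup: a case where `mockedOAuthAdminService.getOAuthApplicationData(anyString(), anyString())` throws would pin whether introspection is expected to fail or to degrade to the old behaviour, which is the security-relevant question this change raises. Because every stub is `lenient()`, the rows with the server flag off also cannot show that the app lookup is skipped; a `verify(mockedOAuthAdminService, never()).getOAuthApplicationData(...)` on those rows would.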
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java index fd659996e0b..b58bbe2c5c1 100644 --- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java +++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java @@ -95,6 +95,7 @@ public Boolean getOmitUsernameInIntrospectionRespForAppTokens() { public void setOmitUsernameInIntrospectionRespForAppTokens(Boolean omitUsernameInIntrospectionRespForAppTokens) { this.omitUsernameInIntrospectionRespForAppTokens = omitUsernameInIntrospectionRespForAppTokens; + } public String getExtAllowedAudience() { diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java index eaa843ded9f..ae0c6d9d0f7 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.java 
@@ -571,10 +571,10 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation } String tokenType = accessTokenDO.getTokenType(); - boolean removeUsernameFromAppTokenEnabled = OAuthServerConfiguration.getInstance() + boolean removeUsernameFromAppTokenEnabledServerConfig = OAuthServerConfiguration.getInstance() .isRemoveUsernameFromIntrospectionResponseForAppTokensEnabled(); boolean isAppTokenType = StringUtils.equals(OAuthConstants.UserType.APPLICATION, tokenType); - boolean omitUsernameInIntrospectionRespForAppTokens = + boolean removeUsernameFromAppTokenEnabledAppConfig = isOmitUsernameInIntrospectionRespForAppTokens(accessTokenDO, tenantDomain); // should be in seconds @@ -584,7 +584,7 @@ private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidation // token scopes introResp.setScope(OAuth2Util.buildScopeString((accessTokenDO.getScope()))); // set user-name - if (!(removeUsernameFromAppTokenEnabled && omitUsernameInIntrospectionRespForAppTokens) + if (!(removeUsernameFromAppTokenEnabledServerConfig && removeUsernameFromAppTokenEnabledAppConfig) || !isAppTokenType) { introResp.setUsername(getAuthzUser(accessTokenDO)); } From a52e255e372f6063561a377b037be2b0307f83f4 Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Tue, 20 Aug 2024 20:47:33 +0530 Subject: [PATCH 7/9] Remove unused variables. --- .../org/wso2/carbon/identity/oauth/common/OAuthConstants.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java index 555d18f8a6c..9729a6ab6d7 100644 --- a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java 
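Review bot: `isOmitUsernameInIntrospectionRespForAppTokens(accessTokenDO, tenantDomain)` is still evaluated for every introspection, including user tokens and servers where `removeUsernameFromAppTokenEnabledServerConfig` is false, even though its result is only consulted when both of those are true; that is an extra application lookup per call and, since the helper throws on any lookup error, a new way for unrelated introspections to fail. Short-circuit it with `boolean removeUsernameFromAppTokenEnabledAppConfig = removeUsernameFromAppTokenEnabledServerConfig && isAppTokenType && isOmitUsernameInIntrospectionRespForAppTokens(accessTokenDO, tenantDomain);` and the `if` below reduces to `if (!removeUsernameFromAppTokenEnabledAppConfig)`. A comment on that line, e.g. `// Username is omitted only for app tokens when both the server switch and the per-app flag are on.`, would spell out the three-way AND for the next reader. The enclosing method begins and ends outside the hunk.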
+++ b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java @@ -624,12 +624,9 @@ public static class OIDCConfigProperties { "tokenRevocationWithIDPSessionTermination"; public static final String TOKEN_BINDING_VALIDATION = "tokenBindingValidation"; public static final String USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS = "useClientIdAsSubClaimForAppTokens"; - public static final boolean USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_OLD_APP_DEFAULT_VALUE = false; public static final boolean USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE = true; public static final String OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN = "omitUsernameInIntrospectionRespForAppTokens"; - public static final boolean OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_OLD_APP_DEFAULT_VALUE = - false; public static final boolean OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE = true; public static final String TOKEN_BINDING_TYPE_NONE = "None"; From 654f5f317e1172caab3391cbeb66a4bc2703b04b Mon Sep 17 00:00:00 2001 From: Madhavi Gayathri Date: Tue, 20 Aug 2024 21:31:26 +0530 Subject: [PATCH 8/9] Fix checkstyle issues. --- .../identity/oauth/OAuthAdminServiceImpl.java | 44 ++++++++++--------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java index 0df9fa4ca0f..a694370e4f7 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java 
@@ -109,9 +109,9 @@ import static org.wso2.carbon.identity.oauth.Error.INVALID_SUBJECT_TYPE_UPDATE; import static org.wso2.carbon.identity.oauth.OAuthUtil.handleError; import static org.wso2.carbon.identity.oauth.OAuthUtil.handleErrorWithExceptionType; +import static org.wso2.carbon.identity.oauth.common.OAuthConstants.ENABLE_CLAIMS_SEPARATION_FOR_ACCESS_TOKEN; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE; -import static org.wso2.carbon.identity.oauth.common.OAuthConstants.ENABLE_CLAIMS_SEPARATION_FOR_ACCESS_TOKEN; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDC_DIALECT; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_ACTIVE; import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_DELETED; @@ -221,7 +221,7 @@ public OAuthConsumerAppDTO getOAuthApplicationData(String consumerKey) throws Id /** * Get OAuth application data by the consumer key and tenant domain. * - * @param consumerKey Consumer Key + * @param consumerKey Consumer Key * @param tenantDomain Tenant domain * @return OAuthConsumerAppDTO with application information * @throws IdentityOAuthAdminException Error when reading application information from persistence store. 
@@ -343,8 +343,8 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO */ if (defaultAppOwner == null) { if (LOG.isDebugEnabled()) { - LOG.debug("No authenticated user found. Setting tenant admin as the owner for app : " + - application.getApplicationName()); + LOG.debug("No authenticated user found. Setting tenant admin as the owner for app : " + + application.getApplicationName()); } String adminUsername = application.getUsername(); defaultAppOwner = buildAuthenticatedUser(adminUsername, tenantDomain); @@ -474,7 +474,7 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO validateFAPISignatureAlgorithms(tokenEndpointAuthSigningAlgorithm); } else { filterSignatureAlgorithms(tokenEndpointAuthSigningAlgorithm, - OAuthConstants.TOKEN_EP_SIGNATURE_ALG_CONFIGURATION); + OAuthConstants.TOKEN_EP_SIGNATURE_ALG_CONFIGURATION); } app.setTokenEndpointAuthSignatureAlgorithm(tokenEndpointAuthSigningAlgorithm); } @@ -514,7 +514,7 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO validateFAPISignatureAlgorithms(idTokenSignatureAlgorithm); } else { filterSignatureAlgorithms(idTokenSignatureAlgorithm, - OAuthConstants.ID_TOKEN_SIGNATURE_ALG_CONFIGURATION); + OAuthConstants.ID_TOKEN_SIGNATURE_ALG_CONFIGURATION); } app.setIdTokenSignatureAlgorithm(idTokenSignatureAlgorithm); } @@ -612,7 +612,6 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO return oAuthConsumerAppDTO; } - private Optional getLoggedInUser(String tenantDomain) { String tenantAwareLoggedInUsername = CarbonContext.getThreadLocalCarbonContext().getUsername(); 
@@ -717,6 +716,7 @@ private void validateBindingType(String bindingType) throws IdentityOAuthClientE /** * FAPI validation to restrict the token binding type to ensure MTLS sender constrained access tokens. * Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server + * * @param bindingType Token binding type. * @throws IdentityOAuthClientException if binding type is not 'certificate'. */ @@ -1496,7 +1496,6 @@ void removeOAuthApplicationData(String consumerKey, boolean enableAuditing) thro Properties properties = new Properties(); properties.setProperty(OAuthConstants.OAUTH_APP_NEW_STATE, APP_STATE_DELETED); - Set activeDetailedTokens; try { activeDetailedTokens = OAuthTokenPersistenceFactory @@ -1638,7 +1637,7 @@ public OAuthConsumerAppDTO[] getAppsAuthorizedByUser() throws IdentityOAuthAdmin try { scopedToken = OAuthTokenPersistenceFactory.getInstance(). getAccessTokenDAO().getLatestAccessToken(clientId, loggedInUser, userStoreDomain, - scopeString, true); + scopeString, true); if (scopedToken != null && !distinctClientUserScopeCombo.contains(clientId + ":" + username)) { OAuthAppDO appDO = getOAuthAppDO(scopedToken.getConsumerKey(), tenantDomain); if (LOG.isDebugEnabled()) { @@ -2284,7 +2283,6 @@ String[] filterScopeValidators(OAuthConsumerAppDTO application) throws IdentityO return requestedScopeValidators; } - /** * Get the IdToken Encryption Method registered by the user and filter the allowed one. * 
@@ -2574,7 +2572,7 @@ private void handleInternalTokenRevocation(String consumerKey, Properties proper /** * Return whether the request of updating the tokenEndpointAllowReusePvtKeyJwt is valid. * - * @param tokenEndpointAuthMethod token endpoint client authentication method. + * @param tokenEndpointAuthMethod token endpoint client authentication method. * @param tokenEndpointAllowReusePvtKeyJwt During client authentication whether to reuse private key JWT. * @return True if tokenEndpointAuthMethod and tokenEndpointAllowReusePvtKeyJwt is NOT in the correct format. */ @@ -2592,6 +2590,7 @@ private boolean isInvalidTokenEPReusePvtKeyJwtRequest(String tokenEndpointAuthMe /** * FAPI validation to restrict the token endpoint authentication methods. * Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server (5.2.2 - 14) + * * @param authenticationMethod authentication methid used to authenticate to the token endpoint * @throws IdentityOAuthClientException */ @@ -2607,6 +2606,7 @@ private void validateFAPITokenAuthMethods(String authenticationMethod) throws Id /** * FAPI validation to restrict the signature algorithms. * Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#algorithm-considerations + * * @param signatureAlgorithm signature algorithm used to sign the assertions. * @throws IdentityOAuthClientException */ @@ -2623,6 +2623,7 @@ private void validateFAPISignatureAlgorithms(String signatureAlgorithm) /** * FAPI validation to restrict the encryption algorithms. * Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#encryption-algorithm-considerations + * * @param encryptionAlgorithm * @throws IdentityOAuthClientException */ 
@@ -2634,11 +2635,11 @@ private void validateFAPIEncryptionAlgorithms(String encryptionAlgorithm) } } - /** * If there are multiple hostnames in the registered redirect_uris, * the Client MUST register a sector_identifier_uri. * https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg + * * @param redirectURIs list of callback urls sent in the request * @throws IdentityOAuthClientException */ @@ -2700,7 +2701,8 @@ private void validateSectorIdentifierURI(String sectorIdentifierURI, List getRedirectURIList(OAuthConsumerAppDTO application) { 
@@ -2760,14 +2762,14 @@ private static void clearTokensFromCache(String consumerKey, AccessTokenDO detai authorizedUser = detailToken.getAuthzUser().getUserId(); } catch (UserIdNotFoundException e) { /* - * This fall back mechanism is added to support the token deletion process of the token exchange grant type. - * When a token is issued from the token exchange grant type, the username for the token is set from the - * `sub` property of the JWT token. This `sub` property of the JWT claim can be any value. When deleting - * those access tokens while deleting the applications, it tried to resolve the user to remove the cache. - * In that case, the user id extraction is failing because the user is searched from the username claim - * by adding the `sub` value of the user. To prevent that, the authorized user will be extracted from the - * subject identifier of the issued token. - */ + * This fall back mechanism is added to support the token deletion process of the token exchange grant type. + * When a token is issued from the token exchange grant type, the username for the token is set from the + * `sub` property of the JWT token. This `sub` property of the JWT claim can be any value. When deleting + * those access tokens while deleting the applications, it tried to resolve the user to remove the cache. + * In that case, the user id extraction is failing because the user is searched from the username claim + * by adding the `sub` value of the user. To prevent that, the authorized user will be extracted from the + * subject identifier of the issued token. + */ if (detailToken.getAuthzUser().getAuthenticatedSubjectIdentifier() != null) { authorizedUser = detailToken.getAuthzUser().getAuthenticatedSubjectIdentifier(); } else { From 0db749da6c8c4cc749b23a669db6e8019383a061 Mon Sep 17 00:00:00 2001 
From: Madhavi Gayathri Date: Wed, 21 Aug 2024 08:41:37 +0530 Subject: [PATCH 9/9] Check server config, before applying default behavior. --- .../identity/oauth/OAuthAdminServiceImpl.java | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java index a694370e4f7..fc2c4e5fc52 100755 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java 
@@ -437,21 +437,33 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO application.isTokenRevocationWithIDPSessionTerminationEnabled()); /* If the value is not sent at the request, set the default value for new apps, this ensures for new apps, the USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS property is never null. */ + boolean useClientIdAsSubClaimForAppTokensEnabledServerConfig = OAuthServerConfiguration + .getInstance().isUseClientIdAsSubClaimForAppTokensEnabled(); if (application.isUseClientIdAsSubClaimForAppTokens() != null) { app.setUseClientIdAsSubClaimForAppTokens(application.isUseClientIdAsSubClaimForAppTokens()); - } else { + } else if (useClientIdAsSubClaimForAppTokensEnabledServerConfig) { app.setUseClientIdAsSubClaimForAppTokens( USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE); + } else { + app.setUseClientIdAsSubClaimForAppTokens( + !USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE); } + /* If the value is not sent at the request, set the default value for new apps, this ensures for new apps, the OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN property is never null. 
*/ + boolean removeUsernameFromAppTokenEnabledServerConfig = OAuthServerConfiguration.getInstance() + .isRemoveUsernameFromIntrospectionResponseForAppTokensEnabled(); if (application.isOmitUsernameInIntrospectionRespForAppTokens() != null) { app.setOmitUsernameInIntrospectionRespForAppTokens( application.isOmitUsernameInIntrospectionRespForAppTokens()); - } else { + } else if (removeUsernameFromAppTokenEnabledServerConfig) { app.setOmitUsernameInIntrospectionRespForAppTokens( OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE); + } else { + app.setOmitUsernameInIntrospectionRespForAppTokens( + !OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE); } + String tokenEndpointAuthMethod = application.getTokenEndpointAuthMethod(); if (StringUtils.isNotEmpty(tokenEndpointAuthMethod)) { if (isFAPIConformanceEnabled) {
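Review bot: The two `else` fallbacks added in this hunk assign `!USE_CLIENT_ID_AS_SUB_CLAIM_FOR_APP_TOKENS_NEW_APP_DEFAULT_VALUE` and `!OMIT_USERNAME_IN_INTROSPECTION_RESP_FOR_APP_TOKEN_NEW_APP_DEFAULT_VALUE`, which obscures that the result is the legacy behaviour; a dedicated legacy-default constant (or a literal) reads more honestly than negating the new-app default. The comment above each block still says "set the default value for new apps", but the default is now selected by the `OAuthServerConfiguration` flag read just below it, so the comment should say so, e.g. `/* If the value is not sent in the request, fall back to the server-level config: when the server flag is enabled the new-app default applies, otherwise the legacy behaviour is kept, so the property is never null. */`. Because a registration request that omits these fields now silently inherits whichever server setting is active, a debug log of the effective value for each property would help operators confirm what sub claim and introspection shape app tokens will get. Both property blocks share this shape, so the same change applies to each. `registerAndRetrieveOAuthApplicationData` starts before and continues after the hunk.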