feat(jans-auth-server): add configurable rotation of client's registr…

…ation access token #3578

jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java

@@ -382,6 +382,9 @@ public class AppConfiguration implements Configuration {
     @DocProperty(description = "Boolean value specifying whether a client_secret is returned on client GET or PUT. Set to true by default which means to return secret", defaultValue = "false")
     private Boolean returnClientSecretOnRead = false;
 
+    @DocProperty(description = "Boolean value specifying whether to rotate client registration access token after each usage", defaultValue = "false")
+    private Boolean rotateClientRegistrationAccessTokenOnUsage = false;
+
     @DocProperty(description = "Boolean value specifying whether reject JWT requested or validated with algorithm None. Default value is true", defaultValue = "true")
     private Boolean rejectJwtWithNoneAlg = true;
 
@@ -1160,6 +1163,15 @@ public void setChangeSessionIdOnAuthentication(Boolean changeSessionIdOnAuthenti
         this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
     }
 
+    public Boolean getRotateClientRegistrationAccessTokenOnUsage() {
+        if (rotateClientRegistrationAccessTokenOnUsage == null) rotateClientRegistrationAccessTokenOnUsage = false;
+        return rotateClientRegistrationAccessTokenOnUsage;
+    }
+
+    public void setRotateClientRegistrationAccessTokenOnUsage(Boolean rotateClientRegistrationAccessTokenOnUsage) {
+        this.rotateClientRegistrationAccessTokenOnUsage = rotateClientRegistrationAccessTokenOnUsage;
+    }
+
     public Boolean getReturnClientSecretOnRead() {
         if (returnClientSecretOnRead == null) returnClientSecretOnRead = false;
         return returnClientSecretOnRead;

jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java

@@ -22,18 +22,13 @@
 import io.jans.as.server.model.audit.OAuth2AuditLog;
 import io.jans.as.server.model.common.ExecutionContext;
 import io.jans.as.server.model.registration.RegisterParamsValidator;
-import io.jans.as.server.model.token.HandleTokenFactory;
 import io.jans.as.server.register.ws.rs.RegisterJsonService;
 import io.jans.as.server.register.ws.rs.RegisterService;
 import io.jans.as.server.register.ws.rs.RegisterValidator;
 import io.jans.as.server.service.ClientService;
 import io.jans.as.server.service.external.ExternalDynamicClientRegistrationService;
 import io.jans.as.server.util.ServerUtil;
 import io.jans.util.security.StringEncrypter;
-import org.apache.commons.lang.StringUtils;
-import org.json.JSONObject;
-import org.slf4j.Logger;
-
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
@@ -42,12 +37,12 @@
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.SecurityContext;
+import org.apache.commons.lang.StringUtils;
+import org.json.JSONObject;
+import org.slf4j.Logger;
+
 import java.net.URI;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.TimeZone;
-import java.util.UUID;
+import java.util.*;
 
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
 
@@ -144,7 +139,7 @@ public Response createClient(String requestParams, HttpServletRequest httpReques
             client.setClientId(inum);
             client.setDeletable(true);
             client.setClientSecret(clientService.encryptSecret(generatedClientSecret));
-            client.setRegistrationAccessToken(HandleTokenFactory.generateHandleToken());
+            client.setRegistrationAccessToken(clientService.generateRegistrationAccessToken());
             client.setIdTokenTokenBindingCnf(r.getIdTokenTokenBindingCnf());
 
             final Calendar calendar = new GregorianCalendar(TimeZone.getTimeZone("UTC"));

jans-auth-server/server/src/main/java/io/jans/as/server/service/ClientService.java

@@ -13,6 +13,7 @@
 import io.jans.as.model.config.StaticConfiguration;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.persistence.model.Scope;
+import io.jans.as.server.model.token.HandleTokenFactory;
 import io.jans.orm.PersistenceEntryManager;
 import io.jans.orm.exception.EntryPersistenceException;
 import io.jans.orm.model.base.CustomAttribute;
@@ -27,6 +28,7 @@
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
+import org.apache.commons.lang3.BooleanUtils;
 import org.json.JSONArray;
 import org.python.jline.internal.Preconditions;
 import org.slf4j.Logger;
@@ -165,11 +167,29 @@ public boolean isPublic(Client client) {
     public Client getClient(String clientId, String registrationAccessToken) {
         final Client client = getClient(clientId);
         if (client != null && registrationAccessToken != null && registrationAccessToken.equals(client.getRegistrationAccessToken())) {
+            rotateRegistrationAccessToken(client);
             return client;
         }
         return null;
     }
 
+    public String generateRegistrationAccessToken() {
+        return HandleTokenFactory.generateHandleToken();
+    }
+
+    public void rotateRegistrationAccessToken(Client client) {
+        if (client == null) {
+            return;
+        }
+
+        if (BooleanUtils.isFalse(appConfiguration.getRotateClientRegistrationAccessTokenOnUsage())) {
+            return;
+        }
+
+        client.setRegistrationAccessToken(generateRegistrationAccessToken());
+        persist(client);
+    }
+
     public Set<Client> getClientsByDns(Collection<String> dnList) {
         return getClientsByDns(dnList, true);
     }