diff --git a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/wizards/AttrWizardBuilder.java b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/wizards/AttrWizardBuilder.java index 8eb63d4ef7..16009194b5 100644 --- a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/wizards/AttrWizardBuilder.java +++ b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/wizards/AttrWizardBuilder.java @@ -44,7 +44,7 @@ protected WizardModel buildModelSteps(final Attr modelObject, final WizardModel protected static class AttrStep extends WizardStep { - private static final long serialVersionUID = 1L; + private static final long serialVersionUID = 8145346883748040158L; AttrStep(final Attr modelObject) { AjaxTextFieldPanel schema = new AjaxTextFieldPanel( diff --git a/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/panels/OIDCProvidersDirectoryPanel.java b/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/panels/OIDCProvidersDirectoryPanel.java index 283e5bbc48..b88d836840 100644 --- a/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/panels/OIDCProvidersDirectoryPanel.java +++ b/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/panels/OIDCProvidersDirectoryPanel.java @@ -137,9 +137,8 @@ protected ActionLinksTogglePanel actionTogglePanel() { @Override public void updateHeader(final AjaxRequestTarget target, final Serializable object) { - if (object instanceof OIDCC4UIProviderTO) { - setHeader(target, - StringUtils.abbreviate(((OIDCC4UIProviderTO) object).getName(), HEADER_FIRST_ABBREVIATION)); + if (object instanceof OIDCC4UIProviderTO provider) { + setHeader(target, StringUtils.abbreviate(provider.getName(), HEADER_FIRST_ABBREVIATION)); } else { super.updateHeader(target, object); } 
diff --git a/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java b/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java index 6757241a1c..7c80d5ae03 100644 --- a/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java +++ b/ext/oidcc4ui/client-console/src/main/java/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder.java @@ -23,6 +23,7 @@ import java.util.concurrent.Callable; import java.util.concurrent.Future; import java.util.stream.Collectors; +import java.util.stream.Stream; import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.tuple.Pair; import org.apache.syncope.client.console.SyncopeConsoleSession; @@ -30,6 +31,7 @@ import org.apache.syncope.client.console.panels.OIDCProvidersDirectoryPanel; import org.apache.syncope.client.console.rest.ImplementationRestClient; import org.apache.syncope.client.console.rest.OIDCProviderRestClient; +import org.apache.syncope.client.console.wicket.markup.html.form.MultiFieldPanel; import org.apache.syncope.client.console.wizards.mapping.ItemTransformersTogglePanel; import org.apache.syncope.client.console.wizards.mapping.JEXLTransformersTogglePanel; import org.apache.syncope.client.console.wizards.mapping.OIDCProviderMappingPanel; @@ -42,6 +44,7 @@ import org.apache.syncope.common.lib.to.ImplementationTO; import org.apache.syncope.common.lib.to.OIDCC4UIProviderTO; import org.apache.syncope.common.lib.types.OIDCClientImplementationType; +import org.apache.syncope.common.lib.types.OIDCScope; import org.apache.wicket.PageReference; import org.apache.wicket.ajax.AjaxRequestTarget; import org.apache.wicket.extensions.wizard.WizardModel; 
@@ -107,11 +110,7 @@ protected Serializable onApplyInternal(final OIDCC4UIProviderTO modelObject) { @Override protected WizardModel buildModelSteps(final OIDCC4UIProviderTO modelObject, final WizardModel wizardModel) { wizardModel.add(new OP(modelObject)); - if (modelObject.getKey() == null) { - wizardModel.add(new OPContinue(modelObject)); - } else { - wizardModel.add(new OPContinue(modelObject, true)); - } + wizardModel.add(new OPContinue(modelObject, modelObject.getKey() != null)); Mapping mapping = new Mapping(); mapping.setOutputMarkupId(true); @@ -145,6 +144,7 @@ protected void sendWarning(final String message) { @Override protected Future> execute( final Callable> future) { + return SyncopeConsoleSession.get().execute(future); } 
@@ -200,61 +200,63 @@ public static class OPContinue extends WizardStep { private static final long serialVersionUID = -7087008312629522790L; - public OPContinue(final OIDCC4UIProviderTO opTO) { - final WebMarkupContainer content = new WebMarkupContainer("content"); + public OPContinue(final OIDCC4UIProviderTO opTO, final boolean readOnly) { this.setOutputMarkupId(true); + + WebMarkupContainer content = new WebMarkupContainer("content"); content.setOutputMarkupId(true); add(content); UrlValidator urlValidator = new UrlValidator(); - final AjaxTextFieldPanel issuer = new AjaxTextFieldPanel( + + AjaxTextFieldPanel issuer = new AjaxTextFieldPanel( "issuer", "issuer", new PropertyModel<>(opTO, "issuer")); issuer.addValidator(urlValidator); issuer.addRequiredLabel(); - content.add(issuer); + content.add(issuer.setReadOnly(readOnly)); - final AjaxCheckBoxPanel hasDiscovery = new AjaxCheckBoxPanel( + AjaxCheckBoxPanel hasDiscovery = new AjaxCheckBoxPanel( "hasDiscovery", "hasDiscovery", new PropertyModel<>(opTO, "hasDiscovery")); content.add(hasDiscovery); - final AjaxTextFieldPanel authorizationEndpoint = new AjaxTextFieldPanel("authorizationEndpoint", + AjaxTextFieldPanel authorizationEndpoint = new AjaxTextFieldPanel("authorizationEndpoint", "authorizationEndpoint", new PropertyModel<>(opTO, "authorizationEndpoint")); authorizationEndpoint.addRequiredLabel(); authorizationEndpoint.addValidator(urlValidator); - content.add(authorizationEndpoint); + content.add(authorizationEndpoint.setReadOnly(readOnly)); - final AjaxTextFieldPanel userinfoEndpoint = new AjaxTextFieldPanel("userinfoEndpoint", + AjaxTextFieldPanel userinfoEndpoint = new AjaxTextFieldPanel("userinfoEndpoint", "userinfoEndpoint", new PropertyModel<>(opTO, "userinfoEndpoint")); userinfoEndpoint.addValidator(urlValidator); - content.add(userinfoEndpoint); + content.add(userinfoEndpoint.setReadOnly(readOnly)); - final AjaxTextFieldPanel tokenEndpoint = new AjaxTextFieldPanel("tokenEndpoint", + 
AjaxTextFieldPanel tokenEndpoint = new AjaxTextFieldPanel("tokenEndpoint", "tokenEndpoint", new PropertyModel<>(opTO, "tokenEndpoint")); tokenEndpoint.addRequiredLabel(); tokenEndpoint.addValidator(urlValidator); - content.add(tokenEndpoint); + content.add(tokenEndpoint.setReadOnly(readOnly)); - final AjaxTextFieldPanel jwksUri = new AjaxTextFieldPanel("jwksUri", + AjaxTextFieldPanel jwksUri = new AjaxTextFieldPanel("jwksUri", "jwksUri", new PropertyModel<>(opTO, "jwksUri")); jwksUri.addRequiredLabel(); jwksUri.addValidator(urlValidator); - content.add(jwksUri); + content.add(jwksUri.setReadOnly(readOnly)); - final AjaxTextFieldPanel endSessionEndpoint = new AjaxTextFieldPanel("endSessionEndpoint", + AjaxTextFieldPanel endSessionEndpoint = new AjaxTextFieldPanel("endSessionEndpoint", "endSessionEndpoint", new PropertyModel<>(opTO, "endSessionEndpoint")); endSessionEndpoint.addValidator(urlValidator); - content.add(endSessionEndpoint); + content.add(endSessionEndpoint.setReadOnly(readOnly)); - final WebMarkupContainer visibleParam = new WebMarkupContainer("visibleParams"); - visibleParam.setOutputMarkupPlaceholderTag(true); - visibleParam.add(authorizationEndpoint); - visibleParam.add(userinfoEndpoint); - visibleParam.add(tokenEndpoint); - visibleParam.add(jwksUri); - visibleParam.add(endSessionEndpoint); - content.add(visibleParam); + WebMarkupContainer visibleParams = new WebMarkupContainer("visibleParams"); + visibleParams.setOutputMarkupPlaceholderTag(true); + visibleParams.add(authorizationEndpoint); + visibleParams.add(userinfoEndpoint); + visibleParams.add(tokenEndpoint); + visibleParams.add(jwksUri); + visibleParams.add(endSessionEndpoint); + content.add(visibleParams); - showHide(hasDiscovery, visibleParam); + showHide(hasDiscovery, visibleParams); hasDiscovery.getField().add(new IndicatorAjaxFormComponentUpdatingBehavior(Constants.ON_CHANGE) { 
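Review bot: In the merged OPContinue constructor the `readOnly` flag is applied to the text fields but no longer to `hasDiscovery`, which the removed read-only constructor (next hunk, -262) did set via `hasDiscovery.setReadOnly(readOnly)`; for an existing provider (readOnly is now `getKey() != null` from the -107 hunk) the checkbox toggles the display of endpoint fields that cannot be edited. The new scopes `MultiFieldPanel` added at the end of the -262 hunk is likewise never set read-only, and `addRequiredLabel()`/`addValidator(urlValidator)` are now attached in read-only mode too, which the old read-only constructor did not do. If the checkbox is meant to stay frozen in edit mode, `hasDiscovery.setReadOnly(readOnly);` before `content.add(hasDiscovery);` restores the prior behaviour; if the looser behaviour is intentional, a one-line comment on the constructor saying that `readOnly` only covers the endpoint fields would spare the next reader the same question. The constructor body continues into the next hunk.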
@@ -262,70 +264,20 @@ public OPContinue(final OIDCC4UIProviderTO opTO) { @Override protected void onUpdate(final AjaxRequestTarget target) { - showHide(hasDiscovery, visibleParam); - target.add(visibleParam); + showHide(hasDiscovery, visibleParams); + target.add(visibleParams); } }); - } - - public OPContinue(final OIDCC4UIProviderTO opTO, final boolean readOnly) { - WebMarkupContainer content = new WebMarkupContainer("content"); - this.setOutputMarkupId(true); - content.setOutputMarkupId(true); - add(content); - final AjaxTextFieldPanel issuer = new AjaxTextFieldPanel( - "issuer", "issuer", new PropertyModel<>(opTO, "issuer")); - issuer.setReadOnly(readOnly); - content.add(issuer); - - final AjaxCheckBoxPanel hasDiscovery = new AjaxCheckBoxPanel( - "hasDiscovery", "hasDiscovery", new PropertyModel<>(opTO, "hasDiscovery")); - hasDiscovery.setReadOnly(readOnly); - content.add(hasDiscovery); - - final AjaxTextFieldPanel authorizationEndpoint = new AjaxTextFieldPanel("authorizationEndpoint", - "authorizationEndpoint", new PropertyModel<>(opTO, "authorizationEndpoint")); - authorizationEndpoint.setReadOnly(readOnly); - content.add(authorizationEndpoint); - - final AjaxTextFieldPanel userinfoEndpoint = new AjaxTextFieldPanel("userinfoEndpoint", - "userinfoEndpoint", new PropertyModel<>(opTO, "userinfoEndpoint")); - userinfoEndpoint.setReadOnly(readOnly); - content.add(userinfoEndpoint); - - final AjaxTextFieldPanel tokenEndpoint = new AjaxTextFieldPanel("tokenEndpoint", - "tokenEndpoint", new PropertyModel<>(opTO, "tokenEndpoint")); - tokenEndpoint.setReadOnly(readOnly); - content.add(tokenEndpoint); - - final AjaxTextFieldPanel jwksUri = new AjaxTextFieldPanel("jwksUri", - "jwksUri", new PropertyModel<>(opTO, "jwksUri")); - jwksUri.setReadOnly(readOnly); - content.add(jwksUri); - - final AjaxTextFieldPanel endSessionEndpoint = new AjaxTextFieldPanel("endSessionEndpoint", - "endSessionEndpoint", new PropertyModel<>(opTO, "endSessionEndpoint")); - 
endSessionEndpoint.setReadOnly(readOnly); - content.add(endSessionEndpoint); - - final WebMarkupContainer visibleParam = new WebMarkupContainer("visibleParams"); - visibleParam.setOutputMarkupPlaceholderTag(true); - visibleParam.add(authorizationEndpoint); - visibleParam.add(userinfoEndpoint); - visibleParam.add(tokenEndpoint); - visibleParam.add(jwksUri); - visibleParam.add(endSessionEndpoint); - content.add(visibleParam); + AjaxTextFieldPanel value = new AjaxTextFieldPanel("panel", "scopes", new Model<>()); + value.setChoices(Stream.of(OIDCScope.values()).map(s -> s.name().toLowerCase()).toList()); + content.add(new MultiFieldPanel.Builder( + new PropertyModel<>(opTO, "scopes")).build("scopes", "scopes", value)); } } private static void showHide(final AjaxCheckBoxPanel hasDiscovery, final WebMarkupContainer visibleParams) { - if (hasDiscovery.getField().getValue().equals("false")) { - visibleParams.setVisible(true); - } else { - visibleParams.setVisible(false); - } + visibleParams.setVisible("false".equals(hasDiscovery.getField().getValue())); } /** diff --git a/ext/oidcc4ui/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html b/ext/oidcc4ui/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html index 0f8de216f4..e36e9d2eee 100644 --- a/ext/oidcc4ui/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html +++ b/ext/oidcc4ui/client-console/src/main/resources/org/apache/syncope/client/console/wizards/OIDCProviderWizardBuilder$OPContinue.html @@ -29,6 +29,8 @@ [userinfoEndpoint] [endSessionEndpoint] + + diff --git a/ext/oidcc4ui/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCC4UIProviderTO.java b/ext/oidcc4ui/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCC4UIProviderTO.java index aaea125970..33acb7a9ce 100644 
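Review bot: `s.name().toLowerCase()` in the scopes choice list is locale-sensitive: under a default locale such as Turkish the `I` in names like `OPENID` or `PROFILE` lower-cases to a dotless ı, producing scope strings the OP will not recognise. Use `s.name().toLowerCase(Locale.ROOT)` (importing `java.util.Locale`); the same expression appears in the OIDC4UIITCase hunk at -134 and should change with it. The values entered into this panel are what JPAOIDCC4UIProvider later joins and splits on a single space, so a typed value containing whitespace would be persisted as two scopes; a validator on `value` rejecting blanks would catch that at input time rather than after storage.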
--- a/ext/oidcc4ui/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCC4UIProviderTO.java +++ b/ext/oidcc4ui/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCC4UIProviderTO.java @@ -48,6 +48,8 @@ public class OIDCC4UIProviderTO extends ItemContainer implements EntityTO { private String endSessionEndpoint; + private final List scopes = new ArrayList<>(); + private boolean hasDiscovery; private boolean createUnmatching; @@ -143,6 +145,12 @@ public void setEndSessionEndpoint(final String endSessionEndpoint) { this.endSessionEndpoint = endSessionEndpoint; } + @JacksonXmlElementWrapper(localName = "scopes") + @JacksonXmlProperty(localName = "scope") + public List getScopes() { + return scopes; + } + public UserTO getUserTemplate() { return userTemplate; } diff --git a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/OIDCC4UILogic.java b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/OIDCC4UILogic.java index ce4faec779..e4f974bb91 100644 --- a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/OIDCC4UILogic.java +++ b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/OIDCC4UILogic.java @@ -139,6 +139,7 @@ public OIDCLoginResponse login(final String redirectURI, final String authorizat // 2. get OpenID Connect tokens String idTokenHint; JWTClaimsSet idToken; + JWTClaimsSet accessToken; try { OidcCredentials credentials = new OidcCredentials(); credentials.setCode(new AuthorizationCode(authorizationCode)); @@ -149,6 +150,8 @@ public OIDCLoginResponse login(final String redirectURI, final String authorizat idToken = credentials.getIdToken().getJWTClaimsSet(); idTokenHint = credentials.getIdToken().serialize(); + + accessToken = SignedJWT.parse(credentials.getAccessToken().getValue()).getJWTClaimsSet(); } catch (Exception e) { LOG.error("While validating Token Response", e); SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown); 
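Review bot: `SignedJWT.parse(credentials.getAccessToken().getValue())` assumes the access token is a JWT, but OIDC access tokens are frequently opaque strings; for such providers the resulting `ParseException` falls into the surrounding `catch (Exception e)` and the whole login fails with "While validating Token Response", a regression from the previous code, which never inspected the access token. `parse` also only decodes: the ID token has been validated by pac4j before `getIdToken()` is read, but this token's signature, issuer and audience are not checked here, and its claims feed user attributes in the -166 hunk (L9), so they deserve either the same validation against the OP's keys or a comment stating that the token arrived over the back-channel token exchange and is trusted on that basis. The minimal fix for the opaque-token case is to make the access-token claims optional: declare `Optional<JWTClaimsSet> accessToken;` in the -139 hunk, fill it through a helper that catches only `java.text.ParseException`, and read it in the mapping as `.or(() -> accessToken.map(a -> a.getClaim(item.getExtAttrName())))`. The `login` body continues outside this hunk; the helper below would sit next to it.
```java
            // … unchanged: credentials setup, token response validation, idToken / idTokenHint …
            accessToken = parseAccessTokenClaims(credentials.getAccessToken().getValue());
            // … unchanged: catch (Exception e) building the SyncopeClientException …

    /**
     * Access tokens are not required to be JWTs; only a parseable one contributes fallback claims.
     * NOTE(review): decoded only — signature, issuer and audience of the access token are not verified here.
     */
    private Optional<JWTClaimsSet> parseAccessTokenClaims(final String accessToken) {
        try {
            return Optional.of(SignedJWT.parse(accessToken).getJWTClaimsSet());
        } catch (ParseException e) {
            LOG.debug("Access token is not a JWT, mapping claims from the ID token only", e);
            return Optional.empty();
        }
    }
```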
@@ -166,9 +169,10 @@ public OIDCLoginResponse login(final String redirectURI, final String authorizat Attr attrTO = new Attr(); attrTO.setSchema(item.getExtAttrName()); - String value = idToken.getClaim(item.getExtAttrName()) == null - ? null - : idToken.getClaim(item.getExtAttrName()).toString(); + String value = Optional.ofNullable(idToken.getClaim(item.getExtAttrName())). + or(() -> Optional.ofNullable(accessToken.getClaim(item.getExtAttrName()))). + map(Object::toString). + orElse(null); if (value != null) { attrTO.getValues().add(value); loginResponse.getAttrs().add(attrTO); diff --git a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java index 19472c8638..a4f67b3aba 100644 --- a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java +++ b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java @@ -33,6 +33,7 @@ import java.util.List; import java.util.Optional; import java.util.function.Function; +import java.util.stream.Collectors; import org.apache.syncope.common.lib.to.OIDCC4UIProviderTO; import org.apache.syncope.core.persistence.api.entity.OIDCC4UIProvider; import org.pac4j.core.http.callback.NoParameterCallbackUrlResolver; @@ -74,6 +75,7 @@ public static void importMetadata(final OIDCC4UIProviderTO opTO) Optional.ofNullable(metadata.getUserInfoEndpointURI()).map(URI::toASCIIString).orElse(null)); opTO.setEndSessionEndpoint( Optional.ofNullable(metadata.getEndSessionEndpointURI()).map(URI::toASCIIString).orElse(null)); + Optional.ofNullable(metadata.getScopes()).ifPresent(s -> opTO.getScopes().addAll(s.toStringList())); } protected final List cache = Collections.synchronizedList(new ArrayList<>()); 
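Review bot: `opTO.getScopes().addAll(s.toStringList())` in importMetadata appends to whatever the TO already holds, so if this method is ever invoked on a TO that already carries scopes (a re-import after editing, or a TO round-tripped through the console) each scope is listed twice and then persisted as a duplicated space-joined string; the callers are not visible from here, so this may be unreachable in practice. The endpoint setters just above overwrite rather than append, so `opTO.getScopes().clear();` before the `addAll` would match them; if appending is intended, `s.toStringList().stream().filter(scope -> !opTO.getScopes().contains(scope)).forEach(opTO.getScopes()::add)` keeps the list duplicate-free.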
@@ -103,7 +105,7 @@ public OidcClient add(final OIDCC4UIProvider op, final String callbackUrl) { cfg.setDiscoveryURI(DISCOVERY_URI.apply(op.getIssuer())); cfg.setPreferredJwsAlgorithm(JWSAlgorithm.HS256); cfg.setOpMetadataResolver(new StaticOidcOpMetadataResolver(cfg, metadata)); - cfg.setScope("openid profile email address phone offline_access"); + cfg.setScope(op.getScopes().stream().collect(Collectors.joining(" "))); cfg.setUseNonce(false); cfg.setSessionLogoutHandler(new NoOpSessionLogoutHandler()); diff --git a/ext/oidcc4ui/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCC4UIProvider.java b/ext/oidcc4ui/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCC4UIProvider.java index 325ec18bee..07df700a16 100644 --- a/ext/oidcc4ui/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCC4UIProvider.java +++ b/ext/oidcc4ui/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/OIDCC4UIProvider.java @@ -60,6 +60,10 @@ public interface OIDCC4UIProvider extends Entity { void setEndSessionEndpoint(String endSessionEndpoint); + List getScopes(); + + void setScopes(List scopes); + boolean getHasDiscovery(); void setHasDiscovery(boolean hasDiscovery); diff --git a/ext/oidcc4ui/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCC4UIProvider.java b/ext/oidcc4ui/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCC4UIProvider.java index 48bf85271c..d5e5025977 100644 --- a/ext/oidcc4ui/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCC4UIProvider.java +++ b/ext/oidcc4ui/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/JPAOIDCC4UIProvider.java 
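Review bot: `cfg.setScope(op.getScopes().stream().collect(Collectors.joining(" ")))` yields an empty scope string whenever the provider has no scopes — providers persisted before this change (the new `scopes` column in JPAOIDCC4UIProvider is null for them) and any TO saved without a selection — whereas the replaced literal always requested `openid`, which an OpenID Connect authentication request must contain. Without it the OP either rejects the request or answers with a plain OAuth response carrying no ID token, and login breaks for those providers. Consider rejecting providers whose scopes lack `openid` at save time (the existing `OIDCC4UIProviderCheck` validation looks like the natural place, if it covers this entity's fields) or defaulting here: `cfg.setScope(op.getScopes().isEmpty() ? "openid" : String.join(" ", op.getScopes()));`. `String.join` also removes the need for the `Collectors` import added in the -33 hunk.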
@@ -40,6 +40,8 @@ import java.util.ArrayList; import java.util.List; import java.util.Optional; +import java.util.stream.Collectors; +import java.util.stream.Stream; import org.apache.syncope.common.lib.to.Item; import org.apache.syncope.common.lib.types.OIDCClientImplementationType; import org.apache.syncope.core.persistence.api.entity.Implementation; @@ -47,6 +49,7 @@ import org.apache.syncope.core.persistence.api.entity.OIDCC4UIUserTemplate; import org.apache.syncope.core.persistence.jpa.validation.entity.OIDCC4UIProviderCheck; import org.apache.syncope.core.provisioning.api.serialization.POJOHelper; +import org.springframework.util.CollectionUtils; @Entity @Table(name = JPAOIDCC4UIProvider.TABLE) @@ -85,6 +88,8 @@ public class JPAOIDCC4UIProvider extends AbstractGeneratedKeyEntity implements O @Column(nullable = true) private String endSessionEndpoint; + private String scopes; + @Column(nullable = false) private boolean hasDiscovery; @@ -204,6 +209,18 @@ public void setEndSessionEndpoint(final String endSessionEndpoint) { this.endSessionEndpoint = endSessionEndpoint; } + @Override + public List getScopes() { + return Optional.ofNullable(scopes).map(s -> Stream.of(s.split(" ")).toList()).orElse(List.of()); + } + + @Override + public void setScopes(final List scopes) { + this.scopes = CollectionUtils.isEmpty(scopes) + ? "" + : scopes.stream().collect(Collectors.joining(" ")); + } + @Override public boolean getHasDiscovery() { return hasDiscovery; diff --git a/ext/oidcc4ui/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCC4UIProviderDataBinderImpl.java b/ext/oidcc4ui/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCC4UIProviderDataBinderImpl.java index 38e9494c48..9c7d814ec6 100644 --- a/ext/oidcc4ui/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCC4UIProviderDataBinderImpl.java 
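Review bot: `getScopes()` splits the stored string on a single space, and `"".split(" ")` returns `[""]`, so a provider saved through `setScopes(List.of())` — which stores `""` rather than `null` — reads back as one blank scope, `[""]`, instead of an empty list. Either filter blanks on read, `map(s -> Stream.of(s.split(" ")).filter(t -> !t.isBlank()).toList())`, or store `null` for an empty list, `this.scopes = CollectionUtils.isEmpty(scopes) ? null : String.join(" ", scopes);`, so the two accessors round-trip. Neighbouring fields carry an explicit `@Column(...)` while `private String scopes;` has none and therefore gets the JPA default of a nullable 255-character column; a long list of custom scopes is unlikely to exceed that, but an explicit `length` would make the limit deliberate. Because the storage format is space-delimited, a scope value containing whitespace cannot survive a round trip; rejecting such values belongs in the data binder hunk at -173 or the console panel rather than here.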
+++ b/ext/oidcc4ui/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCC4UIProviderDataBinderImpl.java @@ -173,6 +173,7 @@ public OIDCC4UIProvider update(final OIDCC4UIProvider op, final OIDCC4UIProvider op.setTokenEndpoint(opTO.getTokenEndpoint()); op.setUserinfoEndpoint(opTO.getUserinfoEndpoint()); op.setEndSessionEndpoint(opTO.getEndSessionEndpoint()); + op.setScopes(opTO.getScopes()); op.setHasDiscovery(opTO.getHasDiscovery()); op.setCreateUnmatching(opTO.isCreateUnmatching()); op.setSelfRegUnmatching(opTO.isSelfRegUnmatching()); @@ -243,6 +244,7 @@ public OIDCC4UIProviderTO getOIDCProviderTO(final OIDCC4UIProvider op) { opTO.setTokenEndpoint(op.getTokenEndpoint()); opTO.setUserinfoEndpoint(op.getUserinfoEndpoint()); opTO.setEndSessionEndpoint(op.getEndSessionEndpoint()); + opTO.getScopes().addAll(op.getScopes()); opTO.setHasDiscovery(op.getHasDiscovery()); opTO.setCreateUnmatching(op.isCreateUnmatching()); opTO.setSelfRegUnmatching(op.isSelfRegUnmatching()); diff --git a/fit/wa-reference/src/test/java/org/apache/syncope/fit/ui/OIDC4UIITCase.java b/fit/wa-reference/src/test/java/org/apache/syncope/fit/ui/OIDC4UIITCase.java index 26e81f5de2..1f10ec6d4c 100644 --- a/fit/wa-reference/src/test/java/org/apache/syncope/fit/ui/OIDC4UIITCase.java +++ b/fit/wa-reference/src/test/java/org/apache/syncope/fit/ui/OIDC4UIITCase.java @@ -30,6 +30,7 @@ import java.util.List; import java.util.Optional; import java.util.Set; +import java.util.stream.Stream; import org.apache.http.Consts; import org.apache.http.HttpHeaders; import org.apache.http.HttpStatus; 
@@ -50,6 +51,7 @@ import org.apache.syncope.common.lib.to.OIDCRPClientAppTO; import org.apache.syncope.common.lib.types.ClientAppType; import org.apache.syncope.common.lib.types.OIDCResponseType; +import org.apache.syncope.common.lib.types.OIDCScope; import org.apache.syncope.common.lib.types.OIDCSubjectType; import org.apache.syncope.common.rest.api.RESTHeaders; import org.apache.syncope.common.rest.api.service.wa.WAConfigService; @@ -92,6 +94,9 @@ private static void clientAppSetup(final String appName, final String baseAddres Set.of(OIDCResponseType.CODE, OIDCResponseType.ID_TOKEN_TOKEN, OIDCResponseType.TOKEN)); clientApp.setAuthPolicy(getAuthPolicy().getKey()); clientApp.setAttrReleasePolicy(getAttrReleasePolicy().getKey()); + clientApp.getScopes().add(OIDCScope.OPENID); + clientApp.getScopes().add(OIDCScope.PROFILE); + clientApp.getScopes().add(OIDCScope.EMAIL); CLIENT_APP_SERVICE.update(ClientAppType.OIDCRP, clientApp); WA_CONFIG_SERVICE.pushToWA(WAConfigService.PushSubject.clientApps, List.of()); @@ -134,6 +139,9 @@ private static void oidcSetup( cas.setUserinfoEndpoint(cas.getIssuer() + "/profile"); cas.setEndSessionEndpoint(cas.getIssuer() + "/logout"); + cas.getScopes().addAll(Stream.of(OIDCScope.values()).map(s -> s.name().toLowerCase()).toList()); + cas.getScopes().add("syncope"); + cas.setCreateUnmatching(createUnmatching); cas.setSelfRegUnmatching(selfRegUnmatching); diff --git a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java index 3cecfba16a..f22e118ccd 100644 --- a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java +++ b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java 
@@ -138,6 +138,7 @@ public RegisteredService map( map(p -> p.getAllowedAttributes().stream().collect(Collectors.toSet())). ifPresent(customClaims::addAll); } + if (rp.getScopes().contains(OIDCScope.PROFILE)) { customClaims.removeAll(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS); }