[SYNCOPE-1788] Allow JWKS value for OIDC client applications (#546)

apache · Nov 15, 2023 · 8d16a4d · 8d16a4d
1 parent 1b5fb45
commit 8d16a4d
Show file tree

Hide file tree

Showing 13 changed files with 215 additions and 12 deletions.
diff --git a/...rc/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java b/...rc/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
@@ -18,14 +18,17 @@
  */
 package org.apache.syncope.client.console.clientapps;
 
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.Comparator;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import javax.ws.rs.core.MediaType;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.syncope.client.console.SyncopeConsoleSession;
@@ -37,6 +40,7 @@
 import org.apache.syncope.client.console.rest.RealmRestClient;
 import org.apache.syncope.client.console.wicket.markup.html.bootstrap.dialog.BaseModal;
 import org.apache.syncope.client.console.wicket.markup.html.form.AjaxSearchFieldPanel;
+import org.apache.syncope.client.console.wicket.markup.html.form.BinaryFieldPanel;
 import org.apache.syncope.client.console.wicket.markup.html.form.MultiFieldPanel;
 import org.apache.syncope.client.console.wicket.markup.html.form.PolicyRenderer;
 import org.apache.syncope.client.ui.commons.Constants;
@@ -53,9 +57,11 @@
 import org.apache.syncope.common.lib.OIDCScopeConstants;
 import org.apache.syncope.common.lib.policy.PolicyTO;
 import org.apache.syncope.common.lib.to.ClientAppTO;
+import org.apache.syncope.common.lib.to.OIDCRPClientAppTO;
 import org.apache.syncope.common.lib.to.RealmTO;
 import org.apache.syncope.common.lib.types.ClientAppType;
 import org.apache.syncope.common.lib.types.LogoutType;
+import org.apache.syncope.common.lib.types.OIDCClientAuthenticationMethod;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
@@ -344,6 +350,51 @@ protected Iterator<String> getChoices(final String input) {
                             "field", "logoutUri", new PropertyModel<>(clientAppTO, "logoutUri"), false);
                     logoutUri.addValidator(new UrlValidator());
                     fields.add(logoutUri);
+
+                    BinaryFieldPanel jwks = new BinaryFieldPanel(
+                            "field",
+                            "jwks",
+                            new Model<>() {
+
+                        private static final long serialVersionUID = 7666049400663637482L;
+
+                        @Override
+                        public String getObject() {
+                            OIDCRPClientAppTO oidcRPCA = (OIDCRPClientAppTO) clientAppTO;
+                            return StringUtils.isBlank(oidcRPCA.getJwks())
+                                    ? null
+                                    : Base64.getEncoder().encodeToString(
+                                            oidcRPCA.getJwks().getBytes(StandardCharsets.UTF_8));
+                        }
+
+                        @Override
+                        public void setObject(final String object) {
+                            OIDCRPClientAppTO oidcRPCA = (OIDCRPClientAppTO) clientAppTO;
+                            if (StringUtils.isBlank(object)) {
+                                oidcRPCA.setJwks(null);
+                            } else {
+                                oidcRPCA.setJwks(
+                                        new String(Base64.getDecoder().decode(object), StandardCharsets.UTF_8));
+                            }
+                        }
+                    },
+                            MediaType.APPLICATION_JSON,
+                            "client-jwks");
+                    fields.add(jwks);
+
+                    AjaxTextFieldPanel jwksUri = new AjaxTextFieldPanel(
+                            "field", "jwksUri", new PropertyModel<>(clientAppTO, "jwksUri"), false);
+                    jwksUri.addValidator(new UrlValidator());
+                    fields.add(jwksUri);
+
+                    AjaxDropDownChoicePanel<OIDCClientAuthenticationMethod> tokenEndpointAuthenticationMethod =
+                            new AjaxDropDownChoicePanel<>(
+                                    "field",
+                                    "tokenEndpointAuthenticationMethod",
+                                    new PropertyModel<>(clientAppTO, "tokenEndpointAuthenticationMethod"),
+                                    false);
+                    tokenEndpointAuthenticationMethod.setChoices(List.of(OIDCClientAuthenticationMethod.values()));
+                    fields.add(tokenEndpointAuthenticationMethod);
                     break;
 
                 case SAML2SP:

diff --git a/...resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties b/...resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
@@ -67,3 +67,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider for ${name}
 ticketExpirationPolicy=Ticket Expiration Policy
 auditHistory.title=Configuration history
 logoutType=Logout Type
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Token Endpoint Authentication Method
diff --git a/...ces/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties b/...ces/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
@@ -67,3 +67,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider for ${name}
 ticketExpirationPolicy=Ticket Expiration Policy
 auditHistory.title=Historique de configuration
 logoutType=Logout Type
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Token Endpoint Authentication Method
diff --git a/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties b/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
@@ -67,3 +67,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider per ${name}
 ticketExpirationPolicy=Politica Ticket Expiration
 auditHistory.title=Storico delle configurazioni
 logoutType=Tipo Logout
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Metodo di autenticazione dell'endpoint token
diff --git a/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties b/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
@@ -67,3 +67,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider for ${name}
 ticketExpirationPolicy=Ticket Expiration Policy
 auditHistory.title=\u8a2d\u5b9a\u5c65\u6b74
 logoutType=Logout Type
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Token Endpoint Authentication Method
diff --git a/...ces/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties b/...ces/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
@@ -67,3 +67,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider for ${name}
 ticketExpirationPolicy=Ticket Expiration Policy
 auditHistory.title=Hist\u00f3rico de configura\u00e7\u00e3o
 logoutType=Logout Type
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Token Endpoint Authentication Method
diff --git a/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties b/...ources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
@@ -68,3 +68,6 @@ usernameAttributeProviderConf.title=Username Attribute Provider for ${name}
 ticketExpirationPolicy=Ticket Expiration Policy
 auditHistory.title=\u0418\u0441\u0442\u043e\u0440\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438
 logoutType=Logout Type
+jwks=JWKS
+jwksUri=JWKS URI
+tokenEndpointAuthenticationMethod=Token Endpoint Authentication Method
diff --git a/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java b/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
@@ -26,6 +26,7 @@
 import java.util.List;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.apache.syncope.common.lib.types.OIDCClientAuthenticationMethod;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
@@ -53,10 +54,17 @@ public class OIDCRPClientAppTO extends ClientAppTO {
 
     private final List<String> scopes = new ArrayList<>();
 
-    private String logoutUri;
-
     private boolean bypassApprovalPrompt = true;
 
+    private String jwks;
+
+    private String jwksUri;
+
+    private OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod =
+            OIDCClientAuthenticationMethod.client_secret_basic;
+
+    private String logoutUri;
+
     @JacksonXmlProperty(localName = "_class", isAttribute = true)
     @JsonProperty("_class")
     @Schema(name = "_class", requiredMode = Schema.RequiredMode.REQUIRED,
@@ -116,14 +124,6 @@ public void setSubjectType(final OIDCSubjectType subjectType) {
         this.subjectType = subjectType;
     }
 
-    public String getLogoutUri() {
-        return logoutUri;
-    }
-
-    public void setLogoutUri(final String logoutUri) {
-        this.logoutUri = logoutUri;
-    }
-
     public boolean isJwtAccessToken() {
         return jwtAccessToken;
     }
@@ -146,6 +146,39 @@ public void setBypassApprovalPrompt(final boolean bypassApprovalPrompt) {
         this.bypassApprovalPrompt = bypassApprovalPrompt;
     }
 
+    public String getJwks() {
+        return jwks;
+    }
+
+    public void setJwks(final String jwks) {
+        this.jwks = jwks;
+    }
+
+    public String getJwksUri() {
+        return jwksUri;
+    }
+
+    public void setJwksUri(final String jwksUri) {
+        this.jwksUri = jwksUri;
+    }
+
+    public OIDCClientAuthenticationMethod getTokenEndpointAuthenticationMethod() {
+        return tokenEndpointAuthenticationMethod;
+    }
+
+    public void setTokenEndpointAuthenticationMethod(
+            final OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod) {
+        this.tokenEndpointAuthenticationMethod = tokenEndpointAuthenticationMethod;
+    }
+
+    public String getLogoutUri() {
+        return logoutUri;
+    }
+
+    public void setLogoutUri(final String logoutUri) {
+        this.logoutUri = logoutUri;
+    }
+
     @Override
     public boolean equals(final Object obj) {
         if (obj == null) {
@@ -167,10 +200,13 @@ public boolean equals(final Object obj) {
                 .append(this.redirectUris, rhs.redirectUris)
                 .append(this.supportedGrantTypes, rhs.supportedGrantTypes)
                 .append(this.supportedResponseTypes, rhs.supportedResponseTypes)
-                .append(this.logoutUri, rhs.logoutUri)
                 .append(this.jwtAccessToken, rhs.jwtAccessToken)
                 .append(this.scopes, rhs.scopes)
                 .append(this.bypassApprovalPrompt, rhs.bypassApprovalPrompt)
+                .append(this.jwks, rhs.jwks)
+                .append(this.jwksUri, rhs.jwksUri)
+                .append(this.tokenEndpointAuthenticationMethod, rhs.tokenEndpointAuthenticationMethod)
+                .append(this.logoutUri, rhs.logoutUri)
                 .isEquals();
     }
 
@@ -185,10 +221,13 @@ public int hashCode() {
                 .append(redirectUris)
                 .append(supportedGrantTypes)
                 .append(supportedResponseTypes)
-                .append(logoutUri)
                 .append(jwtAccessToken)
                 .append(scopes)
                 .append(bypassApprovalPrompt)
+                .append(jwks)
+                .append(jwksUri)
+                .append(tokenEndpointAuthenticationMethod)
+                .append(logoutUri)
                 .toHashCode();
     }
 }
diff --git a/...lib/src/main/java/org/apache/syncope/common/lib/types/OIDCClientAuthenticationMethod.java b/...lib/src/main/java/org/apache/syncope/common/lib/types/OIDCClientAuthenticationMethod.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.types;
+
+public enum OIDCClientAuthenticationMethod {
+    client_secret_basic,
+    client_secret_post,
+    client_secret_jwt,
+    private_key_jwt,
+    tls_client_auth;
+
+}
diff --git a/...-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java b/...-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
@@ -19,6 +19,7 @@
 package org.apache.syncope.core.persistence.api.entity.am;
 
 import java.util.Set;
+import org.apache.syncope.common.lib.types.OIDCClientAuthenticationMethod;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
@@ -57,7 +58,20 @@ public interface OIDCRPClientApp extends ClientApp {
 
     void setSubjectType(OIDCSubjectType subjectType);
 
+    String getJwks();
+
+    void setJwks(String jwks);
+
+    String getJwksUri();
+
+    void setJwksUri(String jwksUri);
+
+    OIDCClientAuthenticationMethod getTokenEndpointAuthenticationMethod();
+
+    void setTokenEndpointAuthenticationMethod(OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod);
+
     String getLogoutUri();
 
     void setLogoutUri(String logoutUri);
+
 }
diff --git a/...a/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java b/...a/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
@@ -33,6 +33,7 @@
 import javax.persistence.PreUpdate;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import org.apache.syncope.common.lib.types.OIDCClientAuthenticationMethod;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
@@ -100,6 +101,13 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien
     @Transient
     private Set<String> scopesSet = new HashSet<>();
 
+    @Lob
+    private String jwks;
+
+    private String jwksUri;
+
+    private OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod;
+
     private String logoutUri;
 
     @Override
@@ -182,6 +190,38 @@ public Set<String> getScopes() {
         return scopesSet;
     }
 
+    @Override
+    public String getJwks() {
+        return jwks;
+    }
+
+    @Override
+    public void setJwks(final String jwks) {
+        this.jwks = jwks;
+    }
+
+    @Override
+    public String getJwksUri() {
+        return jwksUri;
+    }
+
+    @Override
+    public void setJwksUri(final String jwksUri) {
+        this.jwksUri = jwksUri;
+    }
+
+    @Override
+    public OIDCClientAuthenticationMethod getTokenEndpointAuthenticationMethod() {
+        return tokenEndpointAuthenticationMethod;
+    }
+
+    @Override
+    public void setTokenEndpointAuthenticationMethod(
+            final OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod) {
+
+        this.tokenEndpointAuthenticationMethod = tokenEndpointAuthenticationMethod;
+    }
+
     @Override
     public String getLogoutUri() {
         return logoutUri;

diff --git a/...src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java b/...src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
@@ -237,6 +237,9 @@ protected void doUpdate(final OIDCRPClientApp clientApp, final OIDCRPClientAppTO
         clientApp.getScopes().clear();
         clientApp.getScopes().addAll(clientAppTO.getScopes());
         clientApp.setLogoutUri(clientAppTO.getLogoutUri());
+        clientApp.setJwks(clientAppTO.getJwks());
+        clientApp.setJwksUri(clientAppTO.getJwksUri());
+        clientApp.setTokenEndpointAuthenticationMethod(clientAppTO.getTokenEndpointAuthenticationMethod());
     }
 
     protected OIDCRPClientAppTO getOIDCClientAppTO(final OIDCRPClientApp clientApp) {
@@ -254,6 +257,9 @@ protected OIDCRPClientAppTO getOIDCClientAppTO(final OIDCRPClientApp clientApp)
         clientAppTO.setLogoutUri(clientApp.getLogoutUri());
         clientAppTO.setJwtAccessToken(clientApp.isJwtAccessToken());
         clientAppTO.setBypassApprovalPrompt(clientApp.isBypassApprovalPrompt());
+        clientAppTO.setJwks(clientApp.getJwks());
+        clientAppTO.setJwksUri(clientApp.getJwksUri());
+        clientAppTO.setTokenEndpointAuthenticationMethod(clientApp.getTokenEndpointAuthenticationMethod());
 
         return clientAppTO;
     }