resolve merge conflicts

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>7.0.107-SNAPSHOT</version>
+    <version>7.0.128-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java

@@ -65,6 +65,7 @@ public class ApplicationDTO  {
 
     private String jwksUri = null;
     private String tokenEndpointAuthMethod = null;
+    private Boolean tokenEndpointAllowReusePvtKeyJwt = null;
     private String tokenEndpointAuthSigningAlg = null;
     private String sectorIdentifierUri = null;
     private String idTokenSignedResponseAlg = null;
@@ -292,6 +293,17 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
     this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
   }
 
+  @ApiModelProperty(value = "")
+  @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+  public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+      return tokenEndpointAllowReusePvtKeyJwt;
+  }
+
+  public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+      this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+  }
 
   @ApiModelProperty(value = "")
   @JsonProperty("token_endpoint_auth_signing_alg")

components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java

@@ -49,6 +49,7 @@ public class RegistrationRequestDTO  {
   private String extTokenType = null;
   private String tokenEndpointAuthMethod = null;
   private String tokenEndpointAuthSigningAlg = null;
+  private Boolean tokenEndpointAllowReusePvtKeyJwt;
   private String sectorIdentifierUri = null;
   private String idTokenSignedResponseAlg = null;
   private String idTokenEncryptedResponseAlg = null;
@@ -332,6 +333,18 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
     this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
   }
 
+  @ApiModelProperty(value = "")
+  @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+  public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+      return tokenEndpointAllowReusePvtKeyJwt;
+  }
+
+  public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+    this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+  }
+
 
   @ApiModelProperty(value = "")
   @JsonProperty("token_endpoint_auth_signing_alg")

components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java

@@ -36,6 +36,7 @@ public class UpdateRequestDTO {
     private boolean extPublicClient;
     private String extTokenType = null;
     private String tokenEndpointAuthMethod = null;
+    private Boolean tokenEndpointAllowReusePvtKeyJwt;
     private String tokenEndpointAuthSigningAlg = null;
     private String sectorIdentifierUri = null;
     private String idTokenSignedResponseAlg = null;
@@ -241,6 +242,18 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
         this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
     }
 
+    @ApiModelProperty(value = "")
+    @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+    public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+        return tokenEndpointAllowReusePvtKeyJwt;
+    }
+
+    public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+        this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+    }
+
     @ApiModelProperty(value = "")
     @JsonProperty("token_endpoint_auth_signing_alg")
     public String getTokenEndpointAuthSigningAlg() {

components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java

@@ -81,6 +81,8 @@ public static ApplicationRegistrationRequest getApplicationRegistrationRequest(
         appRegistrationRequest.setExtTokenType(registrationRequestDTO.getExtTokenType());
         appRegistrationRequest.setJwksURI(registrationRequestDTO.getJwksUri());
         appRegistrationRequest.setTokenEndpointAuthMethod(registrationRequestDTO.getTokenEndpointAuthMethod());
+        appRegistrationRequest.setTokenEndpointAllowReusePvtKeyJwt(registrationRequestDTO
+                .isTokenEndpointAllowReusePvtKeyJwt());
         appRegistrationRequest.setTokenEndpointAuthSignatureAlgorithm
                 (registrationRequestDTO.getTokenEndpointAuthSigningAlg());
         appRegistrationRequest.setSectorIdentifierURI(registrationRequestDTO.getSectorIdentifierUri());
@@ -125,6 +127,8 @@ public static ApplicationUpdateRequest getApplicationUpdateRequest(UpdateRequest
         applicationUpdateRequest.setExtTokenType(updateRequestDTO.getExtTokenType());
         applicationUpdateRequest.setJwksURI(updateRequestDTO.getJwksUri());
         applicationUpdateRequest.setTokenEndpointAuthMethod(updateRequestDTO.getTokenEndpointAuthMethod());
+        applicationUpdateRequest.setTokenEndpointAllowReusePvtKeyJwt(
+                updateRequestDTO.isTokenEndpointAllowReusePvtKeyJwt());
         applicationUpdateRequest.setTokenEndpointAuthSignatureAlgorithm
                 (updateRequestDTO.getTokenEndpointAuthSigningAlg());
         applicationUpdateRequest.setSectorIdentifierURI(updateRequestDTO.getSectorIdentifierUri());
@@ -235,6 +239,7 @@ public static ApplicationDTO getApplicationDTOFromApplication(Application applic
         applicationDTO.setExtTokenType(application.getExtTokenType());
         applicationDTO.setJwksUri(application.getJwksURI());
         applicationDTO.setTokenEndpointAuthMethod(application.getTokenEndpointAuthMethod());
+        applicationDTO.setTokenEndpointAllowReusePvtKeyJwt(application.isTokenEndpointAllowReusePvtKeyJwt());
         applicationDTO.setTokenEndpointAuthSigningAlg(application.getTokenEndpointAuthSignatureAlgorithm());
         applicationDTO.setSectorIdentifierUri(application.getSectorIdentifierURI());
         applicationDTO.setIdTokenSignedResponseAlg(application.getIdTokenSignatureAlgorithm());

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>7.0.107-SNAPSHOT</version>
+    <version>7.0.128-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -622,6 +622,7 @@ public static class OIDCConfigProperties {
         public static final String TOKEN_BINDING_VALIDATION = "tokenBindingValidation";
         public static final String TOKEN_BINDING_TYPE_NONE = "None";
         public static final String TOKEN_AUTH_METHOD =  "tokenEndpointAuthMethod";
+        public static final String TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT =  "tokenEndpointAllowReusePvtKeyJwt";
         public static final String TOKEN_AUTH_SIGNATURE_ALGORITHM = "tokenEndpointAuthSigningAlg";
         public static final String SECTOR_IDENTIFIER_URI = "sectorIdentifierUri";
         public static final String ID_TOKEN_SIGNATURE_ALGORITHM = "idTokenSignedResponseAlg";
@@ -636,7 +637,14 @@ public static class OIDCConfigProperties {
         public static final String IS_SUBJECT_TOKEN_ENABLED = "isSubjectTokenEnabled";
         public static final String SUBJECT_TOKEN_EXPIRY_TIME = "subjectTokenExpiryTime";
         public static final int SUBJECT_TOKEN_EXPIRY_TIME_VALUE = 180;
-
+        public static final String PREVENT_TOKEN_REUSE = "PreventTokenReuse";
+        public static final boolean DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE = true;
+        // Name of the {@code  JWTClientAuthenticatorConfig} resource type in the Configuration Management API.
+        public static final String JWT_CONFIGURATION_RESOURCE_TYPE_NAME = "PK_JWT_CONFIGURATION";
+        // Name of the {@code JWTClientAuthenticatorConfig} resource (per tenant) in the Configuration Management API.
+        public static final String JWT_CONFIGURATION_RESOURCE_NAME = "TENANT_PK_JWT_CONFIGURATION";
+        public static final String PVT_KEY_JWT_CLIENT_AUTHENTICATOR_CLASS_NAME = "PrivateKeyJWTClientAuthenticator";
+        public static final String ENABLE_TOKEN_REUSE = "EnableTokenReuse";
         private OIDCConfigProperties() {
 
         }
@@ -710,6 +718,7 @@ public static class ActionIDs {
 
             public static final String SCOPE_VALIDATION = "validate-scope";
             public static final String ISSUE_ACCESS_TOKEN = "issue-access-token";
+            public static final String ISSUE_SUBJECT_TOKEN = "issue-subject-token";
             public static final String ISSUE_ID_TOKEN = "issue-id-token";
             public static final String VALIDATE_AUTHORIZATION_CODE = "validate-authz-code";
             public static final String ISSUE_AUTHZ_CODE = "issue-authz-code";
@@ -771,6 +780,7 @@ public static class InputKeys {
             public static final String CALLBACK_URI = "callback URI";
             public static final String PROMPT = "prompt";
             public static final String APP_STATE = "app state";
+            public static final String IMPERSONATOR = "impersonator";
             public static final String REQUESTED_AUTHORIZATION_DETAILS = "requested authorization details";
         }
 

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java

@@ -46,6 +46,7 @@ public class Application implements Serializable {
     private String extTokenType = null;
     private String jwksURI = null;
     private String tokenEndpointAuthMethod = null;
+    private Boolean tokenEndpointAllowReusePvtKeyJwt;
     private String tokenEndpointAuthSignatureAlgorithm = null;
     private String sectorIdentifierURI = null;
     private String idTokenSignatureAlgorithm = null;
@@ -253,6 +254,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
         this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
     }
 
+    public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+        return tokenEndpointAllowReusePvtKeyJwt;
+    }
+
+    public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+        this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+    }
+
     public String getTokenEndpointAuthSignatureAlgorithm() {
 
         return tokenEndpointAuthSignatureAlgorithm;

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java

@@ -52,6 +52,7 @@ public class ApplicationRegistrationRequest implements Serializable {
     private String jwksURI;
     private String softwareStatement;
     private String tokenEndpointAuthMethod;
+    private Boolean tokenEndpointAllowReusePvtKeyJwt;
     private String tokenEndpointAuthSignatureAlgorithm;
     private String sectorIdentifierURI;
     private String idTokenSignatureAlgorithm;
@@ -380,6 +381,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
         this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
     }
 
+    public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+        return tokenEndpointAllowReusePvtKeyJwt;
+    }
+
+    public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+        this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+    }
+
     public String getTokenEndpointAuthSignatureAlgorithm() {
 
         return tokenEndpointAuthSignatureAlgorithm;

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java

@@ -48,6 +48,7 @@ public class ApplicationUpdateRequest implements Serializable {
     private String jwksURI = null;
     private String softwareStatement;
     private String tokenEndpointAuthMethod;
+    private Boolean tokenEndpointAllowReusePvtKeyJwt;
     private String tokenEndpointAuthSignatureAlgorithm;
     private String sectorIdentifierURI;
     private String idTokenSignatureAlgorithm;
@@ -305,6 +306,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
         this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
     }
 
+    public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+        return tokenEndpointAllowReusePvtKeyJwt;
+    }
+
+    public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+        this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+    }
+
     public String getTokenEndpointAuthSignatureAlgorithm() {
 
         return tokenEndpointAuthSignatureAlgorithm;

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java

@@ -351,6 +351,7 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
             if (updateRequest.getTokenEndpointAuthMethod() != null) {
                 appDTO.setTokenEndpointAuthMethod(updateRequest.getTokenEndpointAuthMethod());
             }
+            appDTO.setTokenEndpointAllowReusePvtKeyJwt(updateRequest.isTokenEndpointAllowReusePvtKeyJwt());
             if (updateRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
                 appDTO.setTokenEndpointAuthSignatureAlgorithm
                         (updateRequest.getTokenEndpointAuthSignatureAlgorithm());
@@ -670,6 +671,7 @@ private Application buildResponse(OAuthConsumerAppDTO createdApp, String tenantD
         application.setExtTokenType(createdApp.getTokenType());
         application.setJwksURI(createdApp.getJwksURI());
         application.setTokenEndpointAuthMethod(createdApp.getTokenEndpointAuthMethod());
+        application.setTokenEndpointAllowReusePvtKeyJwt(createdApp.isTokenEndpointAllowReusePvtKeyJwt());
         application.setTokenEndpointAuthSignatureAlgorithm(createdApp.getTokenEndpointAuthSignatureAlgorithm());
         application.setSectorIdentifierURI(createdApp.getSectorIdentifierURI());
         application.setIdTokenSignatureAlgorithm(createdApp.getIdTokenSignatureAlgorithm());
@@ -764,6 +766,7 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
         if (registrationRequest.getTokenEndpointAuthMethod() != null) {
             oAuthConsumerApp.setTokenEndpointAuthMethod(registrationRequest.getTokenEndpointAuthMethod());
         }
+        oAuthConsumerApp.setTokenEndpointAllowReusePvtKeyJwt(registrationRequest.isTokenEndpointAllowReusePvtKeyJwt());
         if (registrationRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
             oAuthConsumerApp.setTokenEndpointAuthSignatureAlgorithm
                     (registrationRequest.getTokenEndpointAuthSignatureAlgorithm());

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.107-SNAPSHOT</version>
+        <version>7.0.128-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java

@@ -36,6 +36,7 @@
 import org.wso2.carbon.identity.oauth.client.authn.filter.OAuthClientAuthenticatorProxy;
 import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
 import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidApplicationClientException;
 import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestParentException;
@@ -53,6 +54,7 @@
 import org.wso2.carbon.user.core.util.UserCoreUtil;
 import org.wso2.carbon.utils.DiagnosticLog;
 
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
@@ -159,6 +161,7 @@ protected Response issueAccessToken(HttpServletRequest request, HttpServletRespo
                 startSuperTenantFlow();
             }
             validateRepeatedParams(request, paramMap);
+            validateSensitiveDataInQueryParams(request);
             HttpServletRequestWrapper httpRequest = new OAuthRequestWrapper(request, paramMap);
             CarbonOAuthTokenRequest oauthRequest = buildCarbonOAuthTokenRequest(httpRequest);
             OAuthClientAuthnContext oauthClientAuthnContext = oauthRequest.getoAuthClientAuthnContext();
@@ -231,6 +234,20 @@ private void validateRepeatedParams(HttpServletRequest request, Map<String, List
         }
     }
 
+    private void validateSensitiveDataInQueryParams(HttpServletRequest request)
+            throws TokenEndpointBadRequestException {
+
+        String queryString = request.getQueryString();
+        if (StringUtils.isNotBlank(queryString)) {
+            boolean containsSensitiveData = Arrays.stream(queryString.split("&"))
+                    .map(param -> param.split("=")[0])
+                    .anyMatch(OAuthServerConfiguration.getInstance().getRestrictedQueryParameters()::contains);
+            if (containsSensitiveData) {
+                throw new TokenEndpointBadRequestException("Invalid request with sensitive data in the URL.");
+            }
+        }
+    }
+
     private void validateOAuthApplication(OAuthClientAuthnContext oAuthClientAuthnContext)
             throws InvalidApplicationClientException {