diff --git a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
index e606a8e69c8..01e06755ffb 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
+++ b/components/org.wso2.carbon.identity.api.server.dcr/pom.xml
@@ -5,12 +5,12 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../../pom.xml
org.wso2.carbon.identity.api.server.dcr
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
WSO2 Carbon - User DCR Rest API
WSO2 Carbon - User DCR Rest API
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java
index a66d1be7792..f7d980a4e11 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java
+++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/ApplicationDTO.java
@@ -65,6 +65,7 @@ public class ApplicationDTO {
private String jwksUri = null;
private String tokenEndpointAuthMethod = null;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt = null;
private String tokenEndpointAuthSigningAlg = null;
private String sectorIdentifierUri = null;
private String idTokenSignedResponseAlg = null;
@@ -292,6 +293,17 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ @ApiModelProperty(value = "")
+ @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
@ApiModelProperty(value = "")
@JsonProperty("token_endpoint_auth_signing_alg")
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java
index 92e34409e4d..e42227c3b0e 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java
+++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/RegistrationRequestDTO.java
@@ -49,6 +49,7 @@ public class RegistrationRequestDTO {
private String extTokenType = null;
private String tokenEndpointAuthMethod = null;
private String tokenEndpointAuthSigningAlg = null;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt;
private String sectorIdentifierUri = null;
private String idTokenSignedResponseAlg = null;
private String idTokenEncryptedResponseAlg = null;
@@ -332,6 +333,18 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ @ApiModelProperty(value = "")
+ @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
+
@ApiModelProperty(value = "")
@JsonProperty("token_endpoint_auth_signing_alg")
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java
index 81471cc2377..085eb32d260 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java
+++ b/components/org.wso2.carbon.identity.api.server.dcr/src/gen/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/dto/UpdateRequestDTO.java
@@ -36,6 +36,7 @@ public class UpdateRequestDTO {
private boolean extPublicClient;
private String extTokenType = null;
private String tokenEndpointAuthMethod = null;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt;
private String tokenEndpointAuthSigningAlg = null;
private String sectorIdentifierUri = null;
private String idTokenSignedResponseAlg = null;
@@ -241,6 +242,18 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ @ApiModelProperty(value = "")
+ @JsonProperty("token_endpoint_allow_reuse_pvt_key_jwt")
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
+
@ApiModelProperty(value = "")
@JsonProperty("token_endpoint_auth_signing_alg")
public String getTokenEndpointAuthSigningAlg() {
diff --git a/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java b/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java
index 8e46d6c25f8..23e87ffa559 100644
--- a/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java
+++ b/components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java
@@ -81,6 +81,8 @@ public static ApplicationRegistrationRequest getApplicationRegistrationRequest(
appRegistrationRequest.setExtTokenType(registrationRequestDTO.getExtTokenType());
appRegistrationRequest.setJwksURI(registrationRequestDTO.getJwksUri());
appRegistrationRequest.setTokenEndpointAuthMethod(registrationRequestDTO.getTokenEndpointAuthMethod());
+ appRegistrationRequest.setTokenEndpointAllowReusePvtKeyJwt(registrationRequestDTO
+ .isTokenEndpointAllowReusePvtKeyJwt());
appRegistrationRequest.setTokenEndpointAuthSignatureAlgorithm
(registrationRequestDTO.getTokenEndpointAuthSigningAlg());
appRegistrationRequest.setSectorIdentifierURI(registrationRequestDTO.getSectorIdentifierUri());
@@ -125,6 +127,8 @@ public static ApplicationUpdateRequest getApplicationUpdateRequest(UpdateRequest
applicationUpdateRequest.setExtTokenType(updateRequestDTO.getExtTokenType());
applicationUpdateRequest.setJwksURI(updateRequestDTO.getJwksUri());
applicationUpdateRequest.setTokenEndpointAuthMethod(updateRequestDTO.getTokenEndpointAuthMethod());
+ applicationUpdateRequest.setTokenEndpointAllowReusePvtKeyJwt(
+ updateRequestDTO.isTokenEndpointAllowReusePvtKeyJwt());
applicationUpdateRequest.setTokenEndpointAuthSignatureAlgorithm
(updateRequestDTO.getTokenEndpointAuthSigningAlg());
applicationUpdateRequest.setSectorIdentifierURI(updateRequestDTO.getSectorIdentifierUri());
@@ -235,6 +239,7 @@ public static ApplicationDTO getApplicationDTOFromApplication(Application applic
applicationDTO.setExtTokenType(application.getExtTokenType());
applicationDTO.setJwksUri(application.getJwksURI());
applicationDTO.setTokenEndpointAuthMethod(application.getTokenEndpointAuthMethod());
+ applicationDTO.setTokenEndpointAllowReusePvtKeyJwt(application.isTokenEndpointAllowReusePvtKeyJwt());
applicationDTO.setTokenEndpointAuthSigningAlg(application.getTokenEndpointAuthSignatureAlgorithm());
applicationDTO.setSectorIdentifierUri(application.getSectorIdentifierURI());
applicationDTO.setIdTokenSignedResponseAlg(application.getIdTokenSignatureAlgorithm());
diff --git a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
index 87610eaab66..4f92e80798c 100644
--- a/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
+++ b/components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml
@@ -5,12 +5,12 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../..
org.wso2.carbon.identity.api.server.oauth.scope
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs
Rest APIs for OAuth 2.0 Scope Handling
diff --git a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
index 932607d1239..14e0069e407 100644
--- a/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
+++ b/components/org.wso2.carbon.identity.client.attestation.filter/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../../pom.xml
diff --git a/components/org.wso2.carbon.identity.discovery/pom.xml b/components/org.wso2.carbon.identity.discovery/pom.xml
index 7efbf85bd86..51331e7b91a 100644
--- a/components/org.wso2.carbon.identity.discovery/pom.xml
+++ b/components/org.wso2.carbon.identity.discovery/pom.xml
@@ -21,7 +21,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
index 3ac3e3dee52..6fd3b1acc67 100644
--- a/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.ciba/pom.xml
@@ -20,7 +20,7 @@
identity-inbound-auth-oauth
org.wso2.carbon.identity.inbound.auth.oauth2
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../../pom.xml
diff --git a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
index aa83a622f61..4e90b7cdd41 100644
--- a/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.common/pom.xml b/components/org.wso2.carbon.identity.oauth.common/pom.xml
index adcab23ad94..6b9308c67d2 100644
--- a/components/org.wso2.carbon.identity.oauth.common/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.common/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
index 78437a236b2..21b025ec806 100644
--- a/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
+++ b/components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
@@ -622,6 +622,7 @@ public static class OIDCConfigProperties {
public static final String TOKEN_BINDING_VALIDATION = "tokenBindingValidation";
public static final String TOKEN_BINDING_TYPE_NONE = "None";
public static final String TOKEN_AUTH_METHOD = "tokenEndpointAuthMethod";
+ public static final String TOKEN_EP_ALLOW_REUSE_PVT_KEY_JWT = "tokenEndpointAllowReusePvtKeyJwt";
public static final String TOKEN_AUTH_SIGNATURE_ALGORITHM = "tokenEndpointAuthSigningAlg";
public static final String SECTOR_IDENTIFIER_URI = "sectorIdentifierUri";
public static final String ID_TOKEN_SIGNATURE_ALGORITHM = "idTokenSignedResponseAlg";
@@ -636,7 +637,14 @@ public static class OIDCConfigProperties {
public static final String IS_SUBJECT_TOKEN_ENABLED = "isSubjectTokenEnabled";
public static final String SUBJECT_TOKEN_EXPIRY_TIME = "subjectTokenExpiryTime";
public static final int SUBJECT_TOKEN_EXPIRY_TIME_VALUE = 180;
-
+ public static final String PREVENT_TOKEN_REUSE = "PreventTokenReuse";
+ public static final boolean DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE = true;
+ // Name of the {@code JWTClientAuthenticatorConfig} resource type in the Configuration Management API.
+ public static final String JWT_CONFIGURATION_RESOURCE_TYPE_NAME = "PK_JWT_CONFIGURATION";
+ // Name of the {@code JWTClientAuthenticatorConfig} resource (per tenant) in the Configuration Management API.
+ public static final String JWT_CONFIGURATION_RESOURCE_NAME = "TENANT_PK_JWT_CONFIGURATION";
+ public static final String PVT_KEY_JWT_CLIENT_AUTHENTICATOR_CLASS_NAME = "PrivateKeyJWTClientAuthenticator";
+ public static final String ENABLE_TOKEN_REUSE = "EnableTokenReuse";
private OIDCConfigProperties() {
}
@@ -710,6 +718,7 @@ public static class ActionIDs {
public static final String SCOPE_VALIDATION = "validate-scope";
public static final String ISSUE_ACCESS_TOKEN = "issue-access-token";
+ public static final String ISSUE_SUBJECT_TOKEN = "issue-subject-token";
public static final String ISSUE_ID_TOKEN = "issue-id-token";
public static final String VALIDATE_AUTHORIZATION_CODE = "validate-authz-code";
public static final String ISSUE_AUTHZ_CODE = "issue-authz-code";
@@ -771,6 +780,7 @@ public static class InputKeys {
public static final String CALLBACK_URI = "callback URI";
public static final String PROMPT = "prompt";
public static final String APP_STATE = "app state";
+ public static final String IMPERSONATOR = "impersonator";
public static final String REQUESTED_AUTHORIZATION_DETAILS = "requested authorization details";
}
diff --git a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
index 52232a9cede..f34b5e35c82 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml
@@ -6,7 +6,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
index 8db5f9b176c..a18677673ef 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.dcr/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java
index bb555c1f16c..7f0d3907f23 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/Application.java
@@ -46,6 +46,7 @@ public class Application implements Serializable {
private String extTokenType = null;
private String jwksURI = null;
private String tokenEndpointAuthMethod = null;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt;
private String tokenEndpointAuthSignatureAlgorithm = null;
private String sectorIdentifierURI = null;
private String idTokenSignatureAlgorithm = null;
@@ -253,6 +254,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
+
public String getTokenEndpointAuthSignatureAlgorithm() {
return tokenEndpointAuthSignatureAlgorithm;
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java
index af1666e6514..068fa186379 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationRegistrationRequest.java
@@ -52,6 +52,7 @@ public class ApplicationRegistrationRequest implements Serializable {
private String jwksURI;
private String softwareStatement;
private String tokenEndpointAuthMethod;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt;
private String tokenEndpointAuthSignatureAlgorithm;
private String sectorIdentifierURI;
private String idTokenSignatureAlgorithm;
@@ -380,6 +381,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
+
public String getTokenEndpointAuthSignatureAlgorithm() {
return tokenEndpointAuthSignatureAlgorithm;
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java
index b98772d5dd9..443821cd55c 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/bean/ApplicationUpdateRequest.java
@@ -48,6 +48,7 @@ public class ApplicationUpdateRequest implements Serializable {
private String jwksURI = null;
private String softwareStatement;
private String tokenEndpointAuthMethod;
+ private Boolean tokenEndpointAllowReusePvtKeyJwt;
private String tokenEndpointAuthSignatureAlgorithm;
private String sectorIdentifierURI;
private String idTokenSignatureAlgorithm;
@@ -305,6 +306,16 @@ public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
}
+ public Boolean isTokenEndpointAllowReusePvtKeyJwt() {
+
+ return tokenEndpointAllowReusePvtKeyJwt;
+ }
+
+ public void setTokenEndpointAllowReusePvtKeyJwt(Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ this.tokenEndpointAllowReusePvtKeyJwt = tokenEndpointAllowReusePvtKeyJwt;
+ }
+
public String getTokenEndpointAuthSignatureAlgorithm() {
return tokenEndpointAuthSignatureAlgorithm;
diff --git a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
index 6aa00ca66aa..994bd068fa6 100644
--- a/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
+++ b/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java
@@ -351,6 +351,7 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
if (updateRequest.getTokenEndpointAuthMethod() != null) {
appDTO.setTokenEndpointAuthMethod(updateRequest.getTokenEndpointAuthMethod());
}
+ appDTO.setTokenEndpointAllowReusePvtKeyJwt(updateRequest.isTokenEndpointAllowReusePvtKeyJwt());
if (updateRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
appDTO.setTokenEndpointAuthSignatureAlgorithm
(updateRequest.getTokenEndpointAuthSignatureAlgorithm());
@@ -670,6 +671,7 @@ private Application buildResponse(OAuthConsumerAppDTO createdApp, String tenantD
application.setExtTokenType(createdApp.getTokenType());
application.setJwksURI(createdApp.getJwksURI());
application.setTokenEndpointAuthMethod(createdApp.getTokenEndpointAuthMethod());
+ application.setTokenEndpointAllowReusePvtKeyJwt(createdApp.isTokenEndpointAllowReusePvtKeyJwt());
application.setTokenEndpointAuthSignatureAlgorithm(createdApp.getTokenEndpointAuthSignatureAlgorithm());
application.setSectorIdentifierURI(createdApp.getSectorIdentifierURI());
application.setIdTokenSignatureAlgorithm(createdApp.getIdTokenSignatureAlgorithm());
@@ -764,6 +766,7 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
if (registrationRequest.getTokenEndpointAuthMethod() != null) {
oAuthConsumerApp.setTokenEndpointAuthMethod(registrationRequest.getTokenEndpointAuthMethod());
}
+ oAuthConsumerApp.setTokenEndpointAllowReusePvtKeyJwt(registrationRequest.isTokenEndpointAllowReusePvtKeyJwt());
if (registrationRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
oAuthConsumerApp.setTokenEndpointAuthSignatureAlgorithm
(registrationRequest.getTokenEndpointAuthSignatureAlgorithm());
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
index 564cacdef7b..62caca312d5 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java
index b521a4c7990..a7176750d10 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java
@@ -36,6 +36,7 @@
import org.wso2.carbon.identity.oauth.client.authn.filter.OAuthClientAuthenticatorProxy;
import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidApplicationClientException;
import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestParentException;
@@ -53,6 +54,7 @@
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.DiagnosticLog;
+import java.util.Arrays;
import java.util.List;
import java.util.Map;
@@ -159,6 +161,7 @@ protected Response issueAccessToken(HttpServletRequest request, HttpServletRespo
startSuperTenantFlow();
}
validateRepeatedParams(request, paramMap);
+ validateSensitiveDataInQueryParams(request);
HttpServletRequestWrapper httpRequest = new OAuthRequestWrapper(request, paramMap);
CarbonOAuthTokenRequest oauthRequest = buildCarbonOAuthTokenRequest(httpRequest);
OAuthClientAuthnContext oauthClientAuthnContext = oauthRequest.getoAuthClientAuthnContext();
@@ -231,6 +234,20 @@ private void validateRepeatedParams(HttpServletRequest request, Map param.split("=")[0])
+ .anyMatch(OAuthServerConfiguration.getInstance().getRestrictedQueryParameters()::contains);
+ if (containsSensitiveData) {
+ throw new TokenEndpointBadRequestException("Invalid request with sensitive data in the URL.");
+ }
+ }
+ }
+
private void validateOAuthApplication(OAuthClientAuthnContext oAuthClientAuthnContext)
throws InvalidApplicationClientException {
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpointTest.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpointTest.java
index c3478d22d60..e2833a9ce9d 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpointTest.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpointTest.java
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2017-2024, WSO2 LLC. (http://www.wso2.com).
*
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
@@ -15,6 +15,7 @@
* specific language governing permissions and limitations
* under the License.
*/
+
package org.wso2.carbon.identity.oauth.endpoint.token;
import org.apache.axiom.util.base64.Base64Utils;
@@ -366,6 +367,8 @@ public Object[][] testTokenErrorResponseDataProvider() {
OAuth2ErrorCodes.INVALID_CLIENT},
{OAuth2ErrorCodes.SERVER_ERROR, null, HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
OAuth2ErrorCodes.SERVER_ERROR},
+ {OAuth2ErrorCodes.ACCESS_DENIED, null, HttpServletResponse.SC_BAD_REQUEST,
+ OAuth2ErrorCodes.ACCESS_DENIED},
{SQL_ERROR, null, HttpServletResponse.SC_BAD_GATEWAY, OAuth2ErrorCodes.SERVER_ERROR},
{TOKEN_ERROR, null, HttpServletResponse.SC_BAD_REQUEST, TOKEN_ERROR},
{TOKEN_ERROR, headers1, HttpServletResponse.SC_BAD_REQUEST, TOKEN_ERROR},
diff --git a/components/org.wso2.carbon.identity.oauth.extension/pom.xml b/components/org.wso2.carbon.identity.oauth.extension/pom.xml
index c724c16dc3b..9a9b8847542 100644
--- a/components/org.wso2.carbon.identity.oauth.extension/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.extension/pom.xml
@@ -19,7 +19,7 @@
identity-inbound-auth-oauth
org.wso2.carbon.identity.inbound.auth.oauth2
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../../pom.xml
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.par/pom.xml b/components/org.wso2.carbon.identity.oauth.par/pom.xml
index e4faa8da7b4..1cb452762f9 100644
--- a/components/org.wso2.carbon.identity.oauth.par/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.par/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
index 87e3ed30b93..40762e7c3dc 100644
--- a/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.stub/pom.xml b/components/org.wso2.carbon.identity.oauth.stub/pom.xml
index e63467eaba4..bf3ef314f2a 100644
--- a/components/org.wso2.carbon.identity.oauth.stub/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.stub/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl b/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl
old mode 100644
new mode 100755
index 8b9539eddcd..a1b5a188711
--- a/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl
+++ b/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl
@@ -432,6 +432,7 @@
+
diff --git a/components/org.wso2.carbon.identity.oauth.ui/pom.xml b/components/org.wso2.carbon.identity.oauth.ui/pom.xml
index 29f20f0fb6f..25d49f86afd 100644
--- a/components/org.wso2.carbon.identity.oauth.ui/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth.ui/pom.xml
@@ -22,7 +22,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
diff --git a/components/org.wso2.carbon.identity.oauth/pom.xml b/components/org.wso2.carbon.identity.oauth/pom.xml
index 99450b2ae1c..e21e52cae67 100644
--- a/components/org.wso2.carbon.identity.oauth/pom.xml
+++ b/components/org.wso2.carbon.identity.oauth/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0
@@ -107,6 +107,10 @@
org.wso2.orbit.org.opensaml
opensaml
+
+ org.wso2.carbon.identity.framework
+ org.wso2.carbon.identity.action.execution
+
org.wso2.carbon.identity.framework
org.wso2.carbon.identity.event
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
old mode 100644
new mode 100755
index 068ac62c57c..3129f554594
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
@@ -107,6 +107,7 @@
import static org.wso2.carbon.identity.oauth.OAuthUtil.handleErrorWithExceptionType;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_ACTIVE;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OauthAppStates.APP_STATE_DELETED;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.PRIVATE_KEY_JWT;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.TokenBindings.NONE;
import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.buildScopeString;
import static org.wso2.carbon.identity.oauth2.util.OAuth2Util.getTenantId;
@@ -429,6 +430,13 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO
}
app.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
}
+ Boolean tokenEndpointAllowReusePvtKeyJwt = application.isTokenEndpointAllowReusePvtKeyJwt();
+ if (isInvalidTokenEPReusePvtKeyJwtRequest(tokenEndpointAuthMethod,
+ tokenEndpointAllowReusePvtKeyJwt)) {
+ throw handleClientError(INVALID_REQUEST, "Requested client authentication method " +
+ "incompatible with the Private Key JWT Reuse config value.");
+ }
+ app.setTokenEndpointAllowReusePvtKeyJwt(tokenEndpointAllowReusePvtKeyJwt);
String tokenEndpointAuthSigningAlgorithm = application.getTokenEndpointAuthSignatureAlgorithm();
if (StringUtils.isNotEmpty(tokenEndpointAuthSigningAlgorithm)) {
if (isFAPIConformanceEnabled) {
@@ -855,6 +863,13 @@ void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO, boolean enabl
}
oAuthAppDO.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
+ Boolean tokenEndpointAllowReusePvtKeyJwt = consumerAppDTO.isTokenEndpointAllowReusePvtKeyJwt();
+ if (isInvalidTokenEPReusePvtKeyJwtRequest(tokenEndpointAuthMethod, tokenEndpointAllowReusePvtKeyJwt)) {
+ throw handleClientError(INVALID_REQUEST, "Requested client authentication method " +
+ "incompatible with the Private Key JWT Reuse config value.");
+ }
+ oAuthAppDO.setTokenEndpointAllowReusePvtKeyJwt(tokenEndpointAllowReusePvtKeyJwt);
+
String tokenEndpointAuthSignatureAlgorithm = consumerAppDTO.getTokenEndpointAuthSignatureAlgorithm();
if (StringUtils.isNotEmpty(tokenEndpointAuthSignatureAlgorithm)) {
if (isFAPIConformanceEnabled) {
@@ -2492,6 +2507,24 @@ private void handleInternalTokenRevocation(String consumerKey, Properties proper
}
}
+ /**
+ * Return whether the request of updating the tokenEndpointAllowReusePvtKeyJwt is valid.
+ *
+ * @param tokenEndpointAuthMethod token endpoint client authentication method.
+ * @param tokenEndpointAllowReusePvtKeyJwt During client authentication whether to reuse private key JWT.
+ * @return True if tokenEndpointAuthMethod and tokenEndpointAllowReusePvtKeyJwt is NOT in the correct format.
+ */
+ private boolean isInvalidTokenEPReusePvtKeyJwtRequest(String tokenEndpointAuthMethod,
+ Boolean tokenEndpointAllowReusePvtKeyJwt) {
+
+ if (StringUtils.isNotBlank(tokenEndpointAuthMethod)) {
+ if (tokenEndpointAuthMethod.equals(PRIVATE_KEY_JWT)) {
+ return tokenEndpointAllowReusePvtKeyJwt == null;
+ }
+ }
+ return tokenEndpointAllowReusePvtKeyJwt != null;
+ }
+
/**
* FAPI validation to restrict the token endpoint authentication methods.
* Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server (5.2.2 - 14)
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
old mode 100644
new mode 100755
index 2fe5e743a01..ccda0801918
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java
@@ -37,6 +37,11 @@
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityConstants;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
+import org.wso2.carbon.identity.configuration.mgt.core.exception.ConfigurationManagementException;
+import org.wso2.carbon.identity.configuration.mgt.core.model.Attribute;
+import org.wso2.carbon.identity.configuration.mgt.core.model.Resource;
+import org.wso2.carbon.identity.core.handler.AbstractIdentityHandler;
+import org.wso2.carbon.identity.core.model.IdentityEventListenerConfig;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
@@ -77,6 +82,7 @@
import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
@@ -89,6 +95,12 @@
import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.CURRENT_TOKEN_IDENTIFIER;
import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.Config.PRESERVE_LOGGED_IN_SESSION_AT_PASSWORD_UPDATE;
import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.ORGANIZATION_LOGIN_HOME_REALM_IDENTIFIER;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.ENABLE_TOKEN_REUSE;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.JWT_CONFIGURATION_RESOURCE_NAME;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.JWT_CONFIGURATION_RESOURCE_TYPE_NAME;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.PREVENT_TOKEN_REUSE;
+import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OIDCConfigProperties.PVT_KEY_JWT_CLIENT_AUTHENTICATOR_CLASS_NAME;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.TokenBindings.NONE;
import static org.wso2.carbon.identity.oauth.common.OAuthConstants.UserType.FEDERATED_USER_DOMAIN_PREFIX;
@@ -536,6 +548,7 @@ public static OAuthConsumerAppDTO buildConsumerAppDTO(OAuthAppDO appDO) {
.isTokenRevocationWithIDPSessionTerminationEnabled());
dto.setTokenBindingValidationEnabled(appDO.isTokenBindingValidationEnabled());
dto.setTokenEndpointAuthMethod(appDO.getTokenEndpointAuthMethod());
+ dto.setTokenEndpointAllowReusePvtKeyJwt(appDO.isTokenEndpointAllowReusePvtKeyJwt());
dto.setTokenEndpointAuthSignatureAlgorithm(appDO.getTokenEndpointAuthSignatureAlgorithm());
dto.setSectorIdentifierURI(appDO.getSectorIdentifierURI());
dto.setIdTokenSignatureAlgorithm(appDO.getIdTokenSignatureAlgorithm());
@@ -1158,6 +1171,31 @@ private static User getUserFromTenant(String username, String userId, int tenant
return user;
}
+ /**
+ * Get user from tenant by user id.
+ *
+ * @param userId The user id.
+ * @param tenantId The tenant id where user resides.
+ * @return User object from tenant userStoreManager.
+ * @throws IdentityOAuth2Exception Error when user cannot be resolved.
+ */
+ public static User getUserFromTenant(String userId, int tenantId)
+ throws IdentityOAuth2Exception {
+
+ User user = null;
+ try {
+ AbstractUserStoreManager userStoreManager =
+ (AbstractUserStoreManager) OAuthComponentServiceHolder.getInstance()
+ .getRealmService().getTenantUserRealm(tenantId).getUserStoreManager();
+ if (StringUtils.isNotEmpty(userId) && userStoreManager.isExistingUserWithID(userId)) {
+ user = getApplicationUser(userStoreManager.getUser(userId, null));
+ }
+ return user;
+ } catch (org.wso2.carbon.user.api.UserStoreException e) {
+ throw new IdentityOAuth2Exception("Error finding user in tenant.", e);
+ }
+ }
+
private static User getApplicationUser(org.wso2.carbon.user.core.common.User coreUser) {
User user = new User();
@@ -1197,4 +1235,73 @@ private static void setOrganizationSSOUserDetails(AuthenticatedUser authenticate
authenticatedUser.setFederatedIdPName(orgSsoIdp.getIdentityProviderName());
}
}
+
+ /**
+ * Get the value of the Tenant configuration of Reuse Private key JWT from the tenant configuration.
+ *
+ * @param tokenEPAllowReusePvtKeyJwtValue Value of the tokenEPAllowReusePvtKeyJwt configuration.
+ * @param tokenAuthMethod Token authentication method.
+ * @return Value of the tokenEPAllowReusePvtKeyJwt configuration.
+ * @throws IdentityOAuth2ServerException IdentityOAuth2ServerException exception.
+ */
+ public static String getValueOfTokenEPAllowReusePvtKeyJwt(String tokenEPAllowReusePvtKeyJwtValue,
+ String tokenAuthMethod)
+ throws IdentityOAuth2ServerException {
+
+ if (tokenEPAllowReusePvtKeyJwtValue == null && StringUtils.isNotBlank(tokenAuthMethod)
+ && OAuthConstants.PRIVATE_KEY_JWT.equals(tokenAuthMethod)) {
+ try {
+ tokenEPAllowReusePvtKeyJwtValue = readTenantConfigurationPvtKeyJWTReuse();
+ } catch (ConfigurationManagementException e) {
+ throw new IdentityOAuth2ServerException("Unable to retrieve JWT Authenticator tenant configuration.",
+ e);
+ }
+ if (tokenEPAllowReusePvtKeyJwtValue == null) {
+ tokenEPAllowReusePvtKeyJwtValue = readServerConfigurationPvtKeyJWTReuse();
+ if (tokenEPAllowReusePvtKeyJwtValue == null) {
+ tokenEPAllowReusePvtKeyJwtValue = String.valueOf(DEFAULT_VALUE_FOR_PREVENT_TOKEN_REUSE);
+ }
+ }
+ }
+ return tokenEPAllowReusePvtKeyJwtValue;
+ }
+
+ private static String readTenantConfigurationPvtKeyJWTReuse() throws ConfigurationManagementException {
+
+ String tokenEPAllowReusePvtKeyJwtTenantConfig = null;
+ Resource resource = OAuthComponentServiceHolder.getInstance().getConfigurationManager()
+ .getResource(JWT_CONFIGURATION_RESOURCE_TYPE_NAME, JWT_CONFIGURATION_RESOURCE_NAME);
+
+ if (resource != null) {
+ tokenEPAllowReusePvtKeyJwtTenantConfig = resource.getAttributes().stream()
+ .filter(attribute -> ENABLE_TOKEN_REUSE.equals(attribute.getKey()))
+ .map(Attribute::getValue)
+ .findFirst()
+ .orElse(null);
+ }
+ return tokenEPAllowReusePvtKeyJwtTenantConfig;
+ }
+
+ private static String readServerConfigurationPvtKeyJWTReuse() {
+
+ String tokenEPAllowReusePvtKeyJwtTenantConfig = null;
+ IdentityEventListenerConfig identityEventListenerConfig = IdentityUtil.readEventListenerProperty(
+ AbstractIdentityHandler.class.getName(), PVT_KEY_JWT_CLIENT_AUTHENTICATOR_CLASS_NAME);
+
+ if (identityEventListenerConfig != null
+ && Boolean.parseBoolean(identityEventListenerConfig.getEnable())) {
+ if (identityEventListenerConfig.getProperties() != null) {
+ for (Map.Entry property : identityEventListenerConfig.getProperties().entrySet()) {
+ String key = (String) property.getKey();
+ String value = (String) property.getValue();
+ if (Objects.equals(key, PREVENT_TOKEN_REUSE)) {
+ boolean preventTokenReuse = Boolean.parseBoolean(value);
+ tokenEPAllowReusePvtKeyJwtTenantConfig = String.valueOf(!preventTokenReuse);
+ break;
+ }
+ }
+ }
+ }
+ return tokenEPAllowReusePvtKeyJwtTenantConfig;
+ }
}
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenRequestBuilder.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenRequestBuilder.java
new file mode 100644
index 00000000000..f41249469ea
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenRequestBuilder.java
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth.action;
+
+import com.nimbusds.jwt.JWTClaimsSet;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.action.execution.ActionExecutionRequestBuilder;
+import org.wso2.carbon.identity.action.execution.exception.ActionExecutionRequestBuilderException;
+import org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest;
+import org.wso2.carbon.identity.action.execution.model.ActionType;
+import org.wso2.carbon.identity.action.execution.model.AllowedOperation;
+import org.wso2.carbon.identity.action.execution.model.Event;
+import org.wso2.carbon.identity.action.execution.model.Operation;
+import org.wso2.carbon.identity.action.execution.model.Organization;
+import org.wso2.carbon.identity.action.execution.model.Request;
+import org.wso2.carbon.identity.action.execution.model.Tenant;
+import org.wso2.carbon.identity.action.execution.model.User;
+import org.wso2.carbon.identity.action.execution.model.UserStore;
+import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.oauth.action.model.AccessToken;
+import org.wso2.carbon.identity.oauth.action.model.PreIssueAccessTokenEvent;
+import org.wso2.carbon.identity.oauth.action.model.TokenRequest;
+import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
+import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
+import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.openidconnect.CustomClaimsCallbackHandler;
+import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+/**
+ * This class is responsible for building the action execution request for the pre issue access token action.
+ */
+public class PreIssueAccessTokenRequestBuilder implements ActionExecutionRequestBuilder {
+
+ public static final String CLAIMS_PATH_PREFIX = "/accessToken/claims/";
+ public static final String SCOPES_PATH_PREFIX = "/accessToken/scopes/";
+ private static final Log LOG = LogFactory.getLog(PreIssueAccessTokenRequestBuilder.class);
+
+ @Override
+ public ActionType getSupportedActionType() {
+
+ return ActionType.PRE_ISSUE_ACCESS_TOKEN;
+ }
+
+ @Override
+ public ActionExecutionRequest buildActionExecutionRequest(Map eventContext)
+ throws ActionExecutionRequestBuilderException {
+
+ OAuthTokenReqMessageContext tokenMessageContext =
+ (OAuthTokenReqMessageContext) eventContext.get("tokenMessageContext");
+
+ Map additionalClaimsToAddToToken = getAdditionalClaimsToAddToToken(tokenMessageContext);
+
+ ActionExecutionRequest.Builder actionRequestBuilder = new ActionExecutionRequest.Builder();
+ actionRequestBuilder.actionType(getSupportedActionType());
+ actionRequestBuilder.event(getEvent(tokenMessageContext, additionalClaimsToAddToToken));
+ actionRequestBuilder.allowedOperations(getAllowedOperations(additionalClaimsToAddToToken));
+
+ return actionRequestBuilder.build();
+ }
+
+ private Event getEvent(OAuthTokenReqMessageContext tokenMessageContext, Map claimsToAdd)
+ throws ActionExecutionRequestBuilderException {
+
+ OAuth2AccessTokenReqDTO tokenReqDTO = tokenMessageContext.getOauth2AccessTokenReqDTO();
+ AuthenticatedUser authorizedUser = tokenMessageContext.getAuthorizedUser();
+
+ PreIssueAccessTokenEvent.Builder eventBuilder = new PreIssueAccessTokenEvent.Builder();
+ eventBuilder.tenant(new Tenant(String.valueOf(IdentityTenantUtil.getTenantId(tokenReqDTO.getTenantDomain())),
+ tokenReqDTO.getTenantDomain()));
+
+ boolean isAuthorizedForUser = isAccessTokenAuthorizedForUser(tokenReqDTO.getGrantType(), tokenMessageContext);
+ if (isAuthorizedForUser) {
+ setUserForEventBuilder(eventBuilder, authorizedUser, tokenReqDTO.getClientId(), tokenReqDTO.getGrantType());
+ setOrganizationForEventBuilder(eventBuilder, authorizedUser, tokenReqDTO.getClientId(),
+ tokenReqDTO.getGrantType());
+ eventBuilder.userStore(new UserStore(authorizedUser.getUserStoreDomain()));
+ }
+
+ eventBuilder.accessToken(getAccessToken(tokenMessageContext, claimsToAdd));
+ eventBuilder.request(getRequest(tokenReqDTO));
+
+ return eventBuilder.build();
+ }
+
+ private void setUserForEventBuilder(PreIssueAccessTokenEvent.Builder eventBuilder, AuthenticatedUser user,
+ String clientID, String grantType) {
+
+ try {
+ eventBuilder.user(new User(user.getUserId()));
+ } catch (UserIdNotFoundException e) {
+ if (LOG.isDebugEnabled()) {
+ // todo: fall back to a different identifier like username.
+ // Verify based on when this exception is thrown.
+ LOG.debug(String.format(
+ "Error occurred while retrieving user id of the authorized user for application: " + clientID +
+ "for grantType: " + grantType), e);
+ }
+ }
+ }
+
+ private void setOrganizationForEventBuilder(PreIssueAccessTokenEvent.Builder eventBuilder, AuthenticatedUser user,
+ String clientID, String grantType) {
+
+ try {
+ String organizationId = user.getUserResidentOrganization();
+ if (organizationId != null && !organizationId.isEmpty()) {
+ String organizationName = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
+ .getOrganizationNameById(user.getUserResidentOrganization());
+ eventBuilder.organization(new Organization(user.getUserResidentOrganization(),
+ organizationName));
+ }
+ } catch (OrganizationManagementException e) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format(
+ "Error occurred while retrieving organization name of the authorized user for application: " +
+ clientID + "for grantType: " + grantType), e);
+ }
+ }
+ }
+
+ private Request getRequest(OAuth2AccessTokenReqDTO tokenRequestDTO) {
+
+ TokenRequest.Builder tokenRequestBuilder = new TokenRequest.Builder();
+ tokenRequestBuilder.clientId(tokenRequestDTO.getClientId());
+ tokenRequestBuilder.grantType(tokenRequestDTO.getGrantType());
+ tokenRequestBuilder.scopes(Arrays.asList(tokenRequestDTO.getScope()));
+
+ HttpRequestHeader[] httpHeaders = tokenRequestDTO.getHttpRequestHeaders();
+ if (httpHeaders != null) {
+ for (HttpRequestHeader header : httpHeaders) {
+ tokenRequestBuilder.addAdditionalHeader(header.getName(), header.getValue());
+ }
+ }
+
+ RequestParameter[] requestParameters = tokenRequestDTO.getRequestParameters();
+ if (requestParameters != null) {
+ for (RequestParameter parameter : requestParameters) {
+ tokenRequestBuilder.addAdditionalParam(parameter.getKey(), parameter.getValue());
+ }
+ }
+
+ return tokenRequestBuilder.build();
+ }
+
+ private boolean isAccessTokenAuthorizedForUser(String grantType, OAuthTokenReqMessageContext tokReqMsgCtx)
+ throws ActionExecutionRequestBuilderException {
+
+ AuthorizationGrantHandler grantHandler =
+ OAuthServerConfiguration.getInstance().getSupportedGrantTypes().get(grantType);
+
+ try {
+ return grantHandler.isOfTypeApplicationUser(tokReqMsgCtx);
+ } catch (IdentityOAuth2Exception e) {
+ throw new ActionExecutionRequestBuilderException(
+ "Failed to determine the authorized entity of the token for grant type: " +
+ grantType, e);
+ }
+ }
+
+ private AccessToken getAccessToken(OAuthTokenReqMessageContext
+ tokenMessageContext, Map claimsToAdd)
+ throws ActionExecutionRequestBuilderException {
+
+ try {
+ OAuthAppDO oAuthAppDO = getAppInformation(tokenMessageContext);
+ String issuer = getIssuer(tokenMessageContext);
+ List audience = getAudience(tokenMessageContext, oAuthAppDO);
+ String tokenType = oAuthAppDO.getTokenType();
+
+ AccessToken.Builder accessTokenBuilder = new AccessToken.Builder();
+
+ handleStandardClaims(tokenMessageContext, tokenType, issuer, audience, accessTokenBuilder);
+ handleSubjectClaim(tokenMessageContext.getAuthorizedUser(), oAuthAppDO, accessTokenBuilder);
+ handleTokenBindingClaims(tokenMessageContext, accessTokenBuilder);
+ claimsToAdd.forEach(accessTokenBuilder::addClaim);
+ return accessTokenBuilder.build();
+ } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
+ throw new ActionExecutionRequestBuilderException(
+ "Failed to generate pre issue access token action request for application: " +
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getClientId() + " grant type: " +
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getGrantType(), e);
+ }
+ }
+
+ private OAuthAppDO getAppInformation(OAuthTokenReqMessageContext tokenMessageContext)
+ throws InvalidOAuthClientException, IdentityOAuth2Exception {
+
+ return OAuth2Util.getAppInformationByClientId(
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getClientId(),
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain());
+ }
+
+ private String getIssuer(OAuthTokenReqMessageContext tokenMessageContext) throws IdentityOAuth2Exception {
+
+ return OAuth2Util.getIdTokenIssuer(tokenMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain());
+ }
+
+ private List getAudience(OAuthTokenReqMessageContext tokenMessageContext, OAuthAppDO oAuthAppDO) {
+
+ if (tokenMessageContext.isPreIssueAccessTokenActionsExecuted()) {
+ return tokenMessageContext.getAudiences();
+ } else {
+ return OAuth2Util.getOIDCAudience(oAuthAppDO.getOauthConsumerKey(), oAuthAppDO);
+ }
+ }
+
+ private void handleStandardClaims(OAuthTokenReqMessageContext tokenMessageContext, String tokenType,
+ String issuer, List audience, AccessToken.Builder accessTokenBuilder) {
+
+ accessTokenBuilder.tokenType(tokenType)
+ .addClaim(AccessToken.ClaimNames.ISS.getName(), issuer)
+ .addClaim(AccessToken.ClaimNames.CLIENT_ID.getName(),
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getClientId())
+ .addClaim(AccessToken.ClaimNames.AUTHORIZED_USER_TYPE.getName(),
+ String.valueOf(tokenMessageContext.getProperty(OAuthConstants.UserType.USER_TYPE)))
+ .addClaim(AccessToken.ClaimNames.EXPIRES_IN.getName(),
+ tokenMessageContext.getValidityPeriod() / 1000)
+ .addClaim(AccessToken.ClaimNames.AUD.getName(), audience)
+ .scopes(Arrays.asList(tokenMessageContext.getScope()));
+ }
+
+ private void handleSubjectClaim(AuthenticatedUser authorizedUser, OAuthAppDO oAuthAppDO,
+ AccessToken.Builder accessTokenBuilder) throws IdentityOAuth2Exception {
+
+ String sub = authorizedUser.getAuthenticatedSubjectIdentifier();
+ if (OAuth2Util.isPairwiseSubEnabledForAccessTokens()) {
+ sub = OIDCClaimUtil.getSubjectClaim(sub, oAuthAppDO);
+ accessTokenBuilder.addClaim(AccessToken.ClaimNames.SUBJECT_TYPE.getName(),
+ OIDCClaimUtil.getSubjectType(oAuthAppDO).getValue());
+ }
+ accessTokenBuilder.addClaim(AccessToken.ClaimNames.SUB.getName(), sub);
+ }
+
+ private Map getAdditionalClaimsToAddToToken(OAuthTokenReqMessageContext tokenMessageContext)
+ throws ActionExecutionRequestBuilderException {
+ /*
+ Directly return custom claims if pre-issue access token actions have been executed.
+ This is to ensure that the custom claims added are incorporated in the refresh token flow.
+ Moreover, this execution expects that the claim handlers executed at the token issuance flow
+ does not incorporate any additional custom rules based on refresh grant.
+ */
+ if (tokenMessageContext.isPreIssueAccessTokenActionsExecuted()) {
+ return tokenMessageContext.getAdditionalAccessTokenClaims();
+ }
+
+ try {
+ CustomClaimsCallbackHandler claimsCallBackHandler =
+ OAuthServerConfiguration.getInstance().getOpenIDConnectCustomClaimsCallbackHandler();
+ JWTClaimsSet claimsSet =
+ claimsCallBackHandler.handleCustomClaims(new JWTClaimsSet.Builder(), tokenMessageContext);
+ return Optional.ofNullable(claimsSet).map(JWTClaimsSet::getClaims).orElseGet(HashMap::new);
+ } catch (IdentityOAuth2Exception e) {
+ throw new ActionExecutionRequestBuilderException(
+ "Failed to retrieve OIDC claim set for the access token for grant type: " +
+ tokenMessageContext.getOauth2AccessTokenReqDTO().getGrantType(), e);
+ }
+ }
+
+ private void handleTokenBindingClaims(OAuthTokenReqMessageContext tokenMessageContext,
+ AccessToken.Builder accessTokenBuilder) {
+
+ if (tokenMessageContext.getTokenBinding() != null) {
+ accessTokenBuilder.addClaim(AccessToken.ClaimNames.TOKEN_BINDING_REF.getName(),
+ tokenMessageContext.getTokenBinding().getBindingReference())
+ .addClaim(AccessToken.ClaimNames.TOKEN_BINDING_TYPE.getName(),
+ tokenMessageContext.getTokenBinding().getBindingType());
+ }
+ }
+
+ public List getAllowedOperations(Map oidcClaims) {
+
+ List removeOrReplacePaths = getRemoveOrReplacePaths(oidcClaims);
+
+ List replacePaths = new ArrayList<>(removeOrReplacePaths);
+ replacePaths.add(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName());
+
+ AllowedOperation addOperation =
+ createAllowedOperation(Operation.ADD, Arrays.asList(CLAIMS_PATH_PREFIX, SCOPES_PATH_PREFIX,
+ CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName() + "/"));
+ AllowedOperation removeOperation = createAllowedOperation(Operation.REMOVE, removeOrReplacePaths);
+ AllowedOperation replaceOperation = createAllowedOperation(Operation.REPLACE, replacePaths);
+
+ return Arrays.asList(addOperation, removeOperation, replaceOperation);
+ }
+
+ private List getRemoveOrReplacePaths(Map oidcClaims) {
+
+ List removeOrReplacePaths = oidcClaims.entrySet().stream()
+ .filter(entry -> entry.getValue() instanceof String || entry.getValue() instanceof Number ||
+ entry.getValue() instanceof Boolean || entry.getValue() instanceof List ||
+ entry.getValue() instanceof String[])
+ .map(this::generatePathForClaim)
+ .collect(Collectors.toList());
+
+ removeOrReplacePaths.add(SCOPES_PATH_PREFIX);
+ removeOrReplacePaths.add(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName() + "/");
+ return removeOrReplacePaths;
+ }
+
+ private String generatePathForClaim(Map.Entry entry) {
+
+ String basePath = CLAIMS_PATH_PREFIX + entry.getKey();
+ if (entry.getValue() instanceof List || entry.getValue() instanceof String[]) {
+ basePath += "/";
+ }
+ return basePath;
+ }
+
+ private AllowedOperation createAllowedOperation(Operation op, List paths) {
+
+ AllowedOperation operation = new AllowedOperation();
+ operation.setOp(op);
+ operation.setPaths(new ArrayList<>(paths));
+ return operation;
+ }
+
+}
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenResponseProcessor.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenResponseProcessor.java
new file mode 100644
index 00000000000..2ff54fb5063
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenResponseProcessor.java
@@ -0,0 +1,723 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth.action;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.action.execution.ActionExecutionResponseProcessor;
+import org.wso2.carbon.identity.action.execution.exception.ActionExecutionResponseProcessorException;
+import org.wso2.carbon.identity.action.execution.model.ActionExecutionStatus;
+import org.wso2.carbon.identity.action.execution.model.ActionInvocationErrorResponse;
+import org.wso2.carbon.identity.action.execution.model.ActionInvocationSuccessResponse;
+import org.wso2.carbon.identity.action.execution.model.ActionType;
+import org.wso2.carbon.identity.action.execution.model.Event;
+import org.wso2.carbon.identity.action.execution.model.PerformableOperation;
+import org.wso2.carbon.identity.oauth.action.model.AccessToken;
+import org.wso2.carbon.identity.oauth.action.model.ClaimPathInfo;
+import org.wso2.carbon.identity.oauth.action.model.OperationExecutionResult;
+import org.wso2.carbon.identity.oauth.action.model.PreIssueAccessTokenEvent;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * This class is responsible for processing the response received from the action execution
+ * of the pre issue access token.
+ */
+public class PreIssueAccessTokenResponseProcessor implements ActionExecutionResponseProcessor {
+
+ private static final Log LOG = LogFactory.getLog(PreIssueAccessTokenResponseProcessor.class);
+ private static final String SCOPE_PATH_PREFIX = "/accessToken/scopes/";
+ private static final String CLAIMS_PATH_PREFIX = "/accessToken/claims/";
+ private static final Pattern NQCHAR_PATTERN = Pattern.compile("^[\\x21\\x23-\\x5B\\x5D-\\x7E]+$");
+ private static final Pattern STRING_OR_URI_PATTERN =
+ Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]*://[^\\s/$.?#].\\S*)|(^[a-zA-Z0-9.-]+$)");
+ private static final String LAST_ELEMENT_CHARACTER = "-";
+ private static final char PATH_SEPARATOR = '/';
+
+ @Override
+ public ActionType getSupportedActionType() {
+
+ return ActionType.PRE_ISSUE_ACCESS_TOKEN;
+ }
+
+ @Override
+ public ActionExecutionStatus processSuccessResponse(Map eventContext, Event event,
+ ActionInvocationSuccessResponse actionInvocationSuccessResponse)
+ throws ActionExecutionResponseProcessorException {
+
+ OAuthTokenReqMessageContext tokenMessageContext =
+ (OAuthTokenReqMessageContext) eventContext.get("tokenMessageContext");
+ PreIssueAccessTokenEvent preIssueAccessTokenEvent = (PreIssueAccessTokenEvent) event;
+ List operationsToPerform = actionInvocationSuccessResponse.getOperations();
+
+ AccessToken requestAccessToken = preIssueAccessTokenEvent.getAccessToken();
+ AccessToken.Builder responseAccessTokenBuilder = preIssueAccessTokenEvent.getAccessToken().copy();
+ List operationExecutionResultList = new ArrayList<>();
+
+ if (operationsToPerform != null) {
+ for (PerformableOperation operation : operationsToPerform) {
+ switch (operation.getOp()) {
+ case ADD:
+ operationExecutionResultList.add(
+ handleAddOperation(operation, requestAccessToken, responseAccessTokenBuilder));
+ break;
+ case REMOVE:
+ operationExecutionResultList.add(
+ handleRemoveOperation(operation, requestAccessToken, responseAccessTokenBuilder));
+ break;
+ case REPLACE:
+ operationExecutionResultList.add(
+ handleReplaceOperation(operation, requestAccessToken, responseAccessTokenBuilder));
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ logOperationExecutionResults(getSupportedActionType(), operationExecutionResultList);
+
+ AccessToken responseAccessToken = responseAccessTokenBuilder.build();
+ updateTokenMessageContext(tokenMessageContext, responseAccessToken);
+
+ return new ActionExecutionStatus(ActionExecutionStatus.Status.SUCCESS, eventContext);
+ }
+
+ private void logOperationExecutionResults(ActionType actionType,
+ List operationExecutionResultList) {
+
+ //todo: need to add to diagnostic logs
+ if (LOG.isDebugEnabled()) {
+ ObjectMapper objectMapper = new ObjectMapper();
+ objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
+ objectMapper.setSerializationInclusion(JsonInclude.Include.NON_EMPTY);
+ try {
+ String executionSummary = objectMapper.writeValueAsString(operationExecutionResultList);
+ LOG.debug(String.format("Processed response for action type: %s. Results of operations performed: %s",
+ actionType, executionSummary));
+ } catch (JsonProcessingException e) {
+ LOG.debug("Error occurred while logging operation execution results.", e);
+ }
+ }
+ }
+
+ @Override
+ public ActionExecutionStatus processErrorResponse(Map map, Event event,
+ ActionInvocationErrorResponse actionInvocationErrorResponse)
+ throws ActionExecutionResponseProcessorException {
+
+ //todo: need to implement to process the error so that if a processable error is received
+ // it is communicated to the client.
+ // we will look into this as we go along with other extension types validating the way to model this.
+ return null;
+ }
+
+ private void updateTokenMessageContext(OAuthTokenReqMessageContext tokenMessageContext,
+ AccessToken responseAccessToken) {
+
+ tokenMessageContext.setScope(responseAccessToken.getScopes().toArray(new String[0]));
+
+ String expiresInClaimName = CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName();
+ responseAccessToken.getClaims().stream()
+ .filter(claim -> expiresInClaimName.equals(claim.getName()))
+ .findFirst()
+ .map(claim -> Long.parseLong(claim.getValue().toString()) * 1000)
+ .ifPresent(tokenMessageContext::setValidityPeriod);
+
+ Optional.ofNullable(responseAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName()))
+ .map(AccessToken.Claim::getValue)
+ .ifPresent(value -> {
+ List audienceList;
+ if (value instanceof List) {
+ audienceList = (List) value;
+ } else {
+ audienceList = Collections.emptyList();
+ }
+ tokenMessageContext.setAudiences(audienceList);
+ });
+
+ Map customClaims = new HashMap<>();
+ for (AccessToken.Claim claim : responseAccessToken.getClaims()) {
+ if (!AccessToken.ClaimNames.contains(claim.getName())) {
+ customClaims.put(claim.getName(), claim.getValue());
+ }
+ }
+ tokenMessageContext.setAdditionalAccessTokenClaims(customClaims);
+
+ tokenMessageContext.setPreIssueAccessTokenActionsExecuted(true);
+ }
+
+ private OperationExecutionResult handleAddOperation(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ if (operation.getPath().startsWith(SCOPE_PATH_PREFIX)) {
+ return addScope(operation, responseAccessToken);
+ } else if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX)) {
+ return addClaim(operation, requestAccessToken, responseAccessToken);
+ }
+
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Unknown path.");
+ }
+
+ private OperationExecutionResult addScope(PerformableOperation operation,
+ AccessToken.Builder responseAccessToken) {
+
+ List authorizedScopes =
+ responseAccessToken.getScopes() != null ? responseAccessToken.getScopes() : new ArrayList<>();
+
+ int index = validateIndex(operation.getPath(), authorizedScopes.size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String scopeToAdd = operation.getValue().toString();
+ if (authorizedScopes.contains(scopeToAdd) || !validateNQChar(scopeToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Scope exists or is invalid.");
+ }
+
+ authorizedScopes.add(scopeToAdd);
+ responseAccessToken.scopes(authorizedScopes);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS, "Scope added.");
+ }
+
+ private OperationExecutionResult addClaim(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ List claims = requestAccessToken.getClaims();
+
+ if (claims == null || claims.isEmpty()) {
+ // todo: not sure why this is here. If it's an add we don't need to check for empty claims rather just add.
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Claims not found.");
+ }
+
+ if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName())) {
+ return addAudience(operation, requestAccessToken, responseAccessToken);
+ } else {
+ return addToOtherClaims(operation, requestAccessToken, responseAccessToken);
+ }
+ }
+
+ private OperationExecutionResult addAudience(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ AccessToken.Claim audience = requestAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ if (audience != null && audience.getValue() != null && audience.getValue() instanceof List) {
+ List audienceList = (List) audience.getValue();
+
+ int index = validateIndex(operation.getPath(), audienceList.size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String audienceToAdd = operation.getValue().toString();
+ if (!isValidStringOrURI(audienceToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Audience is invalid.");
+ }
+
+ AccessToken.Claim responseAudience =
+ responseAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ List responseAudienceList = (List) responseAudience.getValue();
+ if (responseAudienceList.contains(audienceToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Audience already exists.");
+ }
+
+ responseAudienceList.add(audienceToAdd);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Audience added.");
+ }
+
+ //todo: In the add path it should be possible to add audience irrespective of the fact the access token
+ // included a set of audiences or not. Need to recheck this.
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Audience claim not found.");
+ }
+
+ private OperationExecutionResult addToOtherClaims(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ int index = validateIndex(operation.getPath(), requestAccessToken.getClaims().size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ Object claimToAdd = operation.getValue();
+ ObjectMapper objectMapper = new ObjectMapper();
+ try {
+ AccessToken.Claim claim = objectMapper.convertValue(claimToAdd, AccessToken.Claim.class);
+ if (requestAccessToken.getClaim(claim.getName()) != null) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "An access token claim already exists.");
+ }
+
+ Object claimValue = claim.getValue();
+ if (isValidPrimitiveValue(claimValue) || isValidListValue(claimValue)) {
+ responseAccessToken.addClaim(claim.getName(), claimValue);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS, "Claim added.");
+
+ } else {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid claim value.");
+ }
+ } catch (IllegalArgumentException e) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid claim.");
+ }
+ }
+
+ private OperationExecutionResult handleRemoveOperation(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ if (operation.getPath().startsWith(SCOPE_PATH_PREFIX)) {
+ return removeScope(operation, requestAccessToken, responseAccessToken);
+ } else if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX)) {
+ return removeClaim(operation, requestAccessToken, responseAccessToken);
+ }
+
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Unknown path.");
+ }
+
+ private OperationExecutionResult removeScope(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ if (requestAccessToken.getScopes() == null || requestAccessToken.getScopes().isEmpty()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "No scopes to remove.");
+ }
+
+ int index = validateIndex(operation.getPath(), requestAccessToken.getScopes().size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String scopeToRemove = requestAccessToken.getScopes().get(index);
+ boolean removed = responseAccessToken.getScopes().remove(scopeToRemove);
+ if (removed) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Scope removed.");
+ } else {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Failed to remove scope.");
+ }
+ }
+
+ private OperationExecutionResult removeClaim(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ List claims = requestAccessToken.getClaims();
+ if (claims == null || claims.isEmpty()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "No claims to remove.");
+ }
+
+ if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName())) {
+ return removeAudience(operation, requestAccessToken, responseAccessToken);
+ } else {
+ return removeOtherClaims(operation, requestAccessToken, responseAccessToken);
+ }
+ }
+
+ private OperationExecutionResult removeAudience(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ AccessToken.Claim audience = requestAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ if (audience != null && audience.getValue() != null && audience.getValue() instanceof List) {
+ List audienceList = (List) audience.getValue();
+
+ int index = validateIndex(operation.getPath(), audienceList.size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String audienceToRemove = audienceList.get(index);
+ AccessToken.Claim responseAudience =
+ responseAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ List responseAudienceList = (List) responseAudience.getValue();
+ boolean removed = responseAudienceList.remove(audienceToRemove);
+ if (removed) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Audience removed.");
+ }
+ }
+
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Audience not found.");
+ }
+
+ private OperationExecutionResult removeOtherClaims(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ ClaimPathInfo claimPathInfo = parseOperationPath(operation.getPath());
+ AccessToken.Claim claim = requestAccessToken.getClaim(claimPathInfo.getClaimName());
+ if (claim == null) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE, "Claim not found.");
+ }
+
+ if (claimPathInfo.getIndex() != -1) {
+ return removeClaimValueAtIndexFromArrayTypeClaim(operation, claimPathInfo, claim,
+ responseAccessToken);
+ } else {
+ return removePrimitiveTypeClaim(operation, claimPathInfo, responseAccessToken);
+ }
+ }
+
+ private OperationExecutionResult removeClaimValueAtIndexFromArrayTypeClaim(PerformableOperation operation,
+ ClaimPathInfo claimPathInfo,
+ AccessToken.Claim claim,
+ AccessToken.Builder
+ responseAccessToken) {
+
+ if (!(claim.getValue() instanceof List)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Claim to remove the value from is not an array.");
+ }
+
+ List claimValueList = (List) claim.getValue();
+ if (claimPathInfo.getIndex() < 0 || claimPathInfo.getIndex() >= claimValueList.size()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String claimValueToRemove = claimValueList.get(claimPathInfo.getIndex());
+
+ AccessToken.Claim claimInResponse =
+ responseAccessToken.getClaim(claimPathInfo.getClaimName());
+ List claimValueListInResponse = (List) claimInResponse.getValue();
+ boolean removed = claimValueListInResponse.remove(claimValueToRemove);
+
+ if (removed) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Claim value removed.");
+ } else {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Failed to remove claim value.");
+ }
+ }
+
+ private OperationExecutionResult removePrimitiveTypeClaim(PerformableOperation operation,
+ ClaimPathInfo claimPathInfo,
+ AccessToken.Builder responseAccessToken) {
+
+ boolean claimRemoved =
+ responseAccessToken.getClaims().removeIf(claim -> claim.getName().equals(claimPathInfo.getClaimName()));
+
+ if (claimRemoved) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Claim removed.");
+ } else {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Failed to remove claim.");
+ }
+ }
+
+ private OperationExecutionResult handleReplaceOperation(PerformableOperation operation,
+ AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ if (operation.getPath().startsWith(SCOPE_PATH_PREFIX)) {
+ return replaceScope(operation, requestAccessToken, responseAccessToken);
+ } else if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX)) {
+ return replaceClaim(operation, requestAccessToken, responseAccessToken);
+ }
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Unknown path.");
+ }
+
+ private OperationExecutionResult replaceScope(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ List scopes = requestAccessToken.getScopes();
+ if (scopes == null || scopes.isEmpty()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "No scopes.");
+ }
+
+ int index = validateIndex(operation.getPath(), scopes.size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String scopeToAdd = operation.getValue().toString();
+ if (!validateNQChar(scopeToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid scope.");
+ }
+
+ if (scopes.contains(scopeToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Scope already exists.");
+ }
+
+ String scopeToReplace = scopes.get(index);
+ responseAccessToken.getScopes().remove(scopeToReplace);
+ responseAccessToken.getScopes().add(scopeToAdd);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS, "Scope replaced.");
+ }
+
+ private OperationExecutionResult replaceClaim(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ List claims = requestAccessToken.getClaims();
+
+ if (claims == null || claims.isEmpty()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "No claims to replace.");
+ }
+
+ if (operation.getPath().equals(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName())) {
+ return replaceExpiresIn(operation, responseAccessToken);
+ } else if (operation.getPath().startsWith(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName())) {
+ return replaceAudience(operation, requestAccessToken, responseAccessToken);
+ } else {
+ return replaceOtherClaims(operation, requestAccessToken, responseAccessToken);
+ }
+ }
+
+ private OperationExecutionResult replaceExpiresIn(PerformableOperation operation,
+ AccessToken.Builder responseAccessToken) {
+
+ long expiresIn;
+ try {
+ expiresIn = Long.parseLong(operation.getValue().toString());
+ } catch (NumberFormatException e) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid expiry time format.");
+ }
+
+ if (expiresIn <= 0) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid expiry time. Must be positive.");
+ }
+
+ responseAccessToken.getClaims().removeIf(
+ claim -> claim.getName()
+ .equals(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName()));
+ responseAccessToken.addClaim(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName(),
+ expiresIn);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Expiry time updated.");
+ }
+
+ private OperationExecutionResult replaceOtherClaims(PerformableOperation operation, AccessToken requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ ClaimPathInfo claimPathInfo = parseOperationPath(operation.getPath());
+ AccessToken.Claim claim = requestAccessToken.getClaim(claimPathInfo.getClaimName());
+
+ if (claim == null) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Claim not found.");
+ }
+
+ if (claimPathInfo.getIndex() != -1) {
+ return replaceClaimValueAtIndexFromArrayTypeClaim(operation, claimPathInfo, claim, responseAccessToken);
+ } else {
+ return replacePrimitiveTypeClaim(operation, claimPathInfo, responseAccessToken);
+ }
+ }
+
+ private OperationExecutionResult replaceClaimValueAtIndexFromArrayTypeClaim(PerformableOperation operation,
+ ClaimPathInfo claimPathInfo,
+ AccessToken.Claim claim,
+ AccessToken.Builder
+ responseAccessToken) {
+
+ if (!(claim.getValue() instanceof List)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Claim to replace the value is not an array.");
+ }
+
+ List claimValueList = (List) claim.getValue();
+ if (claimPathInfo.getIndex() < 0 || claimPathInfo.getIndex() >= claimValueList.size()) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE, "Invalid index.");
+ }
+
+ Object claimValue = operation.getValue();
+ if (!isValidPrimitiveValue(claimValue)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid claim value. Must be a valid string, number or boolean.");
+ }
+
+ // Replace claim value in the response access token
+ AccessToken.Claim claimInResponse = responseAccessToken.getClaim(claimPathInfo.getClaimName());
+ List claimValueListInResponse = (List) claimInResponse.getValue();
+ String claimToReplace = claimValueList.get(claimPathInfo.getIndex());
+ if (claimValueListInResponse.contains(claimValue.toString())) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Claim value already exists.");
+ }
+ claimValueListInResponse.remove(claimToReplace);
+ claimValueListInResponse.add(claimValue.toString());
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Claim value replaced.");
+ }
+
+ private OperationExecutionResult replacePrimitiveTypeClaim(PerformableOperation operation,
+ ClaimPathInfo claimPathInfo,
+ AccessToken.Builder responseAccessToken) {
+
+ boolean claimRemoved = responseAccessToken.getClaims()
+ .removeIf(claim -> claim.getName().equals(claimPathInfo.getClaimName()));
+ if (claimRemoved) {
+ responseAccessToken.addClaim(claimPathInfo.getClaimName(),
+ operation.getValue());
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Claim replaced.");
+ } else {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Failed to replace claim.");
+ }
+ }
+
+ private OperationExecutionResult replaceAudience(PerformableOperation operation, AccessToken
+ requestAccessToken,
+ AccessToken.Builder responseAccessToken) {
+
+ AccessToken.Claim audience = requestAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ if (audience != null && audience.getValue() != null && audience.getValue() instanceof List) {
+ List audienceList = (List) audience.getValue();
+
+ int index = validateIndex(operation.getPath(), audienceList.size());
+ if (index == -1) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid index.");
+ }
+
+ String audienceToAdd = operation.getValue().toString();
+ if (!isValidStringOrURI(audienceToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Invalid Audience. Must be a valid string or URI.");
+ }
+
+ if (audienceList.contains(audienceToAdd)) {
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Audience to replace already exists.");
+ }
+
+ String audienceToReplace = audienceList.get(index);
+
+ AccessToken.Claim responseAudience =
+ responseAccessToken.getClaim(AccessToken.ClaimNames.AUD.getName());
+ List responseAudienceList = (List) responseAudience.getValue();
+ responseAudienceList.remove(audienceToReplace);
+ responseAudienceList.add(audienceToAdd);
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.SUCCESS,
+ "Audience replaced.");
+ }
+
+ return new OperationExecutionResult(operation, OperationExecutionResult.Status.FAILURE,
+ "Audience claim not found.");
+ }
+
+ private ClaimPathInfo parseOperationPath(String operationPath) {
+
+ String[] pathSegments = operationPath.split("/");
+ String lastSegment = pathSegments[pathSegments.length - 1];
+ String claimName;
+ int index = -1;
+
+ try {
+ // Attempt to parse the last segment as an integer to check if it's an index
+ index = Integer.parseInt(lastSegment);
+ // If parsing succeeds, the last segment is an index, so the claim name is the second last segment
+ claimName = pathSegments[pathSegments.length - 2];
+ } catch (NumberFormatException e) {
+ // If parsing fails, the last segment is not an index, so it's the claim name itself
+ claimName = lastSegment;
+ }
+
+ return new ClaimPathInfo(claimName, index);
+ }
+
+ private boolean isValidPrimitiveValue(Object value) {
+
+ return value instanceof String || value instanceof Number || value instanceof Boolean;
+ }
+
+ private boolean isValidListValue(Object value) {
+
+ if (!(value instanceof List)) {
+ return false;
+ }
+ List list = (List) value;
+ return list.stream().allMatch(item -> item instanceof String);
+ }
+
+ private int validateIndex(String operationPath, int listSize) {
+
+ String indexPart = operationPath.substring(operationPath.lastIndexOf(PATH_SEPARATOR) + 1);
+ if (LAST_ELEMENT_CHARACTER.equals(indexPart)) {
+ return listSize > 0 ? listSize - 1 : 0;
+ }
+
+ try {
+ int index = Integer.parseInt(indexPart);
+ if (index >= 0 && index < listSize) {
+ return index;
+ } else {
+ LOG.info("Index is out of bounds: " + indexPart);
+ return -1;
+ }
+ } catch (NumberFormatException ignored) {
+ LOG.info("Extracted index is not a valid integer. Index: " + indexPart);
+ }
+
+ LOG.info("Invalid index: " + indexPart);
+ return -1;
+ }
+
+ private boolean validateNQChar(String input) {
+
+ Matcher matcher = NQCHAR_PATTERN.matcher(input);
+ return matcher.matches();
+ }
+
+ private boolean isValidStringOrURI(String input) {
+
+ Matcher matcher = STRING_OR_URI_PATTERN.matcher(input);
+ return matcher.matches();
+ }
+}
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/AccessToken.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/AccessToken.java
new file mode 100644
index 00000000000..48ae5300554
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/action/model/AccessToken.java
@@ -0,0 +1,256 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth.action.model;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+/**
+ * This class represents the model of the access token sent in the json request
+ * to the API endpoint of the pre issue access token action.
+ */
+public class AccessToken {
+
+ private final String tokenType;
+ List scopes;
+ List claims;
+
+ private AccessToken(Builder builder) {
+
+ this.tokenType = builder.tokenType;
+ this.scopes = builder.scopes;
+ this.claims = builder.claims;
+ }
+
+ public String getTokenType() {
+
+ return tokenType;
+ }
+
+ public List getScopes() {
+
+ return scopes;
+ }
+
+ public List getClaims() {
+
+ return claims;
+ }
+
+ public Claim getClaim(String name) {
+
+ if (claims != null) {
+ for (Claim claim : claims) {
+ if (claim.getName().equals(name)) {
+ return claim;
+ }
+ }
+ }
+
+ return null;
+ }
+
+ public AccessToken.Builder copy() {
+
+ return new Builder()
+ .tokenType(this.tokenType)
+ .scopes(new ArrayList<>(this.scopes))
+ .claims(this.claims.stream().map(Claim::copy).collect(Collectors.toList()));
+ }
+
+ /**
+ * Enum for standard claim names.
+ */
+ public enum ClaimNames {
+
+ SUB("sub"),
+ ISS("iss"),
+ AUD("aud"),
+ CLIENT_ID("client_id"),
+ AUTHORIZED_USER_TYPE("aut"),
+ EXPIRES_IN("expires_in"),
+
+ TOKEN_BINDING_REF("binding_ref"),
+ TOKEN_BINDING_TYPE("binding_type"),
+ SUBJECT_TYPE("subject_type");
+
+ private final String name;
+
+ ClaimNames(String name) {
+
+ this.name = name;
+ }
+
+ public static boolean contains(String name) {
+
+ return Arrays.stream(ClaimNames.values())
+ .anyMatch(claimName -> claimName.name.equals(name));
+ }
+
+ public String getName() {
+
+ return name;
+ }
+ }
+
+ /**
+ * Model class for claims.
+ */
+ public static class Claim {
+
+ private String name;
+ private Object value;
+
+ public Claim() {
+
+ }
+
+ public Claim(String name, Object value) {
+
+ this.name = name;
+ this.value = value;
+ }
+
+ public String getName() {
+
+ return name;
+ }
+
+ public void setName(String name) {
+
+ this.name = name;
+ }
+
+ public Object getValue() {
+
+ return value;
+ }
+
+ public void setValue(Object value) {
+
+ this.value = value;
+ }
+
+ public Claim copy() {
+
+ return new Claim(this.name, deepCopyValue(this.value));
+ }
+
+ private Object deepCopyValue(Object value) {
+
+ if (value instanceof List) {
+ List originalList = (List) value;
+ List
+
+ org.wso2.carbon.identity.framework
+ org.wso2.carbon.identity.action.execution
+ ${carbon.identity.framework.version}
+
@@ -915,7 +920,7 @@
[1.0.1, 2.0.0)
- 7.2.37
+ 7.3.50
[5.25.234, 8.0.0)
diff --git a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
index a26791f0601..4c1fde7e7bf 100644
--- a/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
+++ b/service-stubs/org.wso2.carbon.claim.metadata.mgt.stub/pom.xml
@@ -21,7 +21,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
../../pom.xml
diff --git a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
index 391555ea62d..7fba9719750 100644
--- a/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
+++ b/test-utils/org.wso2.carbon.identity.oauth.common.testng/pom.xml
@@ -23,7 +23,7 @@
org.wso2.carbon.identity.inbound.auth.oauth2
identity-inbound-auth-oauth
../../pom.xml
- 7.0.107-SNAPSHOT
+ 7.0.128-SNAPSHOT
4.0.0