Make dcr changes to add tls bound access token as a token binding type

components/org.wso2.carbon.identity.api.server.dcr/src/main/java/org/wso2/carbon/identity/oauth2/dcr/endpoint/util/DCRMUtils.java

@@ -93,7 +93,7 @@ public static ApplicationRegistrationRequest getApplicationRegistrationRequest(
                 (registrationRequestDTO.getRequestObjectEncryptionMethod());
         appRegistrationRequest.setTlsClientAuthSubjectDN(registrationRequestDTO.getTlsClientAuthSubjectDn());
         appRegistrationRequest.setRequirePushedAuthorizationRequests
-                (registrationRequestDTO.isRequireSignedRequestObject());
+                (registrationRequestDTO.isRequirePushAuthorizationRequest());
         appRegistrationRequest.setRequireSignedRequestObject(registrationRequestDTO.isRequireSignedRequestObject());
         appRegistrationRequest.setTlsClientCertificateBoundAccessTokens
                 (registrationRequestDTO.isTlsClientCertificateBoundAccessToken());

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/internal/DCRDataHolder.java

@@ -21,6 +21,7 @@
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.oauth.dcr.handler.RegistrationHandler;
 import org.wso2.carbon.identity.oauth.dcr.handler.UnRegistrationHandler;
+import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -38,6 +39,7 @@ public class DCRDataHolder {
     private ApplicationManagementService applicationManagementService = null;
     private List<RegistrationHandler> registrationHandlerList = new ArrayList<>();
     private List<UnRegistrationHandler> unRegistrationHandlerList = new ArrayList<>();
+    private List<TokenBinder> tokenBinders = new ArrayList<>();
 
     private DCRDataHolder() {
 
@@ -82,4 +84,19 @@ public void setUnRegistrationHandlerList(
 
         this.unRegistrationHandlerList = unRegistrationHandlerList;
     }
+
+    public List<TokenBinder> getTokenBinders() {
+
+        return tokenBinders;
+    }
+
+    public void addTokenBinder(TokenBinder tokenBinder) {
+
+        this.tokenBinders.add(tokenBinder);
+    }
+
+    public void removeTokenBinder(TokenBinder tokenBinder) {
+
+        this.tokenBinders.remove(tokenBinder);
+    }
 }

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/internal/DCRServiceComponent.java

@@ -29,6 +29,7 @@
 import org.wso2.carbon.identity.application.authentication.framework.inbound.HttpIdentityResponseFactory;
 import org.wso2.carbon.identity.application.authentication.framework.inbound.IdentityProcessor;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
+import org.wso2.carbon.identity.oauth.common.token.bindings.TokenBinderInfo;
 import org.wso2.carbon.identity.oauth.dcr.factory.HttpRegistrationResponseFactory;
 import org.wso2.carbon.identity.oauth.dcr.factory.HttpUnregistrationResponseFactory;
 import org.wso2.carbon.identity.oauth.dcr.factory.RegistrationRequestFactory;
@@ -37,6 +38,7 @@
 import org.wso2.carbon.identity.oauth.dcr.handler.UnRegistrationHandler;
 import org.wso2.carbon.identity.oauth.dcr.processor.DCRProcessor;
 import org.wso2.carbon.identity.oauth.dcr.service.DCRMService;
+import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
 
 /**
  * OAuth DCRM service component.
@@ -194,4 +196,28 @@ protected void unsetApplicationManagementService(ApplicationManagementService ap
         DCRDataHolder.getInstance().setApplicationManagementService(null);
     }
 
+    @Reference(name = "token.binding.service",
+            service = TokenBinderInfo.class,
+            cardinality = ReferenceCardinality.MULTIPLE,
+            policy = ReferencePolicy.DYNAMIC,
+            unbind = "unsetTokenBinderInfo")
+    protected void setTokenBinderInfo(TokenBinderInfo tokenBinderInfo) {
+
+        if (log.isDebugEnabled()) {
+            log.debug("Setting the token binder for: " + tokenBinderInfo.getBindingType());
+        }
+        if (tokenBinderInfo instanceof TokenBinder) {
+            DCRDataHolder.getInstance().addTokenBinder((TokenBinder) tokenBinderInfo);
+        }
+    }
+    protected void unsetTokenBinderInfo(TokenBinderInfo tokenBinderInfo) {
+
+        if (log.isDebugEnabled()) {
+            log.debug("Un-setting the token binder for: " + tokenBinderInfo.getBindingType());
+        }
+        if (tokenBinderInfo instanceof TokenBinder) {
+            DCRDataHolder.getInstance().removeTokenBinder((TokenBinder) tokenBinderInfo);
+        }
+    }
+
 }

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java

@@ -55,6 +55,7 @@
 import org.wso2.carbon.identity.oauth.dcr.util.ErrorCodes;
 import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.OAuth2Constants;
 import org.wso2.carbon.identity.oauth2.util.JWTSignatureValidationUtils;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 
@@ -75,7 +76,6 @@ public class DCRMService {
 
     private static final Log log = LogFactory.getLog(DCRMService.class);
     private static OAuthAdminService oAuthAdminService = new OAuthAdminService();
-
     private static final String AUTH_TYPE_OAUTH_2 = "oauth2";
     private static final String OAUTH_VERSION = "OAuth-2.0";
     private static final String GRANT_TYPE_SEPARATOR = " ";
@@ -327,7 +327,15 @@ public Application updateApplication(ApplicationUpdateRequest updateRequest, Str
             }
             appDTO.setRequestObjectSignatureValidationEnabled(updateRequest.isRequireSignedRequestObject());
             appDTO.setRequirePushedAuthorizationRequests(updateRequest.isRequirePushedAuthorizationRequests());
-            appDTO.setTlsClientCertificateBoundAccessTokens(updateRequest.isTlsClientCertificateBoundAccessTokens());
+            if (updateRequest.isTlsClientCertificateBoundAccessTokens()) {
+                boolean isCertificateTokenBinderAvailable = DCRDataHolder.getInstance().getTokenBinders().stream()
+                        .anyMatch(t -> OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER
+                                .equals(t.getBindingType()));
+                if (isCertificateTokenBinderAvailable) {
+                    appDTO.setTokenBindingType(OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER);
+                    appDTO.setTokenBindingValidationEnabled(true);
+                }
+            }
             appDTO.setPkceMandatory(updateRequest.isExtPkceMandatory());
             appDTO.setPkceSupportPlain(updateRequest.isExtPkceSupportPlain());
             appDTO.setBypassClientCredentials(updateRequest.isExtPublicClient());
@@ -513,7 +521,9 @@ private Application buildResponse(OAuthConsumerAppDTO createdApp) {
         application.setRequestObjectEncryptionAlgorithm(createdApp.getRequestObjectEncryptionAlgorithm());
         application.setRequestObjectEncryptionMethod(createdApp.getRequestObjectEncryptionMethod());
         application.setRequirePushedAuthorizationRequests(createdApp.getRequirePushedAuthorizationRequests());
-        application.setTlsClientCertificateBoundAccessTokens(createdApp.getTlsClientCertificateBoundAccessTokens());
+        if (OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER.equals(createdApp.getTokenBindingType())) {
+            application.setTlsClientCertificateBoundAccessTokens(true);
+        }
         return application;
     }
 
@@ -623,8 +633,15 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
         oAuthConsumerApp.setRequestObjectSignatureValidationEnabled(registrationRequest.isRequireSignedRequestObject());
         oAuthConsumerApp.setRequirePushedAuthorizationRequests(
                 registrationRequest.isRequirePushedAuthorizationRequests());
-        oAuthConsumerApp.setTlsClientCertificateBoundAccessTokens(
-                registrationRequest.isTlsClientCertificateBoundAccessTokens());
+        if (registrationRequest.isTlsClientCertificateBoundAccessTokens()) {
+            boolean isCertificateTokenBinderAvailable = DCRDataHolder.getInstance().getTokenBinders().stream()
+                    .anyMatch(t -> OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER
+                            .equals(t.getBindingType()));
+            if (isCertificateTokenBinderAvailable) {
+                oAuthConsumerApp.setTokenBindingType(OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER);
+                oAuthConsumerApp.setTokenBindingValidationEnabled(true);
+            }
+        }
         oAuthConsumerApp.setPkceMandatory(registrationRequest.isExtPkceMandatory());
         oAuthConsumerApp.setPkceSupportPlain(registrationRequest.isExtPkceSupportPlain());
         oAuthConsumerApp.setBypassClientCredentials(registrationRequest.isExtPublicClient());

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java

@@ -450,8 +450,6 @@ public OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumer
                                     OAuthConstants.REQUEST_OBJECT_ENCRYPTION_METHOD));
                         }
                         app.setRequirePushedAuthorizationRequests(application.getRequirePushedAuthorizationRequests());
-                        app.setTlsClientCertificateBoundAccessTokens(
-                                application.getTlsClientCertificateBoundAccessTokens());
                         app.setFapiConformanceEnabled(application.isFapiConformanceEnabled());
                     }
                     dao.addOAuthApplication(app);
@@ -746,8 +744,8 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                 } else {
                     filterTokenEndpointAuthMethods(tokenEndpointAuthMethod);
                 }
-                oauthappdo.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
             }
+            oauthappdo.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
 
             String tokenEndpointAuthSignatureAlgorithm = consumerAppDTO.getTokenEndpointAuthSignatureAlgorithm();
             if (StringUtils.isNotEmpty(tokenEndpointAuthSignatureAlgorithm)) {
@@ -757,8 +755,8 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                     filterSignatureAlgorithms(tokenEndpointAuthSignatureAlgorithm,
                             OAuthConstants.TOKEN_EP_SIGNATURE_ALG_CONFIGURATION);
                 }
-                oauthappdo.setTokenEndpointAuthSignatureAlgorithm(tokenEndpointAuthSignatureAlgorithm);
             }
+            oauthappdo.setTokenEndpointAuthSignatureAlgorithm(tokenEndpointAuthSignatureAlgorithm);
 
             if (StringUtils.isEmpty(consumerAppDTO.getSubjectType())) {
                 // Set default subject type if not set.
@@ -787,6 +785,7 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                     }
                 }
             }
+            oauthappdo.setSectorIdentifierURI(consumerAppDTO.getSectorIdentifierURI());
             oauthappdo.setSubjectType(consumerAppDTO.getSubjectType());
 
             String idTokenSignatureAlgorithm = consumerAppDTO.getIdTokenSignatureAlgorithm();
@@ -797,8 +796,8 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                     filterSignatureAlgorithms(idTokenSignatureAlgorithm,
                             OAuthConstants.ID_TOKEN_SIGNATURE_ALG_CONFIGURATION);
                 }
-                oauthappdo.setIdTokenSignatureAlgorithm(idTokenSignatureAlgorithm);
             }
+            oauthappdo.setIdTokenSignatureAlgorithm(idTokenSignatureAlgorithm);
 
             String requestObjectSignatureAlgorithm = consumerAppDTO.getRequestObjectSignatureAlgorithm();
             if (StringUtils.isNotEmpty(requestObjectSignatureAlgorithm)) {
@@ -808,10 +807,10 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                     filterSignatureAlgorithms(requestObjectSignatureAlgorithm,
                             OAuthConstants.REQUEST_OBJECT_SIGNATURE_ALG_CONFIGURATION);
                 }
-                oauthappdo.setRequestObjectSignatureAlgorithm(requestObjectSignatureAlgorithm);
-                oauthappdo.setRequestObjectSignatureValidationEnabled(consumerAppDTO
-                        .isRequestObjectSignatureValidationEnabled());
             }
+            oauthappdo.setRequestObjectSignatureAlgorithm(requestObjectSignatureAlgorithm);
+            oauthappdo.setRequestObjectSignatureValidationEnabled(consumerAppDTO
+                    .isRequestObjectSignatureValidationEnabled());
 
             oauthappdo.setTlsClientAuthSubjectDN(consumerAppDTO.getTlsClientAuthSubjectDN());
 
@@ -820,17 +819,13 @@ public void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO) throws
                 if (enforceFAPIDCR) {
                     validateFAPIEncryptionAlgorithms(requestObjectEncryptionAlgorithm);
                 }
-                oauthappdo.setRequestObjectEncryptionAlgorithm(filterEncryptionAlgorithms(
-                        requestObjectEncryptionAlgorithm, OAuthConstants.REQUEST_OBJECT_ENCRYPTION_ALGORITHM));
-            }
-            if (StringUtils.isNotEmpty(consumerAppDTO.getRequestObjectEncryptionMethod())) {
-                oauthappdo.setRequestObjectEncryptionMethod(filterEncryptionMethod(
-                        consumerAppDTO.getRequestObjectEncryptionMethod(),
-                        OAuthConstants.REQUEST_OBJECT_ENCRYPTION_METHOD));
             }
+            oauthappdo.setRequestObjectEncryptionAlgorithm(filterEncryptionAlgorithms(
+                    requestObjectEncryptionAlgorithm, OAuthConstants.REQUEST_OBJECT_ENCRYPTION_ALGORITHM));
+            oauthappdo.setRequestObjectEncryptionMethod(filterEncryptionMethod(
+                    consumerAppDTO.getRequestObjectEncryptionMethod(),
+                    OAuthConstants.REQUEST_OBJECT_ENCRYPTION_METHOD));
             oauthappdo.setRequirePushedAuthorizationRequests(consumerAppDTO.getRequirePushedAuthorizationRequests());
-            oauthappdo.setTlsClientCertificateBoundAccessTokens(
-                    consumerAppDTO.getTlsClientCertificateBoundAccessTokens());
         }
         dao.updateConsumerApplication(oauthappdo);
         AppInfoCache.getInstance().addToCache(oauthappdo.getOauthConsumerKey(), oauthappdo);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthUtil.java

@@ -523,7 +523,6 @@ public static OAuthConsumerAppDTO buildConsumerAppDTO(OAuthAppDO appDO) {
         dto.setRequestObjectEncryptionAlgorithm(appDO.getRequestObjectEncryptionAlgorithm());
         dto.setRequestObjectEncryptionMethod(appDO.getRequestObjectEncryptionMethod());
         dto.setRequirePushedAuthorizationRequests(appDO.isRequirePushedAuthorizationRequests());
-        dto.setTlsClientCertificateBoundAccessTokens(appDO.isTlsClientCertificateBoundAccessTokens());
         dto.setFapiConformanceEnabled(appDO.isFapiConformanceEnabled());
         return dto;
     }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/dto/OAuthConsumerAppDTO.java

@@ -59,7 +59,6 @@ public class OAuthConsumerAppDTO {
     private String requestObjectSignatureAlgorithm;
     private String tlsClientAuthSubjectDN;
     private boolean requirePushedAuthorizationRequests;
-    private boolean tlsClientCertificateBoundAccessTokens;
     private String subjectType;
     private String requestObjectEncryptionAlgorithm;
     private String requestObjectEncryptionMethod;
@@ -381,16 +380,6 @@ public void setRequirePushedAuthorizationRequests(boolean requirePushedAuthoriza
         this.requirePushedAuthorizationRequests = requirePushedAuthorizationRequests;
     }
 
-    public boolean getTlsClientCertificateBoundAccessTokens() {
-
-        return tlsClientCertificateBoundAccessTokens;
-    }
-
-    public void setTlsClientCertificateBoundAccessTokens(boolean tlsClientCertificateBoundAccessTokens) {
-
-        this.tlsClientCertificateBoundAccessTokens = tlsClientCertificateBoundAccessTokens;
-    }
-
     public String getSubjectType() {
 
         return subjectType;