OPTIONAL. JSON array containing the authorization details types the AS supports.
+ * @see rfc9396 + */ + public static final String AUTHORIZATION_DETAILS_TYPES_SUPPORTED = "authorization_details_types_supported"; } diff --git a/components/org.wso2.carbon.identity.discovery/src/main/java/org/wso2/carbon/identity/discovery/OIDProviderConfigResponse.java b/components/org.wso2.carbon.identity.discovery/src/main/java/org/wso2/carbon/identity/discovery/OIDProviderConfigResponse.java index d249651a23f..78020c06d42 100644 --- a/components/org.wso2.carbon.identity.discovery/src/main/java/org/wso2/carbon/identity/discovery/OIDProviderConfigResponse.java +++ b/components/org.wso2.carbon.identity.discovery/src/main/java/org/wso2/carbon/identity/discovery/OIDProviderConfigResponse.java @@ -85,6 +85,7 @@ public class OIDProviderConfigResponse { private Boolean tlsClientCertificateBoundAccessTokens; private String mtlsTokenEndpoint; private String mtlsPushedAuthorizationRequestEndpoint; + private String[] authorizationDetailsTypesSupported; private static final String MUTUAL_TLS_ALIASES_ENABLED = "OAuth.MutualTLSAliases.Enabled"; @@ -530,6 +531,16 @@ public void setMtlsPushedAuthorizationRequestEndpoint(String mtlsPushedAuthoriza this.mtlsPushedAuthorizationRequestEndpoint = mtlsPushedAuthorizationRequestEndpoint; } + public String[] getAuthorizationDetailsTypesSupported() { + + return this.authorizationDetailsTypesSupported; + } + + public void setAuthorizationDetailsTypesSupported(String[] authorizationDetailsTypesSupported) { + + this.authorizationDetailsTypesSupported = authorizationDetailsTypesSupported; + } + public MapThis method checks if the request is a rich authorization request. If it is, it + * retrieves and validates the authorization details, updating the parameters and context + * accordingly. If any validation errors occur, it logs the issue and throws an appropriate + * exception.
+ * + * @param oAuthMessage The {@link OAuthMessage} containing the authorization request details. + * @param oAuth2Parameters The {@link OAuth2Parameters} object holding the parameters of the OAuth request. + * @throws AuthorizationDetailsProcessingException If there is an error processing the authorization details. + * @throws OAuthSystemException If there is an error during the validation process. + */ + private void validateAuthorizationDetailsBeforeConsent(final OAuthMessage oAuthMessage, + final OAuth2Parameters oAuth2Parameters) + throws AuthorizationDetailsProcessingException, OAuthSystemException { + + if (!AuthorizationDetailsUtils.isRichAuthorizationRequest(oAuth2Parameters)) { + log.debug("Authorization request is not a rich authorization request. Skipping validation."); + return; + } + + try { + if (LoggerUtils.isDiagnosticLogsEnabled()) { + DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder( + OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, + OAuthConstants.LogConstants.ActionIDs.VALIDATE_AUTHORIZATION_DETAILS_BEFORE_CONSENT); + diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, oAuth2Parameters.getClientId()) + .inputParam(LogConstants.InputKeys.APPLICATION_NAME, oAuth2Parameters.getApplicationName()) + .inputParam("authorization details to be validated", + oAuth2Parameters.getAuthorizationDetails().toSet()) + .resultStatus(DiagnosticLog.ResultStatus.SUCCESS) + .resultMessage("authorization details validation started") + .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION); + LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder); + } + + final OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext = + oAuthMessage.getSessionDataCacheEntry().getAuthzReqMsgCtx(); + + // Validate the authorization details + final AuthorizationDetails validatedAuthorizationDetails = OAuth2ServiceComponentHolder.getInstance() + .getAuthorizationDetailsValidator() + .getValidatedAuthorizationDetails(oAuthAuthzReqMessageContext); + + // Update the authorization message context with validated authorization details + oAuthAuthzReqMessageContext.setRequestedAuthorizationDetails(AuthorizationDetailsUtils + .assignUniqueIDsToAuthorizationDetails(validatedAuthorizationDetails)); + oAuthMessage.getSessionDataCacheEntry().setAuthzReqMsgCtx(oAuthAuthzReqMessageContext); + + // update oAuth2Parameters with validated authorization details + oAuth2Parameters.setAuthorizationDetails(oAuthAuthzReqMessageContext.getRequestedAuthorizationDetails()); + + if (LoggerUtils.isDiagnosticLogsEnabled()) { + DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder( + OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, + OAuthConstants.LogConstants.ActionIDs.VALIDATE_AUTHORIZATION_DETAILS_BEFORE_CONSENT); + diagnosticLogBuilder.inputParam(LogConstants.InputKeys.CLIENT_ID, oAuth2Parameters.getClientId()) + .inputParam(LogConstants.InputKeys.APPLICATION_NAME, oAuth2Parameters.getApplicationName()) + .inputParam("authorization details after validation", + oAuth2Parameters.getAuthorizationDetails().toSet()) + .resultStatus(DiagnosticLog.ResultStatus.SUCCESS) + .resultMessage("authorization details validation completed") + .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION); + LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder); + } + } catch (IdentityOAuth2ServerException e) { + log.error("Error occurred while validating authorization details. Caused by, ", e); + throw new OAuthSystemException("Error occurred while validating requested authorization details", e); + } + } + + private void setAuthorizationDetails(final OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, + final OAuthASResponse.OAuthAuthorizationResponseBuilder builder, + final AuthorizationResponseDTO authorizationResponseDTO) { + + final AuthorizationDetails authorizationDetails = oAuth2AuthorizeRespDTO.getAuthorizationDetails(); + builder.setParam(AuthorizationDetailsConstants.AUTHORIZATION_DETAILS, + AuthorizationDetailsUtils.getUrlEncodedAuthorizationDetails(authorizationDetails)); + authorizationResponseDTO.getSuccessResponseDTO().setAuthorizationDetails(authorizationDetails); + } } diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/factory/AuthorizationDetailsServiceFactory.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/factory/AuthorizationDetailsServiceFactory.java new file mode 100644 index 00000000000..af195571c7e --- /dev/null +++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/factory/AuthorizationDetailsServiceFactory.java @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.oauth.endpoint.factory; + +import org.springframework.beans.factory.config.AbstractFactoryBean; +import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder; +import org.wso2.carbon.identity.oauth2.rar.AuthorizationDetailsService; + +/** + * This class is used to register AuthorizationDetailsService as a factory bean. + */ +public class AuthorizationDetailsServiceFactory extends AbstractFactoryBean+ * This class supports both validation of custom schemas provided as input and validation of default schemas + * based on the DRAFT202012 standard. + *
+ * Typical usage: + *
+ * AuthorizationDetailsSchemaValidator validator = AuthorizationDetailsSchemaValidator.getInstance(); + * boolean isValid = validator.isSchemaCompliant(schemaString, authorizationDetail); + *+ * + *
Refer to + * json-schema for detailed information on the JSON documents structure.
+ * + * @see AuthorizationDetail + * @see JsonSchema + */ +public class AuthorizationDetailsSchemaValidator { + + private static final Log log = LogFactory.getLog(AuthorizationDetailsSchemaValidator.class); + + private static final String ADDITIONAL_PROPERTIES = "additionalProperties"; + private static final String BASE_URI = "https://wso2.com/identity-server/schemas"; + + private static volatile AuthorizationDetailsSchemaValidator instance; + private final JsonSchemaOptions jsonSchemaOptions; + private final SchemaRepository schemaRepository; + + private AuthorizationDetailsSchemaValidator() { + + this.jsonSchemaOptions = new JsonSchemaOptions() + .setBaseUri(BASE_URI) + .setDraft(Draft.DRAFT202012) + .setOutputFormat(OutputFormat.Basic); + + this.schemaRepository = SchemaRepository.create(this.jsonSchemaOptions) + .preloadMetaSchema(Vertx.vertx().fileSystem()); + } + + public static AuthorizationDetailsSchemaValidator getInstance() { + + if (instance == null) { + synchronized (AuthorizationDetailsSchemaValidator.class) { + if (instance == null) { + instance = new AuthorizationDetailsSchemaValidator(); + } + } + } + return instance; + } + + /** + * Validates whether the given schema is compliant with the JSON schema DRAFT202012 standard. + * + * @param schema the JSON schema as a string. + * @return true if the schema is valid, false if the schema is invalid or empty. + * @throws AuthorizationDetailsProcessingException if the validation fails or an error occurs during validation. + */ + public boolean isValidSchema(final String schema) throws AuthorizationDetailsProcessingException { + + if (StringUtils.isEmpty(schema)) { + log.debug("Schema validation failed. Schema cannot be null"); + return false; + } + + final OutputUnit outputUnit = this.buildOutputUnit(null, this.parseJsonObject(schema)); + try { + // Validates the schema itself against the DRAFT202012 schema standard + outputUnit.checkValidity(); + } catch (JsonSchemaValidationException e) { + if (log.isDebugEnabled()) { + log.debug(String.format("Validation failed against DRAFT202012 schema for input: %s. Caused by, ", + schema), e); + } + throw new AuthorizationDetailsProcessingException(String.format(SCHEMA_VALIDATION_FAILED_ERR_MSG_FORMAT, + buildSchemaValidationErrorMessage(outputUnit, e)), e); + } + return true; + } + + private OutputUnit buildOutputUnit(final JsonObject jsonSchema, final JsonObject jsonInput) { + + // Validate the jsonSchema if present, otherwise validate the schema itself against json-schema DRAFT202012 + final Validator validator = (jsonSchema != null) + ? this.schemaRepository.validator(JsonSchema.of(jsonSchema), this.jsonSchemaOptions) + : this.schemaRepository.validator(this.jsonSchemaOptions.getDraft().getIdentifier()); + + return validator.validate(jsonInput); + } + + /** + * Converts a JSON string into a {@link JsonObject}. If the input is invalid, throws an exception. + * + * @param jsonString The input JSON string to be converted. + * @return A {@link JsonObject} created from the input string. + * @throws AuthorizationDetailsProcessingException if the input string is not valid JSON. + */ + private JsonObject parseJsonObject(final String jsonString) throws AuthorizationDetailsProcessingException { + + try { + return new JsonObject(jsonString); + } catch (DecodeException e) { + if (log.isDebugEnabled()) { + log.debug(String.format("Failed to parse the JSON input: '%s'. Caused by, ", jsonString), e); + } + throw new AuthorizationDetailsProcessingException( + String.format("%s. Invalid JSON input received.", VALIDATION_FAILED_ERR_MSG), e); + } + } + + private String buildSchemaValidationErrorMessage(final OutputUnit outputUnit, + final JsonSchemaValidationException ex) { + + // Extract the last validation error if available, otherwise use exception message. + if (outputUnit == null || CollectionUtils.isEmpty(outputUnit.getErrors())) { + return ex.getMessage(); + } + final OutputUnit lastError = outputUnit.getErrors().get(outputUnit.getErrors().size() - 1); + return lastError.getInstanceLocation() + StringUtils.SPACE + lastError.getError(); + } + + /** + * Validates whether the given authorization detail complies with the provided JSON schema. + * + * @param schema the JSON schema as a string. + * @param authorizationDetail the authorization detail to be validated. + * @return true if the authorization detail is schema compliant, false if schema or authorizationDetail is invalid. + * @throws AuthorizationDetailsProcessingException if the validation fails or an error occurs during validation. + */ + public boolean isSchemaCompliant(final String schema, final AuthorizationDetail authorizationDetail) + throws AuthorizationDetailsProcessingException { + + if (StringUtils.isEmpty(schema) || authorizationDetail == null) { + log.debug("Schema validation failed. Inputs cannot be null"); + return false; + } + + return this.isSchemaCompliant(this.parseJsonObject(schema), authorizationDetail); + } + + public boolean isSchemaCompliant(final JsonObject schema, final AuthorizationDetail authorizationDetail) + throws AuthorizationDetailsProcessingException { + + if (schema == null || authorizationDetail == null) { + log.debug("Schema validation failed. Inputs cannot be null"); + return false; + } + + final OutputUnit outputUnit = + this.buildOutputUnit(schema, this.parseJsonObject(authorizationDetail.toJsonString())); + + try { + // Validates the authorization detail against the schema + outputUnit.checkValidity(); + } catch (JsonSchemaValidationException e) { + if (log.isDebugEnabled()) { + log.debug(String.format("Schema validation failed for authorization details type: %s. Caused by, ", + authorizationDetail.getType()), e); + } + throw new AuthorizationDetailsProcessingException(String.format(TYPE_VALIDATION_FAILED_ERR_MSG_FORMAT, + authorizationDetail.getType(), this.buildSchemaValidationErrorMessage(outputUnit, e)), e); + } + return true; + } + + public boolean isSchemaCompliant(final Map {@link AuthorizationDetailsDAO} provides methods to add, update, retrieve, and delete authorization details
+ * associated with user consent and access tokens.
+ */
+public interface AuthorizationDetailsDAO {
+
+ /**
+ * Adds user consented authorization details to the database.
+ *
+ * @param authorizationDetailsConsentDTOs A set of user consented authorization details DTOs.
+ * {@link AuthorizationDetailsConsentDTO }
+ * @return An array of positive integers indicating the number of rows affected for each batch operation,
+ * or negative integers if any of the batch operations fail.
+ * @throws SQLException If a database access error occurs.
+ */
+ int[] addUserConsentedAuthorizationDetails(Set {@link AuthorizationDetailsDAO} provides methods to add, update, retrieve, and delete authorization details
+ * associated with user consent and access tokens.
+ */
+public class AuthorizationDetailsDAOImpl implements AuthorizationDetailsDAO {
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public int[] addUserConsentedAuthorizationDetails(final Set This class encapsulates the details of authorization, including the ID, type ID,
+ * authorization detail object, and tenant ID.
+ */
+public class AuthorizationDetailsDTO {
+
+ final String id;
+ final String typeId;
+ final AuthorizationDetail authorizationDetail;
+ final int tenantId;
+
+ /**
+ * Constructs an AuthorizationDetailsDTO with all fields.
+ *
+ * @param id the ID of the authorization detail DTO.
+ * @param typeId the type ID of the authorization detail.
+ * @param authorizationDetail the authorization detail object.
+ * @param tenantId the tenant ID.
+ */
+ public AuthorizationDetailsDTO(final String id, final String typeId, final AuthorizationDetail authorizationDetail,
+ final int tenantId) {
+
+ this.id = id;
+ this.typeId = typeId;
+ this.authorizationDetail = authorizationDetail;
+ this.tenantId = tenantId;
+ }
+
+ /**
+ * Constructs an AuthorizationDetailsDTO from authorization detail JSON string.
+ *
+ * @param id the ID of the authorization detail DTO.
+ * @param typeId the type ID of the authorization detail.
+ * @param authorizationDetailJson the JSON string of the authorization detail.
+ * @param tenantId the tenant ID.
+ */
+ public AuthorizationDetailsDTO(final String id, final String typeId, final String authorizationDetailJson,
+ final int tenantId) {
+
+ this(id, typeId, fromJSON(authorizationDetailJson, AuthorizationDetail.class), tenantId);
+ }
+
+ /**
+ * Constructs an AuthorizationDetailsDTO with an authorization detail object and tenant ID.
+ *
+ * @param authorizationDetail the authorization detail object.
+ * @param tenantId the tenant ID.
+ */
+ public AuthorizationDetailsDTO(final AuthorizationDetail authorizationDetail, final int tenantId) {
+
+ this(null, null, authorizationDetail, tenantId);
+ }
+
+ /**
+ * Gets the ID of the authorization detail.
+ *
+ * @return the ID of the authorization detail.
+ */
+ public String getId() {
+ return this.id;
+ }
+
+ /**
+ * Gets the type ID of the authorization detail.
+ *
+ * @return the type ID of the authorization detail.
+ */
+ public String getTypeId() {
+ return this.typeId;
+ }
+
+ /**
+ * Gets the authorization detail object.
+ *
+ * @return the authorization detail object.
+ */
+ public AuthorizationDetail getAuthorizationDetail() {
+ return this.authorizationDetail;
+ }
+
+ /**
+ * Gets the tenant ID.
+ *
+ * @return the tenant ID.
+ */
+ public int getTenantId() {
+ return this.tenantId;
+ }
+}
diff --git a/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/dto/AuthorizationDetailsTokenDTO.java b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/dto/AuthorizationDetailsTokenDTO.java
new file mode 100644
index 00000000000..217310e208c
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/dto/AuthorizationDetailsTokenDTO.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.rar.dto;
+
+import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetail;
+
+/**
+ * Data Transfer Object (DTO) for representing authorization details along with access token information.
+ * This class extends {@link AuthorizationDetailsDTO} to include additional fields for access token ID.
+ */
+public class AuthorizationDetailsTokenDTO extends AuthorizationDetailsDTO {
+
+ final String accessTokenId;
+
+ /**
+ * Constructs an {@link AuthorizationDetailsTokenDTO} with all required fields.
+ *
+ * @param id the ID of the authorization detail DTO.
+ * @param accessTokenId the access token ID associated with the authorization detail.
+ * @param typeId the type ID of the authorization detail.
+ * @param authorizationDetail the {@link AuthorizationDetail} object.
+ * @param tenantId the tenant ID.
+ */
+ public AuthorizationDetailsTokenDTO(final String id, final String accessTokenId, final String typeId,
+ final String authorizationDetail, final int tenantId) {
+
+ super(id, typeId, authorizationDetail, tenantId);
+ this.accessTokenId = accessTokenId;
+ }
+
+ /**
+ * Constructs an {@link AuthorizationDetailsTokenDTO} with essential fields.
+ *
+ * @param accessTokenId the access token ID associated with the authorization detail.
+ * @param authorizationDetail the {@link AuthorizationDetail} object.
+ * @param tenantId the tenant ID.
+ */
+ public AuthorizationDetailsTokenDTO(final String accessTokenId, final AuthorizationDetail authorizationDetail,
+ final int tenantId) {
+
+ super(authorizationDetail, tenantId);
+ this.accessTokenId = accessTokenId;
+ }
+
+ /**
+ * Gets the access token ID associated with the authorization detail.
+ *
+ * @return the access token ID.
+ */
+ public String getAccessTokenId() {
+ return this.accessTokenId;
+ }
+}
diff --git a/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/exception/AuthorizationDetailsProcessingException.java b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/exception/AuthorizationDetailsProcessingException.java
new file mode 100644
index 00000000000..711280d1d0c
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/exception/AuthorizationDetailsProcessingException.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.rar.exception;
+
+import org.wso2.carbon.identity.base.IdentityException;
+
+/**
+ * Exception class to represent failures related to Rich Authorization Requests in OAuth 2.0 clients.
+ *
+ * This exception is thrown when there are errors in processing authorization details during the OAuth 2.0
+ * authorization flow. It extends the {@link IdentityException} class, providing more specific
+ * context for authorization-related issues. This class encapsulates the various attributes and their corresponding values that can be included within an
+ * authorization details object. The mandatory {@code type} field identifies the resource type or access requirement
+ * being described.
+ * Here is an example of {@code authorization_details} with
+ * Common Data Fields.
+ * Refer to
+ * OAuth 2.0 Rich Authorization Requests for detailed information on the Authorization Details structure. {@code type} is a unique identifier for the authorization details type as a string. The value of the type
+ * field determines the allowable contents of the object that contains it. {@code locations} is an array of strings representing the location of the resource or RS. These strings are
+ * typically URIs identifying the location of the RS. This field can allow a client to specify a particular RS. {@code actions} is an array of strings representing the kinds of actions to be taken at the resource.
+ *
+ * @return A list of actions or {@code null} if the {@code actions} field is not present.
+ */
+ public List {@code datatypes} is an array of strings representing what kinds of data being requested from the resource.
+ *
+ * @return A list of datatypes or {@code null} if the {@code datatypes} field is not present.
+ */
+ public List {@code identifier} is a string identifier indicating a specific resource available at the API.
+ *
+ * @return The String value of the identifier or {@code null} if the {@code identifier} field is not present.
+ */
+ public String getIdentifier() {
+
+ return this.identifier;
+ }
+
+ public void setIdentifier(final String identifier) {
+
+ this.identifier = identifier;
+ }
+
+ /**
+ * Gets the optional list of privileges associated with the authorization details object.
+ *
+ * {@code privileges} is an array of strings representing the types or levels of privilege being requested
+ * at the resource.
+ *
+ * @return The String value of the privileges or {@code null} if the {@code privileges} field is not present.
+ */
+ public List Refer to
+ * OAuth 2.0 Rich Authorization Requests for detailed information on the Authorization Details structure. Each AuthorizationDetail object is transformed into a Map representation using
+ * the {@link AuthorizationDetail#toMap} method.
+ *
+ * @return a Set of Maps representing the AuthorizationDetail objects.
+ */
+ public Set
+ * This class provides a way to create validation results that can be either valid or invalid, with
+ * optional metadata for further context.
+ *
+ * This method should be used to indicate that the validation passed without any issues.
+ *
+ * This method should be used to indicate that the validation failed and provide a reason for the failure.
+ *
+ * This method should be used to indicate that the validation failed, provide a reason, and include
+ * additional context or metadata.
+ *
+ * If the input set is {@code null} or an exception occurs during the conversion,
+ * an empty JSON array ({@code []}) is returned.
+ *
+ * If the input object is {@code null} or an exception occurs during the conversion,
+ * an empty JSON object ({@code {}}) is returned.
+ *
+ * If the input object is {@code null} or an exception occurs during the conversion,
+ * an empty {@link HashMap} is returned.
+ * This singleton ObjectMapper is configured to exclude properties with null values from the JSON output.
+ *
+ * @return a configured {@link ObjectMapper} instance.
+ */
+ public static ObjectMapper getDefaultObjectMapper() {
+ if (objectMapper == null) {
+ synchronized (AuthorizationDetailsCommonUtils.class) {
+ if (objectMapper == null) {
+ objectMapper = new ObjectMapper();
+ objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
+ }
+ }
+ }
+ return objectMapper;
+ }
+}
diff --git a/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/util/AuthorizationDetailsConstants.java b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/util/AuthorizationDetailsConstants.java
new file mode 100644
index 00000000000..fb3749ae5a2
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth.rar/src/main/java/org/wso2/carbon/identity/oauth2/rar/util/AuthorizationDetailsConstants.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.rar.util;
+
+/**
+ * Stores constants related to OAuth2 Rich Authorization Requests.
+ */
+public final class AuthorizationDetailsConstants {
+
+ public static final String AUTHORIZATION_DETAILS = "authorization_details";
+ public static final String AUTHORIZATION_DETAILS_ID_PREFIX = "authorization_detail_id_";
+ public static final String PARAM_SEPARATOR = "&&";
+ public static final String TYPE_NOT_SUPPORTED_ERR_FORMAT = "%s is an unknown authorization details type value";
+ public static final String TYPE_VALIDATION_FAILED_ERR_MSG_FORMAT =
+ "The payload of the authorization details type '%s' contains errors: %s";
+ public static final String SCHEMA_VALIDATION_FAILED_ERR_MSG_FORMAT =
+ "The schema of the authorization details type contains errors: %s";
+ public static final String VALIDATION_FAILED_ERR_MSG = "Authorization details validation failed";
+ public static final String VALIDATION_FAILED_ERR_CODE = "invalid_authorization_details";
+ public static final String EMPTY_JSON_OBJECT = "{}";
+ public static final String EMPTY_JSON_ARRAY = "[]";
+
+ private AuthorizationDetailsConstants() {
+ // Private constructor to prevent instantiation
+ }
+}
diff --git a/components/org.wso2.carbon.identity.oauth.rar/src/test/java/org/wso2/carbon/identity/oauth2/rar/AuthorizationDetailsSchemaValidatorTest.java b/components/org.wso2.carbon.identity.oauth.rar/src/test/java/org/wso2/carbon/identity/oauth2/rar/AuthorizationDetailsSchemaValidatorTest.java
new file mode 100644
index 00000000000..740954a4aca
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth.rar/src/test/java/org/wso2/carbon/identity/oauth2/rar/AuthorizationDetailsSchemaValidatorTest.java
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.rar;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import io.vertx.core.json.JsonObject;
+import org.apache.commons.lang3.StringUtils;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+import org.wso2.carbon.identity.oauth2.rar.exception.AuthorizationDetailsProcessingException;
+import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetail;
+import org.wso2.carbon.identity.oauth2.rar.util.TestDAOUtils;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.wso2.carbon.identity.oauth2.rar.util.TestConstants.TEST_SCHEMA;
+import static org.wso2.carbon.identity.oauth2.rar.util.TestConstants.TEST_TYPE;
+
+/**
+ * Test class for {@link AuthorizationDetailsSchemaValidator}.
+ */
+public class AuthorizationDetailsSchemaValidatorTest {
+
+ private AuthorizationDetailsSchemaValidator uut;
+
+ @BeforeClass
+ public void setUp() throws JsonProcessingException {
+
+ this.uut = AuthorizationDetailsSchemaValidator.getInstance();
+ }
+
+ @Test
+ public void shouldReturnTrue_whenAuthorizationDetailIsSchemaCompliant()
+ throws AuthorizationDetailsProcessingException {
+
+ AuthorizationDetail testAuthorizationDetail = new TestDAOUtils.TestAuthorizationDetail();
+ testAuthorizationDetail.setType(TEST_TYPE);
+
+ assertTrue(this.uut.isSchemaCompliant(TEST_SCHEMA, testAuthorizationDetail));
+ assertTrue(this.uut.isSchemaCompliant(this.getTestSchema(), testAuthorizationDetail));
+ }
+
+ @Test
+ public void shouldReturnFalse_whenSchemaIsEmpty() throws AuthorizationDetailsProcessingException {
+
+ assertFalse(this.uut.isSchemaCompliant(StringUtils.EMPTY, new TestDAOUtils.TestAuthorizationDetail()));
+ assertFalse(this.uut.isSchemaCompliant(TEST_SCHEMA, null));
+ assertFalse(this.uut.isSchemaCompliant((JsonObject) null, new TestDAOUtils.TestAuthorizationDetail()));
+ assertFalse(this.uut.isSchemaCompliant(new JsonObject(), null));
+ assertFalse(this.uut.isSchemaCompliant((Map {@code
+ * [
+ * {
+ * "type": "customer_information",
+ * "locations": [
+ * "https://example.com/customers"
+ * ],
+ * "actions": [
+ * "read",
+ * "write"
+ * ],
+ * "datatypes": [
+ * "contacts",
+ * "photos"
+ * ],
+ * "identifier":"account-14-32-32-3",
+ * "privileges": [
+ * "admin"
+ * ]
+ * }
+ * ]
+ * }
+ *
+ * {@code
+ * // Example 1: Using a simple default function that returns the "type", if description is missing
+ * AuthorizationDetail detail = new AuthorizationDetail();
+ * detail.setType("user_information");
+ * detail.setConsentDescription(""); // Empty description
+ * String result = detail.getConsentDescriptionOrDefault(authDetail -> authDetail.getType());
+ * // result will be "user_information"
+ *
+ * // Example 2: Consent description is already set and not empty
+ * AuthorizationDetail detail = new AuthorizationDetail();
+ * detail.setType("user_information");
+ * detail.setConsentDescription("User consented to data usage");
+ * String result = detail.getConsentDescriptionOrDefault(authDetail -> "Default Description");
+ * // result will be "User consented to data usage"
+ * }
+ *
+ * @param defaultFunction the Function that provides a default value if the consent description is not present
+ * @return the consent description if present, otherwise the value from the Function
+ */
+ public String getDescriptionOrDefault(Function
+ * This method returns an {@link AuthorizationDetailsDAO} singleton instance that provides access to the + * {@link org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetails} data. This DAO is used to interact + * with the underlying data store to fetch and manipulate authorization information. + *
+ * @return the {@link AuthorizationDetailsDAO} instance that provides access to authorization details data. + */ + public AuthorizationDetailsDAO getAuthorizationDetailsDAO() { + return this.authorizationDetailsDAO; + } } diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AccessTokenReqDTO.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AccessTokenReqDTO.java index 193a61fd304..d6f98c73b37 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AccessTokenReqDTO.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AccessTokenReqDTO.java @@ -22,6 +22,7 @@ import org.wso2.carbon.identity.oauth2.model.AccessTokenExtendedAttributes; import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader; import org.wso2.carbon.identity.oauth2.model.RequestParameter; +import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetails; import java.util.ArrayList; import java.util.Collections; @@ -62,6 +63,8 @@ public class OAuth2AccessTokenReqDTO { private AccessTokenExtendedAttributes accessTokenExtendedAttributes; + private AuthorizationDetails authorizationDetails; + public String getClientId() { return clientId; } @@ -252,4 +255,26 @@ public HttpServletResponseWrapper getHttpServletResponseWrapper() { public void setHttpServletResponseWrapper(HttpServletResponseWrapper httpServletResponseWrapper) { this.httpServletResponseWrapper = httpServletResponseWrapper; } + + /** + * Retrieves the authorization details requested in the token request. + * + * @return the {@link AuthorizationDetails} instance representing the rich authorization requests. + * If no authorization details are requested by the client, the method will return {@code null}. + */ + public AuthorizationDetails getAuthorizationDetails() { + + return this.authorizationDetails; + } + + /** + * Sets the authorization details. + * This method updates the authorization details with the provided {@link AuthorizationDetails} instance. + * + * @param authorizationDetails the {@link AuthorizationDetails} to set. + */ + public void setAuthorizationDetails(final AuthorizationDetails authorizationDetails) { + + this.authorizationDetails = authorizationDetails; + } } diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AuthorizeReqDTO.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AuthorizeReqDTO.java index 94cc22c362c..f1ed3504fd6 100644 --- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AuthorizeReqDTO.java +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dto/OAuth2AuthorizeReqDTO.java @@ -21,6 +21,7 @@ import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; import org.wso2.carbon.identity.application.common.model.ClaimMapping; import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader; +import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetails; import org.wso2.carbon.identity.openidconnect.model.RequestObject; import java.util.LinkedHashSet; @@ -64,6 +65,7 @@ public class OAuth2AuthorizeReqDTO { private String state; private String requestedSubjectId; private Map+ * This class integrates with the {@link AuthorizationDetailsDAO} to persist these details in the underlying data store. + * It also provides utility methods to check if a request contains rich authorization details. + *
+ * + * @see AuthorizationDetailsDAO + * @see AuthorizationDetails + */ +public class AuthorizationDetailsService { + + private static final Log log = LogFactory.getLog(AuthorizationDetailsService.class); + private final AuthorizationDetailsDAO authorizationDetailsDAO; + private final AuthorizationDetailsProcessorFactory authorizationDetailsProcessorFactory; + private final boolean isRichAuthorizationRequestsDisabled; + + /** + * Default constructor that initializes the service with the default {@link AuthorizationDetailsDAO} and + * {@link AuthorizationDetailsProcessorFactory}. + *+ * This constructor uses the default DAO provided by the {@link OAuthTokenPersistenceFactory} + * to handle the persistence of authorization details. + *
+ */ + public AuthorizationDetailsService() { + + this( + AuthorizationDetailsProcessorFactory.getInstance(), + OAuthTokenPersistenceFactory.getInstance().getAuthorizationDetailsDAO(), + AuthorizationDetailsTypesUtil.isRichAuthorizationRequestsEnabled() + ); + } + + /** + * Constructor that initializes the service with a given {@link AuthorizationDetailsDAO}. + * + * @param authorizationDetailsProcessorFactory Factory instance for providing authorization details. + * @param authorizationDetailsDAO The {@link AuthorizationDetailsDAO} instance to be used for + * handling authorization details persistence. Must not be {@code null}. + */ + public AuthorizationDetailsService(final AuthorizationDetailsProcessorFactory authorizationDetailsProcessorFactory, + final AuthorizationDetailsDAO authorizationDetailsDAO, + final boolean isRichAuthorizationRequestsEnabled) { + + this.authorizationDetailsDAO = + Objects.requireNonNull(authorizationDetailsDAO, "AuthorizationDetailsDAO must not be null"); + this.authorizationDetailsProcessorFactory = Objects.requireNonNull(authorizationDetailsProcessorFactory, + "AuthorizationDetailsProviderFactory must not be null"); + this.isRichAuthorizationRequestsDisabled = !isRichAuthorizationRequestsEnabled; + } + + /** + * Persists or updates user-consented authorization details. If previously stored authorization details are found, + * they are updated with the new information. + * + * @param authenticatedUser The authenticated user. + * @param clientId The client ID. + * @param oAuth2Parameters Requested OAuth2 parameters. + * @param userConsentedAuthorizationDetails User consented authorization details. + * @throws OAuthSystemException if an error occurs while storing user consented authorization details. + */ + public void storeOrUpdateUserConsentedAuthorizationDetails( + final AuthenticatedUser authenticatedUser, final String clientId, final OAuth2Parameters oAuth2Parameters, + final AuthorizationDetails userConsentedAuthorizationDetails) + throws OAuthSystemException { + + if (this.isRichAuthorizationRequestsDisabled || !isRichAuthorizationRequest(oAuth2Parameters)) { + log.debug("Request is not a rich authorization request. Skipping storage of authorization details."); + return; + } + + try { + final int tenantId = OAuth2Util.getTenantId(oAuth2Parameters.getTenantDomain()); + final OptionalThis method validates if the requested authorization detail is part of the consented authorization details. + * It uses the appropriate provider to compare the requested detail with the existing consented details.
+ * + * @param requestedAuthorizationDetail the authorization detail to be checked + * @param consentedAuthorizationDetailsByType a map of consented authorization details grouped by type + * @return {@code true} if the user has consented to the requested authorization detail, {@code false} otherwise + */ + private boolean isUserConsentedAuthorizationDetail( + final AuthorizationDetail requestedAuthorizationDetail, + final Map+ * Implementing classes are expected to provide mechanisms to validate, enrich, and identify + * authorization details specific to various types. + *
+ */ +public interface AuthorizationDetailsProcessor { + + /** + * Validates the provided authorization details context when a new Rich Authorization Request is received. + *+ * This method is invoked once a new Rich Authorization Request is received to ensure that the + * authorization details are valid and meet the required criteria. The validation logic should + * be specific to the type of authorization details handled by the implementing class. + *
+ * + * @param authorizationDetailsContext the context containing the authorization details to be validated. + * @return a {@code ValidationResult} indicating the outcome of the validation process. Returns a valid result + * if the authorization details are correct and meet the criteria, otherwise returns an invalid result with an + * appropriate error message. + * @throws AuthorizationDetailsProcessingException if the validation fails due to a request error and the + * authorization flow needs to be interrupted. + * @throws IdentityOAuth2ServerException if the validation fails due to a server error and the + * authorization flow needs to be interrupted. + * @see AuthorizationDetailsContext + * @see ValidationResult + */ + ValidationResult validate(AuthorizationDetailsContext authorizationDetailsContext) + throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException; + + /** + * Retrieves the type of authorization details handled by this provider. + *+ * Each implementation should return a unique type identifier that represents the kind of + * authorization details it processes. This identifier is used to differentiate between + * various providers in a service-oriented architecture. + *
+ * + * @return a {@code String} representing the type of authorization details managed by this provider + * @see AuthorizationDetail#getType() + */ + String getType(); + + /** + * Checks if the requested authorization detail is equal to or a subset of the existing authorization details. + * + *This method verifies if the provided {@code requestedAuthorizationDetail} is either exactly the same as or + * a subset of the {@code existingAuthorizationDetails} that have been previously accepted by the resource owner. + * + * @param requestedAuthorizationDetail The {@link AuthorizationDetail} being requested by the client. + * @param existingAuthorizationDetails The set of {@link AuthorizationDetail} that have been previously accepted + * by the resource owner. + * @return {@code true} if the requested authorization detail is equal to or a subset of the existing + * authorization details, {@code false} otherwise. + */ + boolean isEqualOrSubset(AuthorizationDetail requestedAuthorizationDetail, + AuthorizationDetails existingAuthorizationDetails); + + /** + *
+ * This method is invoked prior to presenting the consent UI to the user. Its purpose is to + * enhance or augment the authorization details, providing additional context or information + * that may be necessary for informed consent. This may include adding more descriptive + * information, default values, or other relevant details that are crucial for the user to + * understand the authorization request fully. + *
+ *+ * It is also a responsibility of this method to generate a human-readable consent + * description from the provided authorization details, which will be displayed to the user for approval. + * The consent description should provide a clear, human-readable summary of the {@code authorization_details} + * object. + *
+ *+ * This enrichment process aligns with the concepts outlined in + * RFC 9396, + * which describes the requirements for enriched authorization details to ensure clarity and transparency + * in consent management. + *
+ * + * @param authorizationDetailsContext the context containing the authorization details to be enriched. + * @return an enriched {@code AuthorizationDetail} object with additional information or context. + * This enriched object is intended to provide users with a clearer understanding of the + * authorization request when they are presented with the consent form. + * @see AuthorizationDetailsContext + * @see AuthorizationDetail + * @see AuthorizationDetail#setConsentDescription + * @see + * Enriched Authorization Details + */ + AuthorizationDetail enrich(AuthorizationDetailsContext authorizationDetailsContext); +} diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/core/AuthorizationDetailsProcessorFactory.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/core/AuthorizationDetailsProcessorFactory.java new file mode 100644 index 00000000000..163b853012d --- /dev/null +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/core/AuthorizationDetailsProcessorFactory.java @@ -0,0 +1,164 @@ +/* + * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.oauth2.rar.core; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.context.CarbonContext; +import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException; +import org.wso2.carbon.identity.application.common.model.AuthorizationDetailsType; +import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder; + +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.ServiceLoader; +import java.util.Set; +import java.util.stream.Collectors; + +/** + * A factory class to manage and provide instances of {@link AuthorizationDetailsProcessor} Service Provider Interface. + * This class follows the Singleton pattern to ensure only one instance is created. + * It uses {@link ServiceLoader} to dynamically load and manage {@link AuthorizationDetailsProcessor} implementations. + *Example usage: + *
{@code
+ * // Get a specific provider by type
+ * AuthorizationDetailsProcessorFactory.getInstance()
+ * .getAuthorizationDetailsProcessorByType("customer_information")
+ * .ifPresentOrElse(
+ * p -> log.debug("Provider for type " + type + ": " + p.getClass().getName()),
+ * () -> log.debug("No provider found for type " + type)
+ * );
+ * }
+ *
+ * @see AuthorizationDetailsProcessor AuthorizationDetailsService
+ * @see
+ * Request Parameter "authorization_details"
+ */
+public class AuthorizationDetailsProcessorFactory {
+
+ private static final Log log = LogFactory.getLog(AuthorizationDetailsProcessorFactory.class);
+ private static volatile AuthorizationDetailsProcessorFactory instance;
+ private final MapThis constructor is intentionally private to prevent direct instantiation of the + * {@code AuthorizationDetailsProviderFactory} class. + * Instead, use the {@link #getInstance()} method to obtain the singleton instance.
+ */ + private AuthorizationDetailsProcessorFactory() { + + this.authorizationDetailsProcessors = new HashMap<>(); + } + + /** + * Provides the singleton instance of {@code AuthorizationDetailsProviderFactory}. + * + * @return Singleton instance of {@code AuthorizationDetailsProviderFactory}. + */ + public static AuthorizationDetailsProcessorFactory getInstance() { + + if (instance == null) { + synchronized (AuthorizationDetailsProcessorFactory.class) { + if (instance == null) { + instance = new AuthorizationDetailsProcessorFactory(); + } + } + } + return instance; + } + + /** + * Returns the {@link AuthorizationDetailsProcessor} provider for the given type. + * + * @param type A supported authorization details type. + * @return {@link Optional} containing the {@link AuthorizationDetailsProcessor} if present, otherwise empty. + * @see AuthorizationDetailsProcessor#getType() getAuthorizationDetailsType + */ + public Optional A type is considered "supported" if it has been registered by invoking the
+ * POST: /api/server/v1/api-resources endpoint.
The type of the authorization details processor is obtained using + * {@link AuthorizationDetailsProcessor#getType()}
+ * + * @param authorizationDetailsProcessor Processor instance to be cached, keyed by its authorization details type. + */ + public void setAuthorizationDetailsProcessors(final AuthorizationDetailsProcessor authorizationDetailsProcessor) { + + if (authorizationDetailsProcessor != null && StringUtils.isNotBlank(authorizationDetailsProcessor.getType())) { + final String type = authorizationDetailsProcessor.getType(); + if (log.isDebugEnabled()) { + log.debug(String.format("Registering AuthorizationDetailsProcessor %s against type %s", + authorizationDetailsProcessor.getClass().getSimpleName(), type)); + } + this.authorizationDetailsProcessors.put(type, authorizationDetailsProcessor); + } + } +} diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/model/AuthorizationDetailsContext.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/model/AuthorizationDetailsContext.java new file mode 100644 index 00000000000..b783eaabe9f --- /dev/null +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/model/AuthorizationDetailsContext.java @@ -0,0 +1,172 @@ +/* + * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.oauth2.rar.model; + +import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; +import org.wso2.carbon.identity.application.common.model.AuthorizationDetailsType; +import org.wso2.carbon.identity.oauth.dao.OAuthAppDO; +import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext; +import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext; + +import java.util.Objects; + +import javax.servlet.http.HttpServletRequestWrapper; + +import static org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager.OAUTH_APP_PROPERTY; + +/** + * Represents the context for rich authorization requests in an OAuth2 flow. + *+ * This class holds relevant details such as OAuth2 parameters, application details, the authenticated user, + * and specific authorization details. It is immutable to ensure that the context remains consistent throughout its use. + *
+ */ +public class AuthorizationDetailsContext { + + private final AuthenticatedUser authenticatedUser; + private final AuthorizationDetail authorizationDetail; + private final AuthorizationDetailsType authorizationDetailsType; + private final HttpServletRequestWrapper httpServletRequestWrapper; + private final OAuthAppDO oAuthAppDO; + private final String[] scopes; + + /** + * Constructs a new {@code AuthorizationDetailsContext}. + * + * @param authorizationDetail the specific {@link AuthorizationDetail} to be validated. + * @param oAuthAuthzReqMessageContext the {@link OAuthAuthzReqMessageContext} instance which represent + * the authorization request context. + * @throws NullPointerException if any of the arguments are {@code null}. + */ + public AuthorizationDetailsContext(final AuthorizationDetail authorizationDetail, + final AuthorizationDetailsType authorizationDetailsType, + final OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) { + + this(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser(), + authorizationDetail, + authorizationDetailsType, + oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getHttpServletRequestWrapper(), + (OAuthAppDO) oAuthAuthzReqMessageContext.getProperty(OAUTH_APP_PROPERTY), + oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes()); + } + + /** + * Constructs a new {@code AuthorizationDetailsContext}. + *+ * This constructor ensures that all necessary details for an authorization context are provided. + *
+ * + * @param authenticatedUser the {@link AuthenticatedUser}. + * @param authorizationDetail the specific {@link AuthorizationDetail} to be validated. + * @param httpServletRequestWrapper the {@link HttpServletRequestWrapper} instance containing request details. + * @param oAuthAppDO the {@link OAuthAppDO} containing application details. + * @param scopes the array of scopes requested. + * @throws NullPointerException if any of the arguments are {@code null}. + */ + public AuthorizationDetailsContext(final AuthenticatedUser authenticatedUser, + final AuthorizationDetail authorizationDetail, + final AuthorizationDetailsType authorizationDetailsType, + final HttpServletRequestWrapper httpServletRequestWrapper, + final OAuthAppDO oAuthAppDO, + final String[] scopes) { + + this.authenticatedUser = Objects.requireNonNull(authenticatedUser, "authenticatedUser cannot be null"); + this.authorizationDetail = Objects.requireNonNull(authorizationDetail, "authorizationDetail cannot be null"); + this.authorizationDetailsType = + Objects.requireNonNull(authorizationDetailsType, "authorizationDetailsType cannot be null"); + this.httpServletRequestWrapper = + Objects.requireNonNull(httpServletRequestWrapper, "httpServletRequestWrapper cannot be null"); + this.oAuthAppDO = Objects.requireNonNull(oAuthAppDO, "oAuthAppDO cannot be null"); + this.scopes = Objects.requireNonNull(scopes, "scopes cannot be null"); + } + + /** + * Constructs a new {@code AuthorizationDetailsContext}. + * + * @param authorizationDetail the specific {@link AuthorizationDetail} to be validated. + * @param oAuthTokenReqMessageContext the {@link OAuthTokenReqMessageContext} instance which represent + * the token request context. + * @throws NullPointerException if any of the arguments are {@code null}. + */ + public AuthorizationDetailsContext(final AuthorizationDetail authorizationDetail, + final AuthorizationDetailsType authorizationDetailsType, + final OAuthTokenReqMessageContext oAuthTokenReqMessageContext) { + + this(oAuthTokenReqMessageContext.getAuthorizedUser(), + authorizationDetail, + authorizationDetailsType, + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getHttpServletRequestWrapper(), + (OAuthAppDO) oAuthTokenReqMessageContext.getProperty(OAUTH_APP_PROPERTY), + oAuthTokenReqMessageContext.getScope()); + } + + /** + * Returns the {@code AuthorizationDetail} instance. + * + * @return the {@link AuthorizationDetail} instance. + */ + public AuthorizationDetail getAuthorizationDetail() { + return this.authorizationDetail; + } + + /** + * Returns the {@code AuthorizationDetailsType} instance. + * + * @return the {@link AuthorizationDetailsType} instance. + */ + public AuthorizationDetailsType getAuthorizationDetailsType() { + return this.authorizationDetailsType; + } + + /** + * Returns the OAuth application details. + * + * @return the {@link OAuthAppDO} instance. + */ + public OAuthAppDO getOAuthAppDO() { + return this.oAuthAppDO; + } + + /** + * Returns the authenticated user. + * + * @return the {@link AuthenticatedUser} instance. + */ + public AuthenticatedUser getAuthenticatedUser() { + return this.authenticatedUser; + } + + /** + * Returns the HTTP servlet request user. + * + * @return the {@link HttpServletRequestWrapper} instance containing HTTP request details. + */ + public HttpServletRequestWrapper getHttpServletRequestWrapper() { + return this.httpServletRequestWrapper; + } + + /** + * Returns the valid scopes requested by the client. + * + * @return the {@link String} array of scopes. + */ + public String[] getScopes() { + return this.scopes; + } +} diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/token/AccessTokenResponseRARHandler.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/token/AccessTokenResponseRARHandler.java new file mode 100644 index 00000000000..bf53b79138e --- /dev/null +++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/token/AccessTokenResponseRARHandler.java @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.identity.oauth2.rar.token; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; +import org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsConstants; +import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext; +import org.wso2.carbon.identity.oauth2.token.handlers.response.AccessTokenResponseHandler; + +import java.util.HashMap; +import java.util.Map; + +import static org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsUtils.isRichAuthorizationRequest; + +/** + * Class responsible for modifying the access token response to include user-consented authorization details. + * + *This class enhances the access token response by appending user-consented authorization details. + * It is invoked by the {@link org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer#issue} method during + * the OAuth 2.0 token issuance process.
+ */ +public class AccessTokenResponseRARHandler implements AccessTokenResponseHandler { + + private static final Log log = LogFactory.getLog(AccessTokenResponseRARHandler.class); + + /** + * Returns Rich Authorization Request attributes to be added to the access token response. + * + * @param oAuthTokenReqMessageContext {@link OAuthTokenReqMessageContext} token request message context. + * @return Map of additional attributes to be added to the token response. + * @throws IdentityOAuth2Exception Error while constructing additional token response attributes. + */ + @Override + public MapThis class enhances the introspection response by appending user-consented authorization details. + * It is invoked by the /introspect endpoint of the oauth.endpoint webapp during the token introspection process.
+ */ +public class IntrospectionRARDataProvider implements IntrospectionDataProvider { + + private static final Log log = LogFactory.getLog(IntrospectionRARDataProvider.class); + private final AuthorizationDetailsValidator authorizationDetailsValidator; + + public IntrospectionRARDataProvider() { + + this(OAuth2ServiceComponentHolder.getInstance().getAuthorizationDetailsValidator()); + } + + public IntrospectionRARDataProvider(final AuthorizationDetailsValidator authorizationDetailsValidator) { + + this.authorizationDetailsValidator = authorizationDetailsValidator; + } + + /** + * Provides additional Rich Authorization Requests data for OAuth token introspection. + * + * @param tokenValidationRequestDTO Token validation request DTO. + * @param introspectionResponseDTO Token introspection response DTO. + * @return Map of additional data to be added to the introspection response. + * @throws IdentityOAuth2Exception If an error occurs while setting additional introspection data. + */ + @Override + public Map+ * This method checks if the specified {@link AuthorizationDetails} instance is not {@code null} + * and has a non-empty details set. + * + * @param authorizationDetails The {@link AuthorizationDetails} to check. + * @return {@code true} if the {@link AuthorizationDetails} is not {@code null} and has a non-empty details set, + * {@code false} otherwise. + */ + public static boolean isRichAuthorizationRequest(final AuthorizationDetails authorizationDetails) { + + return !isEmpty(authorizationDetails); + } + + /** + * Determines if the provided {@link AuthorizationDetails} object is empty or not. + *
+ * This method checks if the specified {@link AuthorizationDetails} instance is not {@code null}
+ * and has a non-empty details set.
+ *
+ * @param authorizationDetails The {@link AuthorizationDetails} to check.
+ * @return {@code true} if the {@link AuthorizationDetails} is not {@code null} and has a non-empty details set,
+ * {@code false} otherwise.
+ */
+ public static boolean isEmpty(final AuthorizationDetails authorizationDetails) {
+
+ return authorizationDetails == null || authorizationDetails.getDetails().isEmpty();
+ }
+
+ /**
+ * Determines if the given {@link OAuthAuthzRequest} object contains {@code authorization_details}.
+ *
+ * @param oauthRequest The OAuth Authorization Request to check.
+ * @return {@code true} if the OAuth authorization request contains a non-blank authorization details parameter,
+ * {@code false} otherwise.
+ */
+ public static boolean isRichAuthorizationRequest(final OAuthAuthzRequest oauthRequest) {
+
+ return StringUtils.isNotBlank(oauthRequest.getParam(AuthorizationDetailsConstants.AUTHORIZATION_DETAILS));
+ }
+
+ /**
+ * Determines if the given {@link CarbonOAuthTokenRequest} object contains {@code authorization_details}.
+ *
+ * @param carbonOAuthTokenRequest The OAuth Token Request to check.
+ * @return {@code true} if the OAuth token request contains a non-blank authorization details parameter,
+ * {@code false} otherwise.
+ */
+ public static boolean isRichAuthorizationRequest(final CarbonOAuthTokenRequest carbonOAuthTokenRequest) {
+
+ return StringUtils
+ .isNotBlank(carbonOAuthTokenRequest.getParam(AuthorizationDetailsConstants.AUTHORIZATION_DETAILS));
+ }
+
+ /**
+ * Determines if the given {@link OAuthTokenReqMessageContext} object or the
+ * {@link OAuthTokenReqMessageContext#getOauth2AccessTokenReqDTO} contains {@link AuthorizationDetails}.
+ *
+ * @param oAuthTokenReqMessageContext The requested oAuthTokenReqMessageContext to check.
+ * @return {@code true} if the oAuthTokenReqMessageContext contains non-empty authorization details set,
+ * {@code false} otherwise.
+ */
+ public static boolean isRichAuthorizationRequest(final OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
+
+ return isRichAuthorizationRequest(oAuthTokenReqMessageContext.getAuthorizationDetails()) ||
+ isRichAuthorizationRequest(oAuthTokenReqMessageContext
+ .getOauth2AccessTokenReqDTO().getAuthorizationDetails());
+ }
+
+ /**
+ * Retrieves the application resource ID from the client ID.
+ *
+ * @param clientId The client ID.
+ * @return The application resource ID.
+ * @throws IdentityOAuth2Exception if an error occurs while retrieving the application resource ID.
+ */
+ public static String getApplicationResourceIdFromClientId(final String clientId) throws IdentityOAuth2Exception {
+
+ final ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId);
+ if (serviceProvider != null) {
+ return serviceProvider.getApplicationResourceId();
+ }
+ throw new IdentityOAuth2Exception("Unable to find a service provider for client Id: " + clientId);
+ }
+
+ /**
+ * Retrieves the user ID from the authenticated user.
+ *
+ * @param authenticatedUser The authenticated user.
+ * @return The user ID.
+ * @throws IdentityOAuth2Exception if an error occurs while retrieving the user ID.
+ */
+ public static String getIdFromAuthenticatedUser(final AuthenticatedUser authenticatedUser)
+ throws IdentityOAuth2Exception {
+
+ try {
+ return authenticatedUser.getUserId();
+ } catch (UserIdNotFoundException e) {
+ log.error("Error occurred while extracting userId from authenticated user. Caused by, ", e);
+ throw new IdentityOAuth2Exception(
+ "User id is not found for user: " + authenticatedUser.getLoggableMaskedUserId(), e);
+ }
+ }
+
+ /**
+ * Generates a set of {@link AuthorizationDetailsConsentDTO} from the provided consent ID,
+ * authorization details, and tenant ID.
+ *
+ * @param consentId The consent ID.
+ * @param userConsentedAuthorizationDetails The user-consented authorization details.
+ * @param tenantId The tenant ID.
+ * @return A list of {@link AuthorizationDetailsConsentDTO}.
+ */
+ public static Set This interface provides methods to validate {@link AuthorizationDetails} across various OAuth2 message contexts,
+ * including authorization requests, token requests, and token validation requests. Implementations of this
+ * interface should handle the validation logic specific to the type of request and ensure that the returned
+ * AuthorizationDetails are accurate and compliant with the application's security policies.
+ * Validates the {@link AuthorizationDetails} during the authorization request phase.
+ * This is typically invoked when an authorization request is received and needs to be processed.
+ *
+ * @param oAuthAuthzReqMessageContext The OAuth authorization request message context.
+ * @return The validated {@link AuthorizationDetails}.
+ * @throws AuthorizationDetailsProcessingException If an error occurs during the processing of authorization details
+ * @throws IdentityOAuth2ServerException if the validation fails due to a server error.
+ */
+ AuthorizationDetails getValidatedAuthorizationDetails(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
+ throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException;
+
+ /**
+ * Validates and returns the {@link AuthorizationDetails} for the given {@link OAuthTokenReqMessageContext}.
+ *
+ * Validates the AuthorizationDetails during the token request phase. This is usually called when an authorization
+ * code is exchanged for an access token, or when a refresh token request is made.
+ *
+ * @param oAuthTokenReqMessageContext The OAuth token request message context.
+ * @return The validated {@link AuthorizationDetails}.
+ * @throws AuthorizationDetailsProcessingException If an error occurs during the processing of authorization details
+ * @throws IdentityOAuth2ServerException if the validation fails due to a server error.
+ */
+ AuthorizationDetails getValidatedAuthorizationDetails(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
+ throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException;
+
+ /**
+ * Validates and returns the {@link AuthorizationDetails} for the given {@link OAuth2TokenValidationMessageContext}.
+ *
+ * Validates the {@link AuthorizationDetails} during the token validation phase. This method is often used when an
+ * access token is being introspected to ensure its legitimacy and the associated AuthorizationDetails.
+ *
+ * @param oAuth2TokenValidationMessageContext The OAuth2 token validation message context.
+ * @return The validated {@link AuthorizationDetails}.
+ * @throws AuthorizationDetailsProcessingException If an error occurs during the processing of authorization details
+ * @throws IdentityOAuth2ServerException If an error occurs related to the OAuth2 server.
+ */
+ AuthorizationDetails getValidatedAuthorizationDetails(OAuth2TokenValidationMessageContext
+ oAuth2TokenValidationMessageContext)
+ throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException;
+}
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/validator/DefaultAuthorizationDetailsValidator.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/validator/DefaultAuthorizationDetailsValidator.java
new file mode 100644
index 00000000000..6e3e3c0996c
--- /dev/null
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/rar/validator/DefaultAuthorizationDetailsValidator.java
@@ -0,0 +1,417 @@
+/*
+ * Copyright (c) 2025, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth2.rar.validator;
+
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.oltu.oauth2.common.message.types.GrantType;
+import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
+import org.wso2.carbon.identity.application.common.model.AuthorizationDetailsType;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ServerException;
+import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
+import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
+import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
+import org.wso2.carbon.identity.oauth2.rar.AuthorizationDetailsSchemaValidator;
+import org.wso2.carbon.identity.oauth2.rar.AuthorizationDetailsService;
+import org.wso2.carbon.identity.oauth2.rar.core.AuthorizationDetailsProcessor;
+import org.wso2.carbon.identity.oauth2.rar.core.AuthorizationDetailsProcessorFactory;
+import org.wso2.carbon.identity.oauth2.rar.exception.AuthorizationDetailsProcessingException;
+import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetail;
+import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetails;
+import org.wso2.carbon.identity.oauth2.rar.model.AuthorizationDetailsContext;
+import org.wso2.carbon.identity.oauth2.rar.model.ValidationResult;
+import org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsUtils;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import static org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsConstants.TYPE_NOT_SUPPORTED_ERR_FORMAT;
+import static org.wso2.carbon.identity.oauth2.rar.util.AuthorizationDetailsConstants.VALIDATION_FAILED_ERR_MSG;
+
+/**
+ * Default implementation class responsible for validating {@link AuthorizationDetails} in different
+ * OAuth2 message contexts.
+ */
+public class DefaultAuthorizationDetailsValidator implements AuthorizationDetailsValidator {
+
+ private static final Log log = LogFactory.getLog(DefaultAuthorizationDetailsValidator.class);
+ private final AuthorizationDetailsProcessorFactory authorizationDetailsProcessorFactory;
+ private final AuthorizationDetailsService authorizationDetailsService;
+ private final AuthorizationDetailsSchemaValidator authorizationDetailsSchemaValidator;
+
+ public DefaultAuthorizationDetailsValidator() {
+ this(
+ AuthorizationDetailsProcessorFactory.getInstance(),
+ OAuth2ServiceComponentHolder.getInstance().getAuthorizationDetailsService(),
+ AuthorizationDetailsSchemaValidator.getInstance()
+ );
+ }
+
+ public DefaultAuthorizationDetailsValidator(
+ final AuthorizationDetailsProcessorFactory authorizationDetailsProcessorFactory,
+ final AuthorizationDetailsService authorizationDetailsService,
+ final AuthorizationDetailsSchemaValidator authorizationDetailsSchemaValidator) {
+
+ this.authorizationDetailsProcessorFactory = authorizationDetailsProcessorFactory;
+ this.authorizationDetailsService = authorizationDetailsService;
+ this.authorizationDetailsSchemaValidator = authorizationDetailsSchemaValidator;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public AuthorizationDetails getValidatedAuthorizationDetails(final OAuthAuthzReqMessageContext
+ oAuthAuthzReqMessageContext)
+ throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException {
+
+ try {
+
+ return this.getValidatedAuthorizationDetails(
+ oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey(),
+ oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain(),
+ oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getAuthorizationDetails(),
+ (detail, type) -> new AuthorizationDetailsContext(detail, type, oAuthAuthzReqMessageContext)
+ );
+ } catch (IdentityOAuth2Exception e) {
+ log.error("Unable find the tenant ID of the domain: " +
+ oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain() + " Caused by, ", e);
+ throw new AuthorizationDetailsProcessingException("Invalid tenant domain", e);
+ }
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public AuthorizationDetails getValidatedAuthorizationDetails(final OAuthTokenReqMessageContext
+ oAuthTokenReqMessageContext)
+ throws AuthorizationDetailsProcessingException, IdentityOAuth2ServerException {
+
+ final OAuth2AccessTokenReqDTO accessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
+
+ if (!AuthorizationDetailsUtils.isRichAuthorizationRequest(accessTokenReqDTO.getAuthorizationDetails())) {
+ if (log.isDebugEnabled()) {
+ log.debug("Client application does not request new authorization details. " +
+ "Returning previously validated authorization details.");
+ }
+ return oAuthTokenReqMessageContext.getAuthorizationDetails();
+ }
+
+ if (GrantType.AUTHORIZATION_CODE.toString().equals(accessTokenReqDTO.getGrantType())) {
+ if (log.isDebugEnabled()) {
+ log.debug("Skipping the authorization_details validation for authorization code flow " +
+ "as this validation has already happened in the authorize flow.");
+ }
+ return oAuthTokenReqMessageContext.getAuthorizationDetails();
+ }
+
+ final AuthorizationDetails validatedAuthorizationDetails = this.getValidatedAuthorizationDetails(
+ accessTokenReqDTO.getClientId(),
+ accessTokenReqDTO.getTenantDomain(),
+ accessTokenReqDTO.getAuthorizationDetails(),
+ (detail, type) -> new AuthorizationDetailsContext(detail, type, oAuthTokenReqMessageContext)
+ );
+
+ if (GrantType.REFRESH_TOKEN.toString().equals(accessTokenReqDTO.getGrantType())) {
+ return new AuthorizationDetails(this.filterConsentedAuthorizationDetails(validatedAuthorizationDetails,
+ oAuthTokenReqMessageContext.getAuthorizationDetails()));
+ }
+
+ return validatedAuthorizationDetails;
+ }
+
+ /**
+ * Validates whether the user has consented to the requested authorization details.
+ *
+ * @param requestedAuthorizationDetails The requested authorization details.
+ * @param consentedAuthorizationDetails The consented authorization details.
+ * @throws AuthorizationDetailsProcessingException If validation fails.
+ */
+ private Set
+ * It checks if authorization details were included in the authorization code request and whether the
+ * user has consented to these specific authorization details. Depending on user consent, it selects
+ * the appropriate authorization details to be included in the token response.
+ * It retrieves the token authorization details based on the provided OAuth token request context.