Merge upstream

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>6.11.212-SNAPSHOT</version>
+    <version>6.11.245-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>6.11.212-SNAPSHOT</version>
+    <version>6.11.245-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.client.authn.filter/src/main/java/org/wso2/carbon/identity/oauth/client/authn/filter/OAuthClientAuthenticatorProxy.java

@@ -49,8 +49,9 @@ public class OAuthClientAuthenticatorProxy extends AbstractPhaseInterceptor<Mess
     private static final Log log = LogFactory.getLog(OAuthClientAuthenticatorProxy.class);
     private static final String HTTP_REQUEST = "HTTP.REQUEST";
     private static final List<String> PROXY_ENDPOINT_LIST = Arrays.asList("/oauth2/token", "/oauth2/revoke",
-            "/oauth2/device_authorize", "/oauth2/ciba", "/oauth2/par");
+            "/oauth2/device_authorize", "/oauth2/ciba", "/oauth2/par", "/oauth2/authorize");
     private OAuthClientAuthnService oAuthClientAuthnService;
+    private static final String SLASH = "/";
 
     public OAuthClientAuthenticatorProxy() {
 
@@ -106,6 +107,7 @@ public void handleMessage(Message message) {
     private boolean canHandle(Message message) {
 
         String requestPath = (String) message.get(Message.REQUEST_URI);
+        requestPath = removeTrailingSlash(requestPath);
         return PROXY_ENDPOINT_LIST.stream().anyMatch(requestPath::equalsIgnoreCase);
     }
 
@@ -141,4 +143,11 @@ private void setContextToRequest(HttpServletRequest request, OAuthClientAuthnCon
                 oAuthClientAuthnContext);
     }
 
+    private String removeTrailingSlash(String url) {
+
+        if (url != null && url.endsWith(SLASH)) {
+            return url.substring(0, url.length() - 1);
+        }
+        return url;
+    }
 }

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -127,6 +127,7 @@ public final class OAuthConstants {
 
     public static final String ENABLE_TLS_CERT_BOUND_ACCESS_TOKENS_VIA_BINDING_TYPE = "OAuth.OpenIDConnect." +
             "EnableTLSCertificateBoundAccessTokensViaBindingType";
+    public static final String IS_API_BASED_LOGOUT_WITHOUT_COOKIES = "isAPIBasedLogoutWithoutCookies";
 
     /**
      * Enum for OIDC supported subject types.
@@ -213,6 +214,7 @@ public static SubjectType fromValue(String text) {
     //Constants used for multiple scopes
     public static final String OIDC_SCOPE_CONFIG_PATH = "oidc-scope-config.xml";
     public static final String OAUTH_SCOPE_BINDING_PATH = "oauth-scope-bindings.xml";
+    public static final String RESOURCE_ACCESS_CONTROL_V2_CONFIG_PATH = "resource-access-control-v2.xml";
     public static final String SCOPE_RESOURCE_PATH = "/oidc";
 
     public static final String RESTRICT_UNASSIGNED_SCOPES = "restrict.unassigned.scopes";
@@ -262,6 +264,7 @@ public static SubjectType fromValue(String text) {
     public static final String REQUEST_OBJECT_ENCRYPTION_METHOD = "OAuth.OpenIDConnect." +
             "SupportedRequestObjectEncryptionMethods.SupportedRequestObjectEncryptionMethod";
     public static final String IS_PUSH_AUTHORIZATION_REQUEST = "isPushAuthorizationRequest";
+    public static final String ALLOWED_SCOPES_PROPERTY = "allowedScopes";
 
 
     public static final String IS_THIRD_PARTY_APP = "isThirdPartyApp";
@@ -402,7 +405,7 @@ public static class OAuth20Endpoints {
         public static final String  OAUTH2_DISCOVERY_EP_URL = "/oauth2/oidcdiscovery";
         public static final String OAUTH2_USER_INFO_EP_URL = "oauth2/userinfo";
         public static final String OAUTH2_REVOKE_EP_URL = "oauth2/revoke";
-        public static final String OIDC_WEB_FINGER_EP_URL = ".well-know/webfinger";
+        public static final String OIDC_WEB_FINGER_EP_URL = ".well-known/webfinger";
         public static final String OAUTH2_INTROSPECT_EP_URL = "oauth2/introspect";
         public static final String OIDC_CONSENT_EP_URL = "/authenticationendpoint/oauth2_consent.do";
         public static final String OAUTH2_CONSENT_EP_URL = "/authenticationendpoint/oauth2_authz.do";

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
@@ -117,6 +117,11 @@
             <artifactId>jackson-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>com.sun.xml.parsers</groupId>
             <artifactId>jaxp-ri</artifactId>

components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java

@@ -643,6 +643,8 @@ private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest regist
                 oAuthConsumerApp.setTokenBindingType(OAuth2Constants.TokenBinderType.CERTIFICATE_BASED_TOKEN_BINDER);
                 oAuthConsumerApp.setTokenBindingValidationEnabled(true);
             }
+        } else {
+            oAuthConsumerApp.setTokenBindingType(OAuthConstants.OIDCConfigProperties.TOKEN_BINDING_TYPE_NONE);
         }
         oAuthConsumerApp.setPkceMandatory(registrationRequest.isExtPkceMandatory());
         oAuthConsumerApp.setPkceSupportPlain(registrationRequest.isExtPkceSupportPlain());

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.212-SNAPSHOT</version>
+        <version>6.11.245-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
@@ -342,7 +342,7 @@
                                         <limit implementation="org.jacoco.report.check.Limit">
                                             <counter>COMPLEXITY</counter>
                                             <value>COVEREDRATIO</value>
-                                            <minimum>0.49</minimum>
+                                            <minimum>0.48</minimum>
                                         </limit>
                                     </limits>
                                 </rule>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/api/auth/ApiAuthnHandler.java

@@ -20,19 +20,13 @@
 
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
-import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.identity.application.authentication.framework.exception.auth.service.AuthServiceException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AdditionalData;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorData;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorParamMetadata;
 import org.wso2.carbon.identity.application.authentication.framework.model.auth.service.AuthServiceResponse;
 import org.wso2.carbon.identity.application.authentication.framework.model.auth.service.AuthServiceResponseData;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
-import org.wso2.carbon.identity.application.authentication.framework.util.auth.service.AuthServiceConstants;
-import org.wso2.carbon.identity.core.ServiceURLBuilder;
-import org.wso2.carbon.identity.core.URLBuilderException;
-import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
-import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.AuthResponse;
 import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.Authenticator;
@@ -43,6 +37,7 @@
 import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.NextStep;
 import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.Param;
 import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.StepTypeEnum;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
@@ -56,11 +51,9 @@
  */
 public class ApiAuthnHandler {
 
-    private static final String TENANT_NAME_FROM_CONTEXT = "TenantNameFromContext";
     private static final String ADDITIONAL_DATA_REDIRECT_URL = "redirectUrl";
     private static final String AUTHENTICATION_EP = "/oauth2/authn";
     private static final String AUTHENTICATION_EP_LINK_NAME = "authentication";
-    private static final String TENANT_CONTEXT_PATH_COMPONENT = "/t/%s";
     private static final String HTTP_POST = "POST";
     private static final String MESSAGE = "message";
     private static final String DOT_SEPARATOR = ".";
@@ -213,41 +206,23 @@ private Param buildAuthenticatorParam(AuthenticatorParamMetadata paramMetadata)
         param.setConfidential(paramMetadata.isConfidential());
         param.setOrder(paramMetadata.getParamOrder());
         param.setI18nKey(paramMetadata.getI18nKey());
+        param.setDisplayName(paramMetadata.getDisplayName());
 
         return param;
     }
 
-    private List<Link> buildLinks() throws AuthServiceException {
+    private List<Link> buildLinks() {
 
         List<Link> links = new ArrayList<>();
         Link authnEpLink = new Link();
         authnEpLink.setName(AUTHENTICATION_EP_LINK_NAME);
-        String endpoint = AUTHENTICATION_EP;
-        if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
-            endpoint = String.format(TENANT_CONTEXT_PATH_COMPONENT, getTenantDomainFromContext()) + AUTHENTICATION_EP;
-        }
-        String href;
-        try {
-            href = ServiceURLBuilder.create().addPath(endpoint).build().getAbsolutePublicURL();
-        } catch (URLBuilderException e) {
-            throw new AuthServiceException(AuthServiceConstants.ErrorMessage.ERROR_UNABLE_TO_PROCEED.code(),
-                    "Error occurred while building links", e);
-        }
+        String href = OAuth2Util.buildServiceUrl(AUTHENTICATION_EP, null);
         authnEpLink.setHref(href);
         authnEpLink.setMethod(HTTP_POST);
         links.add(authnEpLink);
         return links;
     }
 
-    private String getTenantDomainFromContext() {
-
-        String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
-        if (IdentityUtil.threadLocalProperties.get().get(TENANT_NAME_FROM_CONTEXT) != null) {
-            tenantDomain = (String) IdentityUtil.threadLocalProperties.get().get(TENANT_NAME_FROM_CONTEXT);
-        }
-        return tenantDomain;
-    }
-
     private String buildAuthenticatorId(String authenticator, String idp) {
 
         return base64URLEncode(authenticator + OAuthConstants.AUTHENTICATOR_IDP_SPLITTER + idp);

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/api/auth/model/Param.java

@@ -31,6 +31,7 @@ public class Param {
     private Integer order;
     private String validationRegex;
     private String i18nKey;
+    private String displayName;
 
     public Param() {
 
@@ -106,5 +107,15 @@ public void setI18nKey(String i18nKey) {
 
         this.i18nKey = i18nKey;
     }
+
+    public String getDisplayName() {
+
+        return displayName;
+    }
+
+    public void setDisplayName(String displayName) {
+
+        this.displayName = displayName;
+    }
 }
 

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/api/auth/model/SuccessCompleteAuthResponse.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2023, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.oauth.endpoint.api.auth.model;
+
+import org.wso2.carbon.identity.application.authentication.framework.util.auth.service.AuthServiceConstants;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Class containing the authentication response for successful flow completion.
+ */
+public class SuccessCompleteAuthResponse {
+
+    private AuthServiceConstants.FlowStatus flowStatus = AuthServiceConstants.FlowStatus.SUCCESS_COMPLETED;
+    private Map<String, String> authData = new HashMap<>();
+
+    public SuccessCompleteAuthResponse() {
+
+    }
+
+    public SuccessCompleteAuthResponse(Map<String, String> authData) {
+
+        this.authData = authData;
+    }
+
+    public AuthServiceConstants.FlowStatus getFlowStatus() {
+
+        return flowStatus;
+    }
+
+    public void setFlowStatus(AuthServiceConstants.FlowStatus flowStatus) {
+
+        this.flowStatus = flowStatus;
+    }
+
+    public Map<String, String> getAuthData() {
+
+        return authData;
+    }
+
+    public void setAuthData(Map<String, String> authData) {
+
+        this.authData = authData;
+    }
+}