feat(jans-auth-server): add access_token_singing_alg_values_supported…

… to discovery #2372 docs: no docs #2372
JanssenProject · Sep 16, 2022 · 82ee64c · 82ee64c
1 parent a009943
commit 82ee64c
Show file tree

Hide file tree

Showing 14 changed files with 164 additions and 293 deletions.
diff --git a/jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationClient.java b/jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationClient.java
@@ -16,65 +16,7 @@
 import jakarta.ws.rs.client.Invocation.Builder;
 import jakarta.ws.rs.core.MediaType;
 
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.ACR_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.AUTHORIZATION_ENCRYPTION_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.AUTHORIZATION_ENCRYPTION_ENC_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.AUTHORIZATION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.AUTHORIZATION_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_AUTHENTICATION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_AUTHENTICATION_REQUEST_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_LOGOUT_SESSION_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_LOGOUT_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_TOKEN_DELIVERY_MODES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.BACKCHANNEL_USER_CODE_PAREMETER_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CHECK_SESSION_IFRAME;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CLAIMS_LOCALES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CLAIMS_PARAMETER_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CLAIMS_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CLAIM_TYPES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.CLIENT_INFO_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.DEVICE_AUTHZ_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.DISPLAY_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.DPOP_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.END_SESSION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.FRONTCHANNEL_LOGOUT_SESSION_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.FRONTCHANNEL_LOGOUT_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.GRANT_TYPES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.ID_TOKEN_ENCRYPTION_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.ID_TOKEN_ENCRYPTION_ENC_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.INTROSPECTION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.ISSUER;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.JWKS_URI;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.MTLS_ENDPOINT_ALIASES;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.OP_POLICY_URI;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.OP_TOS_URI;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.PAR_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REGISTRATION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUEST_OBJECT_ENCRYPTION_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUEST_OBJECT_ENCRYPTION_ENC_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUEST_OBJECT_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUEST_PARAMETER_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUEST_URI_PARAMETER_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUIRE_PAR;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REQUIRE_REQUEST_URI_REGISTRATION;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.RESPONSE_MODES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.RESPONSE_TYPES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.REVOCATION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.SCOPES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.SCOPE_TO_CLAIMS_MAPPING;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.SERVICE_DOCUMENTATION;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.SESSION_REVOCATION_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.SUBJECT_TYPES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.TLS_CLIENT_CERTIFICATE_BOUND_ACCESS_TOKENS;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.TOKEN_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.UI_LOCALES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.USER_INFO_ENCRYPTION_ALG_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.USER_INFO_ENCRYPTION_ENC_VALUES_SUPPORTED;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.USER_INFO_ENDPOINT;
-import static io.jans.as.model.configuration.ConfigurationResponseClaim.USER_INFO_SIGNING_ALG_VALUES_SUPPORTED;
+import static io.jans.as.model.configuration.ConfigurationResponseClaim.*;
 
 /**
  * Encapsulates functionality to make OpenId Configuration request calls to an authorization server via REST Services.
@@ -201,6 +143,7 @@ public static void parse(String json, OpenIdConfigurationResponse response) {
         Util.addToListIfHas(response.getIdTokenSigningAlgValuesSupported(), jsonObj, ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED);
         Util.addToListIfHas(response.getIdTokenEncryptionAlgValuesSupported(), jsonObj, ID_TOKEN_ENCRYPTION_ALG_VALUES_SUPPORTED);
         Util.addToListIfHas(response.getIdTokenEncryptionEncValuesSupported(), jsonObj, ID_TOKEN_ENCRYPTION_ENC_VALUES_SUPPORTED);
+        Util.addToListIfHas(response.getAccessTokenSigningAlgValuesSupported(), jsonObj, ACCESS_TOKEN_SIGNING_ALG_VALUES_SUPPORTED);
         Util.addToListIfHas(response.getRequestObjectSigningAlgValuesSupported(), jsonObj, REQUEST_OBJECT_SIGNING_ALG_VALUES_SUPPORTED);
         Util.addToListIfHas(response.getRequestObjectEncryptionAlgValuesSupported(), jsonObj, REQUEST_OBJECT_ENCRYPTION_ALG_VALUES_SUPPORTED);
         Util.addToListIfHas(response.getRequestObjectEncryptionEncValuesSupported(), jsonObj, REQUEST_OBJECT_ENCRYPTION_ENC_VALUES_SUPPORTED);

diff --git a/jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationResponse.java b/jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationResponse.java
@@ -55,6 +55,7 @@ public class OpenIdConfigurationResponse extends BaseResponse implements Seriali
     private List<String> idTokenSigningAlgValuesSupported;
     private List<String> idTokenEncryptionAlgValuesSupported;
     private List<String> idTokenEncryptionEncValuesSupported;
+    private List<String> accessTokenSigningAlgValuesSupported;
     private List<String> requestObjectSigningAlgValuesSupported;
     private List<String> requestObjectEncryptionAlgValuesSupported;
     private List<String> requestObjectEncryptionEncValuesSupported;
@@ -114,6 +115,7 @@ public OpenIdConfigurationResponse(int status) {
         idTokenSigningAlgValuesSupported = new ArrayList<>();
         idTokenEncryptionAlgValuesSupported = new ArrayList<>();
         idTokenEncryptionEncValuesSupported = new ArrayList<>();
+        accessTokenSigningAlgValuesSupported = new ArrayList<>();
         requestObjectSigningAlgValuesSupported = new ArrayList<>();
         requestObjectEncryptionAlgValuesSupported = new ArrayList<>();
         requestObjectEncryptionEncValuesSupported = new ArrayList<>();
@@ -621,6 +623,15 @@ public void setUserInfoEncryptionEncValuesSupported(List<String> userInfoEncrypt
         this.userInfoEncryptionEncValuesSupported = userInfoEncryptionEncValuesSupported;
     }
 
+    public List<String> getAccessTokenSigningAlgValuesSupported() {
+        if (accessTokenSigningAlgValuesSupported == null) accessTokenSigningAlgValuesSupported = new ArrayList<>();
+        return accessTokenSigningAlgValuesSupported;
+    }
+
+    public void setAccessTokenSigningAlgValuesSupported(List<String> accessTokenSigningAlgValuesSupported) {
+        this.accessTokenSigningAlgValuesSupported = accessTokenSigningAlgValuesSupported;
+    }
+
     /**
      * Returns a list of the JWS signing algorithms (alg values) supported by
      * the Authorization Server for the ID Token to encode the claims in a JWT.
@@ -1205,6 +1216,7 @@ public String toString() {
                 ", idTokenSigningAlgValuesSupported=" + idTokenSigningAlgValuesSupported +
                 ", idTokenEncryptionAlgValuesSupported=" + idTokenEncryptionAlgValuesSupported +
                 ", idTokenEncryptionEncValuesSupported=" + idTokenEncryptionEncValuesSupported +
+                ", accessTokenSigningAlgValuesSupported=" + accessTokenSigningAlgValuesSupported +
                 ", requestObjectSigningAlgValuesSupported=" + requestObjectSigningAlgValuesSupported +
                 ", requestObjectEncryptionAlgValuesSupported=" + requestObjectEncryptionAlgValuesSupported +
                 ", requestObjectEncryptionEncValuesSupported=" + requestObjectEncryptionEncValuesSupported +

diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java
@@ -108,6 +108,7 @@ public class AppConfiguration implements Configuration {
     private List<String> idTokenSigningAlgValuesSupported;
     private List<String> idTokenEncryptionAlgValuesSupported;
     private List<String> idTokenEncryptionEncValuesSupported;
+    private List<String> accessTokenSigningAlgValuesSupported;
     private Boolean forceSignedRequestObject = false;
     private List<String> requestObjectSigningAlgValuesSupported;
     private List<String> requestObjectEncryptionAlgValuesSupported;
@@ -1251,6 +1252,14 @@ public void setIdTokenEncryptionEncValuesSupported(List<String> idTokenEncryptio
         this.idTokenEncryptionEncValuesSupported = idTokenEncryptionEncValuesSupported;
     }
 
+    public List<String> getAccessTokenSigningAlgValuesSupported() {
+        return accessTokenSigningAlgValuesSupported;
+    }
+
+    public void setAccessTokenSigningAlgValuesSupported(List<String> accessTokenSigningAlgValuesSupported) {
+        this.accessTokenSigningAlgValuesSupported = accessTokenSigningAlgValuesSupported;
+    }
+
     public Boolean getForceSignedRequestObject() {
         if (forceSignedRequestObject == null) {
             return false;

diff --git a/...server/model/src/main/java/io/jans/as/model/configuration/ConfigurationResponseClaim.java b/...server/model/src/main/java/io/jans/as/model/configuration/ConfigurationResponseClaim.java
@@ -47,6 +47,7 @@ private ConfigurationResponseClaim() {
     public static final String ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = "id_token_signing_alg_values_supported";
     public static final String ID_TOKEN_ENCRYPTION_ALG_VALUES_SUPPORTED = "id_token_encryption_alg_values_supported";
     public static final String ID_TOKEN_ENCRYPTION_ENC_VALUES_SUPPORTED = "id_token_encryption_enc_values_supported";
+    public static final String ACCESS_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = "access_token_signing_alg_values_supported";
     public static final String REQUEST_OBJECT_SIGNING_ALG_VALUES_SUPPORTED = "request_object_signing_alg_values_supported";
     public static final String REQUEST_OBJECT_ENCRYPTION_ALG_VALUES_SUPPORTED = "request_object_encryption_alg_values_supported";
     public static final String REQUEST_OBJECT_ENCRYPTION_ENC_VALUES_SUPPORTED = "request_object_encryption_enc_values_supported";

diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/Util.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/Util.java
@@ -30,18 +30,7 @@
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.time.Duration;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Collection;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.TimeZone;
+import java.util.*;
 
 /**
  * @author Yuriy Zabrovarnyy
@@ -367,4 +356,14 @@ public static Map<String, Serializable> toSerializableMap(Map<String, Object> ma
         }
         return result;
     }
+
+    public static void putArray(JSONObject jsonObj, List<String> list, String key) {
+        JSONArray jsonArray = new JSONArray();
+        for (String alg : list) {
+            jsonArray.put(alg);
+        }
+        if (jsonArray.length() > 0) {
+            jsonObj.put(key, jsonArray);
+        }
+    }
 }
diff --git a/jans-auth-server/model/src/test/java/io/jans/as/model/util/UtilTest.java b/jans-auth-server/model/src/test/java/io/jans/as/model/util/UtilTest.java
@@ -1,6 +1,7 @@
 package io.jans.as.model.util;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
 import io.jans.as.model.BaseTest;
 import io.jans.as.model.common.Display;
 import io.jans.as.model.common.SubjectType;
@@ -9,7 +10,6 @@
 import org.json.JSONObject;
 import org.testng.annotations.Test;
 
-import javax.swing.*;
 import java.io.IOException;
 import java.io.Serializable;
 import java.lang.reflect.InvocationTargetException;
@@ -19,6 +19,24 @@
 
 public class UtilTest extends BaseTest {
 
+    @Test
+    public void putArray_whenListIsNotEmpty_shouldAddArray() {
+        JSONObject json = new JSONObject();
+        Util.putArray(json, Lists.newArrayList("a"), "key");
+
+        final JSONArray jsonArray = json.optJSONArray("key");
+        assertNotNull(jsonArray);
+        assertEquals(jsonArray.get(0), "a");
+    }
+
+    @Test
+    public void putArray_whenListIsEmpty_shouldNotAddArray() {
+        JSONObject json = new JSONObject();
+        Util.putArray(json, Lists.newArrayList(), "key");
+
+        assertNull(json.optJSONArray("key"));
+    }
+
     @Test
     public void putNotBlank_keyNull_nothing() {
         showTitle("putNotBlank_keyNull_nothing");

diff --git a/...er/server/src/main/java/io/jans/as/server/model/registration/RegisterParamsValidator.java b/...er/server/src/main/java/io/jans/as/server/model/registration/RegisterParamsValidator.java
@@ -111,6 +111,15 @@ public void validateAlgorithms(RegisterRequest registerRequest) {
                     RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter id_token_signed_response_alg is not valid.");
         }
 
+        if (registerRequest.getAccessTokenSigningAlg() != null
+                && registerRequest.getAccessTokenSigningAlg() != SignatureAlgorithm.NONE &&
+                !appConfiguration.getAccessTokenSigningAlgValuesSupported().contains(
+                        registerRequest.getAccessTokenSigningAlg().toString())) {
+            log.debug("Parameter access_token_signed_alg is not valid.");
+            throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST,
+                    RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter access_token_signed_alg is not valid.");
+        }
+
         if (registerRequest.getIdTokenEncryptedResponseAlg() != null &&
                 !appConfiguration.getIdTokenEncryptionAlgValuesSupported().contains(
                         registerRequest.getIdTokenEncryptedResponseAlg().toString())) {

diff --git a/...er/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java b/...er/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java
@@ -119,7 +119,7 @@ public Response createClient(String requestParams, HttpServletRequest httpReques
 
             setSubjectType(r);
             setIdTokenSignedResponseAlg(r);
-            setAccessTokenSigningAlg(r);
+            setAccessTokenSigningAlgFallback(r);
 
             registerParamsValidator.validateAlgorithms(r);
 
@@ -236,7 +236,7 @@ private void setSubjectType(RegisterRequest r) {
         }
     }
 
-    private void setAccessTokenSigningAlg(RegisterRequest r) {
+    private void setAccessTokenSigningAlgFallback(RegisterRequest r) {
         if (r.getAccessTokenSigningAlg() == null) {
             r.setAccessTokenSigningAlg(SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm()));
         }