feat(jans-auth-server): changed backchannel_logout_uri list->string a…

…ccording to spec (#7677)

It makes jans compatible with nimbus client.
 #7581

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

docs/admin/auth-server/authz-details/README.md

@@ -140,7 +140,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "1af17da1-57a3-416b-a358-c84bb0ef0fad",
     "client_id_issued_at": 1702922353,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "jans test app",
     "par_lifetime": 600,

docs/admin/auth-server/endpoints/authorization-challenge.md

@@ -386,7 +386,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "f6364c5c-295d-4e6e-bb40-6ad3a47b2119",
     "client_id_issued_at": 1691668385,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "jans test app",
     "par_lifetime": 600,
@@ -679,7 +679,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "f921c89c-57f0-4a91-baaa-036a4a22737b",
     "client_id_issued_at": 1691668622,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "jans test app",
     "par_lifetime": 600,

docs/admin/auth-server/endpoints/client-registration.md

@@ -79,7 +79,7 @@ in example below:
     "scope": "profile work_phone phone user_name device_sso openid permission uma_protection address email clientinfo org_name offline_access https://jans.io/auth/ssa.portal test https://jans.io/auth/ssa.admin https://jans.io/auth/ssa.developer",
     "client_secret": "4148f812-92d6-4245-80e0-243524b3b6a4",
     "client_id_issued_at": 1678700818,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "my.jans.client",
     "par_lifetime": 600,

docs/admin/auth-server/oauth-features/mtls.md

@@ -551,7 +551,7 @@ Response:
   "scope": "email openid profile",
   "client_secret": "e1c9e9df-e542-4225-adb4-d0590f85d97d",
   "client_id_issued_at": 1698114939,
-  "backchannel_logout_uri": [],
+  "backchannel_logout_uri": "",
   "backchannel_logout_session_required": false,
   "client_name": "Test Client mTLS",
   "par_lifetime": 600,

docs/admin/auth-server/oauth-features/pkce.md

@@ -161,7 +161,7 @@ Connection: close
   "scope": "email openid profile",
   "client_secret": "a656a654-c930-4b52-9edb-68ead50d046e",
   "client_id_issued_at": 1700261473,
-  "backchannel_logout_uri": [],
+  "backchannel_logout_uri": "",
   "backchannel_logout_session_required": false,
   "client_name": "PKCE Test Client",
   "par_lifetime": 600,

docs/admin/config-guide/config-tools/curl-guide.md

@@ -103,7 +103,7 @@ If client is created successfully, response similar to below will be received:
     "scope": "openid profile permission https://jans.io/auth/ssa.portal uma_protection work_phone phone address test https://jans.io/auth/ssa.admin user_name email clientinfo device_sso org_name https://jans.io/auth/ssa.developer offline_access",
     "client_secret": "da4c17de-b6bc-4f25-b642-4c7b887c7860",
     "client_id_issued_at": 1672221633,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "par_lifetime": 600,
     "spontaneous_scopes": [],

docs/assets/log/authorization-details-run-log.txt

@@ -174,7 +174,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "1af17da1-57a3-416b-a358-c84bb0ef0fad",
     "client_id_issued_at": 1702922353,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "jans test app",
     "par_lifetime": 600,

docs/assets/log/tx-token-replace-run-log.txt

@@ -176,7 +176,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "cdbd420d-5f15-4031-9081-878a47a7822d",
     "client_id_issued_at": 1705054752,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "tx token test",
     "par_lifetime": 600,

docs/assets/log/tx-token-request-run-log.txt

@@ -176,7 +176,7 @@ X-Xss-Protection: 1; mode=block
     "scope": "openid",
     "client_secret": "9a62ce88-e35f-4516-9724-1437b07bccb2",
     "client_id_issued_at": 1705054359,
-    "backchannel_logout_uri": [],
+    "backchannel_logout_uri": "",
     "backchannel_logout_session_required": false,
     "client_name": "tx token test",
     "par_lifetime": 600,

jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java

@@ -74,7 +74,7 @@ public class RegisterRequest extends BaseRequest {
     private final LocalizedString tosUri;
     private String frontChannelLogoutUri;
     private Boolean frontChannelLogoutSessionRequired;
-    private List<String> backchannelLogoutUris;
+    private String backchannelLogoutUri;
     private Boolean backchannelLogoutSessionRequired;
     private String jwksUri;
     private String jwks;
@@ -303,12 +303,22 @@ public void setAccessToken(String registrationAccessToken) {
         this.registrationAccessToken = registrationAccessToken;
     }
 
-    public List<String> getBackchannelLogoutUris() {
-        return backchannelLogoutUris;
+    /**
+     * Returns backchannel logout uri
+     *
+     * @return backchannel logout uri
+     */
+    public String getBackchannelLogoutUri() {
+        return backchannelLogoutUri;
     }
 
-    public void setBackchannelLogoutUris(List<String> backchannelLogoutUris) {
-        this.backchannelLogoutUris = backchannelLogoutUris;
+    /**
+     * Sets backchannel logout uri
+     *
+     * @param backchannelLogoutUri backchannel logout uri
+     */
+    public void setBackchannelLogoutUri(String backchannelLogoutUri) {
+        this.backchannelLogoutUri = backchannelLogoutUri;
     }
 
     public Boolean getBackchannelLogoutSessionRequired() {
@@ -1827,7 +1837,7 @@ public static RegisterRequest fromJson(JSONObject requestObject) throws JSONExce
         result.setMinimumAcrPriorityList(extractListByKey(requestObject, MINIMUM_ACR_PRIORITY_LIST.toString()));
         result.setFrontChannelLogoutUri(requestObject.optString(FRONT_CHANNEL_LOGOUT_URI.toString()));
         result.setFrontChannelLogoutSessionRequired(requestObject.optBoolean(FRONT_CHANNEL_LOGOUT_SESSION_REQUIRED.toString()));
-        result.setBackchannelLogoutUris(extractListByKey(requestObject, BACKCHANNEL_LOGOUT_URI.toString()));
+        result.setBackchannelLogoutUri(requestObject.optString(BACKCHANNEL_LOGOUT_URI.toString()));
         result.setBackchannelLogoutSessionRequired(requestObject.optBoolean(BACKCHANNEL_LOGOUT_SESSION_REQUIRED.toString()));
         result.setAccessTokenLifetime(integerOrNull(requestObject, ACCESS_TOKEN_LIFETIME.toString()));
         result.setParLifetime(integerOrNull(requestObject, PAR_LIFETIME.toString()));
@@ -2106,8 +2116,8 @@ public void getParameters(BiFunction<String, Object, Void> function) {
         if (frontChannelLogoutSessionRequired != null) {
             function.apply(FRONT_CHANNEL_LOGOUT_SESSION_REQUIRED.toString(), frontChannelLogoutSessionRequired.toString());
         }
-        if (backchannelLogoutUris != null && !backchannelLogoutUris.isEmpty()) {
-            function.apply(BACKCHANNEL_LOGOUT_URI.toString(), toJSONArray(backchannelLogoutUris));
+        if (backchannelLogoutUri != null && !backchannelLogoutUri.isEmpty()) {
+            function.apply(BACKCHANNEL_LOGOUT_URI.toString(), backchannelLogoutUri);
         }
         if (backchannelLogoutSessionRequired != null) {
             function.apply(BACKCHANNEL_LOGOUT_SESSION_REQUIRED.toString(), backchannelLogoutSessionRequired.toString());

jans-auth-server/client/src/test/java/io/jans/as/client/client/RegisterRequestTest.java

@@ -14,8 +14,6 @@
 import org.json.JSONObject;
 import org.testng.annotations.Test;
 
-import java.util.List;
-
 import static org.testng.Assert.assertEquals;
 
 /**
@@ -61,12 +59,12 @@ public void getJSONParametersForAdditionalAudienceShouldReturnCorrectValue() {
 
     @Test
     public void getJSONParameters_forBackchannelLogoutUri_shouldReturnCorrectValue() {
-        final List<String> value = Lists.newArrayList("https://back.com/b1", "https://back.com/b2");
+        final String value = "https://back.com/b1";
 
         RegisterRequest request = new RegisterRequest();
-        request.setBackchannelLogoutUris(value);
+        request.setBackchannelLogoutUri(value);
 
-        assertEquals(value, request.getJSONParameters().getJSONArray(RegisterRequestParam.BACKCHANNEL_LOGOUT_URI.getName()).toList());
+        assertEquals(value, request.getJSONParameters().optString(RegisterRequestParam.BACKCHANNEL_LOGOUT_URI.getName()));
     }
 
     @Test

jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/RegistrationRestWebServiceHttpTest.java

@@ -157,7 +157,7 @@ public void requestClientAssociate2(final String redirectUris, final String sect
         registerRequest.setRequestUris(Arrays.asList("http://www.gluu.org/request"));
         registerRequest.setFrontChannelLogoutUri(logoutUri);
         registerRequest.setFrontChannelLogoutSessionRequired(true);
-        registerRequest.setBackchannelLogoutUris(Lists.newArrayList(logoutUri));
+        registerRequest.setBackchannelLogoutUri(logoutUri);
         registerRequest.setBackchannelLogoutSessionRequired(true);
         registerRequest.setIdTokenSignedResponseAlg(SignatureAlgorithm.RS512);
         registerRequest.setIdTokenEncryptedResponseAlg(KeyEncryptionAlgorithm.RSA1_5);

jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterJsonService.java

@@ -154,7 +154,7 @@ public JSONObject getJSONObject(Client client) throws JSONException, StringEncry
         // Logout params
         Util.addToJSONObjectIfNotNull(responseJsonObject, FRONT_CHANNEL_LOGOUT_URI.toString(), client.getFrontChannelLogoutUri());
         Util.addToJSONObjectIfNotNull(responseJsonObject, FRONT_CHANNEL_LOGOUT_SESSION_REQUIRED.toString(), client.getFrontChannelLogoutSessionRequired());
-        Util.addToJSONObjectIfNotNull(responseJsonObject, BACKCHANNEL_LOGOUT_URI.toString(), client.getAttributes().getBackchannelLogoutUri());
+        Util.addToJSONObjectIfNotNull(responseJsonObject, BACKCHANNEL_LOGOUT_URI.toString(), client.getAttributes().getBackchannelLogoutUri().iterator().next());
         Util.addToJSONObjectIfNotNull(responseJsonObject, BACKCHANNEL_LOGOUT_SESSION_REQUIRED.toString(), client.getAttributes().getBackchannelLogoutSessionRequired());
         Util.addToJSONObjectIfNotNull(responseJsonObject, REDIRECT_URIS_REGEX.toString(), client.getAttributes().getRedirectUrisRegex());
 

jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java

@@ -388,8 +388,8 @@ public void updateClientFromRequestObject(Client client, RegisterRequest request
         }
         client.setFrontChannelLogoutSessionRequired(requestObject.getFrontChannelLogoutSessionRequired());
 
-        if (requestObject.getBackchannelLogoutUris() != null && !requestObject.getBackchannelLogoutUris().isEmpty()) {
-            client.getAttributes().setBackchannelLogoutUri(requestObject.getBackchannelLogoutUris());
+        if (requestObject.getBackchannelLogoutUri() != null && !requestObject.getBackchannelLogoutUri().isEmpty()) {
+            client.getAttributes().setBackchannelLogoutUri(Lists.newArrayList(requestObject.getBackchannelLogoutUri()));
         }
         client.getAttributes().setBackchannelLogoutSessionRequired(requestObject.getBackchannelLogoutSessionRequired());
 

jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java

@@ -129,7 +129,7 @@ public Response createClient(String requestParams, HttpServletRequest httpReques
             registerValidator.validateCiba(r);
 
             registerParamsValidator.validateLogoutUri(r.getFrontChannelLogoutUri(), r.getRedirectUris(), errorResponseFactory);
-            registerParamsValidator.validateLogoutUri(r.getBackchannelLogoutUris(), r.getRedirectUris(), errorResponseFactory);
+            registerParamsValidator.validateLogoutUri(r.getBackchannelLogoutUri(), r.getRedirectUris(), errorResponseFactory);
 
             String clientsBaseDN = staticConfiguration.getBaseDn().getClients();
 

jans-auth-server/server/src/test/java/io/jans/as/server/ws/rs/EndSessionBackchannelRestServerTest.java

@@ -18,7 +18,6 @@
 import io.jans.as.model.util.StringUtils;
 import io.jans.as.server.BaseTest;
 import io.jans.as.server.model.TClientService;
-import org.jboss.arquillian.container.test.api.RunAsClient;
 import org.jboss.arquillian.test.api.ArquillianResource;
 import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.testng.annotations.Parameters;
@@ -58,7 +57,7 @@ public void requestEndSessionStep1(final String redirectUris, final String postL
         io.jans.as.client.RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app", StringUtils.spaceSeparatedToList(redirectUris));
         registerRequest.setResponseTypes(Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
         registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
-        registerRequest.setBackchannelLogoutUris(Lists.newArrayList(postLogoutRedirectUri));
+        registerRequest.setBackchannelLogoutUri(Lists.newArrayList(postLogoutRedirectUri));
         registerRequest.addCustomAttribute("jansTrustedClnt", "true");
 
         registerResponse = TClientService.register(registerRequest, getApiTagetURL(url));