mitreid-connect · jricher · May 11, 2020 · May 11, 2020 · May 11, 2020 · May 11, 2020
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ bin
 /target
 .springBeans
 nb-configuration.xml
+.factorypath
diff --git a/openid-connect-common/pom.xml b/openid-connect-common/pom.xml
@@ -87,6 +87,11 @@
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk15on</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>javax.annotation</groupId>
+			<artifactId>javax.annotation-api</artifactId>
+			<version>1.3.1</version>
+		</dependency>
 	</dependencies>
 
 	<packaging>jar</packaging>

diff --git a/openid-connect-server-webapp/pom.xml b/openid-connect-server-webapp/pom.xml
@@ -142,11 +142,21 @@
 			<groupId>javax.servlet</groupId>
 			<artifactId>jstl</artifactId>
 		</dependency>
-
 		<dependency>
 			<groupId>com.zaxxer</groupId>
 			<artifactId>HikariCP</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>javax.xml.bind</groupId>
+			<artifactId>jaxb-api</artifactId>
+			<version>2.3.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.glassfish.jaxb</groupId>
+			<artifactId>jaxb-runtime</artifactId>
+			<version>2.3.1</version>
+			<scope>runtime</scope>
+		</dependency>
 	</dependencies>
 	<description>Deployable package of the OpenID Connect server</description>
 </project>
diff --git a/openid-connect-server-webapp/src/main/resources/db/hsql/clients.sql b/openid-connect-server-webapp/src/main/resources/db/hsql/clients.sql
@@ -10,60 +10,31 @@ START TRANSACTION;
 -- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here.
 -- 
 
-INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
-	('client', 'secret', 'Test Client', false, null, 3600, 600, true);
-
-INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
-	('client', 'openid'),
-	('client', 'profile'),
-	('client', 'email'),
-	('client', 'address'),
-	('client', 'phone'),
-	('client', 'offline_access');
-
-INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
-	('client', 'http://localhost/'),
-	('client', 'http://localhost:8080/');
+INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection, jwks, token_endpoint_auth_method) VALUES
+	('client', 'secret', 'Test Client', false, null, 3600, 600, true, 
+	'{"keys": [{ "kty": "RSA", "d": "m1M7uj1uZMgQqd2qwqBk07rgFzbzdCAbsfu5kvqoALv3oRdyi_UVHXDhos3DZVQ3M6mKgb30XXESykY8tpWcQOU-qx6MwtSFbo-3SNx9fBtylyQosHECGyleVP79YTE4mC0odRoUIDS90J9AcFsdVtC6M2oJ3CCL577a-lJg6eYyQoRmbjdzqMnBFJ99TCfR6wBQQbzXi1K_sN6gcqhxMmQXHWlqfT7-AJIxX9QUF0rrXMMX9fPh-HboGKs2Dqoo3ofJ2XuePpmpVDvtGy_jenXmUdpsRleqnMrEI2qkBonJQSKL4HPNpsylbQyXt2UtYrzcopCp7jL-j56kRPpQAQ", "e": "AQAB",  "kid": "xyz-client",  "alg": "RS256", "n": "zwCT_3bx-glbbHrheYpYpRWiY9I-nEaMRpZnRrIjCs6b_emyTkBkDDEjSysi38OC73hj1-WgxcPdKNGZyIoH3QZen1MKyyhQpLJG1-oLNLqm7pXXtdYzSdC9O3-oiyy8ykO4YUyNZrRRfPcihdQCbO_OC8Qugmg9rgNDOSqppdaNeas1ov9PxYvxqrz1-8Ha7gkD00YECXHaB05uMaUadHq-O_WIvYXicg6I5j6S44VNU65VBwu-AlynTxQdMAWP3bYxVVy6p3-7eTJokvjYTFqgDVDZ8lUXbr5yCTnRhnhJgvf3VjD_malNe8-tOqK5OSDlHTy6gD9NqdGCm-Pm3Q" }]}',
+	'PRIVATE_KEY');
+
+INSERT INTO client_scope (owner_id, scope) VALUES
+	(1, 'openid'),
+	(1, 'profile'),
+	(1, 'email'),
+	(1, 'address'),
+	(1, 'phone'),
+	(1, 'offline_access');
+
+INSERT INTO client_redirect_uri (owner_id, redirect_uri) VALUES
+	(1, 'http://localhost/'),
+	(1, 'http://localhost:8080/'),
+	(1, 'http://host.docker.internal:9834/api/client/callback');
 
-INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
-	('client', 'authorization_code'),
-	('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
-	('client', 'urn:ietf:params:oauth:grant-type:device_code'),
-	('client', 'implicit'),
-	('client', 'refresh_token');
+INSERT INTO client_grant_type (owner_id, grant_type) VALUES
+	(1, 'authorization_code'),
+	(1, 'urn:ietf:params:oauth:grant_type:redelegate'),
+	(1, 'urn:ietf:params:oauth:grant-type:device_code'),
+	(1, 'implicit'),
+	(1, 'refresh_token');
 
---
--- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
---
-
-MERGE INTO client_details 
-  USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) AS vals(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
-  ON vals.client_id = client_details.client_id
-  WHEN NOT MATCHED THEN 
-    INSERT (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection);
-
-MERGE INTO client_scope 
-  USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) AS vals(id, scope)
-  ON vals.id = client_scope.owner_id AND vals.scope = client_scope.scope
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, scope) values (vals.id, vals.scope);
-
-MERGE INTO client_redirect_uri 
-  USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) AS vals(id, redirect_uri)
-  ON vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri);
-
-MERGE INTO client_grant_type 
-  USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) AS vals(id, grant_type)
-  ON vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type
-  WHEN NOT MATCHED THEN 
-    INSERT (owner_id, grant_type) values (vals.id, vals.grant_type);
-
--- 
--- Close the transaction and turn autocommit back on
--- 
-
 COMMIT;
 
 SET AUTOCOMMIT TRUE;

diff --git a/openid-connect-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql
@@ -382,3 +382,22 @@ CREATE TABLE IF NOT EXISTS device_code_request_parameter (
 	param VARCHAR(2048),
 	val VARCHAR(2048)
 );
+
+CREATE TABLE IF NOT EXISTS transaction (
+	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
+	handle VARCHAR(1024),
+	interaction VARCHAR(1024),
+	client_id BIGINT NOT NULL,
+	status VARCHAR(256),
+	callback_uri VARCHAR(1024),
+	client_nonce VARCHAR(1024),
+	server_nonce VARCHAR(1024),
+	interaction_ref VARCHAR(1024),
+	hash_method VARCHAR(256),
+	auth_holder_id BIGINT	
+);
+
+CREATE TABLE IF NOT EXISTS transaction_scope (
+	owner_id BIGINT NOT NULL,
+	scope VARCHAR(256) NOT NULL
+);
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
@@ -120,6 +120,18 @@
 		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
 		<security:csrf disabled="true"/>
 	</security:http>
+
+	<security:http pattern="/transaction"
+		create-session="stateless"
+		use-expressions="true"
+		entry-point-ref="http403EntryPoint"
+		>
+
+		<security:intercept-url pattern="/token" access="permitAll" /> <!--  handle authentication internally for now  -->
+		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:csrf disabled="true"/>
+
+	</security:http>
 
 	<!-- Allow open access to discovery endpoints -->
 	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">

diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
@@ -16,11 +16,11 @@
     <meta name="author" content="">
 
     <!-- stylesheets -->
-    <link href="resources/bootstrap2/css/bootstrap.css" rel="stylesheet">
+    <link href="resources/css/bootstrap.css" rel="stylesheet">
     <link href="resources/css/bootstrap-sheet.css" rel="stylesheet">
     <link href="resources/css/mitreid-connect.css" rel="stylesheet">
     <link href="resources/css/mitreid-connect-local.css" rel="stylesheet">
-    <link href="resources/bootstrap2/css/bootstrap-responsive.css" rel="stylesheet">
+    <link href="resources/css/bootstrap-responsive.css" rel="stylesheet">
     <link href="resources/css/mitreid-connect-responsive.css" rel="stylesheet">
     <link href="resources/css/mitreid-connect-responsive-local.css" rel="stylesheet">
 

diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
@@ -37,7 +37,7 @@
 		</h1>
 
 		<form name="confirmationForm"
-			action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post">
+			action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }${ form_target } " method="post">
 
 			<div class="row">
 				<div class="span5 offset1 well-small" style="text-align: left">