Resolve conflicts #650

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
@@ -78,7 +78,8 @@
                             ${project.artifactId}
                         </Bundle-SymbolicName>
                         <Import-Package>
-                            org.apache.oltu.oauth2.common.validators; version="${oltu.package.import.version.range}",
+                            org.apache.oltu.oauth2.as.validator; version="${oltu.package.import.version.range}",
+                            org.apache.oltu.oauth2.common.*; version="${oltu.package.import.version.range}",
                             org.wso2.carbon.identity.base; version="${carbon.identity.framework.imp.pkg.version.range}"
                         </Import-Package>
                         <Export-Package>

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -305,6 +305,7 @@ public static class OIDCClaims {
         public static final String AT_HASH = "at_hash";
         public static final String NONCE = "nonce";
         public static final String ACR = "acr";
+        public static final String MAX_AGE = "max_age";
         // OIDC Specification : http://openid.net/specs/openid-connect-core-1_0.html
         public static final String C_HASH = "c_hash";
 

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java

@@ -62,6 +62,7 @@
 import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
 import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
 import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
+import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestException;
 import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestParentException;
 import org.wso2.carbon.identity.oauth.endpoint.message.OAuthMessage;
 import org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil;
@@ -832,6 +833,7 @@ private void addUserAttributesToCache(SessionDataCacheEntry sessionDataCacheEntr
         authorizationGrantCacheEntry.setEssentialClaims(
                 sessionDataCacheEntry.getoAuth2Parameters().getEssentialClaims());
         authorizationGrantCacheEntry.setAuthTime(sessionDataCacheEntry.getAuthTime());
+        authorizationGrantCacheEntry.setMaxAge(sessionDataCacheEntry.getoAuth2Parameters().getMaxAge());
         authorizationGrantCacheEntry.setRequestObject(sessionDataCacheEntry.getoAuth2Parameters().
                 getRequestObject());
         AuthorizationGrantCache.getInstance().addToCacheByCode(
@@ -861,7 +863,7 @@ private void addUserAttributesToCache(SessionDataCacheEntry sessionDataCacheEntr
      * @throws OAuthProblemException OAuthProblemException
      */
     private String handleOAuthAuthorizationRequest(OAuthMessage oAuthMessage)
-            throws OAuthSystemException, OAuthProblemException {
+            throws OAuthSystemException, OAuthProblemException, InvalidRequestException {
 
         OAuth2ClientValidationResponseDTO validationResponse = validateClient(oAuthMessage);
 
@@ -1035,7 +1037,7 @@ private void addSPDisplayNameParam(String clientId, OAuth2Parameters params) thr
 
     private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAuthMessage,
                                            OAuth2ClientValidationResponseDTO validationResponse,
-                                           OAuthAuthzRequest oauthRequest) throws OAuthSystemException {
+                                           OAuthAuthzRequest oauthRequest) throws OAuthSystemException, InvalidRequestException {
 
         addSPDisplayNameParam(oAuthMessage.getClientId(), params);
         params.setClientId(oAuthMessage.getClientId());
@@ -1076,15 +1078,20 @@ private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAu
         if (StringUtils.isNotBlank(oauthRequest.getParam(ACR_VALUES)) && !"null".equals(oauthRequest.getParam
                 (ACR_VALUES))) {
             String[] acrValues = oauthRequest.getParam(ACR_VALUES).split(" ");
-            LinkedHashSet list = new LinkedHashSet();
-            for (String acrValue : acrValues) {
-                list.add(acrValue);
-            }
+            LinkedHashSet<String> list = new LinkedHashSet<>();
+            list.addAll(Arrays.asList(acrValues));
             params.setACRValues(list);
         }
         if (StringUtils.isNotBlank(oauthRequest.getParam(CLAIMS))) {
             params.setEssentialClaims(oauthRequest.getParam(CLAIMS));
         }
+
+        handleMaxAgeParameter(oauthRequest, params);
+
+        /*
+            OIDC Request object will supersede parameters sent in the OAuth Authorization request. So handling the
+            OIDC Request object needs to done after processing all request parameters.
+         */
         try {
             handleOIDCRequestObject(oauthRequest, params);
         } catch (RequestObjectException e) {
@@ -1094,6 +1101,20 @@ private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAu
         return null;
     }
 
+    private void handleMaxAgeParameter(OAuthAuthzRequest oauthRequest,
+                                       OAuth2Parameters params) throws InvalidRequestException {
+        // Set max_age parameter sent in the authorization request.
+        String maxAgeParam = oauthRequest.getParam(OAuthConstants.OIDCClaims.MAX_AGE);
+        if (StringUtils.isNotBlank(maxAgeParam)) {
+            try {
+                params.setMaxAge(Long.parseLong(maxAgeParam));
+            } catch (NumberFormatException ex) {
+                log.error("Invalid max_age parameter: '" + maxAgeParam + "' sent in the authorization request.");
+                throw new InvalidRequestException("Invalid max_age parameter value sent in the authorization request.");
+            }
+        }
+    }
+
     private void handleOIDCRequestObject(OAuthAuthzRequest oauthRequest, OAuth2Parameters parameters)
             throws RequestObjectException {
 
@@ -1125,9 +1146,9 @@ private void handleRequestObject(OAuthAuthzRequest oauthRequest, OAuth2Parameter
                         "request object instance is null.");
             }
             validateSignatureAndContent(parameters, requestObject);
-            /**
-             * When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede
-             * those passed using the OAuth 2.0 request syntax
+            /*
+              When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede
+              those passed using the OAuth 2.0 request syntax
              */
             overrideAuthzParameters(parameters, oauthRequest.getParam(REQUEST), oauthRequest.getParam(REQUEST_URI),
                     requestObject);
@@ -1175,6 +1196,9 @@ private void overrideAuthzParameters(OAuth2Parameters params, String requestPara
             if (ArrayUtils.isNotEmpty(requestObject.getScopes())) {
                 params.setScopes(new HashSet<>(Arrays.asList(requestObject.getScopes())));
             }
+            if (requestObject.getMaxAge() != 0 ) {
+                params.setMaxAge(requestObject.getMaxAge());
+            }
         }
     }
 
@@ -1370,8 +1394,8 @@ private String getUserConsentURL(String sessionDataKey, OAuth2Parameters oauth2P
      * @param oauth2Params
      * @return
      */
-    private OAuth2AuthorizeRespDTO authorize(OAuth2Parameters oauth2Params
-            , SessionDataCacheEntry sessionDataCacheEntry) {
+    private OAuth2AuthorizeRespDTO authorize(OAuth2Parameters oauth2Params,
+                                             SessionDataCacheEntry sessionDataCacheEntry) {
 
         OAuth2AuthorizeReqDTO authzReqDTO = buildAuthRequest(oauth2Params, sessionDataCacheEntry);
         return getOAuth2Service().authorize(authzReqDTO);
@@ -1390,7 +1414,8 @@ private OAuth2AuthorizeReqDTO buildAuthRequest(OAuth2Parameters oauth2Params, Se
         authzReqDTO.setPkceCodeChallenge(oauth2Params.getPkceCodeChallenge());
         authzReqDTO.setPkceCodeChallengeMethod(oauth2Params.getPkceCodeChallengeMethod());
         authzReqDTO.setTenantDomain(oauth2Params.getTenantDomain());
-        authzReqDTO.setAuthTime(oauth2Params.getAuthTime());
+        authzReqDTO.setAuthTime(sessionDataCacheEntry.getAuthTime());
+        authzReqDTO.setMaxAge(oauth2Params.getMaxAge());
         authzReqDTO.setEssentialClaims(oauth2Params.getEssentialClaims());
         return authzReqDTO;
     }

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java

@@ -85,8 +85,6 @@ public Response issueAccessToken(@Context HttpServletRequest request,
             }
 
             HttpServletRequestWrapper httpRequest = new OAuthRequestWrapper(request, paramMap);
-            String consumerKey = getConsumerKey(httpRequest);
-            validateOAuthApplication(consumerKey);
 
             CarbonOAuthTokenRequest oauthRequest = buildCarbonOAuthTokenRequest(httpRequest);
             OAuth2AccessTokenRespDTO oauth2AccessTokenResp = issueAccessToken(oauthRequest);
@@ -251,8 +249,6 @@ private void validateAuthorizationHeader(HttpServletRequest request, Multivalued
             if (log.isDebugEnabled()) {
                 log.error("Error while extracting credentials from authorization header", e);
             }
-
-            throw new TokenEndpointAccessDeniedException("Client Authentication failed. Invalid Authorization Header");
         }
     }
 

components/org.wso2.carbon.identity.oauth.endpoint/src/test/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpointTest.java

@@ -176,19 +176,18 @@ public Object[][] testIssueAccessTokenDataProvider() {
                 {CLIENT_ID_VALUE, AUTHORIZATION_HEADER, mapWithCredentials, GrantType.PASSWORD.toString(), null, null,
                         null, HttpServletResponse.SC_UNAUTHORIZED, OAuth2ErrorCodes.INVALID_CLIENT },
 
-                // Request with invalid authorization header. Will return unauthorized error
+                // Request with invalid authorization header. Will return bad request error
                 {CLIENT_ID_VALUE, inCorrectAuthzHeader, mapWithClientId, GrantType.PASSWORD.toString(), null, null,
-                        null, HttpServletResponse.SC_UNAUTHORIZED, OAuth2ErrorCodes.INVALID_CLIENT },
+                        null, HttpServletResponse.SC_BAD_REQUEST, OAuth2ErrorCodes.INVALID_REQUEST },
 
-                // Request from inactive client. Will give unauthorized error
+                // Request from inactive client. Will give correct response, inactive client state should be handled
+                // in access token issuer
                 {INACTIVE_CLIENT_ID_VALUE, inactiveClientHeader, new MultivaluedHashMap<String, String>(),
-                        GrantType.PASSWORD.toString(), null, null, null, HttpServletResponse.SC_UNAUTHORIZED,
-                        OAuth2ErrorCodes.INVALID_CLIENT },
+                        GrantType.PASSWORD.toString(), null, null, null, HttpServletResponse.SC_OK, "" },
 
-                // Request from invalid client. Will give unauthorized error
+                // Request from invalid client. Will give correct response, invalid-id is handles in access token issuer
                 {"invalidId", invalidClientHeader, new MultivaluedHashMap<String, String>(),
-                        GrantType.PASSWORD.toString(), null, null, null, HttpServletResponse.SC_UNAUTHORIZED,
-                        OAuth2ErrorCodes.INVALID_CLIENT },
+                        GrantType.PASSWORD.toString(), null, null, null, HttpServletResponse.SC_OK,"" },
 
                 // Request without client id and authz header. Will give bad request error
                 {null, null, new MultivaluedHashMap<String, String>(), GrantType.PASSWORD.toString(), null, null, null,

components/org.wso2.carbon.identity.oauth.scope.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>5.5.158-SNAPSHOT</version>
+        <version>5.5.177-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.scope.endpoint/src/gen/java/org/wso2/carbon/identity/oauth/scope/endpoint/ScopesApi.java

@@ -31,29 +31,29 @@ public class ScopesApi  {
     @Path("/name/{name}")
     @Consumes({ "application/json" })
     @Produces({ "application/json" })
-    @io.swagger.annotations.ApiOperation(value = "Deletes a Scope\n", notes = "This API is used to delete scope by scope name.\n", response = String.class)
+    @io.swagger.annotations.ApiOperation(value = "Deletes a Scope\n", notes = "This API is used to delete a scope by a given scope name.\n", response = String.class)
     @io.swagger.annotations.ApiResponses(value = { 
-        @io.swagger.annotations.ApiResponse(code = 204, message = "Successful deleted"),
+        @io.swagger.annotations.ApiResponse(code = 204, message = "Successfully deleted"),
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
-    public Response deleteScope(@ApiParam(value = "scope name of the scope which need to get deleted",required=true ) @PathParam("name") String name)
+    public Response deleteScope(@ApiParam(value = "Name of the scope that is to be deleted",required=true ) @PathParam("name") String name)
     {
     return delegate.deleteScope(name);
     }
     @GET
     @Path("/name/{name}")
     @Consumes({ "application/json" })
     @Produces({ "application/json" })
-    @io.swagger.annotations.ApiOperation(value = "Returns a Scope by Scope Name\n", notes = "This API is used to get a scope by given scope name.\n", response = ScopeDTO.class)
+    @io.swagger.annotations.ApiOperation(value = "Returns a Scope by Scope Name\n", notes = "This API is used to retrieve details of a scope by a given scope name.\n", response = ScopeDTO.class)
     @io.swagger.annotations.ApiResponses(value = { 
-        @io.swagger.annotations.ApiResponse(code = 200, message = "Successful Retrieved"),
+        @io.swagger.annotations.ApiResponse(code = 200, message = "Successfully Retrieved"),
 
         @io.swagger.annotations.ApiResponse(code = 404, message = "Not Found"),
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
-    public Response getScope(@ApiParam(value = "scope name of the scope which the details to be retrieved",required=true ) @PathParam("name") String name)
+    public Response getScope(@ApiParam(value = "Name of the scope that is to be retrieved",required=true ) @PathParam("name") String name)
     {
     return delegate.getScope(name);
     }
@@ -63,30 +63,30 @@ public Response getScope(@ApiParam(value = "scope name of the scope which the de
     @Produces({ "application/json" })
     @io.swagger.annotations.ApiOperation(value = "Returns all available Scopes\n", notes = "This API is used to get all the available scopes.\n", response = ScopeDTO.class, responseContainer = "List")
     @io.swagger.annotations.ApiResponses(value = { 
-        @io.swagger.annotations.ApiResponse(code = 200, message = "Successful Retrieved"),
+        @io.swagger.annotations.ApiResponse(code = 200, message = "Successfully Retrieved"),
 
         @io.swagger.annotations.ApiResponse(code = 404, message = "Not Found"),
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
-    public Response getScopes(@ApiParam(value = "start index of the list of scopes to be retrieved") @QueryParam("startIndex") Integer startIndex,
-    @ApiParam(value = "a limited number of scopes to be retrieved") @QueryParam("count") Integer count)
+    public Response getScopes(@ApiParam(value = "The start index of the list of scopes to be retrieved") @QueryParam("startIndex") Integer startIndex,
+    @ApiParam(value = "Number of scopes to retrieve from the point of the start index") @QueryParam("count") Integer count)
     {
     return delegate.getScopes(startIndex,count);
     }
     @HEAD
     @Path("/name/{name}")
     @Consumes({ "application/json" })
     @Produces({ "application/json" })
-    @io.swagger.annotations.ApiOperation(value = "Check Scope Existance using Scope Name\n", notes = "This API is used to check scope existance using scope name.\n", response = String.class)
+    @io.swagger.annotations.ApiOperation(value = "Check Scope Existance using Scope Name\n", notes = "This API is used to check a scope's existance using a given scope name.\n", response = String.class)
     @io.swagger.annotations.ApiResponses(value = { 
         @io.swagger.annotations.ApiResponse(code = 200, message = "Scope Exists"),
 
         @io.swagger.annotations.ApiResponse(code = 404, message = "Not Found"),
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
-    public Response isScopeExists(@ApiParam(value = "scope name of the scope which the existance should be checked",required=true ) @PathParam("name") String name)
+    public Response isScopeExists(@ApiParam(value = "Name of the scope that is to be checked",required=true ) @PathParam("name") String name)
     {
     return delegate.isScopeExists(name);
     }
@@ -104,24 +104,24 @@ public Response isScopeExists(@ApiParam(value = "scope name of the scope which t
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
-    public Response registerScope(@ApiParam(value = "a scope with the bindings which to be registered" ,required=true ) ScopeDTO scope)
+    public Response registerScope(@ApiParam(value = "Define a scope with bindings to register it" ,required=true ) ScopeDTO scope)
     {
     return delegate.registerScope(scope);
     }
     @PUT
     @Path("/name/{name}")
     @Consumes({ "application/json" })
     @Produces({ "application/json" })
-    @io.swagger.annotations.ApiOperation(value = "Updates a Scope\n", notes = "This API is used to update a scope by scope name.\n", response = ScopeDTO.class)
+    @io.swagger.annotations.ApiOperation(value = "Updates a Scope\n", notes = "This API is used to update a scope by a given scope name.\n", response = ScopeDTO.class)
     @io.swagger.annotations.ApiResponses(value = { 
-        @io.swagger.annotations.ApiResponse(code = 200, message = "Successful updated"),
+        @io.swagger.annotations.ApiResponse(code = 200, message = "Successfully updated"),
 
         @io.swagger.annotations.ApiResponse(code = 409, message = "Conflict"),
 
         @io.swagger.annotations.ApiResponse(code = 500, message = "Server Error") })
 
     public Response updateScope(@ApiParam(value = "updated scope" ,required=true ) ScopeToUpdateDTO scope,
-    @ApiParam(value = "scope name of the scope which need to get updated",required=true ) @PathParam("name") String name)
+    @ApiParam(value = "Name of the scope that is to be updated",required=true ) @PathParam("name") String name)
     {
     return delegate.updateScope(scope,name);
     }