
oauth enhancements

jrivard@gmail.com 6 lat temu
rodzic
commit
b3e731402f

+ 5 - 3
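--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
@@ -85,7 +85,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet
         final Optional<OAuthRequestState> oAuthRequestState = OAuthMachine.readOAuthRequestState( pwmRequest );
 
         final OAuthUseCase oAuthUseCaseCase = oAuthRequestState.isPresent()
-                ? oAuthRequestState.get().getoAuthState().getUseCase()
+                ? oAuthRequestState.get().getOAuthState().getUseCase()
                 : OAuthUseCase.Authentication;
 
         LOGGER.trace( pwmRequest, () -> "processing oauth return request, useCase=" + oAuthUseCaseCase
@@ -102,7 +102,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet
                 {
                     if ( oAuthRequestState.isPresent() )
                     {
-                        final String nextUrl = oAuthRequestState.get().getoAuthState().getNextUrl();
+                        final String nextUrl = oAuthRequestState.get().getOAuthState().getNextUrl();
                         LOGGER.debug( pwmSession, () -> "received unrecognized oauth response, ignoring authcode and redirecting to embedded next url: " + nextUrl );
                         pwmRequest.sendRedirect( nextUrl );
                         return;
@@ -168,7 +168,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet
             return;
         }
 
-        final OAuthState oauthState = oAuthRequestState.get().getoAuthState();
+        final OAuthState oauthState = oAuthRequestState.get().getOAuthState();
         final OAuthSettings oAuthSettings = makeOAuthSettings( pwmRequest, oauthState );
         final OAuthMachine oAuthMachine = new OAuthMachine( oAuthSettings );
 
@@ -231,6 +231,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet
             return;
         }
 
+        /*
         if ( resolveResults.getExpiresSeconds() > 0 )
         {
             if ( resolveResults.getRefreshToken() == null || resolveResults.getRefreshToken().isEmpty() )
@@ -242,6 +243,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet
                 return;
             }
         }
+        */
 
         final String oauthSuppliedUsername;
         {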
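Review bot: Wrapping the expires/refresh-token check in `/* … */` (hunks `@@ -231,6 +231,7 @@` and `@@ -242,6 +243,7 @@`) leaves dead code in place and changes behavior with no record of why: a code-resolve response that carries an expiry but no refresh token now falls through to the `oauthSuppliedUsername` block instead of returning. If the check is genuinely obsolete, delete the block; if it is only unwanted for some providers, gate it on a setting rather than commenting it out. At minimum put a line above the block such as `// expiry/refresh-token validation disabled: <reason> — see commit b3e731402f` so the next reader does not re-enable it blindly. The enclosing method starts and ends outside these hunks.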

+ 52 - 32
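--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -25,6 +25,7 @@ package password.pwm.http.servlet.oauth;
 import org.apache.http.HttpStatus;
 import password.pwm.AppProperty;
 import password.pwm.bean.LoginInfoBean;
+import password.pwm.bean.SessionLabel;
 import password.pwm.bean.UserIdentity;
 import password.pwm.config.Configuration;
 import password.pwm.config.PwmSetting;
@@ -72,7 +73,7 @@ public class OAuthMachine
         this.settings = settings;
     }
 
-    public static Optional<OAuthRequestState> readOAuthRequestState(
+    static Optional<OAuthRequestState> readOAuthRequestState(
             final PwmRequest pwmRequest
     )
             throws PwmUnrecoverableException
@@ -116,6 +117,8 @@ public class OAuthMachine
         urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_RESPONSE_TYPE ), code );
         urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_STATE ), state );
         urlParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
+        urlParams.put( "resourceServer", "value" );
+        urlParams.put( "scope", "openid" );
 
         if ( userIdentity != null )
         {
@@ -159,29 +162,39 @@ public class OAuthMachine
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REDIRECT_URI ), redirectUri );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), clientID );
+        requestParams.put( "client_secret", settings.getSecret().getStringValue() );
 
         final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams );
 
-        final String resolveResponseBodyStr = restResults.getBody();
+        return resolveResultsFromResponseBody( pwmRequest.getSessionLabel(), pwmRequest.getConfig(), restResults.getBody() );
+    }
 
+    private OAuthResolveResults resolveResultsFromResponseBody(
+            final SessionLabel sessionLabel,
+            final Configuration config,
+            final String resolveResponseBodyStr
+            )
+    {
         final Map<String, String> resolveResultValues = JsonUtil.deserializeStringMap( resolveResponseBodyStr );
-        final OAuthResolveResults oAuthResolveResults = new OAuthResolveResults();
 
-        oAuthResolveResults.setAccessToken( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ) ) );
-        oAuthResolveResults.setRefreshToken( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ) ) );
-        oAuthResolveResults.setExpiresSeconds( 0 );
+        int expireSeconds = 0;
         try
         {
-            oAuthResolveResults.setExpiresSeconds( Integer.parseInt( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_EXPIRES ) ) ) );
+            expireSeconds = Integer.parseInt( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_EXPIRES ) ) );
         }
         catch ( Exception e )
         {
-            LOGGER.warn( pwmRequest, "error parsing oauth expires value in code resolver response from server at " + requestUrl + ", error: " + e.getMessage() );
+            LOGGER.warn( sessionLabel, "error parsing oauth expires value in code resolver response from server, error: " + e.getMessage() );
         }
 
-        return oAuthResolveResults;
-    }
+        final String accessToken = readAttributeFromBodyMap( resolveResultValues, config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ) );
 
+        return OAuthResolveResults.builder()
+                .accessToken( accessToken )
+                .refreshToken( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ) ) )
+                .expiresSeconds( expireSeconds )
+                .build();
+    }
 
     private OAuthResolveResults makeOAuthRefreshRequest(
             final PwmRequest pwmRequest,
@@ -199,24 +212,7 @@ public class OAuthMachine
 
         final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams );
 
-        final String resolveResponseBodyStr = restResults.getBody();
-
-        final Map<String, String> resolveResultValues = JsonUtil.deserializeStringMap( resolveResponseBodyStr );
-        final OAuthResolveResults oAuthResolveResults = new OAuthResolveResults();
-
-        oAuthResolveResults.setAccessToken( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ) ) );
-        oAuthResolveResults.setRefreshToken( refreshCode );
-        oAuthResolveResults.setExpiresSeconds( 0 );
-        try
-        {
-            oAuthResolveResults.setExpiresSeconds( Integer.parseInt( resolveResultValues.get( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_EXPIRES ) ) ) );
-        }
-        catch ( Exception e )
-        {
-            LOGGER.warn( pwmRequest, "error parsing oauth expires value in resolve request: " + e.getMessage() );
-        }
-
-        return oAuthResolveResults;
+        return resolveResultsFromResponseBody( pwmRequest.getSessionLabel(), pwmRequest.getConfig(), restResults.getBody() );
     }
 
     String makeOAuthGetAttributeRequest(
@@ -231,7 +227,7 @@ public class OAuthMachine
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
 
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth getattribute", settings, requestUrl, requestParams );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth getattribute", settings, requestUrl, requestParams, accessToken );
 
         return restResults.getBody();
     }
@@ -241,7 +237,8 @@ public class OAuthMachine
             final String debugText,
             final OAuthSettings settings,
             final String requestUrl,
-            final Map<String, String> requestParams
+            final Map<String, String> requestParams,
+            final String accessToken
     )
             throws PwmUnrecoverableException
     {
@@ -251,8 +248,15 @@ public class OAuthMachine
         final PwmHttpClientRequest pwmHttpClientRequest;
         {
             final Map<String, String> headers = new HashMap<>( );
-            headers.put( HttpHeader.Authorization.getHttpName(),
-                    new BasicAuthInfo( settings.getClientID(), settings.getSecret() ).toAuthHeader() );
+            if ( StringUtil.isEmpty(  accessToken ) )
+            {
+                headers.put( HttpHeader.Authorization.getHttpName(),
+                        new BasicAuthInfo( settings.getClientID(), settings.getSecret() ).toAuthHeader() );
+            }
+            else
+            {
+
+            }
             headers.put( HttpHeader.ContentType.getHttpName(), HttpContentType.form.getHeaderValue() );
 
             pwmHttpClientRequest = new PwmHttpClientRequest( HttpMethod.POST, requestUrl, requestBody, headers );
@@ -455,4 +459,20 @@ public class OAuthMachine
         LOGGER.debug( pwmRequest, () -> "oauth /sign endpoint returned signed username data: " + data );
         return data;
     }
+
+    private static String readAttributeFromBodyMap( final Map<String, String> bodyMap, final String attributeNames )
+    {
+        final List<String> attributeValues = StringUtil.splitAndTrim( attributeNames, "," );
+
+        for ( final String attribute : attributeValues )
+        {
+            final String value = bodyMap.get( attribute );
+            if ( !StringUtil.isEmpty( value ) )
+            {
+                return value;
+            }
+        }
+
+        return null;
+    }
 }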
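Review bot: The new `else` branch in `makeHttpRequest` (hunk `@@ -251,8 +248,15 @@`) is empty, so now that `makeOAuthGetAttributeRequest` passes `accessToken` the attribute request goes out with no `Authorization` header at all, where it previously carried the client's Basic credentials; presumably `headers.put( HttpHeader.Authorization.getHttpName(), "Bearer " + accessToken );` was intended there. The `oauth code resolver` and `OAuth refresh resolver` call sites are unchanged context lines that still pass five arguments, which only compiles if a five-argument overload exists outside these hunks. In hunk `@@ -199,24 +212,7 @@` the refresh path previously kept `refreshCode` as the result's refresh token, while `resolveResultsFromResponseBody` reads it from the response body, so a provider that does not echo a new refresh token on refresh now yields a null one. In hunk `@@ -159,29 +162,39 @@` the client secret is additionally sent as the `client_secret` form field while `makeHttpRequest` still adds it as Basic auth — RFC 6749 §2.3.1 permits one client authentication method per request, so pick one — and the hard-coded `urlParams.put( "resourceServer", "value" );` reads like a placeholder that should be made configurable or dropped.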

+ 3 - 16
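--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthRequestState.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthRequestState.java
@@ -22,27 +22,14 @@
 
 package password.pwm.http.servlet.oauth;
 
+import lombok.Value;
+
 import java.io.Serializable;
 
+@Value
 public class OAuthRequestState implements Serializable
 {
     @SuppressWarnings( "checkstyle:MemberName" )
     private OAuthState oAuthState;
     private boolean sessionMatch;
-
-    public OAuthRequestState( final OAuthState oAuthState, final boolean sessionMatch )
-    {
-        this.oAuthState = oAuthState;
-        this.sessionMatch = sessionMatch;
-    }
-
-    public OAuthState getoAuthState( )
-    {
-        return oAuthState;
-    }
-
-    public boolean isSessionMatch( )
-    {
-        return sessionMatch;
-    }
 }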
 }

+ 5 - 31
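--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthResolveResults.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthResolveResults.java
@@ -22,42 +22,16 @@
 
 package password.pwm.http.servlet.oauth;
 
+import lombok.Builder;
+import lombok.Value;
+
 import java.io.Serializable;
 
+@Value
+@Builder( toBuilder = true )
 class OAuthResolveResults implements Serializable
 {
     private String accessToken;
     private int expiresSeconds;
     private String refreshToken;
-
-
-    public String getAccessToken( )
-    {
-        return accessToken;
-    }
-
-    public void setAccessToken( final String accessToken )
-    {
-        this.accessToken = accessToken;
-    }
-
-    public int getExpiresSeconds( )
-    {
-        return expiresSeconds;
-    }
-
-    public void setExpiresSeconds( final int expiresSeconds )
-    {
-        this.expiresSeconds = expiresSeconds;
-    }
-
-    public String getRefreshToken( )
-    {
-        return refreshToken;
-    }
-
-    public void setRefreshToken( final String refreshToken )
-    {
-        this.refreshToken = refreshToken;
-    }
 }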
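Review bot: `@Value` generates a `toString()` covering every field, so `accessToken` and `refreshToken` will appear verbatim wherever an `OAuthResolveResults` instance is logged or string-concatenated, which the hand-written class without `toString()` never did. Exclude them with `@ToString.Exclude` on the two fields (or `@ToString( exclude = { "accessToken", "refreshToken" } )` on the class for older Lombok releases). The same consideration applies to `OAuthSettings`, whose generated `toString()` now includes the `secret` field unless `PasswordData.toString()` itself masks the value — worth confirming.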

+ 26 - 72
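--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
@@ -22,6 +22,8 @@
 
 package password.pwm.http.servlet.oauth;
 
+import lombok.Builder;
+import lombok.Value;
 import password.pwm.config.Configuration;
 import password.pwm.config.PwmSetting;
 import password.pwm.config.profile.ForgottenPasswordProfile;
@@ -31,6 +33,8 @@ import java.io.Serializable;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
+@Value
+@Builder
 public class OAuthSettings implements Serializable
 {
     private String loginURL;
@@ -43,57 +47,7 @@ public class OAuthSettings implements Serializable
     private List<X509Certificate> certificates;
     private String usernameSendValue;
 
-
-    private OAuthSettings( )
-    {
-    }
-
-    public String getLoginURL( )
-    {
-        return loginURL;
-    }
-
-    public String getCodeResolveUrl( )
-    {
-        return codeResolveUrl;
-    }
-
-    public String getAttributesUrl( )
-    {
-        return attributesUrl;
-    }
-
-    public String getClientID( )
-    {
-        return clientID;
-    }
-
-    public PasswordData getSecret( )
-    {
-        return secret;
-    }
-
-    public String getDnAttributeName( )
-    {
-        return dnAttributeName;
-    }
-
-    public OAuthUseCase getUse( )
-    {
-        return use;
-    }
-
-    public List<X509Certificate> getCertificates( )
-    {
-        return certificates;
-    }
-
-    public String getUsernameSendValue( )
-    {
-        return usernameSendValue;
-    }
-
-    public boolean oAuthIsConfigured( )
+    public boolean oAuthIsConfigured()
     {
         return ( loginURL != null && !loginURL.isEmpty() )
                 && ( codeResolveUrl != null && !codeResolveUrl.isEmpty() )
@@ -105,30 +59,30 @@ public class OAuthSettings implements Serializable
 
     public static OAuthSettings forSSOAuthentication( final Configuration config )
     {
-        final OAuthSettings settings = new OAuthSettings();
-        settings.loginURL = config.readSettingAsString( PwmSetting.OAUTH_ID_LOGIN_URL );
-        settings.codeResolveUrl = config.readSettingAsString( PwmSetting.OAUTH_ID_CODERESOLVE_URL );
-        settings.attributesUrl = config.readSettingAsString( PwmSetting.OAUTH_ID_ATTRIBUTES_URL );
-        settings.clientID = config.readSettingAsString( PwmSetting.OAUTH_ID_CLIENTNAME );
-        settings.secret = config.readSettingAsPassword( PwmSetting.OAUTH_ID_SECRET );
-        settings.dnAttributeName = config.readSettingAsString( PwmSetting.OAUTH_ID_DN_ATTRIBUTE_NAME );
-        settings.certificates = config.readSettingAsCertificate( PwmSetting.OAUTH_ID_CERTIFICATE );
-        settings.use = OAuthUseCase.Authentication;
-        return settings;
+        return OAuthSettings.builder()
+                .loginURL( config.readSettingAsString( PwmSetting.OAUTH_ID_LOGIN_URL ) )
+                .codeResolveUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_CODERESOLVE_URL ) )
+                .attributesUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_ATTRIBUTES_URL ) )
+                .clientID( config.readSettingAsString( PwmSetting.OAUTH_ID_CLIENTNAME ) )
+                .secret( config.readSettingAsPassword( PwmSetting.OAUTH_ID_SECRET ) )
+                .dnAttributeName( config.readSettingAsString( PwmSetting.OAUTH_ID_DN_ATTRIBUTE_NAME ) )
+                .certificates( config.readSettingAsCertificate( PwmSetting.OAUTH_ID_CERTIFICATE ) )
+                .use( OAuthUseCase.Authentication )
+                .build();
     }
 
     public static OAuthSettings forForgottenPassword( final ForgottenPasswordProfile config )
     {
-        final OAuthSettings settings = new OAuthSettings();
-        settings.loginURL = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_LOGIN_URL );
-        settings.codeResolveUrl = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_CODERESOLVE_URL );
-        settings.attributesUrl = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_ATTRIBUTES_URL );
-        settings.clientID = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_CLIENTNAME );
-        settings.secret = config.readSettingAsPassword( PwmSetting.RECOVERY_OAUTH_ID_SECRET );
-        settings.dnAttributeName = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_DN_ATTRIBUTE_NAME );
-        settings.certificates = config.readSettingAsCertificate( PwmSetting.RECOVERY_OAUTH_ID_CERTIFICATE );
-        settings.use = OAuthUseCase.ForgottenPassword;
-        settings.usernameSendValue = config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_USERNAME_SEND_VALUE );
-        return settings;
+        return OAuthSettings.builder()
+                .loginURL( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_LOGIN_URL ) )
+                .codeResolveUrl( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_CODERESOLVE_URL ) )
+                .attributesUrl( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_ATTRIBUTES_URL ) )
+                .clientID( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_CLIENTNAME ) )
+                .secret( config.readSettingAsPassword( PwmSetting.RECOVERY_OAUTH_ID_SECRET ) )
+                .dnAttributeName( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_DN_ATTRIBUTE_NAME ) )
+                .certificates( config.readSettingAsCertificate( PwmSetting.RECOVERY_OAUTH_ID_CERTIFICATE ) )
+                .use( OAuthUseCase.ForgottenPassword )
+                .usernameSendValue( config.readSettingAsString( PwmSetting.RECOVERY_OAUTH_ID_USERNAME_SEND_VALUE ) )
+                .build();
     }
 }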

+ 25 - 61
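--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthState.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthState.java
@@ -23,23 +23,31 @@
 package password.pwm.http.servlet.oauth;
 
 import com.google.gson.annotations.SerializedName;
+import lombok.Builder;
+import lombok.Value;
+import password.pwm.util.java.AtomicLoopIntIncrementer;
 
 import java.io.Serializable;
-import java.util.Date;
+import java.time.Instant;
 
 /*
     This serialized JSON object is passed to the browser during the OAuth request sequence.  The state is forwarded to the OAuth server and then returned (without
     modification when the OAuth server redirects back here.
  */
+
+@Value
+@Builder
 class OAuthState implements Serializable
 {
-    private static int oauthStateIdCounter = 0;
+    private static final AtomicLoopIntIncrementer OAUTH_STATE_ID_COUNTER = new AtomicLoopIntIncrementer( Integer.MAX_VALUE );
 
     @SerializedName( "c" )
-    private final int stateID = oauthStateIdCounter++;
+    @Builder.Default
+    private final int stateID = OAUTH_STATE_ID_COUNTER.next();
 
     @SerializedName( "t" )
-    private final Date issueTime = new Date();
+    @Builder.Default
+    private final Instant issueTime = Instant.now();
 
     @SerializedName( "i" )
     private String sessionID;
@@ -48,7 +56,7 @@ class OAuthState implements Serializable
     private String nextUrl;
 
     @SerializedName( "u" )
-    private OAuthUseCase use;
+    private OAuthUseCase useCase;
 
     @SerializedName( "f" )
     private String forgottenProfileId;
@@ -56,66 +64,22 @@ class OAuthState implements Serializable
     @SerializedName( "v" )
     private int version = 1;
 
-    private OAuthState( )
-    {
-    }
-
-    public static int getOauthStateIdCounter( )
-    {
-        return oauthStateIdCounter;
-    }
-
-    public int getStateID( )
-    {
-        return stateID;
-    }
-
-    public Date getIssueTime( )
-    {
-        return issueTime;
-    }
-
-    public String getSessionID( )
-    {
-        return sessionID;
-    }
-
-    public String getNextUrl( )
-    {
-        return nextUrl;
-    }
-
-    public OAuthUseCase getUseCase( )
-    {
-        return use;
-    }
-
-    public int getVersion( )
-    {
-        return version;
-    }
-
-    public String getForgottenProfileId( )
-    {
-        return forgottenProfileId;
-    }
-
-    public static OAuthState newSSOAuthenticationState( final String sessionID, final String nextUrl )
+    static OAuthState newSSOAuthenticationState( final String sessionID, final String nextUrl )
     {
-        final OAuthState state = new OAuthState();
-        state.sessionID = sessionID;
-        state.nextUrl = nextUrl;
-        state.use = OAuthUseCase.Authentication;
-        return state;
+        return OAuthState.builder()
+                .sessionID( sessionID )
+                .nextUrl( nextUrl )
+                .useCase( OAuthUseCase.Authentication )
+                .build();
     }
 
-    public static OAuthState newForgottenPasswordState( final String sessionID, final String forgottenProfileId )
+    static OAuthState newForgottenPasswordState( final String sessionID, final String forgottenProfileId )
     {
-        final OAuthState state = new OAuthState();
-        state.sessionID = sessionID;
-        state.forgottenProfileId = forgottenProfileId;
-        state.use = OAuthUseCase.ForgottenPassword;
-        return state;
+        return OAuthState.builder()
+                .sessionID( sessionID )
+                .forgottenProfileId( forgottenProfileId )
+                .useCase( OAuthUseCase.ForgottenPassword )
+                .build();
     }
 
 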
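Review bot: Changing `issueTime` from `Date` to `Instant` (hunk `@@ -23,23 +23,31 @@`) alters the serialized form of the `"t"` member that this class's own header comment says round-trips through the browser and the OAuth server, yet `version` stays at `1`, so a state issued by the previous build and returned after an upgrade is parsed against the new shape with nothing to tell the two apart; bump `version` and check it in `readOAuthRequestState`, or keep the field type. Gson has no built-in `Instant` adapter, so unless `JsonUtil` registers one it falls back to reflective access to `java.time.Instant` internals, which is rejected by default on Java 16+ — worth confirming how `JsonUtil` is configured. A one-line comment on `issueTime` recording the wire format chosen, e.g. `// serialized as "t"; format is fixed by JsonUtil's Instant adapter — changing it invalidates in-flight states`, would make the coupling visible to the next reader.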

+ 2 - 2
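--- a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
+++ b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -1024,13 +1024,13 @@ Setting_Label_newUser.token.lifetime.sms=New User SMS Token Maximum Lifetime
 Setting_Label_newUser.username.definition=LDAP Entry ID Definition
 Setting_Label_newUser.writeAttributes=New User Actions
 Setting_Label_notes.noteText=Configuration Notes
-Setting_Label_oauth.idserver.attributesUrl=OAuth Profile Service URL
+Setting_Label_oauth.idserver.attributesUrl=OAuth Profile/UserInfo Service URL
 Setting_Label_oauth.idserver.clientName=OAuth Client ID
 Setting_Label_oauth.idserver.codeResolveUrl=OAuth Code Resolve Service URL
 Setting_Label_oauth.idserver.dnAttributeName=OAuth User Name/DN Login Attribute
 Setting_Label_oauth.idserver.loginUrl=OAuth Login URL
 Setting_Label_oauth.idserver.secret=OAuth Shared Secret
-Setting_Label_oauth.idserver.serverCerts=OAUTH Web Service Server Certificate
+Setting_Label_oauth.idserver.serverCerts=OAuth Server Certificate
 Setting_Label_otp.enabled=Allow Saving One Time Passwords
 Setting_Label_otp.forceSetup=Force Setup of One Time Passwords
 Setting_Label_otp.profile.list=OTP Profiles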