Before Github 211 fix attempt

client-installer/buildNumber.properties

@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Wed Oct 02 16:49:28 CDT 2024
-buildNumber\\d*=409
+#Tue Oct 15 05:53:26 CDT 2024
+buildNumber\\d*=439

client-loader/src/main/java/org/oa4mp/client/loader/OA2ClientLoader.java

@@ -415,6 +415,7 @@ public DelegationService get() {
                             new PAServer2(createServiceClient(getAssetURI())),
                             new UIServer2(createServiceClient(getUIURI())),
                             new RTServer2(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()), // as per spec, refresh token server is at same endpoint as access token server.
+                            new RFC6749_4_4Server(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7009Server2(createServiceClient(getRFC7009Endpoint()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7662Server2(createServiceClient(getRFC7662Endpoint()),getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7523Server(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),

client-loader/src/main/java/org/oa4mp/client/loader/OA2ClientLoaderImpl.java

@@ -112,6 +112,7 @@ public DelegationService get() {
                             new PAServer2(createServiceClient(getAssetURI())),
                             new UIServer2(createServiceClient(getUIURI())),
                             new RTServer2(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()), // as per spec, refresh token server is at same endpoint as access token server.
+                            new RFC6749_4_4Server(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7009Server2(createServiceClient(getRFC7009Endpoint()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7662Server2(createServiceClient(getRFC7662Endpoint()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),
                             new RFC7523Server(createServiceClient(getAccessTokenURI()), getIssuer(), getWellKnownURI(), isOIDCEnabled()),

client-loader/src/main/java/org/oa4mp/client/loader/OA2MPService.java

@@ -3,6 +3,7 @@
 import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
 import edu.uiuc.ncsa.security.core.exceptions.NFWException;
 import edu.uiuc.ncsa.security.core.util.DebugUtil;
+import edu.uiuc.ncsa.security.core.util.StringUtils;
 import edu.uiuc.ncsa.security.servlet.ServiceClient;
 import edu.uiuc.ncsa.security.util.crypto.CertUtil;
 import edu.uiuc.ncsa.security.util.crypto.KeyUtil;
@@ -155,7 +156,7 @@ public ATResponse2 rfc8628Request(OA2Asset asset, String deviceCode, Map<String,
     public void preRequestCert(Asset asset, Map parameters) {
         // do nothing here in this case. Protocol says add cert req before getCert.
         if (!parameters.containsKey(getEnvironment().getConstants().get(CALLBACK_URI_KEY))) {
-            if(getEnvironment().getCallback() ==null){
+            if (getEnvironment().getCallback() == null) {
                 throw new IllegalArgumentException("missing callback in configuration");
             }
             parameters.put(getEnvironment().getConstants().get(CALLBACK_URI_KEY), getEnvironment().getCallback().toString());
@@ -215,7 +216,7 @@ private ATResponse2 processAtRequest(OA2Asset asset, DelegatedAssetRequest dar)
         ATResponse2 atResponse2 = (ATResponse2) getEnvironment().getDelegationService().getAT(dar);
         asset.setIssuedAt(new Date(atResponse2.getAccessToken().getIssuedAt()));
         //asset.setIssuedAt((Date) atResponse2.getParameters().get(OA2Claims.ISSUED_AT));
-        if(atResponse2.hasIDToken() && atResponse2.getIdToken().getPayload().containsKey(OA2Claims.SUBJECT)) {
+        if (atResponse2.hasIDToken() && atResponse2.getIdToken().getPayload().containsKey(OA2Claims.SUBJECT)) {
             asset.setUsername(atResponse2.getIdToken().getPayload().getString(OA2Claims.SUBJECT));
             asset.setIdToken(atResponse2.getIdToken());
         }
@@ -629,6 +630,49 @@ public JSONObject introspect(OA2Asset asset, boolean doRT) {
         return ds2.rfc7662(request).getResponse();
     }
 
+    public JSONObject rfc6749_4_4(OA2Asset asset, Map parameters, boolean useRFC7523) {
+        RFC6749_4_4Request req;
+        if (useRFC7523) {
+            if (!getEnvironment().hasJWKS()) {
+                throw new IllegalArgumentException("sorry, but this client does not have any keys.");
+            }
+            // do RFC 7523 stuff
+            req = new RFC6749_4_4Request(getEnvironment().getClient(), parameters,getEnvironment().getKid());
+        } else {
+            if (StringUtils.isTrivial(getEnvironment().getClient().getSecret())) {
+                throw new IllegalArgumentException("sorry, but this client does not have a secret. Cannot start a flow that requires a secret.");
+            }
+            parameters.put(CLIENT_ID, getEnvironment().getClient().getIdentifierString());
+            parameters.put(CLIENT_SECRET, getEnvironment().getClient().getSecret());
+            req = new RFC6749_4_4Request();
+        }
+        req.setParameters(parameters);
+        DS2 ds2 = (DS2) getEnvironment().getDelegationService();
+        RFC6749_4_4_Response response = ds2.rfc6749_4_4(req);
+        JSONObject json = response.getJSON();
+        if (json.containsKey(NONCE) && !NonceHerder.hasNonce((String) json.get(NONCE))) {
+            throw new InvalidNonceException("Unknown nonce.");
+        }
+        NonceHerder.removeNonce((String) json.get(NONCE)); // prevent replay attacks.
+        if(!json.containsKey(ACCESS_TOKEN)) {
+            throw new IllegalArgumentException("No access token found in server response");
+        }
+        AccessTokenImpl at = TokenFactory.createAT(json.getString(ACCESS_TOKEN));
+        asset.setAccessToken(at);
+        if(json.containsKey(ID_TOKEN)){
+            IDTokenImpl idt = TokenFactory.createIDT(json.getString(ID_TOKEN));
+            asset.setIdToken(idt);
+        }
+        if(json.containsKey(REFRESH_TOKEN)) {
+            RefreshTokenImpl rt = TokenFactory.createRT(json.getString(REFRESH_TOKEN));
+            asset.setRefreshToken(rt);
+        }else{
+          asset.setRefreshToken(null);
+        }
+        getAssetStore().save(asset);
+        return json;
+    }
+
     public JSONObject rfc7523(OA2Asset asset, Map parameters) {
         RFC7523Request request = new RFC7523Request();
         request.setKeyID(getEnvironment().getKid());
@@ -660,23 +704,7 @@ public JSONObject rfc7523(OA2Asset asset, Map parameters) {
         }
         getAssetStore().save(asset);
 
-/*
-      asset.setIssuedAt((Date) atResponse2.getParameters().get(OA2Claims.ISSUED_AT));
-        asset.setUsername((String) atResponse2.getParameters().get(OA2Claims.SUBJECT));
-        if (atResponse2.getParameters().containsKey(NONCE) && !NonceHerder.hasNonce((String) atResponse2.getParameters().get(NONCE))) {
-            throw new InvalidNonceException("Unknown nonce.");
-        }
-        NonceHerder.removeNonce((String) atResponse2.getParameters().get(NONCE)); // prevent replay attacks.
 
-        asset.setAccessToken((AccessTokenImpl) atResponse2.getAccessToken());
-        asset.setRefreshToken(atResponse2.getRefreshToken());
-        Object idToken = atResponse2.getParameters().get(OA2Constants.ID_TOKEN);
-        if (idToken != null) {
-            asset.setIdToken((JSONObject) idToken);
-        }
-        getAssetStore().save(asset);
-        return atResponse2;
- */
         return response.getResponse();
     }
 }

client/src/main/java/org/oa4mp/delegation/client/request/BasicResponse.java

@@ -26,4 +26,18 @@ public void setParameters(Map parameters) {
     }
 
     Map parameters;
+
+    /**
+     * (Optional) set the actual, unprocessed response from the server.
+     * @return
+     */
+    public String getRawResponse() {
+        return rawResponse;
+    }
+
+    public void setRawResponse(String rawResponse) {
+        this.rawResponse = rawResponse;
+    }
+
+    String rawResponse;
 }

client/src/main/java/org/oa4mp/delegation/client/request/RFC6749_4_4Request.java

@@ -0,0 +1,14 @@
+package org.oa4mp.delegation.client.request;
+
+import org.oa4mp.delegation.common.storage.clients.Client;
+
+import java.util.Map;
+
+public class RFC6749_4_4Request extends BasicRequest{
+    public RFC6749_4_4Request(Client client, Map<String, String> parameters, String keyID) {
+        super(client, parameters, keyID);
+    }
+
+    public RFC6749_4_4Request() {
+    }
+}

client/src/main/java/org/oa4mp/delegation/client/request/RFC6749_4_4_Response.java

@@ -0,0 +1,14 @@
+package org.oa4mp.delegation.client.request;
+
+import net.sf.json.JSONObject;
+
+public class RFC6749_4_4_Response extends BasicResponse{
+    /**
+     * Conveneience method that casts the parameter map to its underlying
+     * JSON object.
+     * @return
+     */
+    public JSONObject getJSON() {
+        return (JSONObject) getParameters();
+    }
+}

oa4mp-server-oauth2/buildNumber.properties

@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Wed Oct 02 16:49:27 CDT 2024
-buildNumber\\d*=12346
+#Tue Oct 15 05:52:22 CDT 2024
+buildNumber\\d*=12364

oauth2/src/main/java/org/oa4mp/delegation/server/OA2Constants.java

@@ -49,6 +49,12 @@ public interface OA2Constants {
      */
     public static String GRANT_TYPE_IMPLICIT = "implicit";
 
+    /**
+     * Use for <a href="https://tools.ietf.org/html/rfc6749#section-4.4">client credentials flow.</a>
+     */
+    // https://github.com/ncsa/oa4mp/issues/209
+    public static String GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials";
+
     // CIL-1101
     public static String GRANT_TYPE_DEVICE_FLOW = "urn:ietf:params:oauth:grant-type:device_code";
 

oauth2/src/main/java/org/oa4mp/delegation/server/client/ATServer2.java

@@ -129,6 +129,7 @@ protected ATResponse2 getAccessToken(ATRequest atRequest) {
                 response = getServiceClient().doGet(m);
             }
         }
+
         JSONObject jsonObject = getAndCheckResponse(response);
         if (!jsonObject.containsKey(ACCESS_TOKEN)) {
             throw new IllegalArgumentException(" No access token found in server response");
@@ -173,6 +174,7 @@ protected ATResponse2 getAccessToken(ATRequest atRequest) {
             ServletDebugUtil.trace(this, "Skipping id token entry...");
         }
         ATResponse2 atr = createResponse(at, rt, idToken);
+        atr.setRawResponse(response);
         atr.setParameters(params);
         return atr;
     }

oauth2/src/main/java/org/oa4mp/delegation/server/client/DS2.java

@@ -32,13 +32,15 @@ public DS2(AGServer agServer,
                PAServer paServer,
                UIServer2 uiServer,
                RTServer rtServer,
+               RFC6749_4_4Server rfc6749_4_4Server,
                RFC7009Server rfc7009Server,
                RFC7662Server rfc7662Server,
                RFC7523Server rfc7523Server,
                RFC8623Server rfc8623Server) {
         super(agServer, atServer, paServer);
         this.uiServer = uiServer;
         this.rtServer = rtServer;
+        this.rfc6749_4_4Server = rfc6749_4_4Server;
         this.rfc7009Server = rfc7009Server;
         this.rfc7662Server = rfc7662Server;
         this.rfc7523Server = rfc7523Server;
@@ -49,6 +51,8 @@ public RFC8623Server getRfc8623Server() {
         return rfc8623Server;
     }
 
+    RFC6749_4_4Server rfc6749_4_4Server;
+
     public void setRfc8623Server(RFC8623Server rfc8623Server) {
         this.rfc8623Server = rfc8623Server;
     }
@@ -90,28 +94,32 @@ public RTResponse refresh(RTRequest refreshTokenRequest) {
     }
 
     public RFC7009Response rfc7009(RFC7009Request request) {
-        return  getRfc7009Server().processRFC7009Request(request);
+        return getRfc7009Server().processRFC7009Request(request);
     }
 
     public RFC7662Response rfc7662(RFC7662Request request) {
         return getRfc7662Server().processRFC7662Request(request);
     }
 
-    public RFC7523Response rfc7523(RFC7523Request request){
-       return rfc7523Server.processRFC7523Request(request);
+    public RFC6749_4_4_Response rfc6749_4_4(RFC6749_4_4Request request) {
+        return rfc6749_4_4Server.processRFC6749_4_4Request(request);
+    }
+
+    public RFC7523Response rfc7523(RFC7523Request request) {
+        return rfc7523Server.processRFC7523Request(request);
     }
+
     @Override
     public DelegationResponse processDelegationRequest(DelegationRequest delegationRequest) {
         DelegationResponse delResp = new DelegationResponse(null);
-        Map<String,String> m = delegationRequest.getParameters();
+        Map<String, String> m = delegationRequest.getParameters();
         m.put(OA2Constants.CLIENT_ID, delegationRequest.getClient().getIdentifierString());
         m.put(OA2Constants.REDIRECT_URI, delegationRequest.getParameters().get(OA2Constants.REDIRECT_URI));
-        URI authZUri = ((AGServer2)getAgServer()).getServiceClient().host();
+        URI authZUri = ((AGServer2) getAgServer()).getServiceClient().host();
         URI redirectURI = URI.create(ServiceClient.convertToStringRequest(authZUri.toString(), m));
         delResp.setParameters(m); //send them all back.
         delResp.setRedirectUri(redirectURI);
         return delResp;
-
     }
 
     /**
@@ -132,6 +140,7 @@ public URI createRedirectURL(DelegationRequest delegationAssetRequest, AGRespons
         }
         return URI.create(rc);
     }
+
     public RFC7662Server getRfc7662Server() {
         return rfc7662Server;
     }

oauth2/src/main/java/org/oa4mp/delegation/server/client/RFC6749_4_4Server.java

@@ -0,0 +1,32 @@
+package org.oa4mp.delegation.server.client;
+
+import edu.uiuc.ncsa.security.servlet.ServiceClient;
+import net.sf.json.JSONObject;
+import org.oa4mp.delegation.client.request.RFC6749_4_4Request;
+import org.oa4mp.delegation.client.request.RFC6749_4_4_Response;
+import org.oa4mp.delegation.server.OA2Constants;
+
+import java.net.URI;
+import java.util.Map;
+
+public class RFC6749_4_4Server extends TokenAwareServer{
+    public RFC6749_4_4Server(ServiceClient serviceClient, URI issuer, String wellKnown, boolean serverOIDCEnabled) {
+        super(serviceClient, issuer, wellKnown, serverOIDCEnabled);
+    }
+    public RFC6749_4_4_Response processRFC6749_4_4Request(RFC6749_4_4Request request) {
+        Map parameters = request.getParameters();
+        String rawResponse;
+        RFC6749_4_4_Response response = new RFC6749_4_4_Response();
+        if(parameters.containsKey(OA2Constants.CLIENT_ID)) {
+            rawResponse = getServiceClient().doPost( parameters,
+                    (String)parameters.get(OA2Constants.CLIENT_ID),
+                    (String)parameters.get(OA2Constants.CLIENT_SECRET));
+            JSONObject jsonObject = JSONObject.fromObject(rawResponse);
+            response.setParameters(jsonObject);
+        }
+        // Note that the spec is very explicit that a refresh token is never returned
+        // in the initial exchange.
+        return response;
+    }
+
+}

oauth2/src/main/java/org/oa4mp/delegation/server/client/RFC7523Utils.java

@@ -26,7 +26,10 @@
  */
 public class RFC7523Utils implements RFC7523Constants {
     /**
-     * Does a POST to the endpoint using the client's key.
+     * Does a POST to the endpoint using the client's key. This fuilfills RFC 7523's section 2.2,
+     * authentication using a JWT. This returns a string (a JSON object) since there are
+     * various checks that can/should
+     * be done on the response, but not necessarily immediately.
      *
      * @param serviceClient
      * @param oa2Client
@@ -149,7 +152,8 @@ protected static JSONWebKey findKey(Client client, String kid) {
     }
 
     /**
-     * Creates an authorization grant for the client. Note that clients must have a previous
+     * Creates an authorization grant for the client as per RFC 7523 section 2.1.
+     * Note that clients must have a previous
      * trust relationship to do this, or it will fail.
      *
      * @param serviceClient

oauth2/src/main/java/org/oa4mp/delegation/server/server/IDTokenResponse.java

@@ -171,14 +171,19 @@ public void write(HttpServletResponse response) throws IOException {
         }
 
         String ss = OA2Scopes.ScopeUtil.toString(allScopes);
-        if(!StringUtils.isTrivial(ss)) {
+        if (!StringUtils.isTrivial(ss)) {
             m.put(SCOPE, ss);
         }
         // We have to compute the user metadata no matter what, but only return it if the
-        // client is OIDC.
+        // client is OIDC AND has requested it.
         if (isOIDC() || serviceTransaction.getResponseTypes().contains(RESPONSE_TYPE_ID_TOKEN)) {
-            DebugUtil.trace(this, "writing ID token response");
-            m.put(ID_TOKEN, getIdToken().getToken());
+            if (st.getScopes().contains(OA2Scopes.SCOPE_OPENID)) {
+                // It is still possible that an OIDC client does not request its openid scope.
+                // There is nothing the spec that says it has to, just that it is not acting
+                // like an OIDC client, but a standard OAuth 2 client. It can happen.
+                DebugUtil.trace(this, "writing ID token response");
+                m.put(ID_TOKEN, getIdToken().getToken());
+            }
         }
 
         JSONObject json = JSONObject.fromObject(m);