Merge remote-tracking branch 'upstream/master' into responseModeValid…

…ation

# Conflicts:
#	components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/par/OAuth2ParEndpoint.java

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>6.11.131-SNAPSHOT</version>
+    <version>6.11.132-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -5,12 +5,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>6.11.131-SNAPSHOT</version>
+    <version>6.11.132-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>6.11.131-SNAPSHOT</version>
+        <version>6.11.132-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java

@@ -2502,6 +2502,14 @@ private void handleOIDCRequestObject(OAuthMessage oAuthMessage, OAuthAuthzReques
         } else if (isRequestParameter(oauthRequest)) {
             requestObjValue = oauthRequest.getParam(REQUEST);
         }
+        /* Mandate request object for FAPI requests.
+           https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server (5.2.2-1)  */
+        if (isFapiConformant(oAuthMessage.getClientId())) {
+            if (requestObjValue == null) {
+                throw new InvalidRequestException("Request Object is mandatory for FAPI Conformant Applications.",
+                        OAuth2ErrorCodes.INVALID_REQUEST, "Request object is missing.");
+            }
+        }
 
         if (StringUtils.isNotEmpty(requestObjValue)) {
             handleRequestObject(oAuthMessage, oauthRequest, parameters);
@@ -2547,8 +2555,10 @@ private void handleRequestObject(OAuthMessage oAuthMessage, OAuthAuthzRequest oa
               When the request parameter is used, the OpenID Connect request parameter values contained in the JWT
               supersede those passed using the OAuth 2.0 request syntax
              */
+        boolean isFapiConformant = isFapiConformant(oAuthMessage.getClientId());
+        // If FAPI conformant, claims outside request object should be ignored.
         overrideAuthzParameters(oAuthMessage, parameters, oauthRequest.getParam(REQUEST),
-                oauthRequest.getParam(REQUEST_URI), requestObject);
+                oauthRequest.getParam(REQUEST_URI), requestObject, isFapiConformant);
 
         // If the redirect uri was not given in auth request the registered redirect uri will be available here,
         // so validating if the registered redirect uri is a single uri that can be properly redirected.
@@ -2571,17 +2581,18 @@ private void handleRequestObject(OAuthMessage oAuthMessage, OAuthAuthzRequest oa
 
     private void overrideAuthzParameters(OAuthMessage oAuthMessage, OAuth2Parameters params,
                                          String requestParameterValue,
-                                         String requestURIParameterValue, RequestObject requestObject) {
+                                         String requestURIParameterValue, RequestObject requestObject,
+                                         boolean ignoreClaimsOutsideRequestObject) {
 
         if (StringUtils.isNotBlank(requestParameterValue) || StringUtils.isNotBlank(requestURIParameterValue)) {
-            replaceIfPresent(requestObject, REDIRECT_URI, params::setRedirectURI);
-            replaceIfPresent(requestObject, NONCE, params::setNonce);
-            replaceIfPresent(requestObject, STATE, params::setState);
-            replaceIfPresent(requestObject, DISPLAY, params::setDisplay);
-            replaceIfPresent(requestObject, RESPONSE_MODE, params::setResponseMode);
-            replaceIfPresent(requestObject, LOGIN_HINT, params::setLoginHint);
-            replaceIfPresent(requestObject, ID_TOKEN_HINT, params::setIDTokenHint);
-            replaceIfPresent(requestObject, PROMPT, params::setPrompt);
+            replaceIfPresent(requestObject, REDIRECT_URI, params::setRedirectURI, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, NONCE, params::setNonce, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, STATE, params::setState, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, DISPLAY, params::setDisplay, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, RESPONSE_MODE, params::setResponseMode, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, LOGIN_HINT, params::setLoginHint, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, ID_TOKEN_HINT, params::setIDTokenHint, ignoreClaimsOutsideRequestObject);
+            replaceIfPresent(requestObject, PROMPT, params::setPrompt, ignoreClaimsOutsideRequestObject);
 
             if (requestObject.getClaim(CLAIMS) instanceof net.minidev.json.JSONObject) {
                 // Claims in the request object is in the type of net.minidev.json.JSONObject,
@@ -2593,8 +2604,8 @@ private void overrideAuthzParameters(OAuthMessage oAuthMessage, OAuth2Parameters
             if (isPkceSupportEnabled()) {
                 // If code_challenge and code_challenge_method is sent inside the request object then add them to
                 // Oauth2 parameters.
-                replaceIfPresent(requestObject, CODE_CHALLENGE, params::setPkceCodeChallenge);
-                replaceIfPresent(requestObject, CODE_CHALLENGE_METHOD, params::setPkceCodeChallengeMethod);
+                replaceIfPresent(requestObject, CODE_CHALLENGE, params::setPkceCodeChallenge, false);
+                replaceIfPresent(requestObject, CODE_CHALLENGE_METHOD, params::setPkceCodeChallengeMethod, false);
             }
 
             if (StringUtils.isNotEmpty(requestObject.getClaimValue(SCOPE))) {
@@ -2658,11 +2669,14 @@ private List<String> getAcrValues(RequestObject requestObject) {
         return acrRequestedValues;
     }
 
-    private void replaceIfPresent(RequestObject requestObject, String claim, Consumer<String> consumer) {
+    private void replaceIfPresent(RequestObject requestObject, String claim, Consumer<String> consumer,
+                                  boolean ignoreClaimsOutsideRequestObject) {
 
         String claimValue = requestObject.getClaimValue(claim);
         if (StringUtils.isNotEmpty(claimValue)) {
             consumer.accept(claimValue);
+        } else if (ignoreClaimsOutsideRequestObject) {
+            consumer.accept(null);
         }
     }
 

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/par/OAuth2ParEndpoint.java

@@ -240,7 +240,7 @@ private void validateAuthzRequest(HttpServletRequest request) throws ParCoreExce
             OAuthAuthzRequest oAuthAuthzRequest = getOAuthAuthzRequest(request);
             RequestObject requestObject = validateRequestObject(oAuthAuthzRequest);
             Map<String, String> oauthParams = overrideRequestObjectParams(request, requestObject);
-            if (isFAPIConformantApp(oAuthAuthzRequest.getClientId())) {
+            if (isFapiConformant(oAuthAuthzRequest.getClientId())) {
                 EndpointUtil.validateFAPIAllowedResponseTypeAndMode(oauthParams.get(RESPONSE_TYPE),
                         oauthParams.get(RESPONSE_MODE));
             }
@@ -302,18 +302,23 @@ private RequestObject validateRequestObject(OAuthAuthzRequest oAuthAuthzRequest)
 
         try {
             RequestObject requestObject = null;
-            if (OAuth2Util.isOIDCAuthzRequest(oAuthAuthzRequest.getScopes()) &&
-                    StringUtils.isNotBlank(oAuthAuthzRequest.getParam(REQUEST))) {
-
-                OAuth2Parameters parameters = new OAuth2Parameters();
-                parameters.setClientId(oAuthAuthzRequest.getClientId());
-                parameters.setRedirectURI(oAuthAuthzRequest.getRedirectURI());
-                parameters.setResponseType(oAuthAuthzRequest.getResponseType());
-                parameters.setTenantDomain(getSPTenantDomainFromClientId(oAuthAuthzRequest.getClientId()));
-
-                requestObject = OIDCRequestObjectUtil.buildRequestObject(oAuthAuthzRequest, parameters);
-                if (requestObject == null) {
-                    throw new ParClientException(OAuth2ErrorCodes.INVALID_REQUEST, ParConstants.INVALID_REQUEST_OBJECT);
+            if (OAuth2Util.isOIDCAuthzRequest(oAuthAuthzRequest.getScopes())) {
+                if (StringUtils.isNotBlank(oAuthAuthzRequest.getParam(REQUEST))) {
+
+                    OAuth2Parameters parameters = new OAuth2Parameters();
+                    parameters.setClientId(oAuthAuthzRequest.getClientId());
+                    parameters.setRedirectURI(oAuthAuthzRequest.getRedirectURI());
+                    parameters.setResponseType(oAuthAuthzRequest.getResponseType());
+                    parameters.setTenantDomain(getSPTenantDomainFromClientId(oAuthAuthzRequest.getClientId()));
+
+                    requestObject = OIDCRequestObjectUtil.buildRequestObject(oAuthAuthzRequest, parameters);
+                    if (requestObject == null) {
+                        throw new ParClientException(OAuth2ErrorCodes.INVALID_REQUEST, ParConstants.INVALID_REQUEST_OBJECT);
+                    }
+                } else if (isFapiConformant(oAuthAuthzRequest.getClientId())) {
+                    /* Mandate request object for FAPI requests
+                    https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server (5.2.2-1) */
+                    throw new ParClientException(OAuth2ErrorCodes.INVALID_REQUEST, ParConstants.REQUEST_OBJECT_MISSING);
                 }
             }
             return requestObject;
@@ -325,12 +330,12 @@ private RequestObject validateRequestObject(OAuthAuthzRequest oAuthAuthzRequest)
         }
     }
 
-    private boolean isFAPIConformantApp(String clientId) throws ParCoreException {
+    private boolean isFapiConformant(String clientId) throws ParClientException {
 
         try {
             return OAuth2Util.isFapiConformantApp(clientId);
         } catch (IdentityOAuth2Exception e) {
-            throw new ParCoreException(OAuth2ErrorCodes.SERVER_ERROR, e.getMessage(), e);
+            throw new ParClientException(e.getMessage(), e.getErrorCode());
         }
     }
 }

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/EndpointUtil.java

@@ -91,6 +91,7 @@
 import org.wso2.carbon.identity.oauth2.OAuth2Service;
 import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
 import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
+import org.wso2.carbon.identity.oauth2.RequestObjectException;
 import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
 import org.wso2.carbon.identity.oauth2.bean.Scope;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
@@ -100,7 +101,11 @@
 import org.wso2.carbon.identity.oauth2.scopeservice.OAuth2Resource;
 import org.wso2.carbon.identity.oauth2.scopeservice.ScopeMetadataService;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.identity.openidconnect.OIDCRequestObjectUtil;
+import org.wso2.carbon.identity.openidconnect.RequestObjectBuilder;
 import org.wso2.carbon.identity.openidconnect.RequestObjectService;
+import org.wso2.carbon.identity.openidconnect.RequestObjectValidator;
+import org.wso2.carbon.identity.openidconnect.model.RequestObject;
 import org.wso2.carbon.identity.webfinger.DefaultWebFingerProcessor;
 import org.wso2.carbon.identity.webfinger.WebFingerProcessor;
 import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
@@ -1722,7 +1727,18 @@ public static void setParAuthService(ParAuthService parAuthService) {
     public static String retrieveStateForErrorURL(HttpServletRequest request, OAuth2Parameters oAuth2Parameters) {
 
         String state = null;
-        if (oAuth2Parameters != null && oAuth2Parameters.getState() != null) {
+
+        if (request.getParameter(OAuthConstants.OAuth20Params.REQUEST) != null) {
+            String stateInsideRequestObj = getStateFromRequestObject(request, oAuth2Parameters);
+            if (StringUtils.isNotBlank(stateInsideRequestObj)) {
+                state = stateInsideRequestObj;
+                if (log.isDebugEnabled()) {
+                    log.debug("Retrieved state value " + state + " from request object.");
+                }
+            }
+        }
+
+        if (StringUtils.isBlank(state) && oAuth2Parameters != null && oAuth2Parameters.getState() != null) {
             state = oAuth2Parameters.getState();
             if (log.isDebugEnabled()) {
                 log.debug("Retrieved state value " + state + " from OAuth2Parameters.");
@@ -1737,6 +1753,35 @@ public static String retrieveStateForErrorURL(HttpServletRequest request, OAuth2
         return state;
     }
 
+    private static String getStateFromRequestObject(HttpServletRequest request, OAuth2Parameters oAuth2Parameters) {
+
+        try {
+            RequestObjectValidator requestObjectValidator = OAuthServerConfiguration.getInstance()
+                    .getRequestObjectValidator();
+            RequestObjectBuilder requestObjectBuilder = OAuthServerConfiguration.getInstance()
+                    .getRequestObjectBuilders().get(OIDCRequestObjectUtil.REQUEST_PARAM_VALUE_BUILDER);
+            RequestObject requestObject =
+                    requestObjectBuilder.buildRequestObject(request.getParameter(OAuthConstants.OAuth20Params.REQUEST),
+                            oAuth2Parameters);
+            if (StringUtils.isBlank(oAuth2Parameters.getClientId())) {
+                // Set client id and tenant domain required for signature validation if not already set.
+                String clientId = request.getParameter(PROP_CLIENT_ID);
+                oAuth2Parameters.setClientId(clientId);
+                oAuth2Parameters.setTenantDomain(getSPTenantDomainFromClientId(clientId));
+            }
+            // Validate request object signature to ensure request object is not tampered.
+            OIDCRequestObjectUtil.validateRequestObjectSignature(oAuth2Parameters, requestObject,
+                    requestObjectValidator);
+            return requestObject.getClaimValue(OAuthConstants.OAuth20Params.STATE);
+        } catch (RequestObjectException e) {
+            /* If request object signature validation fails, logs and return null from this method and the state value
+            will be overridden from oauth2 parameters or request parameters if present inside the
+            retrieveStateForErrorURL method. */
+            log.debug("Error while retrieving state from request object.", e);
+        }
+        return null;
+    }
+
     /**
      * Return updated redirect URL.
      *