This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/3_0_X by this push:
     new 66d5a74e3b WA: better scope management for OIDC RP client application 
(completion) (#424)
66d5a74e3b is described below

commit 66d5a74e3ba67dcd99b2882613259a4a27731816
Author: Francesco Chicchiriccò <ilgro...@users.noreply.github.com>
AuthorDate: Mon Mar 13 15:06:42 2023 +0100

    WA: better scope management for OIDC RP client application (completion) 
(#424)
---
 .../clientapps/ClientAppModalPanelBuilder.java     |  6 +++++
 .../clientapps/ClientAppPropertyWizardBuilder.java |  2 +-
 .../clientapps/ClientAppDirectoryPanel.properties  |  1 +
 .../ClientAppDirectoryPanel_fr_CA.properties       |  1 +
 .../ClientAppDirectoryPanel_it.properties          |  1 +
 .../ClientAppDirectoryPanel_ja.properties          |  1 +
 .../ClientAppDirectoryPanel_pt_BR.properties       |  1 +
 .../ClientAppDirectoryPanel_ru.properties          |  1 +
 .../syncope/common/lib/to/OIDCRPClientAppTO.java   | 16 ++++---------
 .../apache/syncope/common/lib/types/OIDCScope.java | 28 ++++++++++++++++++++++
 .../persistence/api/entity/am/OIDCRPClientApp.java |  3 +++
 .../jpa/entity/am/JPAOIDCRPClientApp.java          | 20 ++++++++++++++++
 .../java/data/ClientAppDataBinderImpl.java         |  3 +++
 .../starter/mapping/OIDCRPClientAppTOMapper.java   | 19 ++++++++-------
 14 files changed, 81 insertions(+), 22 deletions(-)

diff --git 
a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
 
b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
index d4515ae480..89c7303a4a 100644
--- 
a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
+++ 
b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
@@ -56,6 +56,7 @@ import org.apache.syncope.common.lib.to.RealmTO;
 import org.apache.syncope.common.lib.types.ClientAppType;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 import org.apache.syncope.common.lib.types.PolicyType;
 import org.apache.syncope.common.lib.types.SAML2SPNameId;
@@ -268,6 +269,11 @@ public class ClientAppModalPanelBuilder<T extends 
ClientAppTO> extends AbstractM
                             new PropertyModel<>(clientAppTO, 
"supportedResponseTypes"),
                             new 
ListModel<>(List.of(OIDCResponseType.values()))));
 
+                    fields.add(new 
AjaxPalettePanel.Builder<OIDCScope>().setName("scopes").build(
+                            "field",
+                            new PropertyModel<>(clientAppTO, "scopes"),
+                            new ListModel<>(List.of(OIDCScope.values()))));
+
                     AjaxTextFieldPanel logoutUri = new AjaxTextFieldPanel(
                             "field", "logoutUri", new 
PropertyModel<>(clientAppTO, "logoutUri"), false);
                     logoutUri.addValidator(new UrlValidator());
diff --git 
a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
 
b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
index c73b9a4be0..52da59613d 100644
--- 
a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
+++ 
b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
@@ -28,7 +28,7 @@ import org.apache.wicket.PageReference;
 
 public class ClientAppPropertyWizardBuilder extends AttrWizardBuilder {
 
-    private static final long serialVersionUID = 1L;
+    private static final long serialVersionUID = -91564005263775261L;
 
     private final ClientAppType type;
 
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
index 625bcf3dab..a51a303773 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy
 properties.title=Properties for ${name}
 type_extensions.title=properties
 bypassApprovalPrompt=Bypass Approval Prompt
+scopes=Scopes
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
index b90f283f43..6ab6528c25 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy
 properties.title=Properties for ${name}
 type_extensions.title=properties
 bypassApprovalPrompt=Bypass Approval Prompt
+scopes=Scopes
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
index d280a11c3c..1e4aa4611b 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Politica Rilascio Attributi
 properties.title=Propriet\u00e0 di ${name}
 type_extensions.title=propriet\u00e0
 bypassApprovalPrompt=Salta richiesta approvazione
+scopes=Scope
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
index d3d1364c84..ce61864b46 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy
 properties.title=Properties for ${name}
 type_extensions.title=properties
 bypassApprovalPrompt=Bypass Approval Prompt
+scopes=Scopes
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
index 625bcf3dab..a51a303773 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy
 properties.title=Properties for ${name}
 type_extensions.title=properties
 bypassApprovalPrompt=Bypass Approval Prompt
+scopes=Scopes
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
index 47b953f751..b9af8ebe0f 100644
--- 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
+++ 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
@@ -59,3 +59,4 @@ attrReleasePolicy=Attribute Release Policy
 properties.title=Properties for ${name}
 type_extensions.title=properties
 bypassApprovalPrompt=Bypass Approval Prompt
+scopes=Scopes
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
index 480ff8edc4..7e0019494a 100644
--- 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
@@ -28,6 +28,7 @@ import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 
 @Schema(allOf = { ClientAppTO.class })
@@ -35,15 +36,6 @@ public class OIDCRPClientAppTO extends ClientAppTO {
 
     private static final long serialVersionUID = -6370888503924521351L;
 
-    public enum SCOPE {
-        OPENID,
-        PROFILE,
-        EMAIL,
-        ADDRESS,
-        PHONE
-
-    }
-
     private String clientId;
 
     private String clientSecret;
@@ -60,9 +52,9 @@ public class OIDCRPClientAppTO extends ClientAppTO {
 
     private final List<OIDCResponseType> supportedResponseTypes = new 
ArrayList<>();
 
-    private String logoutUri;
+    private final List<OIDCScope> scopes = new ArrayList<>();
 
-    private final List<SCOPE> scopes = new ArrayList<>();
+    private String logoutUri;
 
     private boolean bypassApprovalPrompt = true;
 
@@ -143,7 +135,7 @@ public class OIDCRPClientAppTO extends ClientAppTO {
 
     @JacksonXmlElementWrapper(localName = "scopes")
     @JacksonXmlProperty(localName = "scope")
-    public List<SCOPE> getScopes() {
+    public List<OIDCScope> getScopes() {
         return scopes;
     }
 
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java
new file mode 100644
index 0000000000..a3771db4f9
--- /dev/null
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.types;
+
+public enum OIDCScope {
+    OPENID,
+    PROFILE,
+    EMAIL,
+    ADDRESS,
+    PHONE
+
+}
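Review bot: `OIDCScope` is added as a public shared type with no Javadoc, and two things a maintainer needs to know are not written anywhere in the file. The constants appear to be stored by name, since `JPAOIDCRPClientApp` in this commit serializes a `Set<OIDCScope>` into its `scopes` column, so renaming or removing a constant would likely make stored rows unreadable. Each constant also selects an attribute release policy in `OIDCRPClientAppTOMapper`, so a constant added here without a matching branch there releases no claims. I would add a class comment such as `/** OpenID Connect scopes that can be granted to an OIDC relying party; names are persisted and mapped to release policies in WA. */`.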
diff --git 
a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
 
b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
index 0667c92f96..357a7d0d59 100644
--- 
a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
+++ 
b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
@@ -21,6 +21,7 @@ package org.apache.syncope.core.persistence.api.entity.am;
 import java.util.Set;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 
 public interface OIDCRPClientApp extends ClientApp {
@@ -39,6 +40,8 @@ public interface OIDCRPClientApp extends ClientApp {
 
     Set<OIDCResponseType> getSupportedResponseTypes();
 
+    Set<OIDCScope> getScopes();
+
     boolean isSignIdToken();
 
     void setSignIdToken(boolean signIdToken);
diff --git 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
index fbd172e512..ebc97578f5 100644
--- 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
+++ 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
@@ -35,6 +35,7 @@ import javax.persistence.Table;
 import javax.persistence.Transient;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 import org.apache.syncope.core.persistence.api.entity.am.OIDCRPClientApp;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
@@ -58,6 +59,10 @@ public class JPAOIDCRPClientApp extends AbstractClientApp 
implements OIDCRPClien
             new TypeReference<Set<OIDCResponseType>>() {
     };
 
+    protected static final TypeReference<Set<OIDCScope>> SCOPE_TYPEREF =
+            new TypeReference<Set<OIDCScope>>() {
+    };
+
     @Column(unique = true, nullable = false)
     private String clientId;
 
@@ -90,6 +95,12 @@ public class JPAOIDCRPClientApp extends AbstractClientApp 
implements OIDCRPClien
     @Transient
     private Set<OIDCResponseType> supportedResponseTypesSet = new HashSet<>();
 
+    @Lob
+    private String scopes;
+
+    @Transient
+    private Set<OIDCScope> scopesSet = new HashSet<>();
+
     private String logoutUri;
 
     @Override
@@ -167,6 +178,11 @@ public class JPAOIDCRPClientApp extends AbstractClientApp 
implements OIDCRPClien
         return supportedResponseTypesSet;
     }
 
+    @Override
+    public Set<OIDCScope> getScopes() {
+        return scopesSet;
+    }
+
     @Override
     public String getLogoutUri() {
         return logoutUri;
@@ -192,6 +208,9 @@ public class JPAOIDCRPClientApp extends AbstractClientApp 
implements OIDCRPClien
         if (supportedResponseTypes != null) {
             
getSupportedResponseTypes().addAll(POJOHelper.deserialize(supportedResponseTypes,
 RESPONSE_TYPE_TYPEREF));
         }
+        if (scopes != null) {
+            getScopes().addAll(POJOHelper.deserialize(scopes, SCOPE_TYPEREF));
+        }
     }
 
     @PostLoad
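Review bot: `getScopes().addAll(POJOHelper.deserialize(scopes, SCOPE_TYPEREF))` guards against a null column but not against a null result; if `deserialize` returns null for content it cannot parse (its body is not visible here), `addAll` throws and the entity fails to load. A stored value naming a constant that `OIDCScope` does not have is the likely trigger. Assigning the result to a local and checking it, `Set<OIDCScope> parsed = POJOHelper.deserialize(scopes, SCOPE_TYPEREF);` followed by `if (parsed != null) { getScopes().addAll(parsed); }`, keeps the load working with an empty scope set. The same pattern sits on the `supportedResponseTypes` lines above, and the enclosing method starts outside the hunk.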
@@ -211,5 +230,6 @@ public class JPAOIDCRPClientApp extends AbstractClientApp 
implements OIDCRPClien
         redirectUris = POJOHelper.serialize(getRedirectUris());
         supportedGrantTypes = POJOHelper.serialize(getSupportedGrantTypes());
         supportedResponseTypes = 
POJOHelper.serialize(getSupportedResponseTypes());
+        scopes = POJOHelper.serialize(getScopes());
     }
 }
diff --git 
a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
 
b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
index a9d4fd3dcf..13b858d728 100644
--- 
a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
+++ 
b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
@@ -225,6 +225,8 @@ public class ClientAppDataBinderImpl implements 
ClientAppDataBinder {
         
clientApp.getSupportedGrantTypes().addAll(clientAppTO.getSupportedGrantTypes());
         clientApp.getSupportedResponseTypes().clear();
         
clientApp.getSupportedResponseTypes().addAll(clientAppTO.getSupportedResponseTypes());
+        clientApp.getScopes().clear();
+        clientApp.getScopes().addAll(clientAppTO.getScopes());
         clientApp.setLogoutUri(clientAppTO.getLogoutUri());
     }
 
@@ -239,6 +241,7 @@ public class ClientAppDataBinderImpl implements 
ClientAppDataBinder {
         clientAppTO.getRedirectUris().addAll(clientApp.getRedirectUris());
         
clientAppTO.getSupportedGrantTypes().addAll(clientApp.getSupportedGrantTypes());
         
clientAppTO.getSupportedResponseTypes().addAll(clientApp.getSupportedResponseTypes());
+        clientAppTO.getScopes().addAll(clientApp.getScopes());
         clientAppTO.setLogoutUri(clientApp.getLogoutUri());
         clientAppTO.setJwtAccessToken(clientApp.isJwtAccessToken());
         
clientAppTO.setBypassApprovalPrompt(clientApp.isBypassApprovalPrompt());
diff --git 
a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
 
b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
index 884cd5243c..a385b1cdac 100644
--- 
a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
+++ 
b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
@@ -27,6 +27,7 @@ import java.util.stream.Stream;
 import org.apache.syncope.common.lib.to.OIDCRPClientAppTO;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.wa.WAClientApp;
 import org.apereo.cas.configuration.CasConfigurationProperties;
 import org.apereo.cas.oidc.claims.OidcAddressScopeAttributeReleasePolicy;
@@ -94,19 +95,19 @@ public class OIDCRPClientAppTOMapper extends 
AbstractClientAppMapper {
             }
         }
 
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.OPENID)) {
+        if (rp.getScopes().contains(OIDCScope.OPENID)) {
             chain.addPolicies(new OidcOpenIdScopeAttributeReleasePolicy());
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PROFILE)) {
+        if (rp.getScopes().contains(OIDCScope.PROFILE)) {
             chain.addPolicies(new OidcProfileScopeAttributeReleasePolicy());
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.ADDRESS)) {
+        if (rp.getScopes().contains(OIDCScope.ADDRESS)) {
             chain.addPolicies(new OidcAddressScopeAttributeReleasePolicy());
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.EMAIL)) {
+        if (rp.getScopes().contains(OIDCScope.EMAIL)) {
             chain.addPolicies(new OidcEmailScopeAttributeReleasePolicy());
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PHONE)) {
+        if (rp.getScopes().contains(OIDCScope.PHONE)) {
             chain.addPolicies(new OidcPhoneScopeAttributeReleasePolicy());
         }
 
@@ -125,16 +126,16 @@ public class OIDCRPClientAppTOMapper extends 
AbstractClientAppMapper {
                     map(p -> 
p.getAllowedAttributes().stream().collect(Collectors.toSet())).
                     ifPresent(customClaims::addAll);
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PROFILE)) {
+        if (rp.getScopes().contains(OIDCScope.PROFILE)) {
             
customClaims.removeAll(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.ADDRESS)) {
+        if (rp.getScopes().contains(OIDCScope.ADDRESS)) {
             
customClaims.removeAll(OidcAddressScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.EMAIL)) {
+        if (rp.getScopes().contains(OIDCScope.EMAIL)) {
             
customClaims.removeAll(OidcEmailScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
         }
-        if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PHONE)) {
+        if (rp.getScopes().contains(OIDCScope.PHONE)) {
             
customClaims.removeAll(OidcPhoneScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
         }
         if (!customClaims.isEmpty()) {
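Review bot: The `customClaims.removeAll(...)` calls run only for scopes the relying party has been granted, so a claim that belongs to a standard scope the RP does not have stays in `customClaims`. Judging by the `if (!customClaims.isEmpty())` that follows, those leftovers are then handled as custom claims, though that branch continues outside the hunk. If an allowed attribute named like a standard claim is meant to be released even without its scope, a comment should say so, for example `// claims of standard scopes not granted to this RP are deliberately treated as custom claims`; if not, the four `removeAll` calls should be unconditional. The five `contains` checks in the previous hunk share the same per-constant shape, so a constant added to `OIDCScope` needs a branch in both places.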
