This is an automated email from the ASF dual-hosted git repository. ilgrosso pushed a commit to branch 3_0_X in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/3_0_X by this push:
new 66d5a74e3b WA: better scope management for OIDC RP client application (completion) (#424)
66d5a74e3b is described below
commit 66d5a74e3ba67dcd99b2882613259a4a27731816
Author: Francesco Chicchiriccò <ilgro...@users.noreply.github.com>
AuthorDate: Mon Mar 13 15:06:42 2023 +0100
WA: better scope management for OIDC RP client application (completion) (#424)
---
.../clientapps/ClientAppModalPanelBuilder.java | 6 +++++
.../clientapps/ClientAppPropertyWizardBuilder.java | 2 +-
.../clientapps/ClientAppDirectoryPanel.properties | 1 +
.../ClientAppDirectoryPanel_fr_CA.properties | 1 +
.../ClientAppDirectoryPanel_it.properties | 1 +
.../ClientAppDirectoryPanel_ja.properties | 1 +
.../ClientAppDirectoryPanel_pt_BR.properties | 1 +
.../ClientAppDirectoryPanel_ru.properties | 1 +
.../syncope/common/lib/to/OIDCRPClientAppTO.java | 16 ++++---------
.../apache/syncope/common/lib/types/OIDCScope.java | 28 ++++++++++++++++++++++
.../persistence/api/entity/am/OIDCRPClientApp.java | 3 +++
.../jpa/entity/am/JPAOIDCRPClientApp.java | 20 ++++++++++++++++
.../java/data/ClientAppDataBinderImpl.java | 3 +++
.../starter/mapping/OIDCRPClientAppTOMapper.java | 19 ++++++++-------
14 files changed, 81 insertions(+), 22 deletions(-)
diff --git a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
index d4515ae480..89c7303a4a 100644
--- a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
+++ b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java
@@ -56,6 +56,7 @@ import org.apache.syncope.common.lib.to.RealmTO;
 import org.apache.syncope.common.lib.types.ClientAppType;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 import org.apache.syncope.common.lib.types.PolicyType;
 import org.apache.syncope.common.lib.types.SAML2SPNameId;
@@ -268,6 +269,11 @@ public class ClientAppModalPanelBuilder<T extends ClientAppTO> extends AbstractM new PropertyModel<>(clientAppTO, "supportedResponseTypes"), new ListModel<>(List.of(OIDCResponseType.values())))); + fields.add(new AjaxPalettePanel.Builder<OIDCScope>().setName("scopes").build( + "field", + new PropertyModel<>(clientAppTO, "scopes"), + new ListModel<>(List.of(OIDCScope.values())))); + AjaxTextFieldPanel logoutUri = new AjaxTextFieldPanel( "field", "logoutUri", new PropertyModel<>(clientAppTO, "logoutUri"), false); logoutUri.addValidator(new UrlValidator());
diff --git a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
index c73b9a4be0..52da59613d 100644
--- a/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
+++ b/client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppPropertyWizardBuilder.java
@@ -28,7 +28,7 @@ import org.apache.wicket.PageReference; public class ClientAppPropertyWizardBuilder extends AttrWizardBuilder { - private static final long serialVersionUID = 1L; + private static final long serialVersionUID = -91564005263775261L; private final ClientAppType type;
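Review bot: The new `scopes` palette in the second hunk starts empty for a freshly created OIDC RP, and as far as the mapper hunks in this commit show, WA only adds a standard-scope claim-release policy for scopes present in this list, so an admin who leaves the palette untouched saves an RP that releases no standard OIDC claims. If that is not the intended default, pre-select the mandatory scope before the palette is built, e.g. `if (clientAppTO.getScopes().isEmpty()) { clientAppTO.getScopes().add(OIDCScope.OPENID); }`; if an empty list is deliberately "release no standard claims", a one-line comment above the `fields.add(...)` saying so would save the next maintainer the round trip. The enclosing builder method starts and ends outside the hunk.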
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
index 625bcf3dab..a51a303773 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy properties.title=Properties for ${name} type_extensions.title=properties bypassApprovalPrompt=Bypass Approval Prompt +scopes=Scopes
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
index b90f283f43..6ab6528c25 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_fr_CA.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy properties.title=Properties for ${name} type_extensions.title=properties bypassApprovalPrompt=Bypass Approval Prompt +scopes=Scopes
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
index d280a11c3c..1e4aa4611b 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_it.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Politica Rilascio Attributi properties.title=Propriet\u00e0 di ${name} type_extensions.title=propriet\u00e0 bypassApprovalPrompt=Salta richiesta approvazione +scopes=Scope
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
index d3d1364c84..ce61864b46 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ja.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy properties.title=Properties for ${name} type_extensions.title=properties bypassApprovalPrompt=Bypass Approval Prompt +scopes=Scopes
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
index 625bcf3dab..a51a303773 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_pt_BR.properties
@@ -58,3 +58,4 @@ attrReleasePolicy=Attribute Release Policy properties.title=Properties for ${name} type_extensions.title=properties bypassApprovalPrompt=Bypass Approval Prompt +scopes=Scopes
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
index 47b953f751..b9af8ebe0f 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/clientapps/ClientAppDirectoryPanel_ru.properties
@@ -59,3 +59,4 @@ attrReleasePolicy=Attribute Release Policy properties.title=Properties for ${name} type_extensions.title=properties bypassApprovalPrompt=Bypass Approval Prompt +scopes=Scopes
diff --git a/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java b/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
index 480ff8edc4..7e0019494a 100644
--- a/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
+++ b/common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java
@@ -28,6 +28,7 @@ import org.apache.commons.lang3.builder.EqualsBuilder; import org.apache.commons.lang3.builder.HashCodeBuilder; import org.apache.syncope.common.lib.types.OIDCGrantType; import org.apache.syncope.common.lib.types.OIDCResponseType; +import org.apache.syncope.common.lib.types.OIDCScope; import org.apache.syncope.common.lib.types.OIDCSubjectType; @Schema(allOf = { ClientAppTO.class })
@@ -35,15 +36,6 @@ public class OIDCRPClientAppTO extends ClientAppTO { private static final long serialVersionUID = -6370888503924521351L; - public enum SCOPE { - OPENID, - PROFILE, - EMAIL, - ADDRESS, - PHONE - - } - private String clientId; private String clientSecret;
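Review bot: Removing the public nested enum `OIDCRPClientAppTO.SCOPE` in the second hunk is a source- and binary-incompatible change for anything compiled against the 3.0 common lib (custom REST clients, extensions), even though the JSON/XML wire form should be unaffected because the constant names in the new `OIDCScope` are identical and the `scopes`/`scope` wrapper names on the getter are unchanged. On a maintenance branch such as 3_0_X that deserves an explicit sentence in the commit message or release notes, since the diff itself gives no hint that external callers must recompile. The class body continues outside the hunk.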
@@ -60,9 +52,9 @@ public class OIDCRPClientAppTO extends ClientAppTO { private final List<OIDCResponseType> supportedResponseTypes = new ArrayList<>(); - private String logoutUri; + private final List<OIDCScope> scopes = new ArrayList<>(); - private final List<SCOPE> scopes = new ArrayList<>(); + private String logoutUri; private boolean bypassApprovalPrompt = true;
@@ -143,7 +135,7 @@ public class OIDCRPClientAppTO extends ClientAppTO { @JacksonXmlElementWrapper(localName = "scopes") @JacksonXmlProperty(localName = "scope") - public List<SCOPE> getScopes() { + public List<OIDCScope> getScopes() { return scopes; }
diff --git a/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java b/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java
new file mode 100644
index 0000000000..a3771db4f9
--- /dev/null
+++ b/common/am/lib/src/main/java/org/apache/syncope/common/lib/types/OIDCScope.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.types;
+
+public enum OIDCScope {
+ OPENID,
+ PROFILE,
+ EMAIL,
+ ADDRESS,
+ PHONE
+
+}
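Review bot: The new `OIDCScope` enum carries no Javadoc, and its constants are upper-case names rather than the lower-case scope strings the protocol uses (`openid`, `profile`, ...); within this commit they are only used as keys (`rp.getScopes().contains(OIDCScope.X)`) for picking CAS release policies, which should be stated on the type so nobody later ships `name()` to a client. Suggested header: `/** Standard OpenID Connect scopes that can be enabled on an RP; each selected scope maps to the matching CAS {@code Oidc*ScopeAttributeReleasePolicy} in {@code OIDCRPClientAppTOMapper}. */`. Note also that the declaration order here (EMAIL before ADDRESS) differs from the order in which the mapper adds the policies (ADDRESS before EMAIL); harmless today, but worth aligning before anyone switches the mapper to iterate `values()`.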
diff --git a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
index 0667c92f96..357a7d0d59 100644
--- a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
+++ b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java
@@ -21,6 +21,7 @@ package org.apache.syncope.core.persistence.api.entity.am; import java.util.Set; import org.apache.syncope.common.lib.types.OIDCGrantType; import org.apache.syncope.common.lib.types.OIDCResponseType; +import org.apache.syncope.common.lib.types.OIDCScope; import org.apache.syncope.common.lib.types.OIDCSubjectType; public interface OIDCRPClientApp extends ClientApp {
@@ -39,6 +40,8 @@ public interface OIDCRPClientApp extends ClientApp { Set<OIDCResponseType> getSupportedResponseTypes(); + Set<OIDCScope> getScopes(); + boolean isSignIdToken(); void setSignIdToken(boolean signIdToken);
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
index fbd172e512..ebc97578f5 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java
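Review bot: `Set<OIDCScope> getScopes()` in the second hunk joins an interface whose neighbouring accessors are also undocumented, but this accessor decides which claims WA releases to the RP, so it is the one that most needs a contract: `/** Standard OIDC scopes enabled for this RP; as far as the WA mapper shows, a scope absent from the set gets no standard-scope attribute release policy. */`. The interface body continues outside the hunk.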
@@ -35,6 +35,7 @@ import javax.persistence.Table;
 import javax.persistence.Transient;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.types.OIDCSubjectType;
 import org.apache.syncope.core.persistence.api.entity.am.OIDCRPClientApp;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
@@ -58,6 +59,10 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien new TypeReference<Set<OIDCResponseType>>() { }; + protected static final TypeReference<Set<OIDCScope>> SCOPE_TYPEREF = + new TypeReference<Set<OIDCScope>>() { + }; + @Column(unique = true, nullable = false) private String clientId;
@@ -90,6 +95,12 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien @Transient private Set<OIDCResponseType> supportedResponseTypesSet = new HashSet<>(); + @Lob + private String scopes; + + @Transient + private Set<OIDCScope> scopesSet = new HashSet<>(); + private String logoutUri; @Override
@@ -167,6 +178,11 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien return supportedResponseTypesSet; } + @Override + public Set<OIDCScope> getScopes() { + return scopesSet; + } + @Override public String getLogoutUri() { return logoutUri;
@@ -192,6 +208,9 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien if (supportedResponseTypes != null) { getSupportedResponseTypes().addAll(POJOHelper.deserialize(supportedResponseTypes, RESPONSE_TYPE_TYPEREF)); } + if (scopes != null) { + getScopes().addAll(POJOHelper.deserialize(scopes, SCOPE_TYPEREF)); + } } @PostLoad
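Review bot: The `@Lob private String scopes` field added in the third hunk is a new column on the `JPAOIDCRPClientApp` table, yet the diffstat lists no SQL upgrade script or schema resource, so an existing 3.0 deployment that does not regenerate DDL on startup would fail on the first load or save of an OIDC RP after upgrading; please either add the column to the upgrade path or state in the commit message that schema auto-generation covers it. A why-comment on the field would also help the next reader, since only the transient `scopesSet` is exposed: `// serialized mirror of scopesSet (presumably JSON via POJOHelper), rebuilt from the load callback and refreshed by the persist callback`. In the last hunk, `POJOHelper.deserialize(scopes, SCOPE_TYPEREF)` will presumably reject a stored value that names a constant later removed from `OIDCScope`, which is worth a one-line note next to the enum or here. The load callback that holds the last hunk begins outside it.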
@@ -211,5 +230,6 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien
 redirectUris = POJOHelper.serialize(getRedirectUris());
 supportedGrantTypes = POJOHelper.serialize(getSupportedGrantTypes());
 supportedResponseTypes = POJOHelper.serialize(getSupportedResponseTypes());
+ scopes = POJOHelper.serialize(getScopes());
 }
 }
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
index a9d4fd3dcf..13b858d728 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java
@@ -225,6 +225,8 @@ public class ClientAppDataBinderImpl implements ClientAppDataBinder { clientApp.getSupportedGrantTypes().addAll(clientAppTO.getSupportedGrantTypes()); clientApp.getSupportedResponseTypes().clear(); clientApp.getSupportedResponseTypes().addAll(clientAppTO.getSupportedResponseTypes()); + clientApp.getScopes().clear(); + clientApp.getScopes().addAll(clientAppTO.getScopes()); clientApp.setLogoutUri(clientAppTO.getLogoutUri()); }
@@ -239,6 +241,7 @@ public class ClientAppDataBinderImpl implements ClientAppDataBinder {
 clientAppTO.getRedirectUris().addAll(clientApp.getRedirectUris());
 clientAppTO.getSupportedGrantTypes().addAll(clientApp.getSupportedGrantTypes());
 clientAppTO.getSupportedResponseTypes().addAll(clientApp.getSupportedResponseTypes());
+ clientAppTO.getScopes().addAll(clientApp.getScopes());
 clientAppTO.setLogoutUri(clientApp.getLogoutUri());
 clientAppTO.setJwtAccessToken(clientApp.isJwtAccessToken());
 clientAppTO.setBypassApprovalPrompt(clientApp.isBypassApprovalPrompt());
diff --git a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
index 884cd5243c..a385b1cdac 100644
--- a/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
+++ b/wa/starter/src/main/java/org/apache/syncope/wa/starter/mapping/OIDCRPClientAppTOMapper.java
@@ -27,6 +27,7 @@ import java.util.stream.Stream;
 import org.apache.syncope.common.lib.to.OIDCRPClientAppTO;
 import org.apache.syncope.common.lib.types.OIDCGrantType;
 import org.apache.syncope.common.lib.types.OIDCResponseType;
+import org.apache.syncope.common.lib.types.OIDCScope;
 import org.apache.syncope.common.lib.wa.WAClientApp;
 import org.apereo.cas.configuration.CasConfigurationProperties;
 import org.apereo.cas.oidc.claims.OidcAddressScopeAttributeReleasePolicy;
@@ -94,19 +95,19 @@ public class OIDCRPClientAppTOMapper extends AbstractClientAppMapper { } } - if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.OPENID)) { + if (rp.getScopes().contains(OIDCScope.OPENID)) { chain.addPolicies(new OidcOpenIdScopeAttributeReleasePolicy()); } - if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PROFILE)) { + if (rp.getScopes().contains(OIDCScope.PROFILE)) { chain.addPolicies(new OidcProfileScopeAttributeReleasePolicy()); } - if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.ADDRESS)) { + if (rp.getScopes().contains(OIDCScope.ADDRESS)) { chain.addPolicies(new OidcAddressScopeAttributeReleasePolicy()); } - if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.EMAIL)) { + if (rp.getScopes().contains(OIDCScope.EMAIL)) { chain.addPolicies(new OidcEmailScopeAttributeReleasePolicy()); } - if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PHONE)) { + if (rp.getScopes().contains(OIDCScope.PHONE)) { chain.addPolicies(new OidcPhoneScopeAttributeReleasePolicy()); }
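Review bot: The five `if (rp.getScopes().contains(OIDCScope.X))` blocks in the second hunk differ only in the policy class they instantiate, and the same shape is repeated four more times in the next hunk for the `ALLOWED_CLAIMS` removal, so a single scope-to-policy mapping would keep the two lists from drifting (they already iterate in different orders, and OPENID is absent from the second). If the branch builds with switch expressions (Java 14+), the first group collapses to a stream over the scopes in the chain order used so far; `Stream` is already imported at the top of the file. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: grant / response type handling above …
// Add a CAS release policy for each enabled standard scope, keeping the chain order used so far.
Stream.of(OIDCScope.OPENID, OIDCScope.PROFILE, OIDCScope.ADDRESS, OIDCScope.EMAIL, OIDCScope.PHONE).
        filter(rp.getScopes()::contains).
        forEach(scope -> chain.addPolicies(switch (scope) {
            case OPENID -> new OidcOpenIdScopeAttributeReleasePolicy();
            case PROFILE -> new OidcProfileScopeAttributeReleasePolicy();
            case ADDRESS -> new OidcAddressScopeAttributeReleasePolicy();
            case EMAIL -> new OidcEmailScopeAttributeReleasePolicy();
            case PHONE -> new OidcPhoneScopeAttributeReleasePolicy();
        }));
```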
@@ -125,16 +126,16 @@ public class OIDCRPClientAppTOMapper extends AbstractClientAppMapper {
 map(p -> p.getAllowedAttributes().stream().collect(Collectors.toSet())).
 ifPresent(customClaims::addAll);
 }
- if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PROFILE)) {
+ if (rp.getScopes().contains(OIDCScope.PROFILE)) {
 customClaims.removeAll(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
 }
- if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.ADDRESS)) {
+ if (rp.getScopes().contains(OIDCScope.ADDRESS)) {
 customClaims.removeAll(OidcAddressScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
 }
- if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.EMAIL)) {
+ if (rp.getScopes().contains(OIDCScope.EMAIL)) {
 customClaims.removeAll(OidcEmailScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
 }
- if (rp.getScopes().contains(OIDCRPClientAppTO.SCOPE.PHONE)) {
+ if (rp.getScopes().contains(OIDCScope.PHONE)) {
 customClaims.removeAll(OidcPhoneScopeAttributeReleasePolicy.ALLOWED_CLAIMS);
 }
 if (!customClaims.isEmpty()) {
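Review bot: Claims belonging to a standard scope that is not selected stay in `customClaims`: the set is filled from the allowed attributes of the optional release policy at the top of the hunk, and only the selected scopes' `ALLOWED_CLAIMS` are removed, so an RP configured without PROFILE still receives profile attributes through whatever the `if (!customClaims.isEmpty())` branch (continuing outside the hunk) does with the remainder, presumably a custom-claims release policy. If the new `scopes` setting is meant to bound what an RP can obtain, the removal should apply to every standard scope regardless of selection, with the selected ones released only through their own policies added earlier; if it is only meant to avoid releasing the same claim twice, a comment on the first `if` would stop the next reader from taking it for an allow-list, e.g. `// selected standard scopes release their claims through the Oidc*ScopeAttributeReleasePolicy added above, so drop them from the custom set to avoid releasing them twice`. The enclosing method starts and ends outside the hunk.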