This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 4_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/4_1_X by this push:
new 96c5cbc441 [SYNCOPE-1955] Aligning OIDC JWKS management
96c5cbc441 is described below
commit 96c5cbc441aa13d847f0968c57a8065639f71183
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Mon Mar 16 11:12:04 2026 +0100
[SYNCOPE-1955] Aligning OIDC JWKS management
---
.../core/persistence/api/entity/am/OIDCOpEntity.java | 4 ++--
.../core/persistence/jpa/entity/am/JPAOIDCOpEntity.java | 9 +++++----
.../core/persistence/jpa/inner/OIDCOpEntityTest.java | 3 ++-
.../persistence/neo4j/entity/am/Neo4jOIDCOpEntity.java | 9 +++++----
.../core/persistence/neo4j/inner/OIDCOpEntityTest.java | 3 ++-
.../provisioning/api/data/OIDCOpEntityDataBinder.java | 2 +-
.../java/data/OIDCOpEntityDataBinderImpl.java | 17 ++++++++++-------
.../wa/bootstrap/mapping/DefaultAttrReleaseMapper.java | 5 -----
8 files changed, 27 insertions(+), 25 deletions(-)
diff --git
a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCOpEntity.java
b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCOpEntity.java
index c5aa01e3a8..e66e26e579 100644
---
a/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCOpEntity.java
+++
b/core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCOpEntity.java
@@ -24,9 +24,9 @@ import org.apache.syncope.core.persistence.api.entity.Entity;
public interface OIDCOpEntity extends Entity {
- String getJWKS();
+ byte[] getJWKS();
- void setJWKS(String jwks);
+ void setJWKS(byte[] jwks);
Map<String, Set<String>> getCustomScopes();
}
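Review bot: The new `byte[]` accessors on `OIDCOpEntity` carry no Javadoc saying what the bytes are, and an implementer cannot tell from the interface whether `getJWKS()` hands back the stored array or a copy. The binder fills this field with the JWKS JSON serialized with `INCLUDE_PRIVATE` (see `OIDCOpEntityDataBinderImpl.generateJWKS` in this same commit), so the contents are secret key material. I would document that on the getter, e.g. `/** UTF-8 encoded JSON Web Key Set, including private key material; treat as a secret. */`, and state on `setJWKS` that implementations are expected to store a copy of the array.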
diff --git
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCOpEntity.java
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCOpEntity.java
index 4f14f8d642..e5f4e568d8 100644
---
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCOpEntity.java
+++
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCOpEntity.java
@@ -32,6 +32,7 @@ import jakarta.persistence.Transient;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
+import org.apache.commons.lang3.ArrayUtils;
import org.apache.syncope.core.persistence.api.entity.am.OIDCOpEntity;
import
org.apache.syncope.core.persistence.jpa.entity.AbstractGeneratedKeyEntity;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
@@ -50,7 +51,7 @@ public class JPAOIDCOpEntity extends
AbstractGeneratedKeyEntity implements OIDCO
@Column(nullable = false)
@Lob
- private String jwks;
+ private byte[] jwks;
@Lob
private String customScopes;
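Review bot: Changing the `@Lob` field from `String` to `byte[]` changes the mapped column from a character LOB to a binary LOB, and rows written by earlier 4_1_X builds hold the JWKS as JSON text in the old column; the diffstat lists only Java sources, so no schema or data migration accompanies the change. If in-place upgrades of 4_1_X deployments are expected, an upgrade step or at least a release note is needed, unless that is handled outside this commit. The enclosing class continues outside the hunk.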
@@ -59,13 +60,13 @@ public class JPAOIDCOpEntity extends
AbstractGeneratedKeyEntity implements OIDCO
private Map<String, Set<String>> customScopesMap = new HashMap<>();
@Override
- public String getJWKS() {
+ public byte[] getJWKS() {
return jwks;
}
@Override
- public void setJWKS(final String jwks) {
- this.jwks = jwks;
+ public void setJWKS(final byte[] jwks) {
+ this.jwks = ArrayUtils.clone(jwks);
}
@Override
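Review bot: `getJWKS()` returns the stored array itself while `setJWKS` clones its argument, so a caller can mutate the entity's key material in place and bypass the defensive copy. Returning `return ArrayUtils.clone(jwks);` keeps the two accessors symmetric; since the mapping annotations sit on the field, the provider presumably does not go through the getter, so the extra copy should not affect persistence. The class continues past the hunk.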
diff --git
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/OIDCOpEntityTest.java
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/OIDCOpEntityTest.java
index 515b8390d7..83ff443b5b 100644
---
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/OIDCOpEntityTest.java
+++
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/OIDCOpEntityTest.java
@@ -25,6 +25,7 @@ import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
+import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.UUID;
import org.apache.syncope.core.persistence.api.dao.OIDCOpEntityDAO;
@@ -48,7 +49,7 @@ public class OIDCOpEntityTest extends AbstractTest {
keyUse(KeyUse.SIGNATURE).
keyID(UUID.randomUUID().toString()).
generate();
- oidcOpEntity.setJWKS(new JWKSet(jwk).toString());
+ oidcOpEntity.setJWKS(new
JWKSet(jwk).toString().getBytes(StandardCharsets.UTF_8));
oidcOpEntity.getCustomScopes().put("scope1", Set.of("claim1",
"claim2"));
oidcOpEntity.getCustomScopes().put("scope2", Set.of("claim1",
"claim3", "claim4"));
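Review bot: The hunk shows only the set-up of the `byte[]` JWKS; the reload assertion lies outside the hunk, and because `byte[]` does not override `equals`, it has to compare contents (`assertArrayEquals(expected, found.getJWKS())`) rather than references, or it breaks as soon as the entity returns a copy. It would also be worth checking that the stored bytes round-trip as a key set, e.g. `JWKSet.parse(new String(found.getJWKS(), StandardCharsets.UTF_8))`, so a charset or column-type regression is caught here rather than at WA startup. The test method continues outside the hunk.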
diff --git
a/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/am/Neo4jOIDCOpEntity.java
b/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/am/Neo4jOIDCOpEntity.java
index c5d2fc0f0a..74c27f6928 100644
---
a/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/am/Neo4jOIDCOpEntity.java
+++
b/core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/am/Neo4jOIDCOpEntity.java
@@ -23,6 +23,7 @@ import jakarta.validation.constraints.NotNull;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
+import org.apache.commons.lang3.ArrayUtils;
import org.apache.syncope.core.persistence.api.entity.am.OIDCOpEntity;
import
org.apache.syncope.core.persistence.neo4j.entity.AbstractGeneratedKeyNode;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
@@ -42,7 +43,7 @@ public class Neo4jOIDCOpEntity extends
AbstractGeneratedKeyNode implements OIDCO
};
@NotNull
- private String jwks;
+ private byte[] jwks;
private String customScopes;
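Review bot: The Neo4j `jwks` property changes from a string to a byte[] property here, so nodes written by earlier 4_1_X builds presumably hold a string value that the new mapping will not read back as bytes; no migration is part of this commit (the diffstat lists only Java sources). Either a migration step or an explicit upgrade note is needed for existing installations. The class continues outside the hunk.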
@@ -50,13 +51,13 @@ public class Neo4jOIDCOpEntity extends
AbstractGeneratedKeyNode implements OIDCO
private Map<String, Set<String>> customScopesMap = new HashMap<>();
@Override
- public String getJWKS() {
+ public byte[] getJWKS() {
return jwks;
}
@Override
- public void setJWKS(final String jwks) {
- this.jwks = jwks;
+ public void setJWKS(final byte[] jwks) {
+ this.jwks = ArrayUtils.clone(jwks);
}
@Override
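Review bot: As in the JPA entity, `getJWKS()` hands out the stored array while `setJWKS` clones, so the defensive copy can be bypassed by mutating the returned array. `return ArrayUtils.clone(jwks);` keeps the accessors symmetric; with the mapping on the field this should be transparent to the store, but worth confirming against the Neo4j mapper. The class continues past the hunk.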
diff --git
a/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/OIDCOpEntityTest.java
b/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/OIDCOpEntityTest.java
index ec88cfc591..6fd036d0a4 100644
---
a/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/OIDCOpEntityTest.java
+++
b/core/persistence-neo4j/src/test/java/org/apache/syncope/core/persistence/neo4j/inner/OIDCOpEntityTest.java
@@ -25,6 +25,7 @@ import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
+import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.UUID;
import org.apache.syncope.core.persistence.api.dao.OIDCOpEntityDAO;
@@ -48,7 +49,7 @@ public class OIDCOpEntityTest extends AbstractTest {
keyUse(KeyUse.SIGNATURE).
keyID(UUID.randomUUID().toString()).
generate();
- oidcOpEntity.setJWKS(new JWKSet(jwk).toString());
+ oidcOpEntity.setJWKS(new
JWKSet(jwk).toString().getBytes(StandardCharsets.UTF_8));
oidcOpEntity.getCustomScopes().put("scope1", Set.of("claim1",
"claim2"));
oidcOpEntity.getCustomScopes().put("scope2", Set.of("claim1",
"claim3", "claim4"));
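Review bot: Same remark as for the JPA test: the reload assertion is outside this hunk, and with `byte[]` it must compare contents (`assertArrayEquals(...)`) rather than references, otherwise it fails once the entity returns a copy. Parsing the reloaded bytes with `JWKSet.parse(new String(found.getJWKS(), StandardCharsets.UTF_8))` would additionally pin the UTF-8 round trip through Neo4j. The test method continues outside the hunk.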
diff --git
a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/OIDCOpEntityDataBinder.java
b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/OIDCOpEntityDataBinder.java
index 20e9479e48..a2ac8530a7 100644
---
a/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/OIDCOpEntityDataBinder.java
+++
b/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/data/OIDCOpEntityDataBinder.java
@@ -53,7 +53,7 @@ public interface OIDCOpEntityDataBinder {
}
}
- String generateJWKS(String jwksKeyId, String jwksType, int jwksKeySize);
+ byte[] generateJWKS(String jwksKeyId, String jwksType, int jwksKeySize);
OIDCOpEntityTO getOIDCOpEntityTO(OIDCOpEntity oidcOpEntity);
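Review bot: `generateJWKS` now returns raw bytes with no Javadoc stating their encoding or sensitivity, and the implementation in this commit serializes with `OutputControlLevel.INCLUDE_PRIVATE` and also persists the key id/type/size via `waConfigDAO.save` as a side effect. I would document both on the interface, e.g. `/** Generates a fresh signing JWKS and returns its UTF-8 JSON serialization, including private keys; callers must not expose or log it. Also persists the key id, type and size as WA configuration. */`, so implementers and callers do not have to read the implementation to learn the contract.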
diff --git
a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCOpEntityDataBinderImpl.java
b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCOpEntityDataBinderImpl.java
index 732d22946b..8dcd0cfb1c 100644
---
a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCOpEntityDataBinderImpl.java
+++
b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/OIDCOpEntityDataBinderImpl.java
@@ -18,7 +18,9 @@
*/
package org.apache.syncope.core.provisioning.java.data;
+import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
+import java.util.Base64;
import java.util.List;
import java.util.Locale;
import org.apache.syncope.common.lib.SyncopeClientException;
@@ -94,7 +96,7 @@ public class OIDCOpEntityDataBinderImpl implements
OIDCOpEntityDataBinder {
}
@Override
- public String generateJWKS(final String jwksKeyId, final String jwksType,
final int jwksKeySize) {
+ public byte[] generateJWKS(final String jwksKeyId, final String jwksType,
final int jwksKeySize) {
List<PublicJsonWebKey> keys = new ArrayList<>();
try {
keys.add(generate(jwksKeyId, jwksType, jwksKeySize, Use.SIGNATURE,
JsonWebKeyLifecycleState.CURRENT));
@@ -124,14 +126,16 @@ public class OIDCOpEntityDataBinderImpl implements
OIDCOpEntityDataBinder {
jwksKeySizeConfig.setValues(List.of(String.valueOf(jwksKeySize)));
waConfigDAO.save(jwksKeySizeConfig);
- return new
JsonWebKeySet(keys).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
+ return new JsonWebKeySet(keys).
+ toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE).
+ getBytes(StandardCharsets.UTF_8);
}
@Override
public OIDCOpEntityTO getOIDCOpEntityTO(final OIDCOpEntity oidcOpEntity) {
OIDCOpEntityTO oidcOpEntityTO = new OIDCOpEntityTO();
oidcOpEntityTO.setKey(oidcOpEntity.getKey());
- oidcOpEntityTO.setJWKS(oidcOpEntity.getJWKS());
+
oidcOpEntityTO.setJWKS(Base64.getEncoder().encodeToString(oidcOpEntity.getJWKS()));
oidcOpEntityTO.getCustomScopes().putAll(oidcOpEntity.getCustomScopes());
return oidcOpEntityTO;
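Review bot: `getOIDCOpEntityTO` changes the wire format of the TO's `jwks` field from the JWKS JSON text to its Base64 encoding, which breaks any REST client, console or CLI code that still reads it as JSON; none of that client-side code is in this diff, so presumably it is updated elsewhere — worth confirming, and worth stating on `OIDCOpEntityTO.setJWKS` that the value is Base64. Note also that Base64 is only an encoding: the TO still carries the private keys in clear, exactly as before, so this should not be read as reducing exposure on the API. The method `generateJWKS` above it starts outside the hunk.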
@@ -139,10 +143,9 @@ public class OIDCOpEntityDataBinderImpl implements
OIDCOpEntityDataBinder {
@Override
public void update(final OIDCOpEntity oidcOpEntity, final OIDCOpEntityTO
oidcOpEntityTO) {
- oidcOpEntity.setJWKS(oidcOpEntityTO.getJWKS());
- if (oidcOpEntity.getJWKS() == null) {
- oidcOpEntity.setJWKS(generateJWKS("syncope", "RSA", 2048));
- }
+ oidcOpEntity.setJWKS(oidcOpEntityTO.getJWKS() == null
+ ? generateJWKS("syncope", "RSA", 2048)
+ : Base64.getDecoder().decode(oidcOpEntityTO.getJWKS()));
oidcOpEntity.getCustomScopes().clear();
oidcOpEntity.getCustomScopes().putAll(oidcOpEntityTO.getCustomScopes());
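Review bot: `Base64.getDecoder().decode(oidcOpEntityTO.getJWKS())` throws `IllegalArgumentException` on any non-Base64 value coming from the TO, and since the TO is client input arriving over REST, a malformed value now surfaces as an unhandled runtime exception rather than a client error. Previously any string was accepted, so this is new failure behaviour introduced by the encoding change; wrapping the decode and reporting it as a `SyncopeClientException` (already imported in this file) keeps the error on the client side, and parsing the decoded bytes with `JsonWebKeySet` (used in `generateJWKS`) would additionally reject payloads that decode but are not a key set before they reach the store. The exact `ClientExceptionType` to use should match what the binder's existing catch in `generateJWKS` uses; that catch lies outside this hunk. The method continues outside the hunk.
```java
byte[] jwks;
if (oidcOpEntityTO.getJWKS() == null) {
    jwks = generateJWKS("syncope", "RSA", 2048);
} else {
    try {
        jwks = Base64.getDecoder().decode(oidcOpEntityTO.getJWKS());
        // reject values that are valid Base64 but not a JWKS before persisting them
        new JsonWebKeySet(new String(jwks, StandardCharsets.UTF_8));
    } catch (IllegalArgumentException | JoseException e) {
        // client-supplied value: report as a client error instead of a server failure
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidValues);
        sce.getElements().add("jwks: " + e.getMessage());
        throw sce;
    }
}
oidcOpEntity.setJWKS(jwks);
// … unchanged: customScopes handling …
```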
diff --git
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java
index 66c62957c0..6ead2e27b5 100644
---
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java
+++
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/DefaultAttrReleaseMapper.java
@@ -171,7 +171,6 @@ public class DefaultAttrReleaseMapper implements
AttrReleaseMapper {
protected void buildForOIDCStandardScope(
final OIDCRPClientAppTO clientApp,
- final DefaultAttrReleasePolicyConf conf,
final Map<String, BaseOidcScopeAttributeReleasePolicy> policies,
final Supplier<BaseOidcScopeAttributeReleasePolicy>
attributeReleasePolicyCreator,
final OIDCStandardScope scope,
@@ -228,7 +227,6 @@ public class DefaultAttrReleaseMapper implements
AttrReleaseMapper {
if
(OidcProfileScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
buildForOIDCStandardScope(
clientApp,
- conf,
policies,
OidcProfileScopeAttributeReleasePolicy::new,
OIDCStandardScope.profile,
@@ -237,7 +235,6 @@ public class DefaultAttrReleaseMapper implements
AttrReleaseMapper {
} else if
(OidcEmailScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
buildForOIDCStandardScope(
clientApp,
- conf,
policies,
OidcEmailScopeAttributeReleasePolicy::new,
OIDCStandardScope.email,
@@ -246,7 +243,6 @@ public class DefaultAttrReleaseMapper implements
AttrReleaseMapper {
} else if
(OidcAddressScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
buildForOIDCStandardScope(
clientApp,
- conf,
policies,
OidcAddressScopeAttributeReleasePolicy::new,
OIDCStandardScope.address,
@@ -255,7 +251,6 @@ public class DefaultAttrReleaseMapper implements
AttrReleaseMapper {
} else if
(OidcPhoneScopeAttributeReleasePolicy.ALLOWED_CLAIMS.contains(external.toString()))
{
buildForOIDCStandardScope(
clientApp,
- conf,
policies,
OidcPhoneScopeAttributeReleasePolicy::new,
OIDCStandardScope.phone,