merged version_4.5.3

Client/pom.xml

@@ -233,11 +233,11 @@
 		<!-- Bouncycastle -->
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk15on</artifactId>
+			<artifactId>bcprov-jdk18on</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk15on</artifactId>
+			<artifactId>bcpkix-jdk18on</artifactId>
 		</dependency>
 
 		<!-- Logging -->
@@ -311,11 +311,11 @@
 			<dependencies>
 				<dependency>
 					<groupId>org.bouncycastle</groupId>
-					<artifactId>bcprov-jdk15on</artifactId>
+					<artifactId>bcprov-jdk18on</artifactId>
 				</dependency>
 				<dependency>
 					<groupId>org.bouncycastle</groupId>
-					<artifactId>bcpkix-jdk15on</artifactId>
+					<artifactId>bcpkix-jdk18on</artifactId>
 				</dependency>
 			</dependencies>
 		</profile>
@@ -353,7 +353,6 @@
 				<dependency>
 					<groupId>org.gluu</groupId>
 					<artifactId>oxauth-model</artifactId>
-					<version>${project.version}</version>
 					<type>test-jar</type>
 					<scope>test</scope>
 				</dependency>

Client/src/main/assembly/jar-without-provider-dependencies.xml

@@ -16,9 +16,9 @@
 			<unpack>true</unpack>
 			<scope>runtime</scope>
 			<excludes>
-			  <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
-			  <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
-			  <exclude>org.bouncycastle:bcutil-jdk15on</exclude>
+			  <exclude>org.bouncycastle:bcpkix-jdk18on</exclude>
+			  <exclude>org.bouncycastle:bcprov-jdk18on</exclude>
+			  <exclude>org.bouncycastle:bcutil-jdk18on</exclude>
 			</excludes>
 		</dependencySet>
 	</dependencySets>

Client/src/main/java/org/gluu/oxauth/util/KeyGenerator.java

@@ -47,7 +47,7 @@
 
 /**
  * Command example:
- * java -cp bcprov-jdk15on-1.54.jar:.jar:bcpkix-jdk15on-1.54.jar:commons-cli-1.2.jar:commons-codec-1.5.jar:commons-lang-2.6.jar:jettison-1.3.jar:log4j-1.2.14.jar:oxauth-model.jar:oxauth.jar org.gluu.oxauth.util.KeyGenerator -h
+ * java -cp bcprov-jdk18on-1.54.jar:.jar:bcpkix-jdk18on-1.54.jar:commons-cli-1.2.jar:commons-codec-1.5.jar:commons-lang-2.6.jar:jettison-1.3.jar:log4j-1.2.14.jar:oxauth-model.jar:oxauth.jar org.gluu.oxauth.util.KeyGenerator -h
  * <p/>
  * KeyGenerator -sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 -enc_keys RSA_OAEP RSA1_5 -keystore /Users/JAVIER/tmp/mykeystore.jks -keypasswd secret -dnname "CN=oxAuth CA Certificates" -expiration 365
  * <p/>

Model/pom.xml

@@ -128,12 +128,12 @@
 		<!-- Security -->
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk15on</artifactId>
+			<artifactId>bcprov-jdk18on</artifactId>
 			<scope>provided</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk15on</artifactId>
+			<artifactId>bcpkix-jdk18on</artifactId>
 			<scope>provided</scope>
 		</dependency>
 

Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java

@@ -271,6 +271,7 @@ public class AppConfiguration implements Configuration {
 
     private Boolean return200OnClientRegistration = true;
     private Map<String, String> dateFormatterPatterns = new HashMap<>();
+
     private Boolean allowBlankValuesInDiscoveryResponse;
 
     private Boolean skipAuthenticationFilterOptionsMethod = false;

Server/integrations/acr_router/acr_routerauthenticator.py → Server/integrations/acr_router/acr_router_authenticator.py

@@ -14,7 +14,7 @@ def __init__(self, currentTimeMillis):
     def init(self, customScript, configurationAttributes):
         print "ACR Router. Initialization"
         if not configurationAttributes.containsKey("new_acr_value"):
-            print "ACR Router. Initialization. Property acr_router_value is mandatory"
+            print "ACR Router. Initialization. Property new_acr_value is mandatory"
             return False
         print "ACR Router. Initialized successfully"
         return True   

Server/integrations/acr_saml_router/Readme.txt

@@ -0,0 +1 @@
+In order to pass additional AuthZ parameters to session we need to add to authorizationRequestCustomAllowedParameters oxAuth property issuerId and entityId

Server/integrations/acr_saml_router/acr_smal_router_authenticator.py

@@ -0,0 +1,82 @@
+# oxAuth is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text.
+# Copyright (c) 2023, Gluu
+#
+# Author: Yuriy Movchan
+#
+from org.gluu.service.cdi.util import CdiUtil
+from org.gluu.oxauth.security import Identity
+from org.gluu.oxauth.util import ServerUtil
+from org.gluu.util import StringHelper
+
+from org.gluu.model.custom.script.type.auth import PersonAuthenticationType
+
+
+class PersonAuthentication(PersonAuthenticationType):
+    def __init__(self, currentTimeMillis):
+        self.currentTimeMillis = currentTimeMillis
+
+    def init(self, customScript, configurationAttributes):
+        print "ACR SAML Router. Initialization"
+        print "ACR SAML Router. Initialized successfully"
+        return True   
+
+    def destroy(self, configurationAttributes):
+        print "ACR SAML Router. Destroy"
+        print "ACR SAML Router. Destroyed successfully"
+
+        return True
+
+    def getAuthenticationMethodClaims(self, requestParameters):
+        return None
+
+    def getApiVersion(self):
+        return 11
+
+    def isValidAuthenticationMethod(self, usageType, configurationAttributes):
+        return False
+
+    def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes):
+        print "ACR SAML Router. Get new acr value"
+        # !!!Note: oxAuth stores in session only known parameters
+        # We need to add to authorizationRequestCustomAllowedParameters oxAuth property issuerId and entityId
+
+        identity = CdiUtil.bean(Identity)
+        identity.getSessionId().getSessionAttributes()
+
+        session_attributes = identity.getSessionId().getSessionAttributes()
+        if session_attributes.containsKey("issuerId") and session_attributes.containsKey("entityId"):
+
+            issuerId = session_attributes.get("issuerId")
+            entityId = session_attributes.get("entityId")
+            redirect_uri = session_attributes.get("redirect_uri")
+            print "ACR SAML Router. issuerId: %s, entityId: %s, redirect_uri: %s: " % (issuerId, entityId, redirect_uri)
+            if StringHelper.equalsIgnoreCase(issuerId, "https://samltest.id/saml/sp"):
+                print "ACR SAML Router. Redirect to super_gluu"
+                return "super_gluu"
+
+        print "ACR SAML Router. Redirect to default method"
+        return "basic"
+
+    def authenticate(self, configurationAttributes, requestParameters, step):
+        return False
+
+    def prepareForStep(self, configurationAttributes, requestParameters, step):
+        return True
+
+    def getExtraParametersForStep(self, configurationAttributes, step):
+        return None
+
+    def getCountAuthenticationSteps(self, configurationAttributes):
+        return 1
+
+    def getPageForStep(self, configurationAttributes, step):
+        return ""
+
+    def getNextStep(self, configurationAttributes, requestParameters, step):
+        return -1
+
+    def getLogoutExternalUrl(self, configurationAttributes, requestParameters):
+        return None
+
+    def logout(self, configurationAttributes, requestParameters):
+        return True

Server/integrations/pingid/pom.xml

@@ -29,13 +29,13 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.67</version>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.76</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
-            <version>1.67</version>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>1.76</version>
         </dependency>
 
         <!-- LOGGING -->

Server/integrations/stytch/README.md

@@ -35,7 +35,7 @@ The custom script has the following properties:
 
     - For `name` use a meaningful identifier, like `stytch`
 
-    - In the `script` field use the contents of this [file](https://github.com/GluuFederation/oxAuth/raw/version_4.5.0/Server/integrations/stytch/stytchExternalAuthenticator.py)
+    - In the `script` field use the contents of this [file](https://github.com/GluuFederation/oxAuth/raw/version_4.5.1/Server/integrations/stytch/stytchExternalAuthenticator.py)
 
     - Tick the `enabled` checkbox
 

Server/integrations/super_gluu/SuperGluuExternalAuthenticator.py

@@ -141,12 +141,15 @@ def init(self, customScript, configurationAttributes):
         if StringHelper.isEmptyString(self.AS_CLIENT_ID):
             clientRegistrationResponse = self.registerScanClient(self.AS_ENDPOINT, self.AS_ENDPOINT, self.AS_SSA, customScript)
             if clientRegistrationResponse == None:
-                return False
-
-            self.AS_CLIENT_ID = clientRegistrationResponse['client_id']
-            self.AS_CLIENT_SECRET = clientRegistrationResponse['client_secret']
+                print "Super-Gluu. Failed to register Scan client!!!"
+            else:
+                self.AS_CLIENT_ID = clientRegistrationResponse['client_id']
+                self.AS_CLIENT_SECRET = clientRegistrationResponse['client_secret']
 
-        self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)
+        if StringHelper.isNotEmptyString(self.AS_CLIENT_ID) and StringHelper.isNotEmptyString(self.AS_CLIENT_SECRET):
+            self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)
+        else:
+            self.enabledPushNotifications = False
 
         print "Super-Gluu. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s', customLabel: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications, self.customLabel)
 
@@ -310,10 +313,10 @@ def authenticate(self, configurationAttributes, requestParameters, step):
                     return False
 
                 user_inum = userService.getUserInum(authenticated_user)
-                
+
                 attach_result = deviceRegistrationService.attachUserDeviceRegistration(user_inum, u2f_device_id)
 
-                print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result) 
+                print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result)
 
                 return attach_result
             elif self.twoStep:
@@ -405,7 +408,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
                 return False
 
             print "Super-Gluu. Prepare for step 2. auth_method: '%s'" % auth_method
-            
+
             issuer = CdiUtil.bean(ConfigurationFactory).getAppConfiguration().getIssuer()
             super_gluu_request_dictionary = {'username': user.getUserId(),
                                'app': client_redirect_uri,
@@ -1062,11 +1065,11 @@ def processAuditGroup(self, user, attribute, group):
     def buildNotifyAuthorizationHeader(self):
         token = self.getAccessTokenJansServer(self.AS_ENDPOINT, self.AS_CLIENT_ID, self.AS_CLIENT_SECRET)
         authorizationHeader =  "Bearer %s" % token
-        
+
         return authorizationHeader
 
     def getAccessTokenJansServer(self, asBaseUrl, asClientId, asClientSecret):
-        endpointUrl = asBaseUrl + "/jans-auth/restv1/token"
+        endpointUrl = asBaseUrl + "/oxauth/restv1/token"
 
         body = "grant_type=client_credentials&scope=https://api.gluu.org/auth/scopes/scan.supergluu"
 
@@ -1107,11 +1110,10 @@ def registerScanClient(self, asBaseUrl, asRedirectUri, asSSA, customScript):
 
         redirect_str = "[\"%s\"]" % asRedirectUri
         data_org = {'redirect_uris': json.loads(redirect_str),
-                    'lifetime': 7884000,
                     'software_statement': asSSA}
         body = json.dumps(data_org)
 
-        endpointUrl = asBaseUrl + "/jans-auth/restv1/register"
+        endpointUrl = asBaseUrl + "/oxauth/restv1/register"
         headers = {"Accept" : "application/json"}
 
         try:
@@ -1149,10 +1151,10 @@ def registerScanClient(self, asBaseUrl, asRedirectUri, asSSA, customScript):
                     conf.setValue2(client_id)
                 elif (StringHelper.equalsIgnoreCase(conf.getValue1(), "AS_CLIENT_SECRET")):
                     conf.setValue2(client_secret)
-            custScriptService.update(customScript)    
+            custScriptService.update(customScript)
 
             print "Super-Gluu. Scan. Stored client credentials in script parameters"
-        except: 
+        except:
             print "Super-Gluu. Scan. Failed to store client credentials.", sys.exc_info()[1]
             return None
 

Server/pom.xml

@@ -292,6 +292,12 @@
 		<dependency>
 			<groupId>org.gluu</groupId>
 			<artifactId>oxauth-common</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.bouncycastle</groupId>
+					<artifactId>bcprov-jdk15on</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<!-- persistence model -->
 		<dependency>
@@ -395,6 +401,12 @@
 			<scope>provided</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>javax.servlet-api</artifactId>
+			<scope>provided</scope>
+		</dependency>
+
         <dependency>
             <groupId>net.bootsfaces</groupId>
             <artifactId>bootsfaces</artifactId>
@@ -405,17 +417,17 @@
 		<!-- Bouncycastle -->
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk15on</artifactId>
+			<artifactId>bcprov-jdk18on</artifactId>
 			<scope>provided</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk15on</artifactId>
+			<artifactId>bcpkix-jdk18on</artifactId>
 			<scope>provided</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcmail-jdk15on</artifactId>
+			<artifactId>bcmail-jdk18on</artifactId>
 			<scope>provided</scope>
 		</dependency>
 
@@ -597,14 +609,13 @@
 		<dependency>
 			<groupId>org.gluu</groupId>
 			<artifactId>oxauth-model</artifactId>
-			<version>${project.version}</version>
 			<type>test-jar</type>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.gluu</groupId>
 			<artifactId>oxauth-client</artifactId>
-			<version>${project.version}</version>
+			<version>4.5.3.Final</version>
 			<type>test-jar</type>
 			<scope>test</scope>
 		</dependency>
@@ -1010,15 +1021,15 @@
 			<dependencies>
 				<dependency>
 					<groupId>org.bouncycastle</groupId>
-					<artifactId>bcprov-jdk15on</artifactId>
+					<artifactId>bcprov-jdk18on</artifactId>
 				</dependency>
 				<dependency>
 					<groupId>org.bouncycastle</groupId>
-					<artifactId>bcpkix-jdk15on</artifactId>
+					<artifactId>bcpkix-jdk18on</artifactId>
 				</dependency>
 				<dependency>
 					<groupId>org.bouncycastle</groupId>
-					<artifactId>bcmail-jdk15on</artifactId>
+					<artifactId>bcmail-jdk18on</artifactId>
 				</dependency>                
 			</dependencies>
 		</profile>
@@ -1210,14 +1221,13 @@
 				<dependency>
 					<groupId>org.gluu</groupId>
 					<artifactId>oxauth-model</artifactId>
-					<version>${project.version}</version>
 					<type>test-jar</type>
 					<scope>test</scope>
 				</dependency>
 				<dependency>
 					<groupId>org.gluu</groupId>
 					<artifactId>oxauth-client</artifactId>
-					<version>${project.version}</version>
+					<version>4.5.3.Final</version>
 					<type>test-jar</type>
 					<scope>test</scope>
 				</dependency>

Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeAction.java

@@ -41,7 +41,7 @@
 import org.gluu.persist.exception.EntryPersistenceException;
 import org.gluu.service.net.NetworkService;
 import org.gluu.util.StringHelper;
-import org.gluu.util.ilocale.LocaleUtil;
+import org.gluu.util.locale.LocaleUtil;
 import org.slf4j.Logger;
 
 import javax.enterprise.context.RequestScoped;