feat(docker): support for OAuth 2.0 Rich Authorization Requests (#7196)

Signed-off-by: iromli <isman.firmansyah@gmail.com> Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
JanssenProject · Dec 27, 2023 · f02db0f · f02db0f
1 parent 19968e8
commit f02db0f
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 86 deletions.
diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile
@@ -51,7 +51,7 @@ RUN /opt/jython/bin/pip uninstall -y pip setuptools
 # ===========
 
 ENV CN_VERSION=1.0.22-SNAPSHOT
-ENV CN_BUILD_DATE='2023-12-14 08:38'
+ENV CN_BUILD_DATE='2023-12-22 08:29'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
 
 # Install Jans Auth
@@ -95,7 +95,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/agama/fl \
     ${JETTY_BASE}/jans-auth/agama/ftl \
     ${JETTY_BASE}/jans-auth/agama/scripts
 
-ENV JANS_SOURCE_VERSION=a2c5d4bd3d09c9f34e79b0d24bc63ece4ca7da43
+ENV JANS_SOURCE_VERSION=c7d99c81efbaffd31b1b7d2963cd4f77768fd40e
 
 # note that as we're pulling from a monorepo (with multiple project in it)
 # we are using partial-clone and sparse-checkout to get the agama code

diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile
@@ -26,7 +26,7 @@ RUN python3 -m ensurepip \
 # =====================
 
 # janssenproject/jans SHA commit
-ENV JANS_SOURCE_VERSION=fd6ece561314e675a31cf8db2d0ca15f9edd0bd0
+ENV JANS_SOURCE_VERSION=c7d99c81efbaffd31b1b7d2963cd4f77768fd40e
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 ARG JANS_SCRIPT_CATALOG_DIR=docs/script-catalog
 ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources

diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -633,11 +633,19 @@ def update_auth_errors_config(self):
         if self.backend.type != "couchbase":
             entry.attrs["jansConfErrors"] = json.loads(entry.attrs["jansConfErrors"])
 
-        conf, should_update = _transform_auth_errors_config(entry.attrs["jansConfErrors"])
+        should_update = False
+
+        # compare config from persistence with the ones from assets
+        with open("/app/templates/jans-auth/jans-auth-errors.json") as f:
+            new_conf = json.loads(f.read())
+
+            if entry.attrs["jansConfErrors"] != new_conf:
+                entry.attrs["jansConfErrors"] = new_conf
+                should_update = True
 
         if should_update:
             if self.backend.type != "couchbase":
-                entry.attrs["jansConfErrors"] = json.dumps(conf)
+                entry.attrs["jansConfErrors"] = json.dumps(entry.attrs["jansConfErrors"])
 
             entry.attrs["jansRevision"] += 1
             self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
@@ -803,87 +811,6 @@ def update_config(self):
             self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
 
 
-def _transform_auth_errors_config(conf):
-    should_update = False
-
-    if "ssa" not in conf:
-        conf["ssa"] = [
-            {
-                "id": "invalid_request",
-                "description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
-                "uri": None,
-            },
-            {
-                "id": "unauthorized_client",
-                "description": "The Client is not authorized to use this authentication flow.",
-                "uri": None,
-            },
-            {
-                "id": "invalid_client",
-                "description": "The Client is not authorized to use this authentication flow.",
-                "uri": None,
-            },
-            {
-                "id": "unknown_error",
-                "description": "Unknown or not found error.",
-                "uri": None,
-            },
-        ]
-        should_update = True
-
-    # add new ssa error
-    ssa_errors = [err["id"] for err in conf["ssa"]]
-
-    if "invalid_signature" not in ssa_errors:
-        conf["ssa"].append({
-            "id": "invalid_signature",
-            "description": "No algorithm found to sign the JWT.",
-            "uri": None,
-        })
-        should_update = True
-
-    if "invalid_ssa_metadata" not in ssa_errors:
-        conf["ssa"].append({
-            "id": "invalid_ssa_metadata",
-            "description": "The value of one of the SSA Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a SSA's Metadata.",
-            "uri": None,
-        })
-        should_update = True
-
-    # dpop as part of token errors
-    dpop_errors = [
-        {
-            "id": "use_dpop_nonce",
-            "description": "Authorization server requires nonce in DPoP proof.",
-            "uri": None
-        },
-        {
-            "id": "use_new_dpop_nonce",
-            "description": "Authorization server requires new nonce in DPoP proof.",
-            "uri": None
-        },
-    ]
-    token_err_ids = [err["id"] for err in conf["token"]]
-
-    for err in dpop_errors:
-        if err["id"] in token_err_ids:
-            continue
-        conf["token"].append(err)
-        should_update = True
-
-    # add stale_evidence on register
-    reg_errors = [err["id"] for err in conf["register"]]
-    if "stale_evidence" not in reg_errors:
-        conf["register"].append({
-            "id": "stale_evidence",
-            "description": "The provided evidence is not current. Resend fresh evidence.",
-            "uri": None,
-        })
-        should_update = True
-
-    return conf, should_update
-
-
 def _transform_auth_static_config(conf):
     should_update = False