feat(jans-auth-server): introduced additional_token_endpoint_auth_met…

…hod client's property #3473
JanssenProject · yuriyz · Mar 7, 2023 · Mar 2, 2023 · Mar 3, 2023 · Mar 3, 2023
commit 4719a5cd37d2d45c8615da9553dee5f8abb2f2ce
@@ -21,10 +21,7 @@
 import org.apache.commons.lang.StringUtils;
 
 import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Locale;
+import java.util.*;
 
 /**
  * @author Javier Rojas Blum
@@ -328,6 +325,22 @@ public AuthenticationMethod getAuthenticationMethod() {
         return AuthenticationMethod.fromString(tokenEndpointAuthMethod);
     }
 
+    public boolean hasAuthenticationMethod(AuthenticationMethod authenticationMethod) {
+        return getAllAuthenticationMethods().contains(authenticationMethod);
+    }
+
+    public Set<AuthenticationMethod> getAllAuthenticationMethods() {
+        Set<AuthenticationMethod> set = new HashSet<>();
+
+        final AuthenticationMethod authenticationMethod = getAuthenticationMethod();
+        if (authenticationMethod != null) {
+            set.add(authenticationMethod);
+        }
+
+        set.addAll(AuthenticationMethod.fromList(getAttributes().getAdditionalTokenEndpointAuthMethods()));
+        return set;
+    }
+
     /**
      * Gets logout session required.
      *

@@ -1257,6 +1257,11 @@ paths:
                 token_endpoint_auth_method:
                   type: string
                   description: Requested Client Authentication method for the Token Endpoint.
+                additional_token_endpoint_auth_method:
+                  type: array
+                    description: Array of additional Client Authentication methods for the Token Endpoint
+                    items:
+                      type: string
                 token_endpoint_auth_signing_alg:
                   type: string
                   description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint
@@ -1645,6 +1650,11 @@ paths:
                 token_endpoint_auth_method:
                   type: string
                   description: Requested Client Authentication method for the Token Endpoint.
+                additional_token_endpoint_auth_method:
+                  type: array
+                    description: Array of additional Client Authentication methods for the Token Endpoint
+                    items:
+                      type: string
                 token_endpoint_auth_signing_alg:
                   type: string
                   description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint
@@ -2034,6 +2044,11 @@ paths:
                   token_endpoint_auth_method:
                     type: string
                     description: Requested Client Authentication method for the Token Endpoint.
+                  additional_token_endpoint_auth_method:
+                    type: array
+                      description: Array of additional Client Authentication methods for the Token Endpoint
+                      items:
+                        type: string
                   token_endpoint_auth_signing_alg:
                     type: string
                     description: JWS alg algorithm (JWA) that must be used for signing the JWT used to authenticate the Client at the Token Endpoint

@@ -9,6 +9,9 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonValue;
 
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * @author Javier Rojas Blum Date: 03.23.2012
  */
@@ -90,6 +93,17 @@ public static AuthenticationMethod fromString(String param) {
         return null;
     }
 
+    public static List<AuthenticationMethod> fromList(List<String> list) {
+        List<AuthenticationMethod> result = new ArrayList<>();
+        for (String s : list) {
+            final AuthenticationMethod authenticationMethod = fromString(s);
+            if (authenticationMethod != null) {
+                result.add(authenticationMethod);
+            }
+        }
+        return result;
+    }
+
     /**
      * Returns a string representation of the object. In this case the parameter
      * name for the authentication method parameter.

@@ -113,6 +113,9 @@ public class ClientAttributes implements Serializable {
     @JsonProperty("minimumAcrLevelAutoresolve")
     private Boolean minimumAcrLevelAutoresolve;
 
+    @JsonProperty("additionalTokenEndpointAuthMethods")
+    private List<String> additionalTokenEndpointAuthMethods;
+
     @JsonProperty("minimumAcrPriorityList")
     private List<String> minimumAcrPriorityList;
 
@@ -124,6 +127,15 @@ public void setMinimumAcrLevelAutoresolve(Boolean minimumAcrLevelAutoresolve) {
         this.minimumAcrLevelAutoresolve = minimumAcrLevelAutoresolve;
     }
 
+    public List<String> getAdditionalTokenEndpointAuthMethods() {
+        if (additionalTokenEndpointAuthMethods == null) additionalTokenEndpointAuthMethods = new ArrayList<>();
+        return additionalTokenEndpointAuthMethods;
+    }
+
+    public void setAdditionalTokenEndpointAuthMethods(List<String> additionalTokenEndpointAuthMethods) {
+        this.additionalTokenEndpointAuthMethods = additionalTokenEndpointAuthMethods;
+    }
+
     public List<String> getMinimumAcrPriorityList() {
         if (minimumAcrPriorityList == null) minimumAcrPriorityList = new ArrayList<>();
         return minimumAcrPriorityList;
@@ -415,6 +427,7 @@ public String toString() {
                 ", allowOfflineAccessWithoutConsent=" + allowOfflineAccessWithoutConsent +
                 ", minimumAcrLevel=" + minimumAcrLevel +
                 ", minimumAcrLevelAutoresolve=" + minimumAcrLevelAutoresolve +
+                ", additionalTokenEndpointAuthMethods=" + additionalTokenEndpointAuthMethods +
                 ", minimumAcrPriorityList=" + minimumAcrPriorityList +
                 ", defaultPromptLogin=" + defaultPromptLogin +
                 '}';

@@ -27,6 +27,7 @@
 
 import java.util.Date;
 import java.util.List;
+import java.util.Set;
 
 /**
  * @author Javier Rojas Blum
@@ -92,16 +93,16 @@ private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider c
                             // Validate client
                             if (client != null) {
                                 JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
-                                AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
+                                Set<AuthenticationMethod> authenticationMethods = client.getAllAuthenticationMethods();
                                 SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
 
                                 if (jwtType == null && signatureAlgorithm != null) {
                                     jwtType = signatureAlgorithm.getJwtType();
                                 }
 
                                 if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null &&
-                                        ((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily()))
-                                                || (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (AlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily()) || AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily()))))) {
+                                        ((authenticationMethods.contains(AuthenticationMethod.CLIENT_SECRET_JWT) && AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily()))
+                                                || (authenticationMethods.contains(AuthenticationMethod.PRIVATE_KEY_JWT) && (AlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily()) || AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily()))))) {
                                     if (client.getTokenEndpointAuthSigningAlg() == null || SignatureAlgorithm.fromString(client.getTokenEndpointAuthSigningAlg()).equals(signatureAlgorithm)) {
                                         clientSecret = clientService.decryptSecret(client.getClientSecret());