Merge branch 'master' into missing-claim

components/org.wso2.carbon.identity.api.server.dcr/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.dcr</artifactId>
-    <version>7.0.178-SNAPSHOT</version>
+    <version>7.0.198-SNAPSHOT</version>
     <name>WSO2 Carbon -  User DCR Rest API</name>
     <description>WSO2 Carbon - User DCR Rest API</description>
 

components/org.wso2.carbon.identity.api.server.oauth.scope/pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
         <relativePath>../..</relativePath>
     </parent>
 
     <artifactId>org.wso2.carbon.identity.api.server.oauth.scope</artifactId>
-    <version>7.0.178-SNAPSHOT</version>
+    <version>7.0.198-SNAPSHOT</version>
 
     <name>WSO2 Carbon - Identity OAuth 2.0 Scope Rest APIs</name>
     <description>Rest APIs for OAuth 2.0 Scope Handling</description>

components/org.wso2.carbon.identity.client.attestation.filter/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -21,7 +21,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -20,7 +20,7 @@
     <parent>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

components/org.wso2.carbon.identity.oauth.client.authn.filter/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
@@ -45,11 +45,6 @@
             <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
             <artifactId>org.wso2.carbon.identity.oauth</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-            <scope>provided</scope>
-        </dependency>
     </dependencies>
     <build>
         <plugins>

components/org.wso2.carbon.identity.oauth.client.authn.filter/src/main/java/org/wso2/carbon/identity/oauth/client/authn/filter/OAuthClientAuthenticatorProxy.java

@@ -30,7 +30,6 @@
 import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
-import org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService;
 
 import java.util.Arrays;
 import java.util.HashMap;
@@ -51,7 +50,6 @@ public class OAuthClientAuthenticatorProxy extends AbstractPhaseInterceptor<Mess
     private static final String HTTP_REQUEST = "HTTP.REQUEST";
     private static final List<String> PROXY_ENDPOINT_LIST = Arrays.asList("/oauth2/token", "/oauth2/revoke",
             "/oauth2/device_authorize", "/oauth2/ciba", "/oauth2/par", "/oauth2/authorize");
-    private OAuthClientAuthnService oAuthClientAuthnService;
     private static final String SLASH = "/";
 
     public OAuthClientAuthenticatorProxy() {
@@ -60,16 +58,6 @@ public OAuthClientAuthenticatorProxy() {
         super(Phase.PRE_INVOKE);
     }
 
-    public OAuthClientAuthnService getOAuthClientAuthnService() {
-
-        return oAuthClientAuthnService;
-    }
-
-    public void setOAuthClientAuthnService(OAuthClientAuthnService oAuthClientAuthnService) {
-
-        this.oAuthClientAuthnService = oAuthClientAuthnService;
-    }
-
     /**
      * Handles the incoming JAX-RS message for the purpose of OAuth2 client authentication.
      *
@@ -82,8 +70,8 @@ public void handleMessage(Message message) {
         HttpServletRequest request = ((HttpServletRequest) message.get(HTTP_REQUEST));
         if (canHandle(message)) {
             try {
-                OAuthClientAuthnContext oAuthClientAuthnContext = oAuthClientAuthnService
-                        .authenticateClient(request, bodyContentParams);
+                OAuthClientAuthnContext oAuthClientAuthnContext = OAuthClientAuthnServiceFactory
+                        .getOAuthClientAuthnService().authenticateClient(request, bodyContentParams);
                 if (!oAuthClientAuthnContext.isPreviousAuthenticatorEngaged()) {
                     /* If the previous authenticator is not engaged it means that either client authentication
                     flow failed or no supported authenticaiton mechanism was found.If the error details are already

components/org.wso2.carbon.identity.oauth.client.authn.filter/src/main/java/org/wso2/carbon/identity/oauth/client/authn/filter/OAuthClientAuthnServiceFactory.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2019-2024, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -18,37 +18,29 @@
 
 package org.wso2.carbon.identity.oauth.client.authn.filter;
 
-import org.springframework.beans.factory.config.AbstractFactoryBean;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService;
 
 /**
- * Factory Beans serves as a factory for creating other beans within the IOC container. This factory bean is used to
- * instantiate the OAuthClientAuthnService type of object inside the container.
+ * Factory class to get OAuthClientAuthnService OSGI service.
  */
-public class OAuthClientAuthnServiceFactory extends AbstractFactoryBean<OAuthClientAuthnService> {
+public class OAuthClientAuthnServiceFactory {
 
-    public OAuthClientAuthnService oAuthClientAuthnService;
+    private static final OAuthClientAuthnService SERVICE;
 
+    static {
+        OAuthClientAuthnService oAuthClientAuthnService = (OAuthClientAuthnService) PrivilegedCarbonContext
+                .getThreadLocalCarbonContext().getOSGiService(OAuthClientAuthnService.class, null);
 
-    @Override
-    public Class<OAuthClientAuthnService> getObjectType() {
+        if (oAuthClientAuthnService == null) {
+            throw new IllegalStateException("OAuthClientAuthnService is not available from OSGI context.");
+        }
 
-        return OAuthClientAuthnService.class;
+        SERVICE = oAuthClientAuthnService;
     }
 
-    @Override
-    protected OAuthClientAuthnService createInstance() throws Exception {
-
-        if (this.oAuthClientAuthnService != null) {
-            return this.oAuthClientAuthnService;
-        } else {
-            OAuthClientAuthnService oAuthClientAuthnService = (OAuthClientAuthnService) PrivilegedCarbonContext
-                    .getThreadLocalCarbonContext().getOSGiService(OAuthClientAuthnService.class, null);
-            if (oAuthClientAuthnService != null) {
-                this.oAuthClientAuthnService = oAuthClientAuthnService;
-            }
-            return oAuthClientAuthnService;
-        }
+    public static OAuthClientAuthnService getOAuthClientAuthnService() {
+
+        return SERVICE;
     }
 }

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -23,7 +23,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java

@@ -117,6 +117,8 @@ public final class OAuthConstants {
 
     public static final String READ_AMR_VALUE_FROM_IDP = "OAuth.ReplaceDefaultAMRValuesWithIDPSentValues";
 
+    public static final String OAUTH_APP = "OAuthAppDO";
+
     public static final String CNF = "cnf";
     public static final String MTLS_AUTH_HEADER = "MutualTLS.ClientCertificateHeader";
     public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";

components/org.wso2.carbon.identity.oauth.dcr.endpoint/pom.xml

@@ -6,7 +6,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/pom.xml

@@ -22,7 +22,7 @@
         <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
         <artifactId>identity-inbound-auth-oauth</artifactId>
         <relativePath>../../pom.xml</relativePath>
-        <version>7.0.178-SNAPSHOT</version>
+        <version>7.0.198-SNAPSHOT</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/api/auth/ApiAuthnHandler.java

@@ -130,7 +130,7 @@ private List<Message> buildMessages(AuthServiceResponse authServiceResponse) {
                         message.setContext(buildMessageContext(authenticatorData.getMessage().getContext()));
                     }
                     message.setContext(buildMessageContext(authenticatorData.getMessage().getContext()));
-
+                    messages.add(message);
                 }
             }
         }

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java

@@ -534,9 +534,7 @@ private Response handleOAuthSystemException(OAuthMessage oAuthMessage, OAuthSyst
         if (oAuthMessage.getSessionDataCacheEntry() != null) {
             params = oAuthMessage.getSessionDataCacheEntry().getoAuth2Parameters();
         }
-        if (log.isDebugEnabled()) {
-            log.debug("Server error occurred while performing authorization", e);
-        }
+        log.error("Server error occurred while performing authorization", e);
         OAuthProblemException ex = OAuthProblemException.error(OAuth2ErrorCodes.SERVER_ERROR,
                 "Server error occurred while performing authorization");
         return Response.status(HttpServletResponse.SC_FOUND).location(new URI(
@@ -547,14 +545,15 @@ private Response handleIdentityException(HttpServletRequest request, IdentityExc
             throws URISyntaxException {
 
         if (OAuth2ErrorCodes.SERVER_ERROR.equals(e.getErrorCode())) {
-            if (log.isDebugEnabled()) {
-                log.debug("Server error occurred while performing authorization", e);
-            }
+            log.error("Server error occurred while performing authorization", e);
             OAuthProblemException ex = OAuthProblemException.error(OAuth2ErrorCodes.SERVER_ERROR,
                     "Server error occurred while performing authorization");
             return Response.status(HttpServletResponse.SC_FOUND).location(new URI(
                     EndpointUtil.getErrorRedirectURL(request, ex, null))).build();
         }
+        if (log.isDebugEnabled()) {
+            log.debug("Invalid authorization request", e);
+        }
         return Response.status(HttpServletResponse.SC_FOUND).location(new URI(EndpointUtil.getErrorPageURL(request,
                 e.getErrorCode(), OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_AUTHORIZATION_REQUEST,
                 e.getMessage(), null))).build();

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java

@@ -30,15 +30,15 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.base.MultitenantConstants;
+import org.wso2.carbon.core.util.KeyStoreManager;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
-import org.wso2.carbon.identity.core.IdentityKeyStoreResolver;
-import org.wso2.carbon.identity.core.util.IdentityKeyStoreResolverConstants;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.utils.security.KeystoreUtils;
 
 import java.security.KeyStore;
 import java.security.cert.Certificate;
@@ -79,22 +79,21 @@ public String jwks() {
 
         try {
             final KeyStore keystore;
-
+            List<CertificateInfo> certificateInfoList = new ArrayList<>();
             if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equalsIgnoreCase(tenantDomain)) {
-                keystore = IdentityKeyStoreResolver.getInstance().getKeyStore(
-                        tenantDomain, IdentityKeyStoreResolverConstants.InboundProtocol.OAUTH);
+                KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
+                keystore = keyStoreManager.getPrimaryKeyStore();
             } else {
                 try {
                     int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
                     IdentityTenantUtil.initializeRegistry(tenantId);
                     FrameworkUtils.startTenantFlow(tenantDomain);
-                    keystore = IdentityKeyStoreResolver.getInstance().getKeyStore(
-                            tenantDomain, IdentityKeyStoreResolverConstants.InboundProtocol.OAUTH);
+                    KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
+                    keystore = keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain));
                 } finally {
                     FrameworkUtils.endTenantFlow();
                 }
             }
-            List<CertificateInfo> certificateInfoList = new ArrayList<>();
             Enumeration enumeration = keystore.aliases();
             while (enumeration.hasMoreElements()) {
                 String alias = (String) enumeration.nextElement();
@@ -251,6 +250,16 @@ private String logAndReturnError(String errorMesage, Exception e) {
         return errorMesage;
     }
 
+    /**
+     * This method generates the key store file name from the Domain Name.
+     *
+     * @return key store file name
+     */
+    private String generateKSNameFromDomainName(String tenantDomain) {
+
+        return KeystoreUtils.getKeyStoreFileLocation(tenantDomain);
+    }
+
     /**
      * This method generates the base64 encoded certificate list from a Certificate array.
      *

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/user/impl/UserInfoUserStoreClaimRetriever.java

@@ -20,6 +20,7 @@
 import org.apache.commons.collections.MapUtils;
 import org.wso2.carbon.identity.application.common.model.ClaimMapping;
 import org.wso2.carbon.identity.core.util.IdentityCoreConstants;
+import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
 import org.wso2.carbon.identity.oauth.endpoint.util.ClaimUtil;
 import org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever;
 
@@ -43,7 +44,10 @@ public Map<String, Object> getClaimsMap(Map<ClaimMapping, String> userAttributes
                 }
                 String claimValue = entry.getValue();
                 String claimUri = entry.getKey().getRemoteClaim().getClaimUri();
-                if (ClaimUtil.isMultiValuedAttribute(claimUri, claimValue)) {
+                boolean isMultiValueSupportEnabledForUserinfoResponse = OAuthServerConfiguration.getInstance()
+                        .getUserInfoMultiValueSupportEnabled();
+                if (isMultiValueSupportEnabledForUserinfoResponse &&
+                        ClaimUtil.isMultiValuedAttribute(claimUri, claimValue)) {
                     String[] attributeValues = ClaimUtil.processMultiValuedAttribute(claimValue);
                     claims.put(entry.getKey().getRemoteClaim().getClaimUri(), attributeValues);
                 } else {

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/ClaimUtil.java

@@ -190,7 +190,10 @@ public static Map<String, Object> getClaimsFromUserStore(OAuth2TokenValidationRe
                                         continue;
                                     }
                                 }
-                                if (isMultiValuedAttribute(oidcClaimUri, claimValue)) {
+                                boolean isMultiValueSupportEnabledForUserinfoResponse = OAuthServerConfiguration
+                                        .getInstance().getUserInfoMultiValueSupportEnabled();
+                                if (isMultiValueSupportEnabledForUserinfoResponse &&
+                                        isMultiValuedAttribute(oidcClaimUri, claimValue)) {
                                     String[] attributeValues = processMultiValuedAttribute(claimValue);
                                     mappedAppClaims.put(oidcClaimUri, attributeValues);
                                 } else {