fix(oxauth): cnf introspection response is null even when valid cert …

…is send during MTLS #6343 #1868 (4.5.3)

#1868

Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java

@@ -178,14 +178,14 @@ private Response introspect(String p_authorization, String p_token, String token
             } else {
                 log.debug("Failed to find grant for access_token: " + p_token + ". Return 200 with active=false.");
             }
-            JSONObject responseAsJsonObject = createResponseAsJsonObject(response, tokenToIntrospect);
+            JSONObject responseAsJsonObject = createResponseAsJsonObject(response, grantOfIntrospectionToken);
 
             ExternalIntrospectionContext context = new ExternalIntrospectionContext(authorizationGrant, httpRequest, httpResponse, appConfiguration, attributeService);
             context.setGrantOfIntrospectionToken(grantOfIntrospectionToken);
             if (externalIntrospectionService.executeExternalModifyResponse(responseAsJsonObject, context)) {
                 log.trace("Successfully run extenal introspection scripts.");
             } else {
-                responseAsJsonObject = createResponseAsJsonObject(response, tokenToIntrospect);
+                responseAsJsonObject = createResponseAsJsonObject(response, grantOfIntrospectionToken);
                 log.trace("Canceled changes made by external introspection script since method returned `false`.");
             }
 
@@ -198,7 +198,11 @@ private Response introspect(String p_authorization, String p_token, String token
                 return Response.status(Response.Status.OK).entity(createResponseAsJwt(responseAsJsonObject, grantOfIntrospectionToken)).build();
             }
 
-            return Response.status(Response.Status.OK).entity(responseAsJsonObject.toString()).type(MediaType.APPLICATION_JSON_TYPE).build();
+            final String entity = responseAsJsonObject.toString();
+            if (log.isTraceEnabled()) {
+                log.trace("Response entity: {}", entity);
+            }
+            return Response.status(Response.Status.OK).entity(entity).type(MediaType.APPLICATION_JSON_TYPE).build();
 
         } catch (WebApplicationException e) {
             log.error(e.getMessage(), e);
@@ -230,12 +234,21 @@ private String createResponseAsJwt(JSONObject response, AuthorizationGrant grant
         return jwtSigner.sign().toString();
     }
 
-    private static JSONObject createResponseAsJsonObject(IntrospectionResponse response, AbstractToken tokenToIntrospect) throws JSONException, IOException {
+    private JSONObject createResponseAsJsonObject(IntrospectionResponse response, AuthorizationGrant grantOfIntrospectionToken) throws JSONException, IOException {
         final JSONObject result = new JSONObject(ServerUtil.asJson(response));
-        if (tokenToIntrospect != null && StringUtils.isNotBlank(tokenToIntrospect.getX5ts256())) {
-            final JSONObject cnf = new JSONObject();
-            cnf.put("x5t#S256", tokenToIntrospect.getX5ts256());
-            result.put("cnf", cnf);
+
+        if (log.isTraceEnabled()) {
+            log.trace("grantOfIntrospectionToken: {}, x5ts256: {}", (grantOfIntrospectionToken != null), (grantOfIntrospectionToken != null ? grantOfIntrospectionToken.getX5ts256() : ""));
+        }
+
+        if (grantOfIntrospectionToken != null && StringUtils.isNotBlank(grantOfIntrospectionToken.getX5ts256())) {
+            JSONObject cnf = result.optJSONObject("cnf");
+            if (cnf == null) {
+                cnf = new JSONObject();
+                result.put("cnf", cnf);
+            }
+
+            cnf.put("x5t#S256", grantOfIntrospectionToken.getX5ts256());
         }
 
         return result;

Server/src/main/java/org/gluu/oxauth/model/common/AbstractAuthorizationGrant.java

@@ -57,7 +57,7 @@ public abstract class AbstractAuthorizationGrant implements IAuthorizationGrant
     private IdToken idToken;
     private AuthorizationCode authorizationCode;
     private String tokenBindingHash;
-    private String x5cs256;
+    private String x5ts256;
     private String nonce;
     private String codeChallenge;
     private String codeChallengeMethod;
@@ -125,12 +125,12 @@ public void setTokenBindingHash(String tokenBindingHash) {
         this.tokenBindingHash = tokenBindingHash;
     }
 
-    public String getX5cs256() {
-        return x5cs256;
+    public String getX5ts256() {
+        return x5ts256;
     }
 
-    public void setX5cs256(String x5cs256) {
-        this.x5cs256 = x5cs256;
+    public void setX5ts256(String x5ts256) {
+        this.x5ts256 = x5ts256;
     }
 
     @Override
@@ -497,6 +497,6 @@ public String toString() {
                 + '\'' + ", sessionDn='" + sessionDn + '\'' + ", codeChallenge='" + codeChallenge + '\''
                 + ", codeChallengeMethod='" + codeChallengeMethod + '\'' + ", authenticationTime=" + authenticationTime
                 + ", scopes=" + scopes + ", authorizationGrantType=" + authorizationGrantType + ", tokenBindingHash=" + tokenBindingHash
-                + ", x5cs256=" + x5cs256 + ", claims=" + claims + '}';
+                + ", x5ts256=" + x5ts256 + ", claims=" + claims + '}';
     }
 }

Server/src/main/java/org/gluu/oxauth/model/common/AuthorizationGrantList.java

@@ -306,7 +306,7 @@ public AuthorizationGrant asGrant(TokenLdap tokenLdap) {
 
                 result.setTokenBindingHash(tokenLdap.getTokenBindingHash());
                 result.setNonce(nonce);
-                result.setX5cs256(tokenLdap.getAttributes().getX5cs256());
+                result.setX5ts256(tokenLdap.getAttributes().getX5cs256());
                 result.setTokenLdap(tokenLdap);
                 if (StringUtils.isNotBlank(grantId)) {
                     result.setGrantId(grantId);
@@ -334,23 +334,28 @@ public AuthorizationGrant asGrant(TokenLdap tokenLdap) {
                             if (result instanceof AuthorizationCodeGrant) {
                                 final AuthorizationCode code = new AuthorizationCode(tokenLdap.getTokenCode(), tokenLdap.getCreationDate(), tokenLdap.getExpirationDate());
                                 final AuthorizationCodeGrant g = (AuthorizationCodeGrant) result;
+                                code.setX5ts256(g.getX5ts256());
                                 g.setAuthorizationCode(code);
                             }
                             break;
                         case REFRESH_TOKEN:
                             final RefreshToken refreshToken = new RefreshToken(tokenLdap.getTokenCode(), tokenLdap.getCreationDate(), tokenLdap.getExpirationDate());
+                            refreshToken.setX5ts256(result.getX5ts256());
                             result.setRefreshTokens(Arrays.asList(refreshToken));
                             break;
                         case ACCESS_TOKEN:
                             final AccessToken accessToken = new AccessToken(tokenLdap.getTokenCode(), tokenLdap.getCreationDate(), tokenLdap.getExpirationDate());
+                            accessToken.setX5ts256(result.getX5ts256());
                             result.setAccessTokens(Arrays.asList(accessToken));
                             break;
                         case ID_TOKEN:
                             final IdToken idToken = new IdToken(tokenLdap.getTokenCode(), tokenLdap.getCreationDate(), tokenLdap.getExpirationDate());
+                            idToken.setX5ts256(result.getX5ts256());
                             result.setIdToken(idToken);
                             break;
                         case LONG_LIVED_ACCESS_TOKEN:
                             final AccessToken longLivedAccessToken = new AccessToken(tokenLdap.getTokenCode(), tokenLdap.getCreationDate(), tokenLdap.getExpirationDate());
+                            longLivedAccessToken.setX5ts256(result.getX5ts256());
                             result.setLongLivedAccessToken(longLivedAccessToken);
                             break;
                     }