diff --git a/jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java b/jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java index 36a0b3da172..a830b1271a7 100644 --- a/jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java +++ b/jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java @@ -104,6 +104,9 @@ public class RegisterRequest extends BaseRequest { private SignatureAlgorithm tokenEndpointAuthSigningAlg; private Integer defaultMaxAge; private List defaultAcrValues; + private Integer minimumAcrLevel; + private Boolean minimumAcrLevelAutoresolve; + private List minimumAcrPriorityList; private String initiateLoginUri; private List groups; private List postLogoutRedirectUris; @@ -154,6 +157,7 @@ public RegisterRequest() { this.grantTypes = new ArrayList<>(); this.contacts = new ArrayList<>(); this.defaultAcrValues = new ArrayList<>(); + this.minimumAcrPriorityList = new ArrayList<>(); this.postLogoutRedirectUris = new ArrayList<>(); this.groups = new ArrayList<>(); this.requestUris = new ArrayList<>(); @@ -1039,6 +1043,60 @@ public void setDefaultMaxAge(Integer defaultMaxAge) { this.defaultMaxAge = defaultMaxAge; } + /** + * Gets minimum acr level + * + * @return minimum acr level + */ + public Integer getMinimumAcrLevel() { + return minimumAcrLevel; + } + + /** + * Sets minimum acr level + * + * @param minimumAcrLevel minimum acr level + */ + public void setMinimumAcrLevel(Integer minimumAcrLevel) { + this.minimumAcrLevel = minimumAcrLevel; + } + + /** + * Gets minimum acr level auto resolve + * + * @return minimum acr level auto resolve + */ + public Boolean getMinimumAcrLevelAutoresolve() { + return minimumAcrLevelAutoresolve; + } + + /** + * Sets minimum acr level auto resolve + * + * @param minimumAcrLevelAutoresolve minimum acr level auto resolve + */ + public void setMinimumAcrLevelAutoresolve(Boolean minimumAcrLevelAutoresolve) { + this.minimumAcrLevelAutoresolve = minimumAcrLevelAutoresolve; + } + + /** + * Gets minimum acr priority list + * + * @return minimum acr priority list + */ + public List getMinimumAcrPriorityList() { + return minimumAcrPriorityList; + } + + /** + * Sets minimum acr priority list + * + * @param minimumAcrPriorityList minimum acr priority list + */ + public void setMinimumAcrPriorityList(List minimumAcrPriorityList) { + this.minimumAcrPriorityList = minimumAcrPriorityList; + } + /** * Returns the Default requested Authentication Context Class Reference values. * @@ -1379,6 +1437,9 @@ public static RegisterRequest fromJson(JSONObject requestObject) throws JSONExce result.setPostLogoutRedirectUris(extractListByKey(requestObject, POST_LOGOUT_REDIRECT_URIS.toString())); result.setGroups(extractListByKey(requestObject, GROUPS.toString())); result.setDefaultAcrValues(extractListByKey(requestObject, DEFAULT_ACR_VALUES.toString())); + result.setMinimumAcrLevel(integerOrNull(requestObject, MINIMUM_ACR_LEVEL.toString())); + result.setMinimumAcrLevelAutoresolve(requestObject.optBoolean(MINIMUM_ACR_LEVEL_AUTORESOLVE.toString())); + result.setMinimumAcrPriorityList(extractListByKey(requestObject, MINIMUM_ACR_PRIORITY_LIST.toString())); result.setFrontChannelLogoutUri(requestObject.optString(FRONT_CHANNEL_LOGOUT_URI.toString())); result.setFrontChannelLogoutSessionRequired(requestObject.optBoolean(FRONT_CHANNEL_LOGOUT_SESSION_REQUIRED.toString())); result.setBackchannelLogoutUris(extractListByKey(requestObject, BACKCHANNEL_LOGOUT_URI.toString())); @@ -1588,6 +1649,15 @@ public void getParameters(BiFunction function) { if (defaultAcrValues != null && !defaultAcrValues.isEmpty()) { function.apply(DEFAULT_ACR_VALUES.toString(), toJSONArray(defaultAcrValues)); } + if (minimumAcrLevel != null) { + function.apply(MINIMUM_ACR_LEVEL.toString(), minimumAcrLevel.toString()); + } + if (minimumAcrLevelAutoresolve != null) { + function.apply(MINIMUM_ACR_LEVEL_AUTORESOLVE.toString(), minimumAcrLevelAutoresolve.toString()); + } + if (minimumAcrPriorityList != null) { + function.apply(MINIMUM_ACR_PRIORITY_LIST.toString(), toJSONArray(minimumAcrPriorityList)); + } if (StringUtils.isNotBlank(initiateLoginUri)) { function.apply(INITIATE_LOGIN_URI.toString(), initiateLoginUri); } diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/register/RegisterRequestParam.java b/jans-auth-server/model/src/main/java/io/jans/as/model/register/RegisterRequestParam.java index 3af8051eac8..9f5bb4e5c54 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/register/RegisterRequestParam.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/register/RegisterRequestParam.java @@ -226,6 +226,24 @@ public enum RegisterRequestParam { */ DEFAULT_ACR_VALUES("default_acr_values"), + /** + * Integer value which sets minimum acr level. + */ + MINIMUM_ACR_LEVEL("minimum_acr_level"), + + /** + * Boolean value, + * - if false and minimumAcrLevel is higher then current acr_values then reject request + * - if true - resolve acr according to either client's minimumAcrPriorityList or AS auth_level_mapping + */ + MINIMUM_ACR_LEVEL_AUTORESOLVE("minimum_acr_level_autoresolve"), + + /** + * Array of strings, + * - enables client to specify the acr order of preference, rather then just the next lowest integer value + */ + MINIMUM_ACR_PRIORITY_LIST("minimum_acr_priority_list"), + /** * URI using the https scheme that the Authorization Server can call to initiate a login at the Client. */ diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java index 8bf8a968fce..782cf3aaccf 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/RegisterService.java @@ -256,6 +256,19 @@ public void updateClientFromRequestObject(Client client, RegisterRequest request client.setInitiateLoginUri(requestObject.getInitiateLoginUri()); } + final Integer minimumAcrLevel = requestObject.getMinimumAcrLevel(); + if (minimumAcrLevel != null) { + client.getAttributes().setMinimumAcrLevel(minimumAcrLevel); + } + final Boolean minimumAcrLevelAutoresolve = requestObject.getMinimumAcrLevelAutoresolve(); + if (minimumAcrLevelAutoresolve != null) { + client.getAttributes().setMinimumAcrLevelAutoresolve(minimumAcrLevelAutoresolve); + } + final List minimumAcrPriorityList = requestObject.getMinimumAcrPriorityList(); + if (minimumAcrPriorityList != null) { + client.getAttributes().setMinimumAcrPriorityList(new ArrayList<>(new HashSet<>(minimumAcrPriorityList))); + } + final List groups = requestObject.getGroups(); if (groups != null && !groups.isEmpty()) { client.setGroups(new HashSet<>(groups).toArray(new String[0])); // remove duplicates diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java b/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java index 1532032640a..e6d685fefc7 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/register/ws/rs/action/RegisterCreateAction.java @@ -100,6 +100,8 @@ public Response createClient(String requestParams, HttpServletRequest httpReques Response.ResponseBuilder builder = Response.status(Response.Status.CREATED); OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.CLIENT_REGISTRATION); try { + log.trace("Registration request = {}", requestParams); + final JSONObject requestObject = registerService.parseRequestObjectWithoutValidation(requestParams); final JSONObject softwareStatement = registerValidator.validateSoftwareStatement(httpRequest, requestObject); overrideRequestObjectFromSoftwareStatement(requestObject, softwareStatement); @@ -112,7 +114,6 @@ public Response createClient(String requestParams, HttpServletRequest httpReques log.info("Attempting to register client: applicationType = {}, clientName = {}, redirectUris = {}, isSecure = {}, sectorIdentifierUri = {}, defaultAcrValues = {}", r.getApplicationType(), r.getClientName(), r.getRedirectUris(), securityContext.isSecure(), r.getSectorIdentifierUri(), r.getDefaultAcrValues()); - log.trace("Registration request = {}", requestParams); registerValidator.validatePasswordGrantType(r); registerValidator.validateDcrAuthorizationWithClientCredentials(r);