CHANGELOG.md

+## [17.1.3](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.1.2...v17.1.3) (2024-02-14)
+
+
+### Bug Fixes
+
+* 🐛 default values for dynreg ([93f2a85](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/93f2a85b46df5419eb20286bc69cb633ec471c47))
+* 🐛 remove addit. info. (aud, resource) from token responses ([0e0996d](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/0e0996d228afdb788e66e6fe35b5338db9caac37))
+
 ## [17.1.2](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.1.1...v17.1.2) (2024-02-14)
 
 

perun-oidc-server-webapp/pom.xml

@@ -21,7 +21,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>17.1.2</version>
+		<version>17.1.3</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

perun-oidc-server/pom.xml

@@ -22,7 +22,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>17.1.2</version>
+		<version>17.1.3</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/DynamicallyRegisteredRequestBody.java

@@ -40,7 +40,7 @@ public class DynamicallyRegisteredRequestBody {
     private String tosUri;
 
     @JsonAlias("token_endpoint_auth_method")
-    private String tokenEndpointAuthMethod;
+    private String tokenEndpointAuthMethod = "client_secret_basic";
 
     @JsonAlias("scope")
     private Set<String> scope = new HashSet<>();
@@ -118,25 +118,25 @@ public class DynamicallyRegisteredRequestBody {
     private Set<String> requestUris = new HashSet<>();
 
     @JsonAlias("access_token_validity_seconds")
-    private Integer accessTokenValiditySeconds = 0;
+    private Integer accessTokenValiditySeconds = 3600;
 
     @JsonAlias("refresh_token_validity_seconds")
-    private Integer refreshTokenValiditySeconds = 0;
+    private Integer refreshTokenValiditySeconds = 28800;
 
     @JsonAlias("resources")
     private Set<String> resource = new HashSet<>();
 
     @JsonAlias("reuse_refresh_token")
-    private boolean reuseRefreshToken = true;
+    private boolean reuseRefreshToken = false;
 
     @JsonAlias("id_token_validity_seconds")
-    private Integer idTokenValiditySeconds;
+    private Integer idTokenValiditySeconds = 3600;
 
     @JsonAlias("clear_access_tokens_on_refresh")
     private boolean clearAccessTokensOnRefresh = true;
 
     @JsonAlias("device_code_validity_seconds")
-    private Integer deviceCodeValiditySeconds = 0;
+    private Integer deviceCodeValiditySeconds = 300;
 
     @JsonAlias("claim_redirect_uris")
     private Set<String> claimsRedirectUris = new HashSet<>();

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -253,6 +253,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			token.setApprovedSite(ap);
 		}
 
+		Set<String> aud = new HashSet<>();
+		aud.add(client.getClientId());
 		if (originalAuthRequest.getResourceIds() != null && !originalAuthRequest.getResourceIds().isEmpty()) {
 			if (!clientDetailsService.checkResourceIdsAreAllowedForClient(
 					client.getClientId(), originalAuthRequest.getResourceIds())
@@ -266,17 +268,15 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 				resourceIds.add(client.getClientId());
 				token.getAdditionalInformation().put(RESOURCE, resourceIds);
 			}
+			aud.addAll(originalAuthRequest.getResourceIds());
 		}
+		token.getAdditionalInformation().put(RESOURCE, aud);
 
 		OAuth2AccessTokenEntity enhancedToken = (OAuth2AccessTokenEntity) tokenEnhancer.enhance(token, authentication);
 
 		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
 		if (client.isAllowRefresh() && token.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
-			OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(
-					client,
-					authHolder,
-					(Set<String>) token.getAdditionalInformation().getOrDefault(RESOURCE, new HashSet<>())
-			);
+			OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, authHolder, aud);
 			token.setRefreshToken(savedRefreshToken);
 		}
 
@@ -306,13 +306,12 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		refreshClaims.jwtID(UUID.randomUUID().toString());
 		refreshClaims.issuer(configBean.getIssuer());
 		if (resources == null || resources.isEmpty()) {
-			String audience = client.getClientId();
-			if (!Strings.isNullOrEmpty(audience)) {
-				refreshClaims.audience(Lists.newArrayList(audience));
-			}
-		} else {
-			refreshClaims.audience(new ArrayList<>(resources));
+			resources = new HashSet<>();
+		}
+		if (!Strings.isNullOrEmpty(client.getClientId())) {
+			resources.add(client.getClientId());
 		}
+		refreshClaims.audience(Lists.newArrayList(resources));
 
 		JWTClaimsSet claims = refreshClaims.build();
 
@@ -417,7 +416,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			token.setExpiration(expiration);
 		}
 
-		Set<String> resources = new HashSet<>();
+		Set<String> aud = new HashSet<>();
+		aud.add(client.getClientId());
+
 		if (refreshToken.getJwt() != null) {
 			JWTClaimsSet claimsSet;
 			try {
@@ -428,21 +429,20 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			if (claimsSet != null) {
 				List<String> audience = claimsSet.getAudience();
 				if (audience != null && !audience.isEmpty()) {
-					resources = new HashSet<>(audience);
-					token.getAdditionalInformation().put(AUD, audience.get(0));
-					if (audience.size() > 1) {
-						token.getAdditionalInformation().put(RESOURCE, resources);
-					}
+					aud.addAll(audience);
 				}
 			}
 		}
 
+		token.getAdditionalInformation().put(AUD, aud);
+		token.getAdditionalInformation().put(RESOURCE, aud);
+
 		if (client.isReuseRefreshToken()) {
 			// if the client re-uses refresh tokens, do that
 			token.setRefreshToken(refreshToken);
 		} else {
 			// otherwise, make a new refresh token
-			OAuth2RefreshTokenEntity newRefresh = createRefreshToken(client, authHolder, resources);
+			OAuth2RefreshTokenEntity newRefresh = createRefreshToken(client, authHolder, aud);
 			token.setRefreshToken(newRefresh);
 
 			// clean up the old refresh token

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/PerunAccessTokenEnhancer.java

@@ -33,11 +33,11 @@ import java.util.Set;
 import java.util.UUID;
 
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.ACR;
-import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.AUD;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.AUTH_TIME;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.CLIENT_ID;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE_SEPARATOR;
+import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.AUD;
 import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.RESOURCE;
 
 /**
@@ -104,7 +104,9 @@ public class PerunAccessTokenEnhancer implements TokenEnhancer {
         audience.add(client.getClientId());
         if (token.getAdditionalInformation().containsKey(RESOURCE)) {
             audience.addAll((Set<String>) token.getAdditionalInformation().getOrDefault(RESOURCE, new HashSet<>()));
+            token.getAdditionalInformation().remove(RESOURCE);
         }
+
         String audExtension = (String) authentication.getOAuth2Request().getExtensions().getOrDefault(AUD, null);
         if (StringUtils.hasText(audExtension)) {
             audience.add(audExtension);

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>cz.muni.ics</groupId>
 	<artifactId>perun-oidc-parent</artifactId>
-	<version>17.1.2</version>
+	<version>17.1.3</version>
 	<packaging>pom</packaging>
 
 	<modules>