CHANGELOG.md

+# [18.0.0](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.3.3...v18.0.0) (2024-03-19)
+
+
+### Bug Fixes
+
+* 🐛 update LS AAI theme ([702c58c](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/702c58cef7f3d7fbf6e65483145e18b623bf21e9))
+
+
+### Features
+
+* 🎸 Pass in ACRs onlyAllowed and blocked IdPs ([ec6662b](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/ec6662b6c9f7865bc849d559c926e68ce86fe507))
+
+
+### BREAKING CHANGES
+
+* requires database update (see v18.0.0.sql script)
+
 ## [17.3.3](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.3.2...v17.3.3) (2024-03-18)
 
 

perun-oidc-server-webapp/pom.xml

@@ -21,7 +21,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>17.3.3</version>
+		<version>18.0.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql

@@ -302,3 +302,13 @@ CREATE TABLE IF NOT EXISTS device_code_request_parameter (
 	param VARCHAR(2048),
 	val VARCHAR(2048)
 );
+
+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);

perun-oidc-server-webapp/src/main/resources/db/hsql/v18.0.0.sql

+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+alter table client_only_allowed_idps
+    add constraint client_only_allowed_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
+alter table client_blocked_idps
+    add constraint client_blocked_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
\ No newline at end of file

perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql

@@ -205,6 +205,16 @@ CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
     redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
     token_value VARCHAR(4096),
@@ -471,3 +481,13 @@ alter table whitelisted_site_scope
     add constraint whitelisted_site_scope_whitelisted_site_id_fk
         foreign key (owner_id) references whitelisted_site (id)
             on update cascade on delete cascade;
+
+alter table client_only_allowed_idps
+    add constraint client_only_allowed_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
+alter table client_blocked_idps
+    add constraint client_blocked_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
\ No newline at end of file

perun-oidc-server-webapp/src/main/resources/db/mysql/v18.0.0.sql

+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+alter table client_only_allowed_idps
+    add constraint client_only_allowed_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
+alter table client_blocked_idps
+    add constraint client_blocked_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
\ No newline at end of file

perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql

@@ -209,6 +209,16 @@ CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
     redirect_uri VARCHAR(2048)
 );
 
+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
     id BIGSERIAL PRIMARY KEY,
     token_value VARCHAR(4096),
@@ -435,6 +445,16 @@ alter table client_scope
         foreign key (owner_id) references client_details (id)
             on update cascade on delete cascade;
 
+alter table client_only_allowed_idps
+    add constraint client_only_allowed_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
+alter table client_blocked_idps
+    add constraint client_blocked_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
 alter table device_code
     add constraint device_code_client_details_id_fk
         foreign key (client_id) references client_details (client_id)

perun-oidc-server-webapp/src/main/resources/db/psql/v18.0.0.sql

+CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+CREATE TABLE IF NOT EXISTS client_blocked_idps (
+    owner_id BIGINT,
+    idp_entity_id VARCHAR(512)
+);
+
+alter table client_only_allowed_idps
+    add constraint client_only_allowed_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
+
+alter table client_blocked_idps
+    add constraint client_blocked_idps_client_details_id_fk
+        foreign key (owner_id) references client_details (id)
+            on update cascade on delete cascade;
\ No newline at end of file

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag

@@ -6,6 +6,7 @@
 <%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
 <%@ taglib prefix="envri" tagdir="/WEB-INF/tags/envri" %>
 <%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
+<%@ taglib prefix="lsaai" tagdir="/WEB-INF/tags/lsaai" %>
 <%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ attribute name="baseURL" required="true" %>
 <%@ attribute name="samlResourcesURL" required="true" %>
@@ -27,6 +28,9 @@
     <c:when test="${theme eq 'muni'}">
         <muni:footer/>
     </c:when>
+    <c:when test="${theme eq 'lsaai'}">
+        <lsaai:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
     <c:otherwise>
         <o:footer />
     </c:otherwise>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag

@@ -6,6 +6,7 @@
 <%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
 <%@ taglib prefix="envri" tagdir="/WEB-INF/tags/envri" %>
 <%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
+<%@ taglib prefix="lsaai" tagdir="/WEB-INF/tags/lsaai" %>
 <%@ attribute name="title" required="true" %>
 <%@ attribute name="reqURL" required="true" %>
 <%@ attribute name="baseURL" required="true" %>
@@ -29,6 +30,9 @@
     <c:when test="${theme eq 'muni'}">
         <muni:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
     </c:when>
+    <c:when test="${theme eq 'lsaai'}">
+        <lsaai:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+    </c:when>
     <c:otherwise>
         <o:header title="${title}"/>
     </c:otherwise>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/footer.tag

 <%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
+<%@ attribute name="js" required="false"%>
+<%@ attribute name="baseURL" required="true"%>
+<%@ attribute name="samlResourcesURL" required="true"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<jsp:useBean id="date" class="java.util.Date" />
 
-        </div> <!-- ENDCARD_BODY -->
-    </div> <!-- ENDCARD -->
-</div> <!-- ENDCOL -->
-</div> <!-- ENDROW -->
-<footer>
-    <div class="footer offset-1 col-10 offset-sm-1 col-sm-10 offset-md-2 col-md-8 offset-lg-3 col-lg-6 offset-xl-3 col-xl-6">
-        <div class="footer-contact">
-            <a class="contact-link" href="mailto:support@aai.lifescience-ri.eu">Contact us</a>
+<div class="container" id="footer">
+    <div class="row mt-1">
+        <div class="col-xs-3 col-md-2">
+            <div class="img-wrap" id="footer-ls-logo">
+                <a href="https://lifescience-ri.eu/ls-login/" target="_blank">
+                    <img src="${samlResourcesURL}/module.php/perun/res/img/lsaai_logo_120.png"
+                         alt="European Life Science Research Infrastructures Logo">
+                </a>
+            </div>
         </div>
-        <div class="footer-policy">
-            <a class="footer-policy-link" href="https://lifescience-ri.eu/ls-login/ls-aai-aup.html">Privacy Policy</a>
+        <div class="col-xs-9 col-md-10 mt-xs-1">
+            <p class="text-justify ">LS Login, an authentication service of the European Life Science Research
+                Infrastructures (LS RI), is a community platform established via the EOSC-Life project and operated by
+                Masaryk University, Brno, CZ. Visit our
+                <a href="https://lifescience-ri.eu/ls-login/" target="_blank">homepage</a>
+                or contact us at
+                <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>.</p>
         </div>
     </div>
-</footer>
-<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/jquery.min.js"></script>
-<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/bootstrap.min.js"></script>
-<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/cmservice.js"></script>
-</body>
-</html>
\ No newline at end of file
+    <div class="row mb-2 mt-1">
+        <div class="col-xs-3 col-md-2">
+            <div class="img-wrap">
+                <img src="${samlResourcesURL}/module.php/perun/res/img/eu_logo_120.png"
+                     alt="European Union flag">
+            </div>
+        </div>
+        <div class="col-xs-9 col-md-10 mt-xs-1">
+            <p class="text-justify">
+                <a href="https://lifescience-ri.eu/" target="_blank">The European Life Science Research
+                    Infrastructures</a> has received funding from the European Union’s Horizon 2020 research
+                and innovation programme under grant agreement No 654248 and from the European Union’s Horizon
+                2020 programme under grant agreement number 824087.
+            </p>
+        </div>
+    </div>
+</div>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/header.tag

 <%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<html>
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
-    <link href="${config.getIssuer(false)}/resources/css/lsaai/bootstrap.min.css" rel="stylesheet" type="text/css"/>
-    <link href="${config.getIssuer(false)}/resources/css/lsaai/eduteams.css" rel="stylesheet" type="text/css"/>
-    <link href="${config.getIssuer(false)}/resources/css/lsaai/cmservice.css" rel="stylesheet" type="text/css"/>
-    <link rel="icon" href="${config.favicon}">
-    <title>LS Login</title>
-    <link rel="preconnect" href="https://fonts.googleapis.com">
-    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-    <link href="https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;0,700;0,900;1,100;1,300;1,400;1,500;1,700;1,900&display=swap" rel="stylesheet">
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
+<%@ attribute name="title" required="true" %>
+<%@ attribute name="reqURL" required="true" %>
+<%@ attribute name="baseURL" required="true" %>
+<%@ attribute name="samlResourcesURL" required="true" %>
+<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
+
+<c:set var="logoURL" value="${samlResourcesURL}/module.php/perun/res/img/lsaai_logo_200.png"/>
+
+<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
+
+<link rel="icon" href="resources/images/lsaai.ico" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/perun/res/bootstrap/css/bootstrap.min.css" />
+<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/perun/res/css/lsaai.css" />
+
+<o:headerCssLinks cssLinks="${cssLinks}"/>
+
+</head>
+
 <body>
-<div class="row">
-    <div class="offset-1 col-10 offset-sm-1 col-sm-10 offset-md-2 col-md-8 offset-lg-3 col-lg-6 offset-xl-3 col-xl-6">
-        <div class="card">
-            <img class="card-img-top" src="${config.getIssuer(false)}/resources/images/lsaai/lsaai_logo.png" alt="Life Science Login logo">
-            <div class="card-body">
\ No newline at end of file
+
+    <div id="wrap" style="box-shadow: rgba(0, 0, 0, 0.15) 0 1rem 3rem 0.5rem;">
+        <div id="header">
+            <img src="${logoURL}" alt="logo">

perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -98,6 +98,8 @@
 				<prop key="proxy.extSource.name"/>
 				<prop key="proxy.base.url"/>
 				<prop key="proxy.add_client_id_to_acrs">false</prop>
+				<prop key="proxy.only_allowed_idps_enabled">false</prop>
+				<prop key="proxy.blocked_idps_enabled">false</prop>
 				<!-- OIDC STUFF -->
 				<prop key="jwk">file:///etc/perun/perun-oidc-keystore.jwks</prop>
 				<prop key="id_token.scopes">openid,profile,email,phone,address</prop>
@@ -128,6 +130,7 @@
 				<prop key="filter.stats.spIdColumnName">spId</prop>
 				<prop key="sentry.config.location"/>
 				<prop key="ga4gh.tokenExchange.brokerUrl"/>
+
 			</props>
 		</property>
 	</bean>
@@ -476,6 +479,8 @@
 		<property name="krbTokenExchangeRequiredScopes" value="#{'${token-exchange.kerberos.requiredScopes}'.split('\s*,\s*')}"/>
 		<property name="requesterIdPrefix" value="${saml.requester-id.prefix}"/>
 		<property name="logRequestsEnabled" value="${logRequestsEnabled}"/>
+		<property name="onlyAllowedIdpsEnabled" value="${proxy.only_allowed_idps_enabled}"/>
+		<property name="blockedIdpsEnabled" value="${proxy.blocked_idps_enabled}"/>
 	</bean>
 
 	<bean id="facilityAttrsConfig" class="cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig">

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8" %>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
 
-<ls:header />
-<!-- block container -->
-<div class="aas-message">
-    <p>
-        The service <strong><c:out value="${client.clientName}" /></strong> requires access to your personal data.
-        <c:if test="${not empty(client.policyUri)}">
-        Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service to learn more about its commitments to protect your data.
-        </c:if>
-    </p>
-</div>
-<c:if test="${empty(client.policyUri)}">
-<div class="alert alert-warning" role="alert">
-    <h6>This service is missing a Privacy Policy document.</h6>
-</div>
-</c:if>
-<c:if test="${getsOfflineAccess}">
-<div class="alert alert-warning" role="alert">
-    <div><h6>This service requests continuous access to your personal data.</h6>
-        <p>
-            Normally when you close your browser the service stops fetching your personal data from Life Science Login.
-            However, in this case, fetching your personal data continues as it is required for the service to work.
-        </p>
+<%
+
+  String samlCssUrl = (String) request.getAttribute("samlResourcesURL");
+  List<String> cssLinks = new ArrayList<>();
+
+  cssLinks.add(samlCssUrl + "/module.php/consent/assets/css/consent.css");
+  cssLinks.add(samlCssUrl + "/module.php/perun/res/css/consent.css");
+
+  request.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<spring:message code="consent_title" var="title"/>
+<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}"
+          cssLinks="${cssLinks}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
+
+<h1 class="h3"><spring:message code="consent_header"/>${" "}${fn:escapeXml(client.clientName)}</h1>
+
+</div> <%-- header --%>
+
+<div id="content">
+  <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
+  <c:if test="${getsOfflineAccess}">
+    <div class="alert alert-warning text-justify" role="alert">
+      <h4>Continuous data access.</h4>
+      <p>This service requests continuous access to your data. That means that the service might continuously fetch the
+        information you allow to be released via the form below without further interaction needed.</p>
     </div>
-</div>
-</c:if>
-<c:if test="${isTestSp or (not client.acceptedTos)}">
+  </c:if>
+  <c:if test="${not empty(jurisdiction)}">
+    <div class="alert alert-warning text-justify" role="alert">
+      <c:choose>
+        <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)} or ${'INT'.equalsIgnoreCase(jurisdiction)}">
+          <h4>This service is provided by an international organization.</h4>
+        </c:when>
+        <c:otherwise>
+          <h4>This service is in ${jurisdiction}/></h4>
+        </c:otherwise>
+      </c:choose>
+      <c:choose>
+        <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)}">
+          <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
+            an international organization outside EU/EEA jurisdictions.</p>
+          <p>Please be aware that upon transfer your personal data will be protected by
+            <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/"
+               target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</p>;
+        </c:when>
+        <c:otherwise>
+          <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
+            a country outside EU/EEA. We cannot guarantee that this country offers an adequately high level of personal
+            data protection as EU/EEA countries.</p>
+        </c:otherwise>
+      </c:choose>
+    </div>
+  </c:if>
+  <c:if test="${not acceptedTos}">
     <div class="alert alert-warning" role="alert">
-        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
-        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
+      <h4>Terms of Use for Service Providers not accepted</h4>
+      <p class="text-justify">You are entering a service which has not yet accepted the
+        <a href="https://lifescience-ri.eu/ls-login/terms-of-use-for-service-providers.html"
+           target="_blank">Terms of Use for Service Providers</a>.
+        <c:if test="${isTestSp}">
+          This might be due to the service being registered in the test environment, which does not force the service to
+          do so. To get more information about the different environments of the LS Login, please visit
+          <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
+        </c:if>
+      </p>
     </div>
-</c:if>
-<form name="confirmationForm" id="allow_consent_form" class="form-group"
-          action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
-    <div id="accordion">
-        <div class="section">
-            <div class="card-header" id="headingOne">
-                <h5 class="mb-0">
-                    <button class="btn btn-link" type="button" data-toggle="collapse" data-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
-                        User Information
-                    </button>
-                </h5>
-            </div>
-            <c:if test="${not empty scopes}">
-                <c:forEach var="scope" items="${scopes}">
-                    <c:set var="singleClaim" value="${fn:length(claims[scope.value]) eq 1}" />
-                    <c:set var="emptyClaim" value="${fn:length(claims[scope.value]) eq 0}" />
-                    <div class="card-body <c:if test="${emptyClaim}">d-none</c:if>">
-                        <div class="attribute-row">
-                            <div class="attribute">
-                                <div class="attribute-name form-check">
-                                    <input class="form-check-input" type="checkbox" name="scope_${ fn:escapeXml(scope.value) }" checked="checked"
-                                           id="scope_${fn:escapeXml(scope.value)}" value="${fn:escapeXml(scope.value)}">
-                                    <label class="form-check-label" for="scope_${fn:escapeXml(scope.value)}">
-                                        <spring:message code="${scope.value}"/>
-                                    </label>
-                                </div>
-                            </div>
-                            <div class="attribute-values">
-                                <c:forEach var="claim" items="${claims[scope.value]}">
-                                <div class="attribute-choose">
-                                    <div class="attribute-value">
-                                        <c:if test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
-                                            <c:forEach var="subValue" items="${claim.value}">
-                                                <div>
-                                                    <code>${subValue}</code>
-                                                </div>
-                                            </c:forEach>
-                                        </c:if>
-                                        <c:if test="${not(claim.value.getClass().name eq 'java.util.ArrayList')}">
-                                            <c:if test="${not(singleClaim)}">
-                                                <strong><spring:message code="${claim.key}"/>:${' '}</strong>
-                                            </c:if>
-                                            <code>${claim.value}</code>
-                                        </c:if>
-                                    </div>
-                                </div>
-                                </c:forEach>
-                            </div>
-                        </div>
-                    </div>
-                </c:forEach>
+  </c:if>
+  <form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ?
+    pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">
+    <c:choose>
+      <c:when test="${not empty client.policyUri}">
+        <p>Document with the privacy policy for this service can be found
+          <a target="_blank" href="${fn:escapeXml(client.policyUri)}">here</a>.</p>
+      </c:when>
+      <c:otherwise>
+        <div class="alert alert-warning" role="alert">
+          <h4>Missing Privacy Policy document.</h4>
+          <p class="text-justify">This servise has not yet provided link to the Privacy Policy document.
+            <c:if test="${isTestSp}">
+              This might be due to the service being registered in the test environment, which does not force the
+              service to do so. To get more information about the different environments of the LS Login, please visit
+              <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
             </c:if>
+          </p>
         </div>
-    </div>
-
-    <c:if test="${not empty jurisdiction}">
-    <div class="alert alert-danger" role="alert">
-        <h6>
-            This service is${' '}
-            <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
-            <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
-        </h6>
-        <p>
-            <c:if test="${jurisdiction eq 'EMBL'}">
-                In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
-                <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
-            </c:if>
-            <c:if test="${jurisdiction ne 'EMBL'}">
-                In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
-                We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
-            </c:if>
-        </p>
-        <c:if test="${not empty(client.policyUri)}">
-            <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
-        </c:if>
-        <div class="form-check">
-            <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
-            <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
+      </c:otherwise>
+    </c:choose>
+    <t:attributesConsent />
+    <c:if test="${rememberEnabled}">
+      <div class="row" id="saveconsentcontainer">
+        <div class="col-xs-12">
+          <div class="checkbox">
+            <input type="checkbox" name="remember" id="saveconsent" value="until-revoked"/>
+            <label for="saveconsent"><spring:message code="remember"/></label>
+          </div>
         </div>
-    </div>
+      </div>
     </c:if>
-    <div class="outro">
-        <p>
-            For withdrawing consent, contact <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>
-        </p>
-    </div>
-    <div class="footer-buttons">
-        <div class="remember">
-            <label>Remember:</label>
-            <div id="select-amount">
-                <select name="remember" id="month" class="btn btn-sm btn-secondary amount">
-                    <option value="none">Just this time</option>
-                    <option value="until-revoked">Forever</option>
-                </select>
-            </div>
-        </div>
-        <div class="consent-button">
-            <a id="abort" class="btn btn-danger" href="https://lifescience-ri.eu/index.php?id=409">Abort</a>
-            <input type="submit" class="btn btn-primary" value="Consent" id="submit" name="authorize"
-                   <c:if test="${not empty jurisdiction}">disabled=""</c:if>
-                   onclick="$('#user_oauth_approval').attr('value',true)">
-        </div>
-    </div>
     <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
-</form>
+    <t:consentButtons />
+    <p class='mt-1'>
+      For withdrawing consent, contact <a href='mailto:support@aai.lifescience-ri.eu'>support@aai.lifescience-ri.eu</a>
+    </p>
+  </form>
+</div>
+</div><!-- wrap -->
 
-<ls:footer />
+<t:footer baseURL="${baseURL}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ page import="java.util.ArrayList" %>
+<%@ page import="java.util.List" %>
+<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
 
-<ls:header />
-<!-- block container -->
-<div class="aas-message">
-    <p>
-        The service <strong><c:out value="${client.clientName}" /></strong> requires access to your personal data.
-        <c:if test="${not empty(client.policyUri)}">
-        Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service to learn more about its commitments to protect your data.
-        </c:if>
-    </p>
-</div>
-<c:if test="${empty(client.policyUri)}">
-<div class="alert alert-warning" role="alert">
-    <h6>This service is missing a Privacy Policy document.</h6>
-</div>
-</c:if>
-<c:if test="${getsOfflineAccess}">
-<div class="alert alert-warning" role="alert">
-    <div><h6>This service requests continuous access to your personal data.</h6>
-        <p>
-            Normally when you close your browser the service stops fetching your personal data from Life Science Login.
-            However, in this case, fetching your personal data continues as it is required for the service to work.
-        </p>
-    </div>
-</div>
-</c:if>
-<c:if test="${isTestSp or (not client.acceptedTos)}">
-    <div class="alert alert-warning" role="alert">
-        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
-        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
-    </div>
-</c:if>
-<form name="confirmationForm" id="allow_consent_form" class="form-group"
-          action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
-    <div id="accordion">
-        <div class="section">
-            <div class="card-header" id="headingOne">
-                <h5 class="mb-0">
-                    <button class="btn btn-link" type="button" data-toggle="collapse" data-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
-                        User Information
-                    </button>
-                </h5>
-            </div>
-            <div id="collapseOne" class="collapse show" aria-labelledby="headingOne" data-parent="#accordion">
-                <c:if test="${not empty scopes}">
-                    <c:forEach var="scope" items="${scopes}">
-                        <c:set var="singleClaim" value="${fn:length(claims[scope.value]) eq 1}" />
-                        <c:set var="emptyClaim" value="${fn:length(claims[scope.value]) eq 0}" />
-                        <div class="card-body <c:if test="${emptyClaim}">d-none</c:if>">
-                            <div class="attribute-row">
-                                <div class="attribute">
-                                    <div class="attribute-name form-check">
-                                        <input class="form-check-input" type="checkbox" name="scope_${ fn:escapeXml(scope.value) }" checked="checked"
-                                               id="scope_${fn:escapeXml(scope.value)}" value="${fn:escapeXml(scope.value)}">
-                                        <label class="form-check-label" for="scope_${fn:escapeXml(scope.value)}">
-                                            <spring:message code="${scope.value}"/>
-                                        </label>
-                                    </div>
-                                </div>
-                                <div class="attribute-values">
-                                    <c:forEach var="claim" items="${claims[scope.value]}">
-                                    <div class="attribute-choose">
-                                        <div class="attribute-value">
-                                            <c:if test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
-                                                <c:forEach var="subValue" items="${claim.value}">
-                                                    <div>
-                                                        <code>${subValue}</code>
-                                                    </div>
-                                                </c:forEach>
-                                            </c:if>
-                                            <c:if test="${not(claim.value.getClass().name eq 'java.util.ArrayList')}">
-                                                <c:if test="${not(singleClaim)}">
-                                                    <strong><spring:message code="${claim.key}"/>:${' '}</strong>
-                                                </c:if>
-                                                <code>${claim.value}</code>
-                                            </c:if>
-                                        </div>
-                                    </div>
-                                    </c:forEach>
-                                </div>
-                            </div>
-                        </div>
-                    </c:forEach>
-                </c:if>
-            </div>
-        </div>
-    </div>
 
-    <c:if test="${not empty jurisdiction}">
-        <div class="alert alert-danger" role="alert">
-            <h6>
-                This service is${' '}
-                <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
-                <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
-            </h6>
-            <p>
-                <c:if test="${jurisdiction eq 'EMBL'}">
-                    In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
-                    <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
-                </c:if>
-                <c:if test="${jurisdiction ne 'EMBL'}">
-                    In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
-                    We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
-                </c:if>
-            </p>
-            <c:if test="${not empty(client.policyUri)}">
-                <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
-            </c:if>
-            <div class="form-check">
-                <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
-                <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
-            </div>
+<c:set var="reqURL" value="${reqURL}"/>
+
+
+<%
+
+	String samlCssUrl = (String) request.getAttribute("samlResourcesURL");
+	List<String> cssLinks = new ArrayList<>();
+
+	cssLinks.add(samlCssUrl + "/module.php/consent/assets/css/consent.css");
+	cssLinks.add(samlCssUrl + "/module.php/perun/res/css/consent.css");
+
+	request.setAttribute("cssLinks", cssLinks);
+
+%>
+
+<spring:message code="device_approve_title" var="title"/>
+<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}"
+          cssLinks="${cssLinks}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
+
+<h1 class="h3"><spring:message code="device_approve_header"/> ${" "} ${fn:escapeXml(client.clientName)}</h1>
+
+</div> <%-- header --%>
+
+<div id="content">
+    <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
+    <c:if test="${getsOfflineAccess}">
+        <div class="alert alert-warning text-justify" role="alert">
+            <h4>Continuous data access.</h4>
+            <p>This service requests continuous access to your data. That means that the service might continuously fetch the
+                information you allow to be released via the form below without further interaction needed.</p>
         </div>
     </c:if>
-    <div class="outro">
-        <p>
-            For withdrawing consent, contact
-            <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>
-        </p>
-    </div>
-    <div class="footer-buttons">
-        <div class="remember">
-            <label>Remember:</label>
-            <div id="select-amount">
-                <select name="remember" id="month" class="btn btn-sm btn-secondary amount">
-                    <option value="none">Just this time</option>
-                    <option value="until-revoked">Forever</option>
-                </select>
-            </div>
+    <c:if test="${not empty(jurisdiction)}">
+        <div class="alert alert-warning text-justify" role="alert">
+            <c:choose>
+                <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)} or ${'INT'.equalsIgnoreCase(jurisdiction)}">
+                    <h4>This service is provided by an international organization.</h4>
+                </c:when>
+                <c:otherwise>
+                    <h4>This service is in ${jurisdiction}/></h4>
+                </c:otherwise>
+            </c:choose>
+            <c:choose>
+                <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)}">
+                    <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
+                        an international organization outside EU/EEA jurisdictions.</p>
+                    <p>Please be aware that upon transfer your personal data will be protected by
+                        <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/"
+                           target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</p>;
+                </c:when>
+                <c:otherwise>
+                    <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
+                        a country outside EU/EEA. We cannot guarantee that this country offers an adequately high level of personal
+                        data protection as EU/EEA countries.</p>
+                </c:otherwise>
+            </c:choose>
         </div>
-        <div class="consent-button">
-            <a id="abort" class="btn btn-danger" href="https://lifescience-ri.eu/index.php?id=409">Abort</a>
-            <input type="submit" class="btn btn-primary" value="Consent" id="submit" name="authorize"
-                   <c:if test="${not empty jurisdiction}">disabled=""</c:if>
-                   onclick="$('#user_oauth_approval').attr('value',true)">
+    </c:if>
+    <c:if test="${not acceptedTos}">
+        <div class="alert alert-warning" role="alert">
+            <h4>Terms of Use for Service Providers not accepted</h4>
+            <p class="text-justify">You are entering a service which has not yet accepted the
+                <a href="https://lifescience-ri.eu/ls-login/terms-of-use-for-service-providers.html"
+                   target="_blank">Terms of Use for Service Providers</a>.
+                <c:if test="${isTestSp}">
+                    This might be due to the service being registered in the test environment, which does not force the service to
+                    do so. To get more information about the different environments of the LS Login, please visit
+                    <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
+                </c:if>
+            </p>
         </div>
+    </c:if>
+        <form name="confirmationForm"
+              action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
+            <p>
+                <c:if test="${not empty client.policyUri}">
+                    <spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a>
+                </c:if>
+            </p>
+            <t:attributesConsent/>
+            <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
+            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+            <input type="hidden" name="user_code" value="${ dc.userCode }" />
+            <t:consentButtons/>
+        </form>
     </div>
-    <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
-    <input type="hidden" name="user_code" value="${ dc.userCode }" />
-    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
-</form>
+</div><!-- wrap -->
 
-<ls:footer />
+<t:footer baseURL="${baseURL}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/aup.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
-
-<ls:header />
-
-    <h3><spring:message code="must_agree_aup"/></h3>
-    <form method="POST" action="">
-        <c:forEach var="aup" items="${newAups}">
-            <div>
-                <p style="font-size: 16px; padding: 0; margin: 0;"><spring:message code="org_vo"/>${" "}<strong>${aup.key}</strong></p>
-                <p><spring:message code="see_aup"/>${" "}${aup.value.version}${" "}
-                    <a href="${aup.value.link}"><spring:message code="here"/></a></p>
-            </div>
-        </c:forEach>
-        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
-        <div class="form-group">
-            <spring:message code="agree_aup" var="submit_value"/>
-            <input type="submit" value="${submit_value}" class="btn btn-lg btn-primary btn-block">
-        </div>
-    </form>
-
-<ls:footer/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
-
-<ls:header />
-
-    <h3><spring:message code="device_flow_error_header"/></h3>
-    <p><spring:message code="device_flow_error_message"/></p>
-
-<ls:footer/>

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/isTestSpWarning.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
-
-<ls:header />
-
-    <div id="head">
-        <h1><spring:message code="is_test_sp_warning_header"/></h1>
-    </div>
-    <p><spring:message code="is_test_sp_warning_text"/></p>
-
-    <form method="GET" action="${action}">
-        <hr/>
-        <br/>
-        <input type="hidden" name="target" value="${fn:escapeXml(target)}">
-        <input type="hidden" name="accepted" value="true">
-        <spring:message code="is_test_sp_warning_continue" var="submit_value"/>
-        <input type="submit" name="continue" value="${submit_value}" class="btn btn-lg btn-primary btn-block">
-    </form>
-<ls:footer />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_failure.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
-
-<ls:header />
-
-    <div id="head">
-        <h1><spring:message code="login_failure_header"/></h1>
-    </div>
-    <div class="msg"><spring:message code="login_failure_msg"/></div>
-    <c:if test="${not empty('error_msg')}">
-        <div class="mgs">
-            <spring:message code="${error_msg}"/>
-        </div>
-    </c:if>
-    <div class="msg"><spring:message code="login_failure_contact_us"/>${" "}
-        <a href="mailto:${contactMail}">${contactMail}</a>.
-    </div>
-
-<ls:footer />

perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_success.jsp

-<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
-
-<ls:header />
-
-    <div id="head">
-        <h1><spring:message code="login_success_header"/></h1>
-    </div>
-    <div class="msg"><spring:message code="login_success_msg"/></div>
-
-<ls:footer />