diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/ciba/CibaAuthRequestValidator.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/ciba/CibaAuthRequestValidator.java
index bc7bcb683d7..508e14678ce 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/ciba/CibaAuthRequestValidator.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/ciba/CibaAuthRequestValidator.java
@@ -47,6 +47,7 @@
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
+import java.util.Map;
 import java.util.TimeZone;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OAuth20Endpoints.OAUTH2_TOKEN_EP_URL;
@@ -157,7 +158,8 @@ private void valiateTransactionContext(JWTClaimsSet claimsSet) throws CibaAuthFa
 // Request has no transaction_context claim.
 return;
 }
- if (StringUtils.isBlank(claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT).toJSONString())) {
+ Map claims = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
+ if (StringUtils.isBlank(new JSONObject(claims).toJSONString())) {
 if (log.isDebugEnabled()) {
 log.debug("Invalid CIBA Authentication Request made by client with clientID : " +
 claimsSet.getIssuer() + ".The request is with invalid " +
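Review bot: The blank check on the added line `+if (StringUtils.isBlank(new JSONObject(claims).toJSONString()))` can never fire, because serialising a map yields at least `{}`, so an empty `transaction_context` object still passes validation exactly as it did before this change. If the intent is to reject an empty object, test the map itself with `if (claims == null || claims.isEmpty()) {`, which also removes the throwaway JSONObject. `getJSONObjectClaim` throws `java.text.ParseException` when the claim is present but is not a JSON object; I cannot see from this hunk whether that is translated into the `CibaAuthFailureException` the method declares, so that path is worth confirming. The page rendering appears to have stripped generic parameters (`Map claims`), so this is read assuming `Map<String, Object>`; the method's body continues past the end of the hunk.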
@@ -791,9 +793,9 @@ public CibaAuthCodeRequest prepareAuthCodeRequest(String request) throws CibaAut
 cibaAuthCodeRequest.setBindingMessage(claimsSet.getStringClaim(CibaConstants.BINDING_MESSAGE));
 // Setting transaction_context to AuthenticationRequest after successful validation.
- JSONObject transactionContext = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
+ Map transactionContext = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
 if (transactionContext != null) {
- cibaAuthCodeRequest.setTransactionContext(transactionContext.toJSONString());
+ cibaAuthCodeRequest.setTransactionContext(new JSONObject(transactionContext).toJSONString());
 }
 // Setting requested_expiry to AuthenticationRequest after successful validation.
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java
index 666597532b9..c5345595a06 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java
@@ -48,6 +48,7 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.Map;
 import javax.jws.WebService;
 import javax.ws.rs.GET;
@@ -135,7 +136,10 @@ private void populateJWKSArray(List certInfoList, List encodedCertList = generateEncodedCertList(certChain, alias);
 RSAKey.Builder jwk = getJWK(algorithm, encodedCertList, cert, hashingAlgorithm, alias);
- jwksArray.add(jwk.build().toJSONObject());
+ Map jwkMap = jwk.build().toJSONObject();
+ JSONObject jsonObject = new JSONObject();
+ jsonObject.putAll(jwkMap);
+ jwksArray.add(jsonObject);
 }
 }
 }
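Review bot: The four added lines that copy the JWK map into a fresh JSONObject before `jwksArray.add(jsonObject);` can be the single line `jwksArray.add(new JSONObject(jwk.build().toJSONObject()));`, which is the idiom this same commit uses in CibaAuthRequestValidator and RequestObject; one idiom across the nimbus-10 migration is easier to audit than two. Since this endpoint publishes key material, the line building the JWK deserves a comment making the expectation explicit, e.g. `// getJWK is built from the certificate's public key; only public parameters and the x5c chain are serialised here` — I cannot verify that from this hunk, so confirm it against getJWK before adding. populateJWKSArray starts before this hunk, and the page rendering appears to have merged the tail of its signature into the first context line and stripped generic parameters.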
diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java
index f607597f0bf..57544a5281f 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java
@@ -23,6 +23,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
+import com.nimbusds.jose.util.JSONObjectUtils;
 import com.nimbusds.jwt.SignedJWT;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.collections.CollectionUtils;
@@ -2987,11 +2988,11 @@ private static void overrideAuthzParameters(OAuthMessage oAuthMessage, OAuth2Par
 replaceIfPresent(requestObject, ID_TOKEN_HINT, params::setIDTokenHint, ignoreClaimsOutsideRequestObject);
 replaceIfPresent(requestObject, PROMPT, params::setPrompt, ignoreClaimsOutsideRequestObject);
- if (requestObject.getClaim(CLAIMS) instanceof net.minidev.json.JSONObject) {
+ if (requestObject.getClaim(CLAIMS) instanceof Map) {
 // Claims in the request object is in the type of net.minidev.json.JSONObject,
 // hence retrieving claims as a JSONObject
- net.minidev.json.JSONObject claims = (net.minidev.json.JSONObject) requestObject.getClaim(CLAIMS);
- params.setEssentialClaims(claims.toJSONString());
+ Map claims = (Map) requestObject.getClaim(CLAIMS);
+ params.setEssentialClaims(JSONObjectUtils.toJSONString(claims));
 }
 if (isPkceSupportEnabled()) {
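Review bot: The two context comment lines directly above `+Map claims = (Map) requestObject.getClaim(CLAIMS);` still state that the claims are a `net.minidev.json.JSONObject`, which this very change makes untrue; they should now read `// Since nimbus 9 the "claims" member is returned as a plain Map; serialise it so the request-object JSON is preserved verbatim.` The raw `(Map)` cast following an `instanceof Map` guard is safe, but it should be written `(Map<String, Object>)` to avoid the raw-type warning (the page appears to have stripped generics, so this may already be the case in the real source). overrideAuthzParameters starts and ends outside this hunk.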
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.java
index 44fb1fb3c28..9c0ff51c974 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.java
@@ -19,6 +19,7 @@
 package org.wso2.carbon.identity.oauth2.validators.jwt;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.KeySourceException;
@@ -29,6 +30,7 @@
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
 import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
@@ -77,6 +79,11 @@ public JWKSBasedJWTValidator() {
 /* Set up a JWT processor to parse the tokens and then check their signature and validity time window (bounded by the "iat", "nbf" and "exp" claims). */
 this.jwtProcessor = new DefaultJWTProcessor<>();
+ jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(
+ JOSEObjectType.JWT,
+ new JOSEObjectType("at+jwt"),
+ null
+ ));
 }
 @Override
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/model/RequestObject.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/model/RequestObject.java
index af569847ef7..4be2de58be0 100644
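Review bot: The added `setJWSTypeVerifier` call widens what this validator accepts to `typ: JWT`, `typ: at+jwt` and a missing `typ`; if this one JWKSBasedJWTValidator is also used to verify client assertions or request objects (its callers are not visible here), an RFC 9068 access token signed with a key from a trusted JWKS becomes presentable in those roles, so the accepted types should ideally be chosen per use rather than fixed in the constructor. The `"at+jwt"` literal should be a named constant, and the block comment above `this.jwtProcessor = new DefaultJWTProcessor<>();` should be extended with `// Accepted "typ" headers are JWT, at+jwt (RFC 9068) and absent; any other typ is rejected by the processor before key selection.` The constructor ends inside this hunk; the class continues past it.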
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/model/RequestObject.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/model/RequestObject.java
@@ -85,8 +85,9 @@ public void setPlainJWT(PlainJWT plainJWT) throws RequestObjectException {
 "the Request Object.");
 }
 if (this.claimsSet.getClaim(CLAIMS) != null) {
- JSONObject claims = this.claimsSet.toJSONObject();
- processClaimObject(claims);
+ Map claims = this.claimsSet.toJSONObject();
+ JSONObject jsonClaims = new JSONObject(claims);
+ processClaimObject(jsonClaims);
 }
 }
@@ -118,8 +119,9 @@ public void setSignedJWT(SignedJWT signedJWT) throws RequestObjectException {
 "the Request Object.");
 }
 if (this.claimsSet.getClaim(CLAIMS) != null) {
- JSONObject claims = this.claimsSet.toJSONObject();
- processClaimObject(claims);
+ Map claims = this.claimsSet.toJSONObject();
+ JSONObject jsonClaims = new JSONObject(claims);
+ processClaimObject(jsonClaims);
 }
 }
@@ -142,7 +144,7 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
 try {
 Map> claimsforClaimRequestor = new HashMap<>();
 if (jsonObjectRequestedClaims.get(CLAIMS) != null) {
- JSONObject jsonObjectClaim = (JSONObject) jsonObjectRequestedClaims.get(CLAIMS);
+ Map jsonObjectClaim = (Map) jsonObjectRequestedClaims.get(CLAIMS);
 //To iterate the claims json object to fetch the claim requestor and all requested claims.
 for (Map.Entry requesterClaimsMap : jsonObjectClaim.entrySet()) {
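Review bot: The three added lines `Map claims = this.claimsSet.toJSONObject(); JSONObject jsonClaims = new JSONObject(claims); processClaimObject(jsonClaims);` are now duplicated verbatim in setPlainJWT and setSignedJWT, and the JSONObject copy is pure overhead: processClaimObject only reads `get(CLAIMS)` from it, and the hunks that follow already treat that value as a `Map`. Both setters could pass the map straight to a `processClaimObject(Map<String, Object> ...)` signature (the method is private, so no caller outside the class is affected). If the JSONObject wrapper is kept on purpose, a one-line comment on the `jsonClaims` line should say what depends on it. Both setters end inside their hunks; the end of the `@@ -142` hunk is not visible on this page.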
@@ -152,16 +154,17 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
 // Get requested claim object
 Object requestedClaimObject = jsonObjectClaim.get(requesterClaimsMap.getKey());
 // Extract all requested claims if attribute is an JSONObject
- if (requestedClaimObject instanceof JSONObject) {
- JSONObject jsonObjectAllRequestedClaims = (JSONObject)
+ if (requestedClaimObject instanceof Map) {
+ Map jsonObjectAllRequestedClaims = (Map)
 jsonObjectClaim.get(requesterClaimsMap.getKey());
 if (jsonObjectAllRequestedClaims != null) {
 for (Map.Entry requestedClaims : jsonObjectAllRequestedClaims
 .entrySet()) {
- JSONObject jsonObjectClaimAttributes = null;
+ Map jsonObjectClaimAttributes = null;
 if (jsonObjectAllRequestedClaims.get(requestedClaims.getKey()) != null) {
 jsonObjectClaimAttributes =
- (JSONObject) jsonObjectAllRequestedClaims.get(requestedClaims.getKey());
+ (Map) jsonObjectAllRequestedClaims.get(
+ requestedClaims.getKey());
 }
 populateRequestedClaimValues(requestedClaimsList, jsonObjectClaimAttributes,
 requestedClaims.getKey(), requesterClaimsMap.getKey());
@@ -180,7 +183,7 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
 }
 private void populateRequestedClaimValues(List requestedClaims,
- JSONObject jsonObjectClaimAttributes, String claimName,
+ Map jsonObjectClaimAttributes, String claimName,
 String claimType) {
 RequestedClaim claim = new RequestedClaim();
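Review bot: The rewritten `(Map) jsonObjectAllRequestedClaims.get(requestedClaims.getKey())` cast is still guarded only by a null check, so a request object whose claim member is a string or array (for example `{"claims":{"userinfo":{"email":"x"}}}`) throws ClassCastException here instead of a RequestObjectException, while the `instanceof Map` test a few lines earlier already shows the safe pattern. Replace the null test with `if (jsonObjectAllRequestedClaims.get(requestedClaims.getKey()) instanceof Map) {`, which is false for null and makes the cast total; if malformed members should be rejected rather than treated as absent, throw RequestObjectException in an else branch instead. Whether the enclosing `try`, which opens in the `@@ -142` hunk before this one, maps ClassCastException to a clean error I cannot see, so today this may surface as a server error from untrusted client input. The raw `(Map)` casts look like stripped generics from the page rendering; ignore that remark if the source reads `(Map<String, Object>)`.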
@@ -198,13 +201,16 @@ private void populateRequestedClaimValues(List requestedClaims,
 } else if (VALUE.equals(claimAttributes.getKey())) {
 claim.setValue((String) value);
 } else if (VALUES.equals(claimAttributes.getKey())) {
- JSONArray jsonArray = (JSONArray) value;
- if (jsonArray != null && jsonArray.size() > 0) {
- List values = new ArrayList<>();
- for (Object aJsonArray : jsonArray) {
- values.add(aJsonArray.toString());
+ Object valuesObj = value;
+ if (valuesObj instanceof List) {
+ List jsonArray = (List) valuesObj;
+ if (!jsonArray.isEmpty()) {
+ List values = new ArrayList<>();
+ for (Object item : jsonArray) {
+ values.add(item.toString());
+ }
+ claim.setValues(values);
 }
- claim.setValues(values);
 }
 }
 }
diff --git a/pom.xml b/pom.xml
index 06dec90bd7d..e1a9c30d823 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1029,8 +1029,8 @@
 1.6.wso2v6
 [1.6.0, 2.0)
- 7.9.0.wso2v1
- [7.3.0,8.0.0)
+ 10.3.0.wso2v1
+ [10.0.0,11.0.0)
 1.7.0.wso2v1
 1.9.0.wso2v1
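Review bot: `values.add(item.toString());` in the rewritten loop throws NullPointerException for a `values` array that contains a JSON `null` (`"values": ["a", null]`), which the parser hands back as a Java null; the old loop had the same gap, but since the loop is being rewritten anyway, use `values.add(String.valueOf(item));` or skip null entries explicitly. The `Object valuesObj = value;` alias adds nothing, because `value` is already the object under inspection (the VALUE branch casts it directly), so `if (value instanceof List) { List jsonArray = (List) value;` reads cleaner. Silently ignoring a non-List `values` member is a behaviour change from the old unchecked `(JSONArray)` cast, which would have thrown; a debug log on that path would help diagnose malformed request objects. populateRequestedClaimValues starts before this hunk, and the pom.xml hunk below is a plain version bump.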