Upgrade Nimbus Jose JWT version to 10.3.0

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/ciba/CibaAuthRequestValidator.java

@@ -47,6 +47,7 @@
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
+import java.util.Map;
 import java.util.TimeZone;
 
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.OAuth20Endpoints.OAUTH2_TOKEN_EP_URL;
@@ -157,7 +158,8 @@ private void valiateTransactionContext(JWTClaimsSet claimsSet) throws CibaAuthFa
                 // Request has no transaction_context claim.
                 return;
             }
-            if (StringUtils.isBlank(claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT).toJSONString())) {
+            Map<String, Object> claims = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
+            if (StringUtils.isBlank(new JSONObject(claims).toJSONString())) {
                 if (log.isDebugEnabled()) {
                     log.debug("Invalid CIBA Authentication Request made by client with clientID : " +
                             claimsSet.getIssuer() + ".The request is with invalid  " +
@@ -791,9 +793,9 @@ public CibaAuthCodeRequest prepareAuthCodeRequest(String request) throws CibaAut
             cibaAuthCodeRequest.setBindingMessage(claimsSet.getStringClaim(CibaConstants.BINDING_MESSAGE));
 
             // Setting transaction_context to AuthenticationRequest after successful validation.
-            JSONObject transactionContext = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
+            Map<String, Object> transactionContext = claimsSet.getJSONObjectClaim(CibaConstants.TRANSACTION_CONTEXT);
             if (transactionContext != null) {
-                cibaAuthCodeRequest.setTransactionContext(transactionContext.toJSONString());
+                cibaAuthCodeRequest.setTransactionContext(new JSONObject(transactionContext).toJSONString());
             }
 
             // Setting requested_expiry to AuthenticationRequest after successful validation.

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java

@@ -48,6 +48,7 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.Map;
 
 import javax.jws.WebService;
 import javax.ws.rs.GET;
@@ -135,7 +136,10 @@ private void populateJWKSArray(List<CertificateInfo> certInfoList, List<JWSAlgor
                 List<Base64> encodedCertList = generateEncodedCertList(certChain, alias);
                 RSAKey.Builder jwk = getJWK(algorithm, encodedCertList, cert,
                         hashingAlgorithm, alias);
-                jwksArray.add(jwk.build().toJSONObject());
+                Map<String, Object> jwkMap = jwk.build().toJSONObject();
+                JSONObject jsonObject = new JSONObject();
+                jsonObject.putAll(jwkMap);
+                jwksArray.add(jsonObject);
             }
         }
     }

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java

@@ -23,6 +23,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
+import com.nimbusds.jose.util.JSONObjectUtils;
 import com.nimbusds.jwt.SignedJWT;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.collections.CollectionUtils;
@@ -2987,11 +2988,11 @@ private static void overrideAuthzParameters(OAuthMessage oAuthMessage, OAuth2Par
             replaceIfPresent(requestObject, ID_TOKEN_HINT, params::setIDTokenHint, ignoreClaimsOutsideRequestObject);
             replaceIfPresent(requestObject, PROMPT, params::setPrompt, ignoreClaimsOutsideRequestObject);
 
-            if (requestObject.getClaim(CLAIMS) instanceof net.minidev.json.JSONObject) {
+            if (requestObject.getClaim(CLAIMS) instanceof Map) {
                 // Claims in the request object is in the type of net.minidev.json.JSONObject,
                 // hence retrieving claims as a JSONObject
-                net.minidev.json.JSONObject claims = (net.minidev.json.JSONObject) requestObject.getClaim(CLAIMS);
-                params.setEssentialClaims(claims.toJSONString());
+                Map<String, Object>  claims = (Map<String, Object>) requestObject.getClaim(CLAIMS);
+                params.setEssentialClaims(JSONObjectUtils.toJSONString(claims));
             }
 
             if (isPkceSupportEnabled()) {

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.java

@@ -19,6 +19,7 @@
 package org.wso2.carbon.identity.oauth2.validators.jwt;
 
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.KeySourceException;
@@ -29,6 +30,7 @@
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
 import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
@@ -77,6 +79,11 @@ public JWKSBasedJWTValidator() {
         /* Set up a JWT processor to parse the tokens and then check their signature and validity time window
         (bounded by the "iat", "nbf" and "exp" claims). */
         this.jwtProcessor = new DefaultJWTProcessor<>();
+        jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(
+                JOSEObjectType.JWT,
+                new JOSEObjectType("at+jwt"),
+                null
+        ));
     }
 
     @Override

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/model/RequestObject.java

@@ -85,8 +85,9 @@ public void setPlainJWT(PlainJWT plainJWT) throws RequestObjectException {
                     "the Request Object.");
         }
         if (this.claimsSet.getClaim(CLAIMS) != null) {
-            JSONObject claims = this.claimsSet.toJSONObject();
-            processClaimObject(claims);
+            Map<String, Object> claims = this.claimsSet.toJSONObject();
+            JSONObject jsonClaims = new JSONObject(claims);
+            processClaimObject(jsonClaims);
         }
     }
 
@@ -118,8 +119,9 @@ public void setSignedJWT(SignedJWT signedJWT) throws RequestObjectException {
                     "the Request Object.");
         }
         if (this.claimsSet.getClaim(CLAIMS) != null) {
-            JSONObject claims = this.claimsSet.toJSONObject();
-            processClaimObject(claims);
+            Map<String, Object> claims = this.claimsSet.toJSONObject();
+            JSONObject jsonClaims = new JSONObject(claims);
+            processClaimObject(jsonClaims);
         }
     }
 
@@ -142,7 +144,7 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
         try {
             Map<String, List<RequestedClaim>> claimsforClaimRequestor = new HashMap<>();
             if (jsonObjectRequestedClaims.get(CLAIMS) != null) {
-                JSONObject jsonObjectClaim = (JSONObject) jsonObjectRequestedClaims.get(CLAIMS);
+                Map<String, Object> jsonObjectClaim = (Map<String, Object>) jsonObjectRequestedClaims.get(CLAIMS);
 
                 //To iterate the claims json object to fetch the claim requestor and all requested claims.
                 for (Map.Entry<String, Object> requesterClaimsMap : jsonObjectClaim.entrySet()) {
@@ -152,16 +154,17 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
                         // Get requested claim object
                         Object requestedClaimObject = jsonObjectClaim.get(requesterClaimsMap.getKey());
                         // Extract all requested claims if attribute is an JSONObject
-                        if (requestedClaimObject instanceof JSONObject) {
-                            JSONObject jsonObjectAllRequestedClaims  = (JSONObject)
+                        if (requestedClaimObject instanceof Map) {
+                            Map<String, Object> jsonObjectAllRequestedClaims  = (Map<String, Object>)
                                     jsonObjectClaim.get(requesterClaimsMap.getKey());
                             if (jsonObjectAllRequestedClaims != null) {
                                 for (Map.Entry<String, Object> requestedClaims : jsonObjectAllRequestedClaims
                                         .entrySet()) {
-                                    JSONObject jsonObjectClaimAttributes = null;
+                                    Map<String, Object> jsonObjectClaimAttributes = null;
                                     if (jsonObjectAllRequestedClaims.get(requestedClaims.getKey()) != null) {
                                         jsonObjectClaimAttributes =
-                                                (JSONObject) jsonObjectAllRequestedClaims.get(requestedClaims.getKey());
+                                                (Map<String, Object>) jsonObjectAllRequestedClaims.get(
+                                                        requestedClaims.getKey());
                                     }
                                     populateRequestedClaimValues(requestedClaimsList, jsonObjectClaimAttributes,
                                             requestedClaims.getKey(), requesterClaimsMap.getKey());
@@ -180,7 +183,7 @@ private void processClaimObject(JSONObject jsonObjectRequestedClaims) throws Req
     }
 
     private void populateRequestedClaimValues(List<RequestedClaim> requestedClaims,
-                                              JSONObject jsonObjectClaimAttributes, String claimName,
+                                              Map<String, Object> jsonObjectClaimAttributes, String claimName,
                                               String claimType) {
 
         RequestedClaim claim = new RequestedClaim();
@@ -198,13 +201,16 @@ private void populateRequestedClaimValues(List<RequestedClaim> requestedClaims,
                     } else if (VALUE.equals(claimAttributes.getKey())) {
                         claim.setValue((String) value);
                     } else if (VALUES.equals(claimAttributes.getKey())) {
-                        JSONArray jsonArray = (JSONArray) value;
-                        if (jsonArray != null && jsonArray.size() > 0) {
-                            List<String> values = new ArrayList<>();
-                            for (Object aJsonArray : jsonArray) {
-                                values.add(aJsonArray.toString());
+                        Object valuesObj = value;
+                        if (valuesObj instanceof List<?>) {
+                            List<?> jsonArray = (List<?>) valuesObj;
+                            if (!jsonArray.isEmpty()) {
+                                List<String> values = new ArrayList<>();
+                                for (Object item : jsonArray) {
+                                    values.add(item.toString());
+                                }
+                                claim.setValues(values);
                             }
-                            claim.setValues(values);
                         }
                     }
                 }

pom.xml

@@ -1029,8 +1029,8 @@
         <waffle-jna.wso2.version>1.6.wso2v6</waffle-jna.wso2.version>
         <waffle-jna.imp.pkg.version.range>[1.6.0, 2.0)</waffle-jna.imp.pkg.version.range>
 
-        <nimbusds.version>7.9.0.wso2v1</nimbusds.version>
-        <nimbusds.osgi.version.range>[7.3.0,8.0.0)</nimbusds.osgi.version.range>
+        <nimbusds.version>10.3.0.wso2v1</nimbusds.version>
+        <nimbusds.osgi.version.range>[10.0.0,11.0.0)</nimbusds.osgi.version.range>
 
         <thetransactioncompany.cors-filter.wso2.version>1.7.0.wso2v1</thetransactioncompany.cors-filter.wso2.version>
         <thetransactioncompany.utils.wso2.version>1.9.0.wso2v1</thetransactioncompany.utils.wso2.version>