Fix OAuth2 issues: Restore 'none' token endpoint auth method. Do not add default openid scope if non-empty. (#926)

maximthomas · web-flow · commit 433c106f00e6 · 2025-09-23T12:06:21.000+03:00
diff --git a/openam-oauth2/src/main/java/org/forgerock/openidconnect/Client.java b/openam-oauth2/src/main/java/org/forgerock/openidconnect/Client.java
@@ -13,6 +13,7 @@
  *
  * Copyright 2014-2016 ForgeRock AS.
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
+ * Portions Copyrighted 2025 3A Systems LLC.
  */
 
 package org.forgerock.openidconnect;
@@ -217,9 +218,9 @@ public enum TokenEndpointAuthMethod {
         /** Client secret post type. */
      //   CLIENT_SECRET_JWT("client_secret_jwt"), todo uncomment as we add suppot
         /** Client secret basic type. */
-        PRIVATE_KEY_JWT("private_key_jwt");
+        PRIVATE_KEY_JWT("private_key_jwt"),
         /** None type. */
-     //   NONE("none");
+        NONE("none");
 
         private String type;
 
diff --git a/openam-oauth2/src/main/java/org/forgerock/openidconnect/OpenIdConnectClientRegistrationService.java b/openam-oauth2/src/main/java/org/forgerock/openidconnect/OpenIdConnectClientRegistrationService.java
@@ -271,13 +271,13 @@ public JsonValue createRegistration(String accessToken, String deploymentUrl, OA
                     throw new InvalidClientMetadata("Invalid scopes requested");
                 }
             } else { //if nothing requested, fall back to provider defaults
-                scopes = new ArrayList<String>();
+                scopes = new ArrayList<>();
                 scopes.addAll(providerSettings.getDefaultScopes());
             }
 
             //regardless, we add openid
-            if (!scopes.contains(OPENID)) {
-                scopes = new ArrayList<String>(scopes);
+            if (scopes.isEmpty()) {
+                scopes = new ArrayList<>();
                 scopes.add(OPENID);
             }
 
diff --git a/openam-server-only/src/main/resources/services/AgentService.xml b/openam-server-only/src/main/resources/services/AgentService.xml
@@ -28,6 +28,7 @@
 
    Portions Copyrighted 2011-2016 ForgeRock AS.
    Portions Copyrighted 2015 Nomura Research Institute, Ltd.
+   Portions Copyrighted 2025 3A Systems LLC.
 -->
 
 <!DOCTYPE ServicesConfiguration
@@ -36,7 +37,7 @@
 
 <ServicesConfiguration>
     <Service name="AgentService" version="1.0">
-        <Schema i18nFileName="agentService" revisionNumber="10">
+        <Schema i18nFileName="agentService" revisionNumber="11">
             <Organization>
                 <SubSchema name="OAuth2Client" inheritance="multiple" i18nKey="a7001" hideConfigUI="yes">
                     <AttributeSchema
@@ -181,6 +182,7 @@
                             <ChoiceValue i18nKey="a741">client_secret_basic</ChoiceValue>
                             <!--     <ChoiceValue i18nKey="a742">client_secret_jwt</ChoiceValue> -->
                             <ChoiceValue i18nKey="a743">private_key_jwt</ChoiceValue>
+                            <ChoiceValue>none</ChoiceValue>
                         </ChoiceValues>
                         <DefaultValues>
                             <Value>client_secret_basic</Value>

Original file line number	Diff line number	Diff line change
`@@ -271,13 +271,13 @@ public JsonValue createRegistration(String accessToken, String deploymentUrl, OA`
`271`	`271`	`throw new InvalidClientMetadata("Invalid scopes requested");`
`272`	`272`	`}`
`273`	`273`	`} else { //if nothing requested, fall back to provider defaults`
`274`		`- scopes = new ArrayList<String>();`
	`274`	`+ scopes = new ArrayList<>();`
`275`	`275`	`scopes.addAll(providerSettings.getDefaultScopes());`
`276`	`276`	`}`
`277`	`277`
`278`	`278`	`//regardless, we add openid`
`279`		`- if (!scopes.contains(OPENID)) {`
`280`		`- scopes = new ArrayList<String>(scopes);`
	`279`	`+ if (scopes.isEmpty()) {`
	`280`	`+ scopes = new ArrayList<>();`
`281`	`281`	`scopes.add(OPENID);`
`282`	`282`	`}`
`283`	`283`