Implement Explicit Client Registration (RP Role)

iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java

@@ -127,8 +127,8 @@ public RegisteredClientDTO saveNewClient(RegisteredClientDTO client) throws Pars
     entity.setActive(true);
 
     if (hasRelyingParty(client)) {
-      ClientRelyingPartyEntity clientRelyingParty =
-          new ClientRelyingPartyEntity(entity, client.getExpiration(), client.getEntityId());
+      ClientRelyingPartyEntity clientRelyingParty = new ClientRelyingPartyEntity(entity,
+          client.getExpiration(), client.getEntityId(), client.getClientType());
       entity.setClientRelyingParty(clientRelyingParty);
       entity.setRequestObjectSigningAlg(client.getRequestObjectSigningAlgorithm());
     }
@@ -197,7 +197,7 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO cli
 
     if (hasRelyingParty(clientDTO)) {
       ClientRelyingPartyEntity clientRelyingParty = new ClientRelyingPartyEntity(newClient,
-          clientDTO.getExpiration(), clientDTO.getEntityId());
+          clientDTO.getExpiration(), clientDTO.getEntityId(), clientDTO.getClientType());
       newClient.setClientRelyingParty(clientRelyingParty);
       newClient.setRequestObjectSigningAlg(clientDTO.getRequestObjectSigningAlgorithm());
       newClient.setActive(true);

iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java

@@ -15,15 +15,20 @@
  */
 package it.infn.mw.iam.api.client.registration.service;
 
+import static it.infn.mw.iam.api.client.util.ClientSuppliers.clientNotFound;
+import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.ADMINISTRATORS;
+import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.ANYONE;
+import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.REGISTERED_USERS;
+import static java.util.Objects.isNull;
+import static java.util.stream.Collectors.toSet;
+
 import java.text.ParseException;
 import java.time.Clock;
 import java.time.Instant;
 import java.util.EnumSet;
-import static java.util.Objects.isNull;
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Supplier;
-import static java.util.stream.Collectors.toSet;
 
 import javax.validation.constraints.NotBlank;
 
@@ -50,7 +55,6 @@
 import it.infn.mw.iam.api.client.service.ClientConverter;
 import it.infn.mw.iam.api.client.service.ClientDefaultsService;
 import it.infn.mw.iam.api.client.service.ClientService;
-import static it.infn.mw.iam.api.client.util.ClientSuppliers.clientNotFound;
 import it.infn.mw.iam.api.common.client.AuthorizationGrantType;
 import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
 import it.infn.mw.iam.audit.events.account.client.AccountClientOwnerAssigned;
@@ -60,9 +64,6 @@
 import it.infn.mw.iam.audit.events.client.ClientUpdatedEvent;
 import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
 import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy;
-import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.ADMINISTRATORS;
-import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.ANYONE;
-import static it.infn.mw.iam.config.client_registration.ClientRegistrationProperties.ClientRegistrationAuthorizationPolicy.REGISTERED_USERS;
 import it.infn.mw.iam.core.IamTokenService;
 import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatcher;
 import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatcherRegistry;
@@ -370,8 +371,8 @@ public RegisteredClientDTO registerClient(RegisteredClientDTO request,
     }
 
     if (hasRelyingParty(request)) {
-      ClientRelyingPartyEntity clientRelyingParty =
-          new ClientRelyingPartyEntity(client, request.getExpiration(), request.getEntityId());
+      ClientRelyingPartyEntity clientRelyingParty = new ClientRelyingPartyEntity(client,
+          request.getExpiration(), request.getEntityId(), request.getClientType());
       client.setClientRelyingParty(clientRelyingParty);
     }
 

iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java

@@ -29,6 +29,7 @@
 import javax.validation.constraints.Size;
 
 import org.hibernate.validator.constraints.URL;
+import org.mitre.oauth2.model.ClientRelyingPartyEntity.ClientType;
 
 import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonInclude;
@@ -257,6 +258,11 @@ public class RegisteredClientDTO {
   @JsonFormat(shape = JsonFormat.Shape.STRING)
   private String entityId;
 
+  @JsonView({ClientViews.Limited.class, ClientViews.ClientManagement.class,
+      ClientViews.NoSecretDynamicRegistration.class, ClientViews.DynamicRegistration.class})
+  @JsonFormat(shape = JsonFormat.Shape.STRING)
+  private ClientType clientType;
+
   @JsonView({ClientViews.Full.class, ClientViews.ClientManagement.class,
       ClientViews.DynamicRegistration.class})
   @Size(max = 65535, groups = {OnClientCreation.class, OnClientUpdate.class})
@@ -539,6 +545,14 @@ public void setEntityId(String entityId) {
     this.entityId = entityId;
   }
 
+  public ClientType getClientType() {
+    return clientType;
+  }
+
+  public void setClientType(ClientType clientType) {
+    this.clientType = clientType;
+  }
+
   public String getJwk() {
     return jwk;
   }

iam-login-service/src/main/java/it/infn/mw/iam/api/openid_federation/FederatedOpRegistrationService.java

@@ -0,0 +1,214 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.openid_federation;
+
+import static it.infn.mw.iam.core.oidc.FederationException.invalidClientMetadata;
+import static it.infn.mw.iam.core.oidc.FederationException.invalidRequest;
+import static it.infn.mw.iam.core.oidc.FederationException.invalidTrustChain;
+
+import java.net.URI;
+import java.text.ParseException;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientRelyingPartyEntity.ClientType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Profile;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestTemplate;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.GrantType;
+import com.nimbusds.oauth2.sdk.ResponseType;
+import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatement;
+import com.nimbusds.openid.connect.sdk.federation.trust.TrustChain;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+
+import it.infn.mw.iam.api.client.registration.service.ClientRegistrationService;
+import it.infn.mw.iam.api.client.service.ClientService;
+import it.infn.mw.iam.api.common.client.AuthorizationGrantType;
+import it.infn.mw.iam.api.common.client.OAuthResponseType;
+import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
+import it.infn.mw.iam.api.common.client.TokenEndpointAuthenticationMethod;
+import it.infn.mw.iam.authn.oidc.RestTemplateFactory;
+import it.infn.mw.iam.config.oidc.OpenidFederationProperties;
+import it.infn.mw.iam.core.oidc.ExplicitRegistrationEntityStatementBuilder;
+import it.infn.mw.iam.core.oidc.FederationException;
+import it.infn.mw.iam.core.oidc.TrustChainService;
+
+@Service
+@Profile("openid-federation")
+public class FederatedOpRegistrationService {
+
+  public static final Logger LOG = LoggerFactory.getLogger(FederatedOpRegistrationService.class);
+
+  private final TrustChainService tcService;
+  private final ExplicitRegistrationEntityStatementBuilder explRegistrationEsBuilder;
+  private final ClientRegistrationService clientRegistrationService;
+  private final ClientService clientService;
+  private final OpenidFederationProperties oidFedProperties;
+  private final RestTemplate restTemplate;
+
+  @Value("${iam.baseUrl}")
+  private String iamBaseUrl;
+
+  public FederatedOpRegistrationService(TrustChainService tcService,
+      ExplicitRegistrationEntityStatementBuilder explRegistrationEsBuilder,
+      ClientRegistrationService clientRegistrationService, ClientService clientService,
+      OpenidFederationProperties oidFedProperties, RestTemplateFactory restTemplateFactory) {
+
+    this.tcService = tcService;
+    this.explRegistrationEsBuilder = explRegistrationEsBuilder;
+    this.clientRegistrationService = clientRegistrationService;
+    this.clientService = clientService;
+    this.oidFedProperties = oidFedProperties;
+    this.restTemplate = restTemplateFactory.newRestTemplate();
+  }
+
+  public RegisteredClientDTO registerOp(String issuer, Optional<ClientDetailsEntity> existingClient)
+      throws JOSEException, ParseException, FederationException {
+
+    validateIssuer(issuer);
+
+    // 1. Resolve trust chain
+    TrustChain trustChain = tcService.validateFromEntityId(issuer);
+
+    // 2. Select authority_hints
+    List<String> authorityHints = selectAuthorityHints(trustChain, issuer);
+
+    // 3. Build Explicit Registration Entity Statement
+    String registrationJwt = explRegistrationEsBuilder.build(issuer, authorityHints);
+
+    // 4. Discover OP federation registration endpoint
+    EntityStatement opEc = trustChain.getLeafSelfStatement();
+    URI regEndpoint = opEc.getClaimsSet().getOPMetadata().getFederationRegistrationEndpointURI();
+
+    // 5. POST explicit registration request
+    String responseJwt = postRegistration(regEndpoint, registrationJwt);
+    SignedJWT signedResponse = SignedJWT.parse(responseJwt);
+
+    // 6. Persist client
+    RegisteredClientDTO dtoClient = createClientDtoFromOpMetadata(opEc);
+    dtoClient.setExpiration(trustChain.resolveExpirationTime());
+    dtoClient.setRequestObjectSigningAlgorithm(signedResponse.getHeader().getAlgorithm());
+    dtoClient.setClientType(ClientType.EXTERNAL);
+
+    RegisteredClientDTO registeredClient =
+        clientRegistrationService.registerClient(dtoClient, null);
+
+    if (existingClient.isPresent()) {
+      clientService.deleteClient(existingClient.get());
+    }
+
+    return registeredClient;
+  }
+
+  private List<String> selectAuthorityHints(TrustChain trustChain, String issuer)
+      throws FederationException {
+
+    List<String> chainIssuers = trustChain.getSuperiorStatements()
+      .stream()
+      .map(es -> es.getClaimsSet().getIssuer().getValue())
+      .distinct()
+      .toList();
+
+    List<String> configuredHints = oidFedProperties.getEntityConfiguration().getAuthorityHints();
+
+    List<String> selected = chainIssuers.stream().filter(configuredHints::contains).toList();
+
+    if (selected.isEmpty()) {
+      throw invalidTrustChain("No valid authority_hints found for OP: " + issuer);
+    }
+
+    return selected;
+  }
+
+  private String postRegistration(URI endpoint, String jwt) throws FederationException {
+
+    HttpHeaders headers = new HttpHeaders();
+    headers.setContentType(new MediaType("application", "entity-statement+jwt"));
+
+    HttpEntity<String> entity = new HttpEntity<>(jwt, headers);
+
+    try {
+      return restTemplate.postForObject(endpoint, entity, String.class);
+    } catch (HttpClientErrorException e) {
+      throw invalidRequest("Federation registration failed: " + e.getResponseBodyAsString(), e);
+    }
+  }
+
+  private void validateIssuer(String issuer) throws FederationException {
+    URI uri = URI.create(issuer);
+    if (!"https".equalsIgnoreCase(uri.getScheme())) {
+      throw invalidRequest("Issuer must use https");
+    }
+  }
+
+  private RegisteredClientDTO createClientDtoFromOpMetadata(EntityStatement opEc)
+      throws FederationException {
+    RegisteredClientDTO dtoClient = new RegisteredClientDTO();
+    OIDCProviderMetadata metadata = opEc.getClaimsSet().getOPMetadata();
+
+    dtoClient.setClientName("OIDFed OP client");
+    Set<AuthorizationGrantType> grantTypes = Optional.ofNullable(metadata.getGrantTypes())
+      .orElse(List.of(GrantType.AUTHORIZATION_CODE))
+      .stream()
+      .map(GrantType::getValue)
+      .map(AuthorizationGrantType::fromGrantType)
+      .collect(Collectors.toSet());
+
+    dtoClient.setGrantTypes(grantTypes);
+    dtoClient.setRedirectUris(Set.of(iamBaseUrl + "/openid_connect_login"));
+    Set<String> supportedResponseTypes =
+        Set.of(ResponseType.CODE.toString(), ResponseType.TOKEN.toString());
+    if (metadata.getResponseTypes() != null) {
+      Set<OAuthResponseType> responseTypes = metadata.getResponseTypes()
+        .stream()
+        .map(ResponseType::toString)
+        .filter(supportedResponseTypes::contains)
+        .map(OAuthResponseType::fromResponseType)
+        .collect(Collectors.toSet());
+      if (responseTypes.isEmpty()) {
+        throw invalidClientMetadata("Unsupported response type");
+      }
+      dtoClient.setResponseTypes(responseTypes);
+    } else {
+      dtoClient.setResponseTypes(Set.of(OAuthResponseType.CODE));
+    }
+    dtoClient.setTokenEndpointAuthMethod(TokenEndpointAuthenticationMethod.client_secret_basic);
+    if (metadata.getScopes() != null) {
+      dtoClient.setScope(metadata.getScopes().toStringList().stream().collect(Collectors.toSet()));
+    } else {
+      dtoClient.setScope(Set.of("openid"));
+    }
+    dtoClient.setEntityId(opEc.getEntityID().getValue());
+    Optional.ofNullable(metadata.getJWKSetURI())
+      .ifPresent(uri -> dtoClient.setJwksUri(uri.toASCIIString()));
+
+    LOG.debug("Client metadata mapped successfully for OP: {}", dtoClient.getEntityId());
+    return dtoClient;
+  }
+}