Improve OpenID Connect discovery endpoint

components/org.wso2.carbon.identity.discovery/src/main/java/org/wso2/carbon/identity/discovery/builders/ProviderConfigBuilder.java

@@ -95,6 +95,23 @@ public OIDProviderConfigResponse buildOIDProviderConfig(OIDProviderRequest reque
                 IdentityConstants.OAuth.OIDC_CHECK_SESSION_EP_URL));
         providerConfig.setEndSessionEndpoint(IdentityUtil.getProperty(
                 IdentityConstants.OAuth.OIDC_LOGOUT_EP_URL));
+
+        try {
+            providerConfig.setUserinfoSigningAlgValuesSupported(new String[] {
+                    OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(
+                            OAuthServerConfiguration.getInstance().getUserInfoJWTSignatureAlgorithm()).getName()
+            });
+        } catch (IdentityOAuth2Exception e) {
+            throw new ServerConfigurationException("Unsupported signature algorithm configured.", e);
+        }
+        providerConfig.setTokenEndpointAuthMethodsSupported(
+                OAuth2Util.getSupportedClientAuthenticationMethods().stream().toArray(String[]::new));
+        providerConfig.setGrantTypesSupported(OAuth2Util.getSupportedGrantTypes().stream().toArray(String[]::new));
+        providerConfig.setRequestParameterSupported(String.valueOf(OAuth2Util.isRequestParameterSupported()));
+        providerConfig.setClaimsParameterSupported(String.valueOf(OAuth2Util.isClaimsParameterSupported()));
+        providerConfig.setRequestObjectSigningAlgValuesSupported(
+                OAuth2Util.getRequestObjectSigningAlgValuesSupported().stream().toArray(String[]::new));
+
         return providerConfig;
     }
 }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java

@@ -88,6 +88,7 @@
 import org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
+import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
 import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
 import org.wso2.carbon.registry.core.Registry;
 import org.wso2.carbon.registry.core.Resource;
@@ -132,6 +133,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 import javax.xml.namespace.QName;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
@@ -259,6 +261,11 @@ public class OAuth2Util {
     private static final String SHA384 = "SHA-384";
     private static final String SHA512 = "SHA-512";
 
+    // Supported Client Authentication Methods
+    private static final String CLIENT_SECRET_BASIC = "client_secret_basic";
+    private static final String CLIENT_SECRET_POST = "client_secret_post";
+    private static final String PRIVATE_KEY_JWT = "private_key_jwt";
+
     private OAuth2Util() {
 
     }
@@ -1305,29 +1312,24 @@ public static void initiateOIDCScopes(int tenantId) {
 
     public static List<String> getOIDCScopes(String tenantDomain) {
 
+        List<String> scopes = new ArrayList<>();
         try {
             int tenantId = OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager()
                     .getTenantId(tenantDomain);
-            Registry registry = OAuth2ServiceComponentHolder.getRegistryService().getConfigSystemRegistry(tenantId);
+            // Get the scopes from the cache or the db
+            List<ScopeDTO> scopesDTOList = OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO().
+                    getScopes(tenantId);
 
-            if (registry.resourceExists(OAuthConstants.SCOPE_RESOURCE_PATH)) {
-                Resource resource = registry.get(OAuthConstants.SCOPE_RESOURCE_PATH);
-                Properties properties = resource.getProperties();
-                Enumeration e = properties.propertyNames();
-                List<String> scopes = new ArrayList<>();
-                while (e.hasMoreElements()) {
-                    String scope = (String) e.nextElement();
-                    // Remove hidden registry properties from Scopes.
-                    if (StringUtils.isNotBlank(scope) && !scope.startsWith(REG_HIDDEN_PROPERTY_PREFIX)) {
-                        scopes.add(scope);
-                    }
+            if (CollectionUtils.isNotEmpty(scopesDTOList)) {
+                for (ScopeDTO scope : scopesDTOList) {
+                    scopes.add(scope.getName());
                 }
-                return scopes;
             }
-        } catch (RegistryException | UserStoreException e) {
-            log.error("Error while retrieving registry collection for :" + OAuthConstants.SCOPE_RESOURCE_PATH, e);
+
+        } catch (UserStoreException | IdentityOAuth2Exception e) {
+            log.error("Error while retrieving OIDC scopes.", e);
         }
-        return new ArrayList<>();
+        return scopes;
     }
 
     public static AccessTokenDO getAccessTokenDOfromTokenIdentifier(String accessTokenIdentifier) throws
@@ -2506,5 +2508,70 @@ public static void triggerOnIntrospectionExceptionListeners(OAuth2TokenValidatio
             }
         }
     }
+
+    /**
+     * Get the supported oauth grant types
+     *
+     * @return list of grant types
+     */
+    public static List<String> getSupportedGrantTypes() {
+
+        Map<String, AuthorizationGrantHandler> supportedGrantTypesMap = OAuthServerConfiguration.getInstance()
+                .getSupportedGrantTypes();
+        List<String> supportedGrantTypes = new ArrayList<>();
+        if (supportedGrantTypesMap != null && !supportedGrantTypesMap.isEmpty()) {
+            supportedGrantTypes = supportedGrantTypesMap.keySet().stream().collect(Collectors.toList());
+        }
+        return supportedGrantTypes;
+    }
+
+    /**
+     * Get the supported client authentication methods
+     *
+     * @return list of client authentication methods
+     */
+    public static List<String> getSupportedClientAuthenticationMethods() {
+
+        List<String> clientAuthenticationMethods = new ArrayList<>();
+        clientAuthenticationMethods.add(CLIENT_SECRET_BASIC);
+        clientAuthenticationMethods.add(CLIENT_SECRET_POST);
+
+        return clientAuthenticationMethods;
+    }
+
+    /**
+     * Get the supported request object signing algorithms
+     *
+     * @return list of algorithms
+     */
+    public static List<String> getRequestObjectSigningAlgValuesSupported() {
+
+        List<String> requestObjectSigningAlgValues = new ArrayList<>();
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS256.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS384.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS512.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.NONE.getName());
+
+        return requestObjectSigningAlgValues;
+    }
+
+    /**
+     * Check whether the request object parameter is supported
+     *
+     * @return true if supported
+     */
+    public static boolean isRequestParameterSupported() {
+        return Boolean.TRUE;
+    }
+
+    /**
+     * Check whether the claims parameter is supported
+     *
+     * @return true if supported
+     */
+    public static boolean isClaimsParameterSupported() {
+        return Boolean.TRUE;
+    }
+
 }
 

components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/util/OAuth2UtilTest.java

@@ -18,6 +18,7 @@
 
 package org.wso2.carbon.identity.oauth2.util;
 
+import com.nimbusds.jose.JWSAlgorithm;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.mockito.Mock;
 import org.powermock.core.classloader.annotations.PrepareForTest;
@@ -43,14 +44,18 @@
 import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
 import org.wso2.carbon.identity.oauth2.model.ClientCredentialDO;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
 import org.wso2.carbon.identity.testutil.powermock.PowerMockIdentityBaseTest;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.user.core.tenant.TenantManager;
 
 import java.sql.Timestamp;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Random;
 import java.util.Set;
@@ -118,6 +123,9 @@ public class OAuth2UtilTest extends PowerMockIdentityBaseTest {
     @Mock
     private TenantManager tenantManagerMock;
 
+    @Mock
+    private AuthorizationGrantHandler authorizationGrantHandlerMock;
+
     @BeforeMethod
     public void setUp() throws Exception {
         authzUser = new AuthenticatedUser();
@@ -1099,4 +1107,61 @@ public void testGetAuthenticatedUser(Object authenticatedUser,
         AuthenticatedUser authzUser = OAuth2Util.getAuthenticatedUser(accessTokenDO);
         assertEquals(authzUser.isFederatedUser(), expectedIsFederatedValue);
     }
+
+    @DataProvider(name = "supportedGrantTypes")
+    public Object[][] supportedGrantTypes() {
+        Map<String, AuthorizationGrantHandler> supportedGrantTypesMap = new HashMap<>();
+        supportedGrantTypesMap.put("testGrantType1", authorizationGrantHandlerMock);
+        supportedGrantTypesMap.put("testGrantType2", authorizationGrantHandlerMock);
+
+        List<String> supportedGrantTypes = new ArrayList<>();
+        supportedGrantTypes.add("testGrantType1");
+        supportedGrantTypes.add("testGrantType2");
+
+        return new Object[][] {
+                // supportedGrantTypesMap
+                // supportedGrantTypes
+                {supportedGrantTypesMap, supportedGrantTypes},
+                {new HashMap<>(), new ArrayList<>()},
+                {null, new ArrayList<>()}
+        };
+    }
+
+    @Test(dataProvider = "supportedGrantTypes")
+    public void testGetSuportedGrantTypes(Map<String, AuthorizationGrantHandler> supportedGrantTypesMap,
+            List<String> supportedGrantTypes) throws Exception {
+
+        when(oauthServerConfigurationMock.getSupportedGrantTypes()).thenReturn(supportedGrantTypesMap);
+        assertEquals(OAuth2Util.getSupportedGrantTypes(), supportedGrantTypes);
+    }
+
+    @Test
+    public void testGetSupportedClientAuthenticationMethods() throws Exception {
+        List<String> clientAuthenticationMethods = new ArrayList<>();
+        clientAuthenticationMethods.add("client_secret_basic");
+        clientAuthenticationMethods.add("client_secret_post");
+
+        assertEquals(OAuth2Util.getSupportedClientAuthenticationMethods(), clientAuthenticationMethods);
+    }
+
+    @Test
+    public void testGetRequestObjectSigningAlgValuesSupported() throws Exception {
+        List<String> requestObjectSigningAlgValues = new ArrayList<>();
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS256.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS384.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.RS512.getName());
+        requestObjectSigningAlgValues.add(JWSAlgorithm.NONE.getName());
+
+        assertEquals(OAuth2Util.getRequestObjectSigningAlgValuesSupported(), requestObjectSigningAlgValues);
+    }
+
+    @Test
+    public void testIsRequestParameterSupported() throws Exception {
+        assertTrue(OAuth2Util.isRequestParameterSupported());
+    }
+
+    @Test
+    public void testIsClaimsParameterSupported() throws Exception {
+        assertTrue(OAuth2Util.isClaimsParameterSupported());
+    }
 }