-
Notifications
You must be signed in to change notification settings - Fork 190
Add FAPI 2.0 configuration models and connector utilities #1108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
4d78cb7
b51ffcd
030fbb3
76198be
f584a37
7c66b39
98887b4
78285fc
8976c7c
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| /* | ||
| * Copyright (c) 2026, WSO2 LLC. (http://www.wso2.com). | ||
| * | ||
| * WSO2 LLC. licenses this file to you under the Apache License, | ||
| * Version 2.0 (the "License"); you may not use this file except | ||
| * in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, | ||
| * software distributed under the License is distributed on an | ||
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
| * KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations | ||
| * under the License. | ||
| */ | ||
|
|
||
| package org.wso2.carbon.identity.api.server.application.management.v1; | ||
|
|
||
| import io.swagger.annotations.ApiModel; | ||
| import javax.validation.constraints.*; | ||
|
|
||
| /** | ||
| * FAPI security profile. - `FAPI1_ADVANCED`: FAPI 1.0 Advanced Security Profile. - `FAPI2_SECURITY`: FAPI 2.0 Security Profile. | ||
| **/ | ||
| import javax.xml.bind.annotation.XmlType; | ||
| import javax.xml.bind.annotation.XmlEnum; | ||
| import javax.xml.bind.annotation.XmlEnumValue; | ||
|
|
||
| @XmlType(name="") | ||
| @XmlEnum(String.class) | ||
| public enum FapiProfile { | ||
|
|
||
| @XmlEnumValue("FAPI1_ADVANCED") FAPI1_ADVANCED(String.valueOf("FAPI1_ADVANCED")), @XmlEnumValue("FAPI2_SECURITY") FAPI2_SECURITY(String.valueOf("FAPI2_SECURITY")); | ||
|
|
||
|
|
||
| private String value; | ||
|
|
||
| FapiProfile(String v) { | ||
| value = v; | ||
| } | ||
|
|
||
| public String value() { | ||
| return value; | ||
| } | ||
|
|
||
| @Override | ||
| public String toString() { | ||
| return String.valueOf(value); | ||
| } | ||
|
|
||
| public static FapiProfile fromValue(String value) { | ||
| for (FapiProfile b : FapiProfile.values()) { | ||
| if (b.value.equals(value)) { | ||
| return b; | ||
| } | ||
| } | ||
| throw new IllegalArgumentException("Unexpected value '" + value + "'"); | ||
| } | ||
| } | ||
|
|
||
|
|
||
|
|
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -142,6 +142,9 @@ | |||||||||||||||||||||
| import org.wso2.carbon.identity.cors.mgt.core.exception.CORSManagementServiceException; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.cors.mgt.core.model.CORSOrigin; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.oauth.dao.OAuthAppDO; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.oauth2.fapi.exceptions.FapiConfigMgtException; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.oauth2.fapi.models.FapiProfileEnum; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.oauth2.fapi.services.FapiConfigMgtService; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.role.v2.mgt.core.RoleConstants; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO; | ||||||||||||||||||||||
| import org.wso2.carbon.identity.template.mgt.TemplateManager; | ||||||||||||||||||||||
|
|
@@ -190,6 +193,7 @@ | |||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ErrorMessage.FORBIDDEN_OPERATION; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ErrorMessage.INBOUND_NOT_CONFIGURED; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ErrorMessage.UNSUPPORTED_ENHANCED_ORGANIZATION_AUTHENTICATION_ENABLED_CONFIGURATION; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ErrorMessage.UNSUPPORTED_FAPI_PROFILE; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ErrorMessage.USE_EXTERNAL_CONSENT_PAGE_NOT_SUPPORTED; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.ISSUER; | ||||||||||||||||||||||
| import static org.wso2.carbon.identity.api.server.application.management.common.ApplicationManagementConstants.NAME; | ||||||||||||||||||||||
|
|
@@ -815,7 +819,10 @@ public String createApplication(ApplicationModel applicationModel, String templa | |||||||||||||||||||||
| */ | ||||||||||||||||||||||
| if (applicationModel.getInboundProtocolConfiguration() != null && | ||||||||||||||||||||||
| applicationModel.getInboundProtocolConfiguration().getOidc() != null) { | ||||||||||||||||||||||
| validateCORSOrigins(applicationModel.getInboundProtocolConfiguration().getOidc().getAllowedOrigins()); | ||||||||||||||||||||||
| OpenIDConnectConfiguration oidcConfig = | ||||||||||||||||||||||
| applicationModel.getInboundProtocolConfiguration().getOidc(); | ||||||||||||||||||||||
|
Comment on lines
820
to
+823
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Log Improvement Suggestion No: 2
Suggested change
|
||||||||||||||||||||||
| validateCORSOrigins(oidcConfig.getAllowedOrigins()); | ||||||||||||||||||||||
| validateFapiProfile(oidcConfig); | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| /* | ||||||||||||||||||||||
|
|
@@ -1235,6 +1242,7 @@ public void putInboundOAuthConfiguration(String applicationId, OpenIDConnectConf | |||||||||||||||||||||
| * But for now we are handling the validation here. | ||||||||||||||||||||||
| */ | ||||||||||||||||||||||
| validateCORSOrigins(oidcConfigModel.getAllowedOrigins()); | ||||||||||||||||||||||
| validateFapiProfile(oidcConfigModel); | ||||||||||||||||||||||
| putApplicationInbound(applicationId, oidcConfigModel, OAuthInboundFunctions::getInboundProtocolConfig); | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
|
@@ -2219,6 +2227,64 @@ private String buildFormattedDescription(String description, String... formatDat | |||||||||||||||||||||
| } | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| /** | ||||||||||||||||||||||
| * Validates the FAPI profile in the given OIDC configuration. | ||||||||||||||||||||||
| * | ||||||||||||||||||||||
| * <p>Validation: checks the resolved profile against the organisation's allowed list from | ||||||||||||||||||||||
| * {@link FapiConfigMgtService}. Throws a 400 error if the profile is not supported. | ||||||||||||||||||||||
| * No-ops when {@code oidcConfig} is null, FAPI is disabled, or {@link FapiConfigMgtService} | ||||||||||||||||||||||
| * is unavailable (treated as optional OSGi service). | ||||||||||||||||||||||
| * | ||||||||||||||||||||||
| * @param oidcConfig the OIDC configuration from the incoming request; may be null. | ||||||||||||||||||||||
| */ | ||||||||||||||||||||||
| private void validateFapiProfile(OpenIDConnectConfiguration oidcConfig) { | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| // Only validate when the application is marked as FAPI and a specific profile is provided. | ||||||||||||||||||||||
| // If isFAPIApplication is false the profile field is ignored in storage, so validation would | ||||||||||||||||||||||
| // produce a misleading error for a field that has no effect. | ||||||||||||||||||||||
| if (oidcConfig == null || !Boolean.TRUE.equals(oidcConfig.getIsFAPIApplication()) | ||||||||||||||||||||||
| || oidcConfig.getFapiProfile() == null) { | ||||||||||||||||||||||
| return; | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| /* | ||||||||||||||||||||||
| * FapiConfigMgtService is treated as optional here. Profile validation is an enhancement — | ||||||||||||||||||||||
| * silently skipping it avoids blocking all OIDC application updates in deployments where | ||||||||||||||||||||||
| * the FAPI bundle is not present. The configs API module (/configs/fapi) hard-requires | ||||||||||||||||||||||
| * the service at startup and fails fast if it is absent. | ||||||||||||||||||||||
| */ | ||||||||||||||||||||||
| FapiConfigMgtService fapiConfigMgtService = ApplicationManagementServiceHolder.getFapiConfigMgtService(); | ||||||||||||||||||||||
| if (fapiConfigMgtService == null) { | ||||||||||||||||||||||
| log.debug("FapiConfigMgtService is unavailable. Skipping fapiProfile validation."); | ||||||||||||||||||||||
| return; | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| String tenantDomain = ContextLoader.getTenantDomainFromContext(); | ||||||||||||||||||||||
| try { | ||||||||||||||||||||||
| List<FapiProfileEnum> supportedProfiles = | ||||||||||||||||||||||
| fapiConfigMgtService.getFapiConfig(tenantDomain).getSupportedProfiles(); | ||||||||||||||||||||||
| String requestedProfileValue = oidcConfig.getFapiProfile().toString(); | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| boolean isSupported = supportedProfiles.stream() | ||||||||||||||||||||||
| .anyMatch(p -> p.value().equals(requestedProfileValue)); | ||||||||||||||||||||||
|
Comment on lines
+2245
to
+2269
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Validate the effective default FAPI profile. When Proposed fix- // Only validate when the application is marked as FAPI and a specific profile is provided.
- // If isFAPIApplication is false the profile field is ignored in storage, so validation would
- // produce a misleading error for a field that has no effect.
- if (oidcConfig == null || !Boolean.TRUE.equals(oidcConfig.getIsFAPIApplication())
- || oidcConfig.getFapiProfile() == null) {
+ // Only validate when the application is marked as FAPI. If the profile is omitted,
+ // validate the default profile that is applied downstream.
+ if (oidcConfig == null || !Boolean.TRUE.equals(oidcConfig.getIsFAPIApplication())) {
return;
}
@@
- String requestedProfileValue = oidcConfig.getFapiProfile().toString();
+ String requestedProfileValue = oidcConfig.getFapiProfile() != null
+ ? oidcConfig.getFapiProfile().toString()
+ : FapiProfileEnum.FAPI1_ADVANCED.value();🤖 Prompt for AI Agents |
||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
coderabbitai[bot] marked this conversation as resolved.
|
||||||||||||||||||||||
| if (!isSupported) { | ||||||||||||||||||||||
| String supportedProfilesStr = supportedProfiles.stream() | ||||||||||||||||||||||
| .map(FapiProfileEnum::value) | ||||||||||||||||||||||
| .collect(Collectors.joining(", ")); | ||||||||||||||||||||||
| if (log.isDebugEnabled()) { | ||||||||||||||||||||||
| log.debug(String.format("Rejected fapiProfile '%s' for tenant '%s'. Supported: [%s]", | ||||||||||||||||||||||
| requestedProfileValue, tenantDomain, supportedProfilesStr)); | ||||||||||||||||||||||
|
Comment on lines
+2274
to
+2277
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Log Improvement Suggestion No: 3
Suggested change
|
||||||||||||||||||||||
| } | ||||||||||||||||||||||
| throw buildClientError(UNSUPPORTED_FAPI_PROFILE, requestedProfileValue, supportedProfilesStr); | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
| } catch (FapiConfigMgtException e) { | ||||||||||||||||||||||
| throw Utils.buildServerError( | ||||||||||||||||||||||
| String.format("Error while retrieving FAPI configuration for tenant '%s' during fapiProfile " + | ||||||||||||||||||||||
| "validation.", tenantDomain), e); | ||||||||||||||||||||||
|
Comment on lines
+2281
to
+2284
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Use the new FAPI metadata error code here. Line 2281 currently builds a generic server error, so this retrieval-failure path does not return the new Proposed fix } catch (FapiConfigMgtException e) {
- throw Utils.buildServerError(
- String.format("Error while retrieving FAPI configuration for tenant '%s' during fapiProfile " +
- "validation.", tenantDomain), e);
+ ErrorMessage errorEnum = ErrorMessage.ERROR_RETRIEVING_FAPI_METADATA;
+ throw Utils.buildServerError(errorEnum.getCode(), errorEnum.getMessage(),
+ buildFormattedDescription(errorEnum.getDescription(), tenantDomain), e);
}🤖 Prompt for AI Agents |
||||||||||||||||||||||
| } | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
|
coderabbitai[bot] marked this conversation as resolved.
|
||||||||||||||||||||||
|
|
||||||||||||||||||||||
| /** | ||||||||||||||||||||||
| * Validate the CORS Origins. This should be moved to the service layer with the CORS adding step on creating | ||||||||||||||||||||||
| * OIDC applications. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Log Improvement Suggestion No: 1