A few small updates. Mostly stashing this so I can test v5.6 -> v6.0 …

…migration.
ncsa · Oct 30, 2024 · 4ddbb4d · 4ddbb4d
1 parent d995c2b
commit 4ddbb4d
Show file tree

Hide file tree

Showing 14 changed files with 136 additions and 906 deletions.
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
diff --git a/.idea/encodings.xml b/.idea/encodings.xml
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
diff --git a/client-installer/buildNumber.properties b/client-installer/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Mon Oct 28 22:51:58 CDT 2024
-buildNumber\\d*=544
+#Tue Oct 29 15:35:08 CDT 2024
+buildNumber\\d*=551
diff --git a/oa4mp-server-oauth2/buildNumber.properties b/oa4mp-server-oauth2/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Mon Oct 28 22:51:57 CDT 2024
-buildNumber\\d*=12435
+#Tue Oct 29 15:35:04 CDT 2024
+buildNumber\\d*=12442
diff --git a/pom.xml b/pom.xml
@@ -98,6 +98,7 @@
         <module>server-installer</module>
         <module>client-installer</module>
         <module>installer</module>
+        <module>rfc8414</module>
     </modules>
     <dependencies>
         <dependency>

diff --git a/qdl/buildNumber.properties b/qdl/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Mon Oct 28 22:51:57 CDT 2024
-buildNumber\\d*=13480
+#Tue Oct 29 15:35:08 CDT 2024
+buildNumber\\d*=13487
diff --git a/rfc8414/src/main/java/org/oa4mp/rfc8414/RFC8414Servlet.java b/rfc8414/src/main/java/org/oa4mp/rfc8414/RFC8414Servlet.java
@@ -18,10 +18,12 @@
  */
 // Fixes https://github.com/ncsa/oa4mp/issues/175
 public class RFC8414Servlet extends HttpServlet {
+    public static final String SERVICE_NAME = "oa4mp:oa4mp.service.name";
     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         ServletDebugUtil.printAllParameters(getClass(), req, true);
-        resp.sendRedirect("/oauth2" + req.getRequestURI());
+        String caput= getServletContext().getInitParameter(SERVICE_NAME);
+        resp.sendRedirect("/" + caput  + req.getRequestURI());
     }
 
     @Override

diff --git a/rfc8414/src/main/webapp/WEB-INF/web.xml b/rfc8414/src/main/webapp/WEB-INF/web.xml
@@ -26,4 +26,9 @@
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>
+
+    <context-param>
+        <param-name>oa4mp:oa4mp.service.name</param-name>
+        <param-value>oauth2</param-value>
+    </context-param>
 </web-app>
diff --git a/server-admin/src/main/java/org/oa4mp/server/admin/myproxy/oauth2/tools/JWKUtilCommands.java b/server-admin/src/main/java/org/oa4mp/server/admin/myproxy/oauth2/tools/JWKUtilCommands.java
@@ -1236,7 +1236,7 @@ protected void printValidateTokenHelp() {
         sayi("    validate_token " + CL_WELL_KNOWN_FLAG + " https://foo.bar/.well-known " + CL_INPUT_FILE_FLAG + " my_token.jwt                                         ");
         sayi("       This will read the keys in the well-known file and read the token in the file                                ");
         sayi("                                                                                                                 ");
-        sayi("    validate_token " + CL_WELL_KNOWN_FLAG + "https://foo.bar/.well-known -v " + CL_INPUT_FILE_FLAG + " my_token.jwt                                      ");
+        sayi("    validate_token " + CL_WELL_KNOWN_FLAG + " https://foo.bar/.well-known -v " + CL_INPUT_FILE_FLAG + " my_token.jwt                                      ");
         sayi("       Identical behavior to the first example but note the -v flag: This causes any information about              ");
         sayi("       the token to be printed. Normally this is not used except for trying to debug issues.                        ");
         sayi("                                        ");

diff --git a/server-installer/buildNumber.properties b/server-installer/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Mon Oct 28 22:51:58 CDT 2024
-buildNumber\\d*=542
+#Tue Oct 29 15:35:08 CDT 2024
+buildNumber\\d*=549
diff --git a/server-test/buildNumber.properties b/server-test/buildNumber.properties
@@ -1,3 +1,3 @@
 #maven.buildNumber.plugin properties file
-#Mon Oct 28 22:51:57 CDT 2024
-buildNumber\\d*=11470
+#Tue Oct 29 15:35:07 CDT 2024
+buildNumber\\d*=11477
diff --git a/website/src/site/xhtml/common/configuration/supported-specifications.xhtml b/website/src/site/xhtml/common/configuration/supported-specifications.xhtml
@@ -39,7 +39,7 @@
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7636">rfc7636</a></td><td style="vertical-align: top;">Proof key for code exchange</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7662">rfc7662</a></td><td style="vertical-align: top;">Token introspection</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8259">rfc8259</a></td><td style="vertical-align: top;">JSON specification (most current, so UTF-8 encodings only, etc.) </td></tr>
-    <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8414">rfc8414</a></td><td style="vertical-align: top;">Discovery endpoint requirements </td></tr>
+    <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8414">rfc8414</a></td><td style="vertical-align: top;">OAuth2 Discovery</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8628">rfc8628</a></td><td style="vertical-align: top;">Device flow</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8693">rfc8693</a></td><td style="vertical-align: top;">Token exchange</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8725">rfc8725</a></td><td style="vertical-align: top;">JWT best practices</td></tr>
@@ -57,7 +57,6 @@
     </tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc6750">rfc6750</a></td><td style="vertical-align: top;">Bearer token usage</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8628">rfc8628</a></td><td style="vertical-align: top;">Device flow</td></tr>
-    <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8414">rfc8414</a></td><td style="vertical-align: top;">Discovery endpoint requirements </td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7592">rfc7592</a></td><td style="vertical-align: top;">Dynamic client management protocol</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7591">rfc7591</a></td><td style="vertical-align: top;">Dynamic client registration protocol</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc8259">rfc8259</a></td><td style="vertical-align: top;">JSON specification (most current, so UTF-8 encodings only, etc.) </td></tr>
@@ -68,6 +67,7 @@
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7519">rfc7519</a></td><td style="vertical-align: top;">JWT (JSON Web Token) specification</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc9068">rfc9068</a></td><td style="vertical-align: top;">JWTs for web access tokens</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc6749">rfc6749</a></td><td style="vertical-align: top;">OAuth 2</td></tr>
+    <tr><td style="vertical-align: top;"><a href="https://datatracker.ietf.org/doc/html/rfc8414">OAuth2 Discovery</a></td><td style="vertical-align: top;">OAuth 2 Discovery</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://openid.net/specs/openid-connect-core-1_0.html">OIDC</a></td><td style="vertical-align: top;">OIDC</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OIDC Discovery</a></td><td style="vertical-align: top;">OIDC Discovery</td></tr>
     <tr><td style="vertical-align: top;"><a href="https://www.rfc-editor.org/rfc/rfc7636">rfc7636</a></td><td style="vertical-align: top;">Proof key for code exchange</td></tr>

diff --git a/website/src/site/xhtml/server/manuals/discovery.xhtml b/website/src/site/xhtml/server/manuals/discovery.xhtml
@@ -5,20 +5,42 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
     <title>The Discovery Service</title>
-    <!--#include virtual="../../head.html" -->
 </head>
 <body class="composite">
-<!--#include virtual="../../header.html" -->
 <h2>The Discovery Service</h2>
 <p>OA4MP (for OIDC) supports the .well-known endpoint, as per <a href="https://tools.ietf.org/html/rfc5785">RFC 5785</a>
+    <a href="https://datatracker.ietf.org/doc/html/rfc8414">OAuth 2 Discovery</a>,
     and <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OIDC discovery</a>.
 It should be noted that each instance of OA4MP will have its own location for this which corresponds
 to that instance. This allows for multiple services in a single domain.</p>
-<p>You may also use the discovery service to get the public signing keys. This is at the certs endpoint.
+<p>You may also use the discovery service to get the public signing keys. This is at the <b>certs</b> endpoint.
 </p>
 
-<h3>Example</h3>
-<p>If OA4MP is hosted at <code>https://services.bigstate.edu/oauth2</code>, then the discovery page is at
+<h3>By the specification</h3>
+<p>According to the specifications (RFC 8414, RFC 5785) a request to the service at the
+<b>.well-known</b> end point must return the information for the OAuth server. This means that</p>
+<ul>
+    <li>If Apache webserver is fronting Tomcat, you must use <b>mod_rewrite</b> to forward any requests to
+    the OA4MP Discovery servlet</li>
+    <li>In a Tomcat only install, you should install the RFC8414 servlet that will automatically forward
+    the requests.</li>
+</ul>
+<p>It is also possible to just use the <a href="https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html">rewrite valve</a>
+in Tomcat to forward requests, however, since it is possible to have multiple OA4MP instances each with its own
+ Discovery service, the RFC8414 servlet is much more flexible.</p>
+
+<h2>A note on issuers.</h2>
+<p>OA4MP allows for multiple issuers with their own keys and hence discovery pages to be created.
+The normal way this works is that a <i>virtual organization</i> is created and </p>
+
+<h3>Example accessing the well-known page</h3>
+<p>In this case, Tomcat has been configured to return the well-known page for a single OA4MP install using
+    the RFC8414 webapp.
+A request to <code>https://services.bigstate.edu/.well-known/openid-configuration</code> will be forwarded
+to the OA4MP instance and serviced there. See the next example for a typical response.</p>
+
+<h3>Example accessing the OA4MP Discovery service directly</h3>
+<p>If OA4MP is hosted at <code>https://services.bigstate.edu/oauth2</code>, then the discovery service is at
 <code>https://services.bigstate.edu/oauth2/.well-known/openid-configuration</code> and will return a JSON
 object such as </p>
 <pre>
@@ -86,6 +108,5 @@ and this will return a JSON WebKey object:
   }
  ]}
 </pre>
-<!--#include virtual="../../footer.html" -->
 </body>
 </html>