Create mechanisms to support whitelisting of registered clients and blacklisting of domains.

Add support for dynamic client registration

Multiple errors (such as InvalidJwtSignature) need to have error view beans mapped to them.

Develop a Connect Client filter that can speak to multiple Connect servers, mitigated through an Account Chooser UI application. The Account Chooser will be developed separately and run on a separate system.

Protocol flow:

User starts at client app, protected by this filter
Filter starts OIDC transaction against configured Account Chooser endpoint (AC)
AC gives user multiple options for login against different connect servers, handles login to these servers
AC redirects user back to client app with Code and some indicator as to which server the user chose
Filter picks up the code and the server indicator and finishes the OIDC transaction

Add support for request objects and request files, both signed and unsigned.

Should be in resource/bootstrap2 not resource/boostrap2. Easy to miss, inconsistent.

The Algorithm enum is defined in all of the JwtSigner implementations. It should be moved to a centralized Enum class.

The client name and description should not be limited to only 3+ alphanumeric characters. These are free-text user-facing values and need to contain arbitrary text. They are also completely optional and may be left blank. Blank values should be pushed in as nulls.

The RsaSigner class will return true from its verify method, even if the signature has been removed from the given jwt.

Concerning: org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService

Must implement new method from OAuth2TokenEntityService --> AuthorizationServerTokenServices interface, getAccessToken(OAuth2Authentication authentication). Added stub so that this will compile.

Our builds on the Travis CI are taking a very long time:

http://travis-ci.org/#!/jricher/OpenID-Connect-Java-Spring-Server/builds

Recent ones on the order of a half an hour. There must be something wrong with our Travis config that is causing it to timeout.

Add support for the implicit flow

It's possible to set it via constructor args, but it really is better to do this via get/set methods. Also, consider making it protected to allow subclassing.

Our unit tests are broken since the refactor into client/server/common submodules. They should at least be fixed to allow for a clean compile, and more unit tests need to be added.

Create a view to output the tokens instead of using a direct JSON serializer, submit patch back to SECOAUTH.

We need to implement our own UserApprovalHandler. This class is injected into the AuthorizationEndpoint and is called on to check whether the user has already approved this request.

Issuer URL is read correctly but several of the URLs are incorrect.

Concerning org.mitre.oauth2.model.OAuth2RefreshTokenEntity:

Superclass (ExpiringOAuth2RefreshToken) does not have a default (empty) constructor. Constructor takes String value and Date expiration. expiration is marked final in the superclass and cannot be set other than through the constructor.

Added super(null, null) to OAuth2RefreshTokenEntity constructor, and commented out super.setExpiration in setExpiration so that this will compile.

The latest update from SECOAUTH makes ClientDetails.registeredRedirectUri a Set of Strings, rather than a single String. The management interface code needs to be updated to support this change.

The "redirect uri" portion of a client's information is now stored in a utility table instead of in the client details table itself. The sql file and any documentation needs to be updated.

This repo is under Justin's name, it should be moved to an organization instead.

Develop an account chooser application to allow redirection to multiple Connect servers

Not sure if this is a configuration issue or not but the iss attribute in the checkid response is set to http://localhost/

Add support for a protected PortableContacts (PoCo) compatible endpoint, fed by the same data as the UserInfo endpoint

We need to add licence headers to our class files.

Title says it all

Client edit, add, delete, etc, in the admin pages

If a user tries to access the authorization endpoint to request an authorization code while they are already logged in and have a session, Spring Security goes in to an infinite redirect loop. We probably have a bad setting somewhere in our Spring Security config.

Several UI elements need to have type ahead completion, such as the scope and authority entries on the client registration page.

In the client administration panels, the id and secret need to be directly viewable and editable by the admin.

Make the home page less of a mockup.

The "issuer" field of the IdTokens created when passing through the ConnectAuthCodeTokenGranter needs to be set to the server's current base URL. org.mitre.Utility.findBaseUrl() will produce that URL if given an HttpRequest, but the request object is not available inside the token granter. For now, the token granter is using a dummy string value.

Is there a way to properly insert the (dynamically discovered) current base URL into the token granter? Or should this value be statically configured at deployment time?

The CheckID Endpoint needs to to support all methods of the Bearer token presentation, including the query parameter, form parameter, and auth header mechanisms. This should be wired in using SECOAUTH filters.

We need to support http basic auth for client authentication at the token endpoint. For now, stick to url query authorization with the client_id and client_secret parameters.

The user needs to be granted more options on the authorization page, including:

• which scopes/claims to allow
• whether to remember this authorization in the future

These choices need to be passed through to the granter and expressed in the grant decision.

Deploy system in production configuration for application scanning.

Update SECOAUTH reference to the HEAD revision and refactor token code

Justin and I had a conversation with Dave Syer today, and decided it would be worth taking a look at how we could move the custom token generation/enhancement code, which we currently have in our TokenGranter impl, into the token service layer instead.

This will change the TokenService interface, which the SECOAUTH team is OK with re-evaluating. We also talked about the TokenService interface having create, enhance, and finish methods.

I will fork our code and push up a new branch to work on these changes.

Configure header filter, get list of protected URIs to OAM team

Modify the nexus project to work with the transition of the project to the mitre-id connect organization.

The button styling on the user authorization page is missing, likely due to the switch to Bootstrap2 throughout the project.

Add a service and controller for the UserInfo endpoint.

Trim ECDSA Code from repository

Concerning org.mitre.oauth2.model.ClientDetailsEntity:

Must implement int getAccessTokenValiditySeconds(). Added stub so that this will compile.

The signatures produced by the RsaSigner are very long - 2-3 times longer than the jwt itself. They make the jwts too big to be stored in our original database tables. We've updated the table definition in accesstoken.sql and on idsandbox to fit them, but they probably should not be that large. Signatures should be smaller than the entity being signed.