[SYNCOPE-1950] Allow configuration of OIDC Token Expiration Policy in WA

Author: mdisabatino

client/am/console/src/main/java/org/apache/syncope/client/console/clientapps/ClientAppModalPanelBuilder.java

@@ -465,6 +465,38 @@ public void setObject(final String object) {
                                     false);
                     tokenEndpointAuthenticationMethod.setChoices(List.of(OIDCClientAuthenticationMethod.values()));
                     fields.add(tokenEndpointAuthenticationMethod);
+
+                    AjaxTextFieldPanel accessTokenMaxTimeToLive = new AjaxTextFieldPanel(
+                            "field", "accessTokenMaxTimeToLive",
+                            new PropertyModel<>(clientAppTO, "accessTokenMaxTimeToLive"), false);
+                    fields.add(accessTokenMaxTimeToLive);
+
+                    AjaxTextFieldPanel accessTokenTimeToKill = new AjaxTextFieldPanel(
+                            "field", "accessTokenTimeToKill", new PropertyModel<>(clientAppTO, "accessTokenTimeToKill"),
+                            false);
+                    fields.add(accessTokenTimeToKill);
+
+                    AjaxNumberFieldPanel<Long> accessTokenMaxActiveTokens = new AjaxNumberFieldPanel.Builder<Long>()
+                            .enableOnChange()
+                            .build("field", "accessTokenMaxActiveTokens", Long.class,
+                                    new PropertyModel<>(clientAppTO, "accessTokenMaxActiveTokens"));
+                    fields.add(accessTokenMaxActiveTokens);
+
+                    AjaxTextFieldPanel refreshTokenTimeToKill = new AjaxTextFieldPanel(
+                            "field", "refreshTokenTimeToKill",
+                            new PropertyModel<>(clientAppTO, "refreshTokenTimeToKill"), false);
+                    fields.add(refreshTokenTimeToKill);
+
+                    AjaxNumberFieldPanel<Long> refreshTokenMaxActiveTokens = new AjaxNumberFieldPanel.Builder<Long>()
+                            .enableOnChange()
+                            .build("field", "refreshTokenMaxActiveTokens", Long.class,
+                                    new PropertyModel<>(clientAppTO, "refreshTokenMaxActiveTokens"));
+                    fields.add(refreshTokenMaxActiveTokens);
+
+                    AjaxTextFieldPanel deviceTokenTimeToKill = new AjaxTextFieldPanel(
+                            "field", "deviceTokenTimeToKill", new PropertyModel<>(clientAppTO, "deviceTokenTimeToKill"),
+                            false);
+                    fields.add(deviceTokenTimeToKill);
                     break;
 
                 case SAML2SP:

common/am/lib/src/main/java/org/apache/syncope/common/lib/to/OIDCRPClientAppTO.java

@@ -82,6 +82,18 @@ public class OIDCRPClientAppTO extends ClientAppTO {
 
     private String jwksUri;
 
+    private String accessTokenMaxTimeToLive;
+
+    private String accessTokenTimeToKill;
+
+    private Long accessTokenMaxActiveTokens;
+
+    private String refreshTokenTimeToKill;
+
+    private Long refreshTokenMaxActiveTokens;
+
+    private String deviceTokenTimeToKill;
+
     private OIDCClientAuthenticationMethod tokenEndpointAuthenticationMethod =
             OIDCClientAuthenticationMethod.client_secret_basic;
 
@@ -272,6 +284,54 @@ public void setLogoutUri(final String logoutUri) {
         this.logoutUri = logoutUri;
     }
 
+    public String getAccessTokenMaxTimeToLive() {
+        return accessTokenMaxTimeToLive;
+    }
+
+    public void setAccessTokenMaxTimeToLive(final String accessTokenMaxTimeToLive) {
+        this.accessTokenMaxTimeToLive = accessTokenMaxTimeToLive;
+    }
+
+    public String getAccessTokenTimeToKill() {
+        return accessTokenTimeToKill;
+    }
+
+    public void setAccessTokenTimeToKill(final String accessTokenTimeToKill) {
+        this.accessTokenTimeToKill = accessTokenTimeToKill;
+    }
+
+    public Long getAccessTokenMaxActiveTokens() {
+        return accessTokenMaxActiveTokens;
+    }
+
+    public void setAccessTokenMaxActiveTokens(final Long accessTokenMaxActiveTokens) {
+        this.accessTokenMaxActiveTokens = accessTokenMaxActiveTokens;
+    }
+
+    public String getRefreshTokenTimeToKill() {
+        return refreshTokenTimeToKill;
+    }
+
+    public void setRefreshTokenTimeToKill(final String refreshTokenTimeToKill) {
+        this.refreshTokenTimeToKill = refreshTokenTimeToKill;
+    }
+
+    public Long getRefreshTokenMaxActiveTokens() {
+        return refreshTokenMaxActiveTokens;
+    }
+
+    public void setRefreshTokenMaxActiveTokens(final Long refreshTokenMaxActiveTokens) {
+        this.refreshTokenMaxActiveTokens = refreshTokenMaxActiveTokens;
+    }
+
+    public String getDeviceTokenTimeToKill() {
+        return deviceTokenTimeToKill;
+    }
+
+    public void setDeviceTokenTimeToKill(final String deviceTokenTimeToKill) {
+        this.deviceTokenTimeToKill = deviceTokenTimeToKill;
+    }
+
     @Override
     public boolean equals(final Object obj) {
         if (obj == null) {
@@ -310,6 +370,12 @@ public boolean equals(final Object obj) {
                 .append(this.jwksUri, rhs.jwksUri)
                 .append(this.tokenEndpointAuthenticationMethod, rhs.tokenEndpointAuthenticationMethod)
                 .append(this.logoutUri, rhs.logoutUri)
+                .append(this.accessTokenMaxTimeToLive, rhs.accessTokenMaxTimeToLive)
+                .append(this.accessTokenTimeToKill, rhs.accessTokenTimeToKill)
+                .append(this.accessTokenMaxActiveTokens, rhs.accessTokenMaxActiveTokens)
+                .append(this.refreshTokenTimeToKill, rhs.accessTokenTimeToKill)
+                .append(this.refreshTokenMaxActiveTokens, rhs.refreshTokenMaxActiveTokens)
+                .append(this.deviceTokenTimeToKill, rhs.deviceTokenTimeToKill)
                 .isEquals();
     }
 
@@ -341,6 +407,12 @@ public int hashCode() {
                 .append(jwksUri)
                 .append(tokenEndpointAuthenticationMethod)
                 .append(logoutUri)
+                .append(accessTokenMaxTimeToLive)
+                .append(accessTokenTimeToKill)
+                .append(accessTokenMaxActiveTokens)
+                .append(refreshTokenTimeToKill)
+                .append(refreshTokenMaxActiveTokens)
+                .append(deviceTokenTimeToKill)
                 .toHashCode();
     }
 }

core/persistence-api/src/main/java/org/apache/syncope/core/persistence/api/entity/am/OIDCRPClientApp.java

@@ -118,4 +118,27 @@ public interface OIDCRPClientApp extends ClientApp {
 
     void setLogoutUri(String logoutUri);
 
+    String getDeviceTokenTimeToKill();
+
+    void setDeviceTokenTimeToKill(String deviceTokenTimeToKill);
+
+    Long getRefreshTokenMaxActiveTokens();
+
+    void setRefreshTokenMaxActiveTokens(Long refreshTokenMaxActiveTokens);
+
+    String getRefreshTokenTimeToKill();
+
+    void setRefreshTokenTimeToKill(String refreshTokenTimeToKill);
+
+    Long getAccessTokenMaxActiveTokens();
+
+    void setAccessTokenMaxActiveTokens(Long accessTokenMaxActiveTokens);
+
+    String getAccessTokenTimeToKill();
+
+    void setAccessTokenTimeToKill(String accessTokenTimeToKill);
+
+    String getAccessTokenMaxTimeToLive();
+
+    void setAccessTokenMaxTimeToLive(String accessTokenMaxTimeToLive);
 }

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/entity/am/JPAOIDCRPClientApp.java

@@ -142,6 +142,18 @@ public class JPAOIDCRPClientApp extends AbstractClientApp implements OIDCRPClien
 
     private String logoutUri;
 
+    private String accessTokenMaxTimeToLive;
+
+    private String accessTokenTimeToKill;
+
+    private Long accessTokenMaxActiveTokens;
+
+    private String refreshTokenTimeToKill;
+
+    private Long refreshTokenMaxActiveTokens;
+
+    private String deviceTokenTimeToKill;
+
     @Override
     public Set<String> getRedirectUris() {
         return redirectUrisSet;
@@ -364,6 +376,66 @@ public void setLogoutUri(final String logoutUri) {
         this.logoutUri = logoutUri;
     }
 
+    @Override
+    public String getDeviceTokenTimeToKill() {
+        return deviceTokenTimeToKill;
+    }
+
+    @Override
+    public void setDeviceTokenTimeToKill(final String deviceTokenTimeToKill) {
+        this.deviceTokenTimeToKill = deviceTokenTimeToKill;
+    }
+
+    @Override
+    public Long getRefreshTokenMaxActiveTokens() {
+        return refreshTokenMaxActiveTokens;
+    }
+
+    @Override
+    public void setRefreshTokenMaxActiveTokens(final Long refreshTokenMaxActiveTokens) {
+        this.refreshTokenMaxActiveTokens = refreshTokenMaxActiveTokens;
+    }
+
+    @Override
+    public String getRefreshTokenTimeToKill() {
+        return refreshTokenTimeToKill;
+    }
+
+    @Override
+    public void setRefreshTokenTimeToKill(final String refreshTokenTimeToKill) {
+        this.refreshTokenTimeToKill = refreshTokenTimeToKill;
+    }
+
+    @Override
+    public Long getAccessTokenMaxActiveTokens() {
+        return accessTokenMaxActiveTokens;
+    }
+
+    @Override
+    public void setAccessTokenMaxActiveTokens(final Long accessTokenMaxActiveTokens) {
+        this.accessTokenMaxActiveTokens = accessTokenMaxActiveTokens;
+    }
+
+    @Override
+    public String getAccessTokenTimeToKill() {
+        return accessTokenTimeToKill;
+    }
+
+    @Override
+    public void setAccessTokenTimeToKill(final String accessTokenTimeToKill) {
+        this.accessTokenTimeToKill = accessTokenTimeToKill;
+    }
+
+    @Override
+    public String getAccessTokenMaxTimeToLive() {
+        return accessTokenMaxTimeToLive;
+    }
+
+    @Override
+    public void setAccessTokenMaxTimeToLive(final String accessTokenMaxTimeToLive) {
+        this.accessTokenMaxTimeToLive = accessTokenMaxTimeToLive;
+    }
+    
     protected void json2list(final boolean clearFirst) {
         if (clearFirst) {
             getRedirectUris().clear();

core/persistence-neo4j/src/main/java/org/apache/syncope/core/persistence/neo4j/entity/am/Neo4jOIDCRPClientApp.java

@@ -119,6 +119,19 @@ public class Neo4jOIDCRPClientApp extends AbstractClientApp implements OIDCRPCli
 
     private String logoutUri;
 
+
+    private String accessTokenMaxTimeToLive;
+
+    private String accessTokenTimeToKill;
+
+    private Long accessTokenMaxActiveTokens;
+
+    private String refreshTokenTimeToKill;
+
+    private Long refreshTokenMaxActiveTokens;
+
+    private String deviceTokenTimeToKill;
+
     @Override
     public Set<String> getRedirectUris() {
         return redirectUrisSet;
@@ -341,6 +354,55 @@ public void setLogoutUri(final String logoutUri) {
         this.logoutUri = logoutUri;
     }
 
+
+    public String getDeviceTokenTimeToKill() {
+        return deviceTokenTimeToKill;
+    }
+
+    public void setDeviceTokenTimeToKill(final String deviceTokenTimeToKill) {
+        this.deviceTokenTimeToKill = deviceTokenTimeToKill;
+    }
+
+    public Long getRefreshTokenMaxActiveTokens() {
+        return refreshTokenMaxActiveTokens;
+    }
+
+    public void setRefreshTokenMaxActiveTokens(final Long refreshTokenMaxActiveTokens) {
+        this.refreshTokenMaxActiveTokens = refreshTokenMaxActiveTokens;
+    }
+
+    public String getRefreshTokenTimeToKill() {
+        return refreshTokenTimeToKill;
+    }
+
+    public void setRefreshTokenTimeToKill(final String refreshTokenTimeToKill) {
+        this.refreshTokenTimeToKill = refreshTokenTimeToKill;
+    }
+
+    public Long getAccessTokenMaxActiveTokens() {
+        return accessTokenMaxActiveTokens;
+    }
+
+    public void setAccessTokenMaxActiveTokens(final Long accessTokenMaxActiveTokens) {
+        this.accessTokenMaxActiveTokens = accessTokenMaxActiveTokens;
+    }
+
+    public String getAccessTokenTimeToKill() {
+        return accessTokenTimeToKill;
+    }
+
+    public void setAccessTokenTimeToKill(final String accessTokenTimeToKill) {
+        this.accessTokenTimeToKill = accessTokenTimeToKill;
+    }
+
+    public String getAccessTokenMaxTimeToLive() {
+        return accessTokenMaxTimeToLive;
+    }
+
+    public void setAccessTokenMaxTimeToLive(final String accessTokenMaxTimeToLive) {
+        this.accessTokenMaxTimeToLive = accessTokenMaxTimeToLive;
+    }
+    
     protected void json2list(final boolean clearFirst) {
         if (clearFirst) {
             getRedirectUris().clear();

core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/ClientAppDataBinderImpl.java

@@ -257,6 +257,12 @@ protected void doUpdate(final OIDCRPClientApp clientApp, final OIDCRPClientAppTO
         clientApp.setJwks(clientAppTO.getJwks());
         clientApp.setJwksUri(clientAppTO.getJwksUri());
         clientApp.setTokenEndpointAuthenticationMethod(clientAppTO.getTokenEndpointAuthenticationMethod());
+        clientApp.setAccessTokenMaxActiveTokens(clientAppTO.getAccessTokenMaxActiveTokens());
+        clientApp.setAccessTokenMaxTimeToLive(clientAppTO.getAccessTokenMaxTimeToLive());
+        clientApp.setAccessTokenTimeToKill(clientAppTO.getAccessTokenTimeToKill());
+        clientApp.setRefreshTokenMaxActiveTokens(clientAppTO.getRefreshTokenMaxActiveTokens());
+        clientApp.setRefreshTokenTimeToKill(clientAppTO.getRefreshTokenTimeToKill());
+        clientApp.setDeviceTokenTimeToKill(clientAppTO.getDeviceTokenTimeToKill());
     }
 
     protected OIDCRPClientAppTO getOIDCClientAppTO(final OIDCRPClientApp clientApp) {
@@ -289,7 +295,12 @@ protected OIDCRPClientAppTO getOIDCClientAppTO(final OIDCRPClientApp clientApp)
         clientAppTO.setJwks(clientApp.getJwks());
         clientAppTO.setJwksUri(clientApp.getJwksUri());
         clientAppTO.setTokenEndpointAuthenticationMethod(clientApp.getTokenEndpointAuthenticationMethod());
-
+        clientAppTO.setAccessTokenMaxActiveTokens(clientApp.getAccessTokenMaxActiveTokens());
+        clientAppTO.setAccessTokenMaxTimeToLive(clientApp.getAccessTokenMaxTimeToLive());
+        clientAppTO.setAccessTokenTimeToKill(clientApp.getAccessTokenTimeToKill());
+        clientAppTO.setRefreshTokenTimeToKill(clientApp.getRefreshTokenTimeToKill());
+        clientAppTO.setRefreshTokenMaxActiveTokens(clientApp.getRefreshTokenMaxActiveTokens());
+        clientAppTO.setDeviceTokenTimeToKill(clientApp.getDeviceTokenTimeToKill());
         return clientAppTO;
     }
 

fit/core-reference/src/test/java/org/apache/syncope/fit/AbstractITCase.java

@@ -958,6 +958,13 @@ protected static OIDCRPClientAppTO buildOIDCRP() {
 
         oidcrpTO.setAuthPolicy(authPolicyTO.getKey());
         oidcrpTO.setAccessPolicy(accessPolicyTO.getKey());
+        
+        oidcrpTO.setAccessTokenMaxActiveTokens(0L);
+        oidcrpTO.setAccessTokenMaxTimeToLive("PT8H");
+        oidcrpTO.setAccessTokenTimeToKill("PT2H");
+        oidcrpTO.setRefreshTokenMaxActiveTokens(0L);
+        oidcrpTO.setRefreshTokenTimeToKill("P14D");
+        oidcrpTO.setDeviceTokenTimeToKill("PT5M");
 
         return oidcrpTO;
     }

fit/core-reference/src/test/java/org/apache/syncope/fit/core/ClientAppITCase.java

@@ -121,6 +121,7 @@ public void readOIDCRP() {
         assertFalse(found.getSupportedResponseTypes().isEmpty());
         assertNotNull(found.getAccessPolicy());
         assertNotNull(found.getAuthPolicy());
+        assertNotNull(found.getAccessTokenMaxTimeToLive());
     }
 
     @Test
@@ -147,13 +148,15 @@ public void updateOIDCRP() {
 
         oidcrpTO.setClientId("newClientId");
         oidcrpTO.setAccessPolicy(accessPolicyTO.getKey());
+        oidcrpTO.setDeviceTokenTimeToKill("PT6M");
 
         CLIENT_APP_SERVICE.update(ClientAppType.OIDCRP, oidcrpTO);
         OIDCRPClientAppTO updated = CLIENT_APP_SERVICE.read(ClientAppType.OIDCRP, oidcrpTO.getKey());
 
         assertNotNull(updated);
         assertEquals("newClientId", updated.getClientId());
         assertNotNull(updated.getAccessPolicy());
+        assertEquals("PT6M", updated.getDeviceTokenTimeToKill());
     }
 
     @Test