added claims redirect uri set to client model for UMA usage

openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java

@@ -141,6 +141,9 @@ public class ClientDetailsEntity implements ClientDetails {
 	private Integer idTokenValiditySeconds; //timeout for id tokens
 	private Date createdAt; // time the client was created
 	private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
+	
+	/** fields for UMA */
+	private Set<String> claimsRedirectUris;
 
 	public enum AuthMethod {
 		SECRET_POST("client_secret_post"),
@@ -964,5 +967,25 @@ public class ClientDetailsEntity implements ClientDetails {
 	public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
 		this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
 	}
-	
+
+	/**
+	 * @return the claimsRedirectUris
+	 */
+	@ElementCollection(fetch = FetchType.EAGER)
+	@CollectionTable(
+			name="client_claims_redirect_uri",
+			joinColumns=@JoinColumn(name="owner_id")
+			)
+	@Column(name="redirect_uri")
+	public Set<String> getClaimsRedirectUris() {
+		return claimsRedirectUris;
+	}
+
+	/**
+	 * @param claimsRedirectUris the claimsRedirectUris to set
+	 */
+	public void setClaimsRedirectUris(Set<String> claimsRedirectUris) {
+		this.claimsRedirectUris = claimsRedirectUris;
+	}
+
 }

openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql

@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 	redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 	token_value VARCHAR(4096),

openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql

@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 	redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 	id BIGINT AUTO_INCREMENT PRIMARY KEY,
 	token_value VARCHAR(4096),

openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql

@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 	redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 	id SERIAL PRIMARY KEY,
 	token_value VARCHAR(4096),

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java

@@ -143,6 +143,7 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 	private static final String AUTHENTICATION_HOLDER_ID = "authenticationHolderId";
 	private static final String CLIENT_ID = "clientId";
 	private static final String EXPIRATION = "expiration";
+	private static final String CLAIMS_REDIRECT_URIS = "claimsRedirectUris";
 	private static final String ID = "id";
 	/**
 	 * Logger for this class
@@ -432,6 +433,8 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 				writer.name(REFRESH_TOKEN_VALIDITY_SECONDS).value(client.getRefreshTokenValiditySeconds());
 				writer.name(REDIRECT_URIS);
 				writeNullSafeArray(writer, client.getRedirectUris());
+				writer.name(CLAIMS_REDIRECT_URIS);
+				writeNullSafeArray(writer, client.getClaimsRedirectUris());
 				writer.name(NAME).value(client.getClientName());
 				writer.name(URI).value(client.getClientUri());
 				writer.name(LOGO_URI).value(client.getLogoUri());
@@ -1034,6 +1037,9 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 					} else if (name.equals(REDIRECT_URIS)) {
 						Set<String> redirectUris = readSet(reader);
 						client.setRedirectUris(redirectUris);
+					} else if (name.equals(CLAIMS_REDIRECT_URIS)) {
+						Set<String> claimsRedirectUris = readSet(reader);
+						client.setClaimsRedirectUris(claimsRedirectUris);
 					} else if (name.equals(NAME)) {
 						client.setClientName(reader.nextString());
 					} else if (name.equals(URI)) {

uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java

@@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -116,9 +117,15 @@ public class ClaimsCollectionEndpoint {
 		PermissionTicket updatedTicket = permissionService.updateTicket(ticket);
 		
 		if (Strings.isNullOrEmpty(redirectUri)) {
-			if (client.getRedirectUris().size() == 1) {
-				redirectUri = client.getRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
+			if (client.getClaimsRedirectUris().size() == 1) {
+				redirectUri = client.getClaimsRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
 				logger.info("No redirect URI passed in, using registered value: " + redirectUri);
+			} else {
+				throw new RedirectMismatchException("Unable to find redirect URI and none passed in.");
+			}
+		} else {
+			if (!client.getClaimsRedirectUris().contains(redirectUri)) {
+				throw new RedirectMismatchException("Claims redirect did not match the registered values.");
 			}
 		}