Merge remote-tracking branch 'mitre/master' into devel-1.3.1

* mitre/master: (153 commits)
  removed old document PDFs from repo
  check for missing refresh token value on refresh, closes #1242
  removed unused field from UI config bean
  fixed client readme file
  Updated copyrights
  Corrected typo
  fixed unit test for new default redirect behavior
  set redirect URI matching to strict by default
  escaped output values on approval page, closes #1111
  added changelog file
  [maven-release-plugin] prepare for next development iteration
  [maven-release-plugin] prepare release mitreid-connect-1.3.1
  downgrade mysql dependency to GA version
  Removed double 'sure'
  fixed discovery endpoint, closes #1230
  Completed end session endpoint
  end session endpoint
  skeleton of end session endpoint, maybe need a change to user info lookup
  Fix psql_database script, replace SERIAL with BIGSERIAL and fix ...
  [maven-release-plugin] prepare for next development iteration
  ...

.gitignore

@@ -1,4 +1,3 @@
-local-values.conf
 target
 *~
 bin

CHANGELOG.md

@@ -0,0 +1,22 @@
+Unreleased:
+	- Added changelog
+	- Set default redirect URI resolver strict matching to true
+	- Fixed XSS vulnerability on redirect URI display on approval page
+
+*1.3.1*:
+	- Added End Session endpoint
+	- Fixed discovery endpoint
+	- Downgrade MySQL connector dependency version from developer preview to GA release
+
+*1.3.0*:
+	- Added device flow support
+	- Added PKCE support
+	- Modularized UI to allow better overlay and extensions
+	- Modularized data import/export API
+	- Added software statements to dynamic client registration
+	- Added assertion processing framework
+	- Removed ID tokens from storage
+	- Removed structured scopes
+
+*1.2.6*: 
+	- Added string HEART compliance mode

LICENSE.txt

@@ -1,8 +1,9 @@
-Copyright 2016 The MITRE Corporation
+Copyright 2017 The MIT Internet Trust Consortium
-  and the MIT Internet Trust Consortium
+
+Portions copyright 2011-2013 The MITRE Corporation
 
 Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
+you may not use this project except in compliance with the License.
 You may obtain a copy of the License at
 
     http://www.apache.org/licenses/LICENSE-2.0

README.md

@@ -1,7 +1,7 @@
 # MITREid Connect
 ---
 
-[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent) [![Travis CI](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server.svg?branch=master)](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server)
+[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent) [![Travis CI](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server.svg?branch=master)](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server)  [![Codecov](https://codecov.io/github/mitreid-connect/OpenID-Connect-Java-Spring-Server/coverage.svg?branch=master)](https://codecov.io/github/mitreid-connect/OpenID-Connect-Java-Spring-Server)
 
 This project contains a certified OpenID Connect reference implementation in Java on the Spring platform, including a functioning [server library](openid-connect-server), [deployable server package](openid-connect-server-webapp), [client (RP) library](openid-connect-client), and general [utility libraries](openid-connect-common). The server can be used as an OpenID Connect Identity Provider as well as a general-purpose OAuth 2.0 Authorization Server.
 
@@ -28,7 +28,4 @@ The authors and key contributors of the project include:
 * [Mark Janssen](https://github.com/praseodym)
 
 
-
+Copyright ©2017, [MIT Internet Trust Consortium](http://www.trust.mit.edu/). Licensed under the Apache 2.0 license, for details see `LICENSE.txt`. 
-
-Copyright ©2016, [The MITRE Corporation](http://www.mitre.org/)
-  and the [MIT Internet Trust Consortium](http://www.mit-trust.org/). Licensed under the Apache 2.0 license, for details see `LICENSE.txt`. 

README_zh_CN.md

@@ -35,5 +35,4 @@
 
 
 
-版权所有 ©2016, [ MITRE公司 ](http://www.mitre.org/)
+版权所有 ©2017 [MIT因特网信任联盟](http://www.mit-trust.org/). 采用Apache 2.0许可证, 详见 `LICENSE.txt`. 
-  以及 [MIT因特网信任联盟](http://www.mit-trust.org/). 采用Apache 2.0许可证, 详见 `LICENSE.txt`. 

checkstyle.xml

@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright 2016 The MITRE Corporation
+    Copyright 2017 The MIT Internet Trust Consortium
-      and the MIT Internet Trust Consortium
+   
+    Portions copyright 2011-2013 The MITRE Corporation
    
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.

openid-connect-client/README.md

@@ -2,7 +2,7 @@
 
 ## Overview ##
 
-This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter.  The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol.
+This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter.  The client facilitates a user's authentication into the secured application to an OpenID Connect Server following the OpenID Connect standard protocol.
 
 ## Configuring ##
 

openid-connect-client/pom.xml

@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright 2016 The MITRE Corporation
+    Copyright 2017 The MIT Internet Trust Consortium
-      and the MIT Internet Trust Consortium
+   
+    Portions copyright 2011-2013 The MITRE Corporation
    
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
 	<parent>
 		<artifactId>openid-connect-parent</artifactId>
 		<groupId>org.mitre</groupId>
-		<version>1.3.0.cnaf-SNAPSHOT</version>
+		<version>1.3.2.cnaf-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>openid-connect-client</artifactId>

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +17,8 @@
  *******************************************************************************/
 package org.mitre.oauth2.introspectingfilter;
 
+import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
+
 import java.io.IOException;
 import java.net.URI;
 import java.util.Calendar;
@@ -54,8 +57,6 @@ import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import com.nimbusds.jose.util.Base64;
 
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
-
 /**
  * This ResourceServerTokenServices implementation introspects incoming tokens at a
  * server's introspection endpoint URL and passes an Authentication object along
@@ -73,10 +74,15 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 	private boolean cacheNonExpiringTokens = false;
 	private boolean cacheTokens = true;
 
-	private HttpClient httpClient = HttpClientBuilder.create()
+	private HttpComponentsClientHttpRequestFactory factory;
-			.useSystemProperties()
+
-			.build();
+	public IntrospectingTokenService() {
-	private HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		this(HttpClientBuilder.create().useSystemProperties().build());
+	}
+
+	public IntrospectingTokenService(HttpClient httpClient) {
+		this.factory = new HttpComponentsClientHttpRequestFactory(httpClient);
+	}
 
 	// Inner class to store in the hash map
 	private class TokenCacheObject {
@@ -235,8 +241,13 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 		return storedRequest;
 	}
 
-	private Authentication createAuthentication(JsonObject token) {
+	private Authentication createUserAuthentication(JsonObject token) {
-		return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
+		JsonElement userId = token.get("user_id");
+		if(userId == null) {
+			return null;
+		}
+
+		return new PreAuthenticatedAuthenticationToken(userId.getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
 	}
 
 	private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
@@ -321,7 +332,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 				return null;
 			}
 			// create an OAuth2Authentication
-			OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createAuthentication(tokenResponse));
+			OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createUserAuthentication(tokenResponse));
 			// create an OAuth2AccessToken
 			OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken);
 

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java

@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+package org.mitre.openid.connect.client;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+
+public class AuthorizationEndpointException extends AuthenticationServiceException {
+
+	private static final long serialVersionUID = 6953119789654778380L;
+
+	private String error;
+
+	private String errorDescription;
+
+	private String errorURI;
+
+	public AuthorizationEndpointException(String error, String errorDescription, String errorURI) {
+		super("Error from Authorization Endpoint: " + error + " " + errorDescription + " " + errorURI);
+		this.error = error;
+		this.errorDescription = errorDescription;
+		this.errorURI = errorURI;
+	}
+
+	public String getError() {
+		return error;
+	}
+
+	public String getErrorDescription() {
+		return errorDescription;
+	}
+
+	public String getErrorURI() {
+		return errorURI;
+	}
+
+	/* (non-Javadoc)
+	 * @see java.lang.Object#toString()
+	 */
+	@Override
+	public String toString() {
+		return "AuthorizationEndpointException [error=" + error + ", errorDescription=" + errorDescription + ", errorURI=" + errorURI + "]";
+	}
+}

openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -119,6 +120,8 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 	@Autowired(required=false)
 	private JWTSigningAndValidationService authenticationSignerService;
 
+	@Autowired(required=false)
+	private HttpClient httpClient;
 
 	/*
 	 * Modular services to build out client filter.
@@ -341,14 +344,14 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 
 		// Handle Token Endpoint interaction
 
-		HttpClient httpClient = HttpClientBuilder.create()
+		if(httpClient == null) {
+			httpClient = HttpClientBuilder.create()
 					.useSystemProperties()
-				.setDefaultRequestConfig(
+					.setDefaultRequestConfig(RequestConfig.custom()
-						RequestConfig.custom()
 							.setSocketTimeout(httpSocketTimeout)
-						.build()
+							.build())
-						)
 					.build();
+		}
 
 		HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
 
@@ -381,9 +384,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 				JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();
 
 				if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
-						(alg.equals(JWSAlgorithm.HS256)
+						(JWSAlgorithm.HS256.equals(alg)
-								|| alg.equals(JWSAlgorithm.HS384)
+								|| JWSAlgorithm.HS384.equals(alg)
-								|| alg.equals(JWSAlgorithm.HS512))) {
+								|| JWSAlgorithm.HS512.equals(alg))) {
 
 					// generate one based on client secret
 					signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
@@ -647,7 +650,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 		String errorDescription = request.getParameter("error_description");
 		String errorURI = request.getParameter("error_uri");
 
-		throw new AuthenticationServiceException("Error from Authorization Endpoint: " + error + " " + errorDescription + " " + errorURI);
+		throw new AuthorizationEndpointException(error, errorDescription, errorURI);
 	}
 
 	/**
@@ -759,7 +762,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 			if (!Strings.isNullOrEmpty(target)) {
 				session.removeAttribute(TARGET_SESSION_VARIABLE);
 
+				if (deepLinkFilter != null) {
 					target = deepLinkFilter.filter(target);
+				}
 
 				response.sendRedirect(target);
 			} else {

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +19,7 @@ package org.mitre.openid.connect.client;
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
@@ -61,10 +63,14 @@ public class UserInfoFetcher {
 	private LoadingCache<PendingOIDCAuthenticationToken, UserInfo> cache;
 
 	public UserInfoFetcher() {
+		this(HttpClientBuilder.create().useSystemProperties().build());
+	}
+
+	public UserInfoFetcher(HttpClient httpClient) {
 		cache = CacheBuilder.newBuilder()
 				.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
 				.maximumSize(100)
-				.build(new UserInfoLoader());
+				.build(new UserInfoLoader(httpClient));
 	}
 
 	public UserInfo loadUserInfo(final PendingOIDCAuthenticationToken token) {
@@ -79,12 +85,14 @@ public class UserInfoFetcher {
 
 
 	private class UserInfoLoader extends CacheLoader<PendingOIDCAuthenticationToken, UserInfo> {
-		private HttpClient httpClient = HttpClientBuilder.create()
+		private HttpComponentsClientHttpRequestFactory factory;
-				.useSystemProperties()
-				.build();
-		private HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
 
-		public UserInfo load(final PendingOIDCAuthenticationToken token) {
+		UserInfoLoader(HttpClient httpClient) {
+			this.factory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		}
+
+		@Override
+		public UserInfo load(final PendingOIDCAuthenticationToken token) throws URISyntaxException {
 
 			ServerConfiguration serverConfiguration = token.getServerConfiguration();
 
@@ -98,8 +106,6 @@ public class UserInfoFetcher {
 				return null;
 			}
 
-			try {
-	
 			String userInfoString = null;
 
 			if (serverConfiguration.getUserInfoTokenMethod() == null || serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.HEADER)) {
@@ -138,12 +144,8 @@ public class UserInfoFetcher {
 
 				return userInfo;
 			} else {
-					// didn't get anything, return null
+				// didn't get anything throw exception
-					return null;
+				throw new IllegalArgumentException("Unable to load user info");
-				}
-			} catch (Exception e) {
-				logger.warn("Error fetching userinfo", e);
-				return null;
 			}
 
 		}

openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -72,7 +73,11 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 	private Set<String> blacklist = new HashSet<>();
 
 	public DynamicRegistrationClientConfigurationService() {
-		clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader());
+		this(HttpClientBuilder.create().useSystemProperties().build());
+	}
+
+	public DynamicRegistrationClientConfigurationService(HttpClient httpClient) {
+		clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader(httpClient));
 	}
 
 	@Override
@@ -168,13 +173,17 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 	 *
 	 */
 	public class DynamicClientRegistrationLoader extends CacheLoader<ServerConfiguration, RegisteredClient> {
-		private HttpClient httpClient = HttpClientBuilder.create()
+		private HttpComponentsClientHttpRequestFactory httpFactory;
-				.useSystemProperties()
-				.build();
-
-		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
 		private Gson gson = new Gson(); // note that this doesn't serialize nulls by default
 
+		public DynamicClientRegistrationLoader() {
+			this(HttpClientBuilder.create().useSystemProperties().build());
+		}
+
+		public DynamicClientRegistrationLoader(HttpClient httpClient) {
+			this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		}
+
 		@Override
 		public RegisteredClient load(ServerConfiguration serverConfig) throws Exception {
 			RestTemplate restTemplate = new RestTemplate(httpFactory);

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +20,13 @@
  */
 package org.mitre.openid.connect.client.service.impl;
 
+import static org.mitre.util.JsonUtils.getAsBoolean;
+import static org.mitre.util.JsonUtils.getAsEncryptionMethodList;
+import static org.mitre.util.JsonUtils.getAsJweAlgorithmList;
+import static org.mitre.util.JsonUtils.getAsJwsAlgorithmList;
+import static org.mitre.util.JsonUtils.getAsString;
+import static org.mitre.util.JsonUtils.getAsStringList;
+
 import java.util.HashSet;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
@@ -41,13 +49,6 @@ import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 
-import static org.mitre.util.JsonUtils.getAsBoolean;
-import static org.mitre.util.JsonUtils.getAsEncryptionMethodList;
-import static org.mitre.util.JsonUtils.getAsJweAlgorithmList;
-import static org.mitre.util.JsonUtils.getAsJwsAlgorithmList;
-import static org.mitre.util.JsonUtils.getAsString;
-import static org.mitre.util.JsonUtils.getAsStringList;
-
 /**
  *
  * Dynamically fetches OpenID Connect server configurations based on the issuer. Caches the server configurations.
@@ -69,8 +70,12 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
 	private Set<String> blacklist = new HashSet<>();
 
 	public DynamicServerConfigurationService() {
+		this(HttpClientBuilder.create().useSystemProperties().build());
+	}
+
+	public DynamicServerConfigurationService(HttpClient httpClient) {
 		// initialize the cache
-		servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher());
+		servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher(httpClient));
 	}
 
 	/**
@@ -126,12 +131,13 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
 	 *
 	 */
 	private class OpenIDConnectServiceConfigurationFetcher extends CacheLoader<String, ServerConfiguration> {
-		private HttpClient httpClient = HttpClientBuilder.create()
+		private HttpComponentsClientHttpRequestFactory httpFactory;
-				.useSystemProperties()
-				.build();
-		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
 		private JsonParser parser = new JsonParser();
 
+		OpenIDConnectServiceConfigurationFetcher(HttpClient httpClient) {
+			this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		}
+
 		@Override
 		public ServerConfiguration load(String issuer) throws Exception {
 			RestTemplate restTemplate = new RestTemplate(httpFactory);

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -94,7 +95,11 @@ public class WebfingerIssuerService implements IssuerService {
 	private boolean forceHttps = true;
 
 	public WebfingerIssuerService() {
-		issuers = CacheBuilder.newBuilder().build(new WebfingerIssuerFetcher());
+		this(HttpClientBuilder.create().useSystemProperties().build());
+	}
+
+	public WebfingerIssuerService(HttpClient httpClient) {
+		issuers = CacheBuilder.newBuilder().build(new WebfingerIssuerFetcher(httpClient));
 	}
 
 	/* (non-Javadoc)
@@ -115,7 +120,7 @@ public class WebfingerIssuerService implements IssuerService {
 					throw new AuthenticationServiceException("Issuer was in blacklist: " + lr.issuer);
 				}
 
-				return new IssuerServiceResponse(lr.issuer, lr.loginHint, null);
+				return new IssuerServiceResponse(lr.issuer, lr.loginHint, request.getParameter("target_link_uri"));
 			} catch (UncheckedExecutionException | ExecutionException e) {
 				logger.warn("Issue fetching issuer for user input: " + identifier + ": " + e.getMessage());
 				return null;
@@ -203,12 +208,13 @@ public class WebfingerIssuerService implements IssuerService {
 	 *
 	 */
 	private class WebfingerIssuerFetcher extends CacheLoader<String, LoadingResult> {
-		private HttpClient httpClient = HttpClientBuilder.create()
+		private HttpComponentsClientHttpRequestFactory httpFactory;
-				.useSystemProperties()
-				.build();
-		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
 		private JsonParser parser = new JsonParser();
 
+		WebfingerIssuerFetcher(HttpClient httpClient) {
+			this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		}
+
 		@Override
 		public LoadingResult load(String identifier) throws Exception {
 

openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java

@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+package org.mitre.openid.connect.client;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.authentication.AuthenticationServiceException;
+
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.CoreMatchers.is;
+
+import static org.mockito.Mockito.mock;
+
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+public class TestOIDCAuthenticationFilter {
+
+	private OIDCAuthenticationFilter filter = new OIDCAuthenticationFilter();
+
+	@Test
+	public void attemptAuthentication_error() throws Exception {
+
+		HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+		Mockito.when(request.getParameter("error")).thenReturn("Error");
+		Mockito.when(request.getParameter("error_description")).thenReturn("Description");
+		Mockito.when(request.getParameter("error_uri")).thenReturn("http://example.com");
+
+		try {
+			filter.attemptAuthentication(request, mock(HttpServletResponse.class));
+
+			fail("AuthorizationEndpointException expected.");
+		}
+		catch (AuthorizationEndpointException exception) {
+			assertThat(exception.getMessage(),
+					is("Error from Authorization Endpoint: Error Description http://example.com"));
+
+			assertThat(exception.getError(), is("Error"));
+			assertThat(exception.getErrorDescription(), is("Description"));
+			assertThat(exception.getErrorURI(), is("http://example.com"));
+
+			assertThat(exception, is(instanceOf(AuthenticationServiceException.class)));
+		}
+	}
+}

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -91,7 +92,7 @@ public class TestSignedAuthRequestUrlBuilder {
 	@Before
 	public void prepare() throws NoSuchAlgorithmException, InvalidKeySpecException {
 
-		RSAKey key = new RSAKey(new Base64URL(n), new Base64URL(e), new Base64URL(d), KeyUse.SIGNATURE, null, new Algorithm(alg), kid, null, null, null);
+		RSAKey key = new RSAKey(new Base64URL(n), new Base64URL(e), new Base64URL(d), KeyUse.SIGNATURE, null, new Algorithm(alg), kid, null, null, null, null);
 		Map<String, JWK> keys = Maps.newHashMap();
 		keys.put("client", key);
 

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-client/src/test/resources/test-context.xml

@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright 2016 The MITRE Corporation
+    Copyright 2017 The MIT Internet Trust Consortium
-      and the MIT Internet Trust Consortium
+   
+    Portions copyright 2011-2013 The MITRE Corporation
    
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.

openid-connect-common/pom.xml

@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-    Copyright 2016 The MITRE Corporation
+    Copyright 2017 The MIT Internet Trust Consortium
-      and the MIT Internet Trust Consortium
+   
+    Portions copyright 2011-2013 The MITRE Corporation
    
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -21,7 +22,7 @@
 	<parent>
 		<artifactId>openid-connect-parent</artifactId>
 		<groupId>org.mitre</groupId>
-		<version>1.3.0.cnaf-SNAPSHOT</version>
+		<version>1.3.2.cnaf-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>openid-connect-common</artifactId>

openid-connect-common/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java

@@ -0,0 +1,206 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+package org.mitre.data;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Abstract class for performing an operation on a potentially large
+ * number of items by paging through the items in discreet chunks.
+ *
+ * @param <T>  the type parameter
+ * @author Colm Smyth.
+ */
+public abstract class AbstractPageOperationTemplate<T> {
+
+	private static final Logger logger = LoggerFactory.getLogger(AbstractPageOperationTemplate.class);
+
+	private static int DEFAULT_MAX_PAGES = 1000;
+	private static long DEFAULT_MAX_TIME_MILLIS = 600000L; //10 Minutes
+
+	/**
+	 * int specifying the maximum number of
+	 * pages which should be fetched before
+	 * execution should terminate
+	 */
+	private int maxPages;
+
+	/**
+	 * long specifying the maximum execution time
+	 * in milliseconds
+	 */
+	private long maxTime;
+
+	/**
+	 * boolean specifying whether or not Exceptions
+	 * incurred performing the operation should be
+	 * swallowed during execution default true.
+	 */
+	private boolean swallowExceptions = true;
+
+	/**
+	 * String that is used for logging in final tallies.
+	 */
+	private String operationName = "";
+
+
+	/**
+	 * default constructor which sets the value of
+	 * maxPages and maxTime to DEFAULT_MAX_PAGES and
+	 * DEFAULT_MAX_TIME_MILLIS respectively
+	 */
+	public AbstractPageOperationTemplate(String operationName){
+		this(DEFAULT_MAX_PAGES, DEFAULT_MAX_TIME_MILLIS, operationName);
+	}
+
+	/**
+	 * Instantiates a new AbstractPageOperationTemplate with the
+	 * given maxPages and maxTime
+	 *
+	 * @param maxPages the maximum number of pages to fetch.
+	 * @param maxTime the maximum execution time.
+	 */
+	public AbstractPageOperationTemplate(int maxPages, long maxTime, String operationName){
+		this.maxPages = maxPages;
+		this.maxTime = maxTime;
+		this.operationName = operationName;
+	}
+
+	/**
+	 * Execute the operation on each member of a page of results
+	 * retrieved through the fetch method. the method will execute
+	 * until either the maxPages or maxTime limit is reached or until
+	 * the fetch method returns no more results. Exceptions thrown
+	 * performing the operation on the item will be swallowed if the
+	 * swallowException (default true) field is set true.
+	 */
+	public void execute(){
+		logger.debug("[" + getOperationName() +  "] Starting execution of paged operation. maximum time: " + maxTime + ", maximum pages: " + maxPages);
+
+		long startTime = System.currentTimeMillis();
+		long executionTime = 0;
+		int i = 0;
+
+		int exceptionsSwallowedCount = 0;
+		int operationsCompleted = 0;
+		Set<String> exceptionsSwallowedClasses = new HashSet<String>();
+
+
+		while (i< maxPages && executionTime < maxTime){
+			Collection<T> page = fetchPage();
+			if(page == null || page.size() == 0){
+				break;
+			}
+
+			for (T item : page) {
+				try {
+					doOperation(item);
+					operationsCompleted++;
+				} catch (Exception e){
+					if(swallowExceptions){
+						exceptionsSwallowedCount++;
+						exceptionsSwallowedClasses.add(e.getClass().getName());
+						logger.debug("Swallowing exception " + e.getMessage(), e);
+					} else {
+						logger.debug("Rethrowing exception " + e.getMessage());
+						throw e;
+					}
+				}
+			}
+
+			i++;
+			executionTime = System.currentTimeMillis() - startTime;
+		}
+
+		finalReport(operationsCompleted, exceptionsSwallowedCount, exceptionsSwallowedClasses);
+	}
+
+
+
+	/**
+	 * method responsible for fetching
+	 * a page of items.
+	 *
+	 * @return the collection of items
+	 */
+	public abstract Collection<T> fetchPage();
+
+	/**
+	 * method responsible for performing desired
+	 * operation on a fetched page item.
+	 *
+	 * @param item the item
+	 */
+	protected abstract void doOperation(T item);
+
+	/**
+	 * Method responsible for final report of progress.
+	 * @return
+	 */
+	protected void finalReport(int operationsCompleted, int exceptionsSwallowedCount, Set<String> exceptionsSwallowedClasses) {
+		if (operationsCompleted > 0 || exceptionsSwallowedCount > 0) {
+			logger.info("[" + getOperationName() +  "] Paged operation run: completed " + operationsCompleted + "; swallowed " + exceptionsSwallowedCount + " exceptions");
+		}
+		for(String className:  exceptionsSwallowedClasses) {
+			logger.warn("[" + getOperationName() +  "] Paged operation swallowed at least one exception of type " + className);
+		}
+	}
+
+	public int getMaxPages() {
+		return maxPages;
+	}
+
+	public void setMaxPages(int maxPages) {
+		this.maxPages = maxPages;
+	}
+
+	public long getMaxTime() {
+		return maxTime;
+	}
+
+	public void setMaxTime(long maxTime) {
+		this.maxTime = maxTime;
+	}
+
+	public boolean isSwallowExceptions() {
+		return swallowExceptions;
+	}
+
+	public void setSwallowExceptions(boolean swallowExceptions) {
+		this.swallowExceptions = swallowExceptions;
+	}
+
+
+	/**
+	 * @return the operationName
+	 */
+	public String getOperationName() {
+		return operationName;
+	}
+
+
+	/**
+	 * @param operationName the operationName to set
+	 */
+	public void setOperationName(String operationName) {
+		this.operationName = operationName;
+	}
+}

openid-connect-common/src/main/java/org/mitre/data/DefaultPageCriteria.java

@@ -0,0 +1,50 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+package org.mitre.data;
+
+/**
+ * Default implementation of PageCriteria which specifies
+ * both page to be retrieved and page size in the constructor.
+ *
+ * @author Colm Smyth
+ */
+public class DefaultPageCriteria implements PageCriteria {
+
+	private static final int DEFAULT_PAGE_NUMBER = 0;
+	private static final int DEFAULT_PAGE_SIZE = 100;
+
+	private int pageNumber;
+	private int pageSize;
+
+	public DefaultPageCriteria(){
+		this(DEFAULT_PAGE_NUMBER, DEFAULT_PAGE_SIZE);
+	}
+
+	public DefaultPageCriteria(int pageNumber, int pageSize) {
+		this.pageNumber = pageNumber;
+		this.pageSize = pageSize;
+	}
+
+	@Override
+	public int getPageNumber() {
+		return pageNumber;
+	}
+
+	@Override
+	public int getPageSize() {
+		return pageSize;
+	}
+}

openid-connect-common/src/main/java/org/mitre/data/PageCriteria.java

@@ -0,0 +1,28 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+package org.mitre.data;
+
+/**
+ * Interface which defines page criteria for use in
+ * a repository operation.
+ *
+ * @author Colm Smyth
+ */
+public interface PageCriteria {
+
+	public int getPageNumber();
+	public int getPageSize();
+}

openid-connect-common/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +24,7 @@ import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jwt.JWT;
@@ -37,6 +37,7 @@ import com.nimbusds.jwt.SignedJWT;
  * @author jricher
  *
  */
+@Component("selfAssertionValidator")
 public class SelfAssertionValidator implements AssertionValidator {
 
 	private static Logger logger = LoggerFactory.getLogger(SelfAssertionValidator.class);
@@ -62,16 +63,19 @@ public class SelfAssertionValidator implements AssertionValidator {
 			return false;
 		}
 
+		// make sure the issuer exists
 		if (Strings.isNullOrEmpty(claims.getIssuer())) {
 			logger.debug("No issuer for assertion, rejecting");
 			return false;
 		}
 
-		if (claims.getIssuer().equals(config.getIssuer())) {
+		// make sure the issuer is us
+		if (!claims.getIssuer().equals(config.getIssuer())) {
 			logger.debug("Issuer is not the same as this server, rejecting");
 			return false;
 		}
 
+		// validate the signature based on our public key
 		if (jwtService.validateSignature((SignedJWT) assertion)) {
 			return true;
 		} else {

openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -45,7 +46,6 @@ import com.nimbusds.jose.crypto.ECDHEncrypter;
 import com.nimbusds.jose.crypto.RSADecrypter;
 import com.nimbusds.jose.crypto.RSAEncrypter;
 import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
-import com.nimbusds.jose.jca.JCAContext;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.OctetSequenceKey;

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,8 +18,6 @@
 package org.mitre.jwt.signer.service.impl;
 
 import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Collection;
 import java.util.HashMap;

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,11 +69,11 @@ public class JWKSetCacheService {
 		this.validators = CacheBuilder.newBuilder()
 				.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
 				.maximumSize(100)
-				.build(new JWKSetVerifierFetcher());
+				.build(new JWKSetVerifierFetcher(HttpClientBuilder.create().useSystemProperties().build()));
 		this.encrypters = CacheBuilder.newBuilder()
 				.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
 				.maximumSize(100)
-				.build(new JWKSetEncryptorFetcher());
+				.build(new JWKSetEncryptorFetcher(HttpClientBuilder.create().useSystemProperties().build()));
 	}
 
 	/**
@@ -104,9 +105,13 @@ public class JWKSetCacheService {
 	 *
 	 */
 	private class JWKSetVerifierFetcher extends CacheLoader<String, JWTSigningAndValidationService> {
-		private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
+		private HttpComponentsClientHttpRequestFactory httpFactory;
-		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		private RestTemplate restTemplate;
-		private RestTemplate restTemplate = new RestTemplate(httpFactory);
+
+		JWKSetVerifierFetcher(HttpClient httpClient) {
+			this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+			this.restTemplate = new RestTemplate(httpFactory);
+		}
 
 		/**
 		 * Load the JWK Set and build the appropriate signing service.
@@ -130,9 +135,14 @@ public class JWKSetCacheService {
 	 *
 	 */
 	private class JWKSetEncryptorFetcher extends CacheLoader<String, JWTEncryptionAndDecryptionService> {
-		private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
+		private HttpComponentsClientHttpRequestFactory httpFactory;
-		private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+		private RestTemplate restTemplate;
-		private RestTemplate restTemplate = new RestTemplate(httpFactory);
+
+		public JWKSetEncryptorFetcher(HttpClient httpClient) {
+			this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
+			this.restTemplate = new RestTemplate(httpFactory);
+		}
+
 		/* (non-Javadoc)
 		 * @see com.google.common.cache.CacheLoader#load(java.lang.Object)
 		 */

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -101,7 +100,7 @@ public class SymmetricKeyJWTValidatorCacheService {
 
 				String id = "SYMMETRIC-KEY";
 
-				JWK jwk = new OctetSequenceKey(Base64URL.encode(key), KeyUse.SIGNATURE, null, null, id, null, null, null);
+				JWK jwk = new OctetSequenceKey(Base64URL.encode(key), KeyUse.SIGNATURE, null, null, id, null, null, null, null);
 				Map<String, JWK> keys = ImmutableMap.of(id, jwk);
 				JWTSigningAndValidationService service = new DefaultJWTSigningAndValidationService(keys);
 

openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java

@@ -0,0 +1,50 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.exception;
+
+/**
+ * @author jricher
+ *
+ */
+public class DeviceCodeCreationException extends Exception {
+
+	private static final long serialVersionUID = 8078568710169208466L;
+
+	private String error;
+
+	public DeviceCodeCreationException(String error, String message) {
+		super(message);
+		this.error = error;
+	}
+	
+	/**
+	 * @return the error
+	 */
+	public String getError() {
+		return error;
+	}
+
+	/**
+	 * @param error the error to set
+	 */
+	public void setError(String error) {
+		this.error = error;
+	}
+	
+	
+	
+}

openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -66,7 +67,7 @@ public class AuthenticationHolderEntity {
 
 	private SavedUserAuthentication userAuth;
 
-	private Collection<? extends GrantedAuthority> authorities;
+	private Collection<GrantedAuthority> authorities;
 
 	private Set<String> resourceIds;
 
@@ -116,14 +117,14 @@ public class AuthenticationHolderEntity {
 
 		// pull apart the request and save its bits
 		OAuth2Request o2Request = authentication.getOAuth2Request();
-		setAuthorities(o2Request.getAuthorities());
+		setAuthorities(o2Request.getAuthorities() == null ? null : new HashSet<>(o2Request.getAuthorities()));
 		setClientId(o2Request.getClientId());
-		setExtensions(o2Request.getExtensions());
+		setExtensions(o2Request.getExtensions() == null ? null : new HashMap<>(o2Request.getExtensions()));
 		setRedirectUri(o2Request.getRedirectUri());
-		setRequestParameters(o2Request.getRequestParameters());
+		setRequestParameters(o2Request.getRequestParameters() == null ? null : new HashMap<>(o2Request.getRequestParameters()));
-		setResourceIds(o2Request.getResourceIds());
+		setResourceIds(o2Request.getResourceIds() == null ? null : new HashSet<>(o2Request.getResourceIds()));
-		setResponseTypes(o2Request.getResponseTypes());
+		setResponseTypes(o2Request.getResponseTypes() == null ? null : new HashSet<>(o2Request.getResponseTypes()));
-		setScope(o2Request.getScope());
+		setScope(o2Request.getScope() == null ? null : new HashSet<>(o2Request.getScope()));
 		setApproved(o2Request.isApproved());
 
 		if (authentication.getUserAuthentication() != null) {
@@ -159,19 +160,15 @@ public class AuthenticationHolderEntity {
 			)
 	@Convert(converter = SimpleGrantedAuthorityStringConverter.class)
 	@Column(name="authority")
-	public Collection<? extends GrantedAuthority> getAuthorities() {
+	public Collection<GrantedAuthority> getAuthorities() {
 		return authorities;
 	}
 
 	/**
 	 * @param authorities the authorities to set
 	 */
-	public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
+	public void setAuthorities(Collection<GrantedAuthority> authorities) {
-		if (authorities != null) {
+		this.authorities = authorities;
-			this.authorities = new HashSet<>(authorities);
-		} else {
-			this.authorities = null;
-		}
 	}
 
 	/**
@@ -191,11 +188,7 @@ public class AuthenticationHolderEntity {
 	 * @param resourceIds the resourceIds to set
 	 */
 	public void setResourceIds(Set<String> resourceIds) {
-		if (resourceIds != null) {
+		this.resourceIds = resourceIds;
-			this.resourceIds = new HashSet<>(resourceIds);
-		} else {
-			this.resourceIds = null;
-		}
 	}
 
 	/**
@@ -247,11 +240,7 @@ public class AuthenticationHolderEntity {
 	 * @param responseTypes the responseTypes to set
 	 */
 	public void setResponseTypes(Set<String> responseTypes) {
-		if (responseTypes != null) {
+		this.responseTypes = responseTypes;
-			this.responseTypes = new HashSet<>(responseTypes);
-		} else {
-			this.responseTypes = null;
-		}
 	}
 
 	/**
@@ -273,11 +262,7 @@ public class AuthenticationHolderEntity {
 	 * @param extensions the extensions to set
 	 */
 	public void setExtensions(Map<String, Serializable> extensions) {
-		if (extensions != null) {
+		this.extensions = extensions;
-			this.extensions = new HashMap<>(extensions);
-		} else {
-			this.extensions = null;
-		}
 	}
 
 	/**
@@ -313,11 +298,7 @@ public class AuthenticationHolderEntity {
 	 * @param scope the scope to set
 	 */
 	public void setScope(Set<String> scope) {
-		if (scope != null) {
+		this.scope = scope;
-			this.scope = new HashSet<>(scope);
-		} else {
-			this.scope = null;
-		}
 	}
 
 	/**
@@ -338,11 +319,7 @@ public class AuthenticationHolderEntity {
 	 * @param requestParameters the requestParameters to set
 	 */
 	public void setRequestParameters(Map<String, String> requestParameters) {
-		if (requestParameters != null) {
+		this.requestParameters = requestParameters;
-			this.requestParameters = new HashMap<>(requestParameters);
-		} else {
-			this.requestParameters = null;
-		}
 	}
 
 

openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -57,7 +58,6 @@ import org.mitre.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.provider.ClientDetails;
 
-import com.nimbusds.jose.Algorithm;
 import com.nimbusds.jose.EncryptionMethod;
 import com.nimbusds.jose.JWEAlgorithm;
 import com.nimbusds.jose.JWSAlgorithm;
@@ -103,6 +103,8 @@ public class ClientDetailsEntity implements ClientDetails {
 	private String policyUri;
 	private String jwksUri; // URI pointer to keys
 	private JWKSet jwks; // public key stored by value
+	private String softwareId;
+	private String softwareVersion;
 
 	/** Fields from OIDC Client Registration Specification **/
 	private AppType applicationType; // application_type
@@ -145,6 +147,7 @@ public class ClientDetailsEntity implements ClientDetails {
 	private Integer idTokenValiditySeconds; //timeout for id tokens
 	private Date createdAt; // time the client was created
 	private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
+	private Integer deviceCodeValiditySeconds; // timeout for device codes
 
 	/** fields for UMA */
 	private Set<String> claimsRedirectUris;
@@ -1032,4 +1035,52 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.codeChallengeMethod = codeChallengeMethod;
 	}
 
+	/**
+	 * @return the deviceCodeValiditySeconds
+	 */
+	@Basic
+	@Column(name="device_code_validity_seconds")
+	public Integer getDeviceCodeValiditySeconds() {
+		return deviceCodeValiditySeconds;
+	}
+
+	/**
+	 * @param deviceCodeValiditySeconds the deviceCodeValiditySeconds to set
+	 */
+	public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
+		this.deviceCodeValiditySeconds = deviceCodeValiditySeconds;
+	}
+
+	/**
+	 * @return the softwareId
+	 */
+	@Basic
+	@Column(name="software_id")
+	public String getSoftwareId() {
+		return softwareId;
+	}
+
+	/**
+	 * @param softwareId the softwareId to set
+	 */
+	public void setSoftwareId(String softwareId) {
+		this.softwareId = softwareId;
+	}
+
+	/**
+	 * @return the softwareVersion
+	 */
+	@Basic
+	@Column(name="software_version")
+	public String getSoftwareVersion() {
+		return softwareVersion;
+	}
+
+	/**
+	 * @param softwareVersion the softwareVersion to set
+	 */
+	public void setSoftwareVersion(String softwareVersion) {
+		this.softwareVersion = softwareVersion;
+	}
+
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java

@@ -0,0 +1,234 @@
+/*******************************************************************************
+ * Copyright 2017 The MIT Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.model;
+
+import java.util.Date;
+import java.util.Map;
+import java.util.Set;
+
+import javax.persistence.Basic;
+import javax.persistence.CollectionTable;
+import javax.persistence.Column;
+import javax.persistence.ElementCollection;
+import javax.persistence.Entity;
+import javax.persistence.FetchType;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToOne;
+import javax.persistence.MapKeyColumn;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Table;
+import javax.persistence.Temporal;
+
+/**
+ * @author jricher
+ *
+ */
+@Entity
+@Table(name = "device_code")
+@NamedQueries({
+	@NamedQuery(name = DeviceCode.QUERY_BY_USER_CODE, query = "select d from DeviceCode d where d.userCode = :" + DeviceCode.PARAM_USER_CODE),
+	@NamedQuery(name = DeviceCode.QUERY_BY_DEVICE_CODE, query = "select d from DeviceCode d where d.deviceCode = :" + DeviceCode.PARAM_DEVICE_CODE),
+	@NamedQuery(name = DeviceCode.QUERY_EXPIRED_BY_DATE, query = "select d from DeviceCode d where d.expiration <= :" + DeviceCode.PARAM_DATE)
+})
+public class DeviceCode {
+
+	public static final String QUERY_BY_USER_CODE = "DeviceCode.queryByUserCode";
+	public static final String QUERY_BY_DEVICE_CODE = "DeviceCode.queryByDeviceCode";
+	public static final String QUERY_EXPIRED_BY_DATE = "DeviceCode.queryExpiredByDate";
+
+	public static final String PARAM_USER_CODE = "userCode";
+	public static final String PARAM_DEVICE_CODE = "deviceCode";
+	public static final String PARAM_DATE = "date";
+
+	private Long id;
+	private String deviceCode;
+	private String userCode;
+	private Set<String> scope;
+	private Date expiration;
+	private String clientId;
+	private Map<String, String> requestParameters;
+	private boolean approved;
+	private AuthenticationHolderEntity authenticationHolder;
+
+	public DeviceCode() {
+
+	}
+
+	public DeviceCode(String deviceCode, String userCode, Set<String> scope, String clientId, Map<String, String> params) {
+		this.deviceCode = deviceCode;
+		this.userCode = userCode;
+		this.scope = scope;
+		this.clientId = clientId;
+		this.requestParameters = params;
+	}
+
+	/**
+	 * @return the id
+	 */
+	@Id
+	@GeneratedValue(strategy = GenerationType.IDENTITY)
+	@Column(name = "id")
+	public Long getId() {
+		return id;
+	}
+
+	/**
+	 * @param id the id to set
+	 */
+	public void setId(Long id) {
+		this.id = id;
+	}
+
+	/**
+	 * @return the deviceCode
+	 */
+	@Basic
+	@Column(name = "device_code")
+	public String getDeviceCode() {
+		return deviceCode;
+	}
+
+	/**
+	 * @param deviceCode the deviceCode to set
+	 */
+	public void setDeviceCode(String deviceCode) {
+		this.deviceCode = deviceCode;
+	}
+
+	/**
+	 * @return the userCode
+	 */
+	@Basic
+	@Column(name = "user_code")
+	public String getUserCode() {
+		return userCode;
+	}
+
+	/**
+	 * @param userCode the userCode to set
+	 */
+	public void setUserCode(String userCode) {
+		this.userCode = userCode;
+	}
+
+	/**
+	 * @return the scope
+	 */
+	@ElementCollection(fetch = FetchType.EAGER)
+	@CollectionTable(
+			name="device_code_scope",
+			joinColumns=@JoinColumn(name="owner_id")
+			)
+	@Column(name="scope")
+	public Set<String> getScope() {
+		return scope;
+	}
+
+	/**
+	 * @param scope the scope to set
+	 */
+	public void setScope(Set<String> scope) {
+		this.scope = scope;
+	}
+
+	@Basic
+	@Temporal(javax.persistence.TemporalType.TIMESTAMP)
+	@Column(name = "expiration")
+	public Date getExpiration() {
+		return expiration;
+	}
+
+	public void setExpiration(Date expiration) {
+		this.expiration = expiration;
+	}
+
+	/**
+	 * @return the clientId
+	 */
+	@Basic
+	@Column(name = "client_id")
+	public String getClientId() {
+		return clientId;
+	}
+
+	/**
+	 * @param clientId the clientId to set
+	 */
+	public void setClientId(String clientId) {
+		this.clientId = clientId;
+	}
+
+	/**
+	 * @return the params
+	 */
+	@ElementCollection(fetch = FetchType.EAGER)
+	@CollectionTable(
+			name="device_code_request_parameter",
+			joinColumns=@JoinColumn(name="owner_id")
+			)
+	@Column(name="val")
+	@MapKeyColumn(name="param")
+	public Map<String, String> getRequestParameters() {
+		return requestParameters;
+	}
+
+	/**
+	 * @param params the params to set
+	 */
+	public void setRequestParameters(Map<String, String> params) {
+		this.requestParameters = params;
+	}
+
+	/**
+	 * @return the approved
+	 */
+	@Basic
+	@Column(name = "approved")
+	public boolean isApproved() {
+		return approved;
+	}
+
+	/**
+	 * @param approved the approved to set
+	 */
+	public void setApproved(boolean approved) {
+		this.approved = approved;
+	}
+
+	/**
+	 * The authentication in place when this token was created.
+	 * @return the authentication
+	 */
+	@ManyToOne
+	@JoinColumn(name = "auth_holder_id")
+	public AuthenticationHolderEntity getAuthenticationHolder() {
+		return authenticationHolder;
+	}
+
+	/**
+	 * @param authentication the authentication to set
+	 */
+	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
+		this.authenticationHolder = authenticationHolder;
+	}
+
+
+}

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,12 +42,12 @@ import javax.persistence.ManyToOne;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.OneToMany;
-import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.Temporal;
 import javax.persistence.Transient;
 
 import org.mitre.oauth2.model.convert.JWTStringConverter;
+import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.uma.model.Permission;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer;
@@ -64,38 +65,22 @@ import com.nimbusds.jwt.JWT;
 @Entity
 @Table(name = "access_token")
 @NamedQueries({
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_ALL,
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_ALL, query = "select a from OAuth2AccessTokenEntity a"),
-    query = "select a from OAuth2AccessTokenEntity a"),
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE, query = "select a from OAuth2AccessTokenEntity a where a.expiration <= :" + OAuth2AccessTokenEntity.PARAM_DATE),
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE,
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :" + OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
-    query = "select a from OAuth2AccessTokenEntity a where a.expiration <= :"
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT, query = "select a from OAuth2AccessTokenEntity a where a.client = :" + OAuth2AccessTokenEntity.PARAM_CLIENT),
-      + OAuth2AccessTokenEntity.PARAM_DATE),
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE, query = "select a from OAuth2AccessTokenEntity a where a.jwt = :" + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN,
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_APPROVED_SITE, query = "select a from OAuth2AccessTokenEntity a where a.approvedSite = :" + OAuth2AccessTokenEntity.PARAM_APPROVED_SITE),
-    query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :"
+	@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :" + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID)
-      + OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
+})
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT,
+@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class)
-    query = "select a from OAuth2AccessTokenEntity a where a.client = :"
+@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class)
-      + OAuth2AccessTokenEntity.PARAM_CLIENT),
+@com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2AccessTokenJackson2Serializer.class)
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_ID_TOKEN,
+@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2AccessTokenJackson2Deserializer.class)
-    query = "select a from OAuth2AccessTokenEntity a where a.idToken = :"
-      + OAuth2AccessTokenEntity.PARAM_ID_TOKEN),
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE,
-    query = "select a from OAuth2AccessTokenEntity a where a.jwt = :"
-      + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
-  @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET,
-    query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :"
-      + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID) })
-@org.codehaus.jackson.map.annotate.JsonSerialize(
-  using = OAuth2AccessTokenJackson1Serializer.class)
-@org.codehaus.jackson.map.annotate.JsonDeserialize(
-  using = OAuth2AccessTokenJackson1Deserializer.class)
-@com.fasterxml.jackson.databind.annotation.JsonSerialize(
-  using = OAuth2AccessTokenJackson2Serializer.class)
-@com.fasterxml.jackson.databind.annotation.JsonDeserialize(
-  using = OAuth2AccessTokenJackson2Deserializer.class)
 public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
+	public static final String QUERY_BY_APPROVED_SITE = "OAuth2AccessTokenEntity.getByApprovedSite";
 	public static final String QUERY_BY_TOKEN_VALUE = "OAuth2AccessTokenEntity.getByTokenValue";
-  public static final String QUERY_BY_ID_TOKEN = "OAuth2AccessTokenEntity.getByIdToken";
 	public static final String QUERY_BY_CLIENT = "OAuth2AccessTokenEntity.getByClient";
 	public static final String QUERY_BY_REFRESH_TOKEN = "OAuth2AccessTokenEntity.getByRefreshToken";
 	public static final String QUERY_EXPIRED_BY_DATE = "OAuth2AccessTokenEntity.getAllExpiredByDate";
@@ -103,26 +88,22 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	public static final String QUERY_BY_RESOURCE_SET = "OAuth2AccessTokenEntity.getByResourceSet";
 
 	public static final String PARAM_TOKEN_VALUE = "tokenValue";
-  public static final String PARAM_ID_TOKEN = "idToken";
 	public static final String PARAM_CLIENT = "client";
 	public static final String PARAM_REFERSH_TOKEN = "refreshToken";
 	public static final String PARAM_DATE = "date";
 	public static final String PARAM_RESOURCE_SET_ID = "rsid";
+	public static final String PARAM_APPROVED_SITE = "approvedSite";
 
-  public static String ID_TOKEN_FIELD_NAME = "id_token";
+	public static final String ID_TOKEN_FIELD_NAME = "id_token";
 
 	private Long id;
 
 	private ClientDetailsEntity client;
 
-  private AuthenticationHolderEntity authenticationHolder; // the authentication
+	private AuthenticationHolderEntity authenticationHolder; // the authentication that made this access
-                                                           // that made this
-                                                           // access
 
 	private JWT jwtValue; // JWT-encoded access token value
 
-  private OAuth2AccessTokenEntity idToken; // JWT-encoded OpenID Connect IdToken
-
 	private Date expiration;
 
 	private String tokenType = OAuth2AccessToken.BEARER_TYPE;
@@ -133,7 +114,9 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
 	private Set<Permission> permissions;
 
-  private Map<String, Object> additionalInfo = new HashMap<>();
+	private ApprovedSite approvedSite;
+
+	private Map<String, Object> additionalInformation = new HashMap<>(); // ephemeral map of items to be added to the OAuth token response
 
 	/**
 	 * Create a new, blank access token
@@ -149,52 +132,40 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
 	public Long getId() {
-
 		return id;
 	}
 
 	/**
-   * @param id
+	 * @param id the id to set
-   *          the id to set
 	 */
-  public void setId(final Long id) {
+	public void setId(Long id) {
-
 		this.id = id;
 	}
 
 	/**
-   * Get all additional information to be sent to the serializer. Inserts a copy
+	 * Get all additional information to be sent to the serializer as part of the token response.
-   * of the IdToken (in JWT String form).
+	 * This map is not persisted to the database.
 	 */
 	@Override
 	@Transient
 	public Map<String, Object> getAdditionalInformation() {
-
+		return additionalInformation;
-    if (getIdToken() != null) {
-      additionalInfo.put(ID_TOKEN_FIELD_NAME, getIdTokenString());
-    }
-    return additionalInfo;
 	}
 
 	/**
 	 * The authentication in place when this token was created.
-   * 
 	 * @return the authentication
 	 */
 	@ManyToOne
 	@JoinColumn(name = "auth_holder_id")
 	public AuthenticationHolderEntity getAuthenticationHolder() {
-
 		return authenticationHolder;
 	}
 
 	/**
-   * @param authentication
+	 * @param authentication the authentication to set
-   *          the authentication to set
 	 */
-  public void setAuthenticationHolder(
+	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
-    final AuthenticationHolderEntity authenticationHolder) {
-
 		this.authenticationHolder = authenticationHolder;
 	}
 
@@ -204,16 +175,13 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@ManyToOne
 	@JoinColumn(name = "client_id")
 	public ClientDetailsEntity getClient() {
-
 		return client;
 	}
 
 	/**
-   * @param client
+	 * @param client the client to set
-   *          the client to set
 	 */
-  public void setClient(final ClientDetailsEntity client) {
+	public void setClient(ClientDetailsEntity client) {
-
 		this.client = client;
 	}
 
@@ -223,7 +191,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Override
 	@Transient
 	public String getValue() {
-
 		return jwtValue.serialize();
 	}
 
@@ -232,12 +199,10 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Temporal(javax.persistence.TemporalType.TIMESTAMP)
 	@Column(name = "expiration")
 	public Date getExpiration() {
-
 		return expiration;
 	}
 
-  public void setExpiration(final Date expiration) {
+	public void setExpiration(Date expiration) {
-
 		this.expiration = expiration;
 	}
 
@@ -245,12 +210,10 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Basic
 	@Column(name="token_type")
 	public String getTokenType() {
-
 		return tokenType;
 	}
 
-  public void setTokenType(final String tokenType) {
+	public void setTokenType(String tokenType) {
-
 		this.tokenType = tokenType;
 	}
 
@@ -258,20 +221,16 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@ManyToOne
 	@JoinColumn(name="refresh_token_id")
 	public OAuth2RefreshTokenEntity getRefreshToken() {
-
 		return refreshToken;
 	}
 
-  public void setRefreshToken(final OAuth2RefreshTokenEntity refreshToken) {
+	public void setRefreshToken(OAuth2RefreshTokenEntity refreshToken) {
-
 		this.refreshToken = refreshToken;
 	}
 
-  public void setRefreshToken(final OAuth2RefreshToken refreshToken) {
+	public void setRefreshToken(OAuth2RefreshToken refreshToken) {
-
 		if (!(refreshToken instanceof OAuth2RefreshTokenEntity)) {
-      throw new IllegalArgumentException(
+			throw new IllegalArgumentException("Not a storable refresh token entity!");
-        "Not a storable refresh token entity!");
 		}
 		// force a pass through to the entity version
 		setRefreshToken((OAuth2RefreshTokenEntity)refreshToken);
@@ -279,57 +238,22 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
 	@Override
 	@ElementCollection(fetch=FetchType.EAGER)
-  @CollectionTable(joinColumns = @JoinColumn(name = "owner_id"),
+	@CollectionTable(
-    name = "token_scope")
+			joinColumns=@JoinColumn(name="owner_id"),
+			name="token_scope"
+			)
 	public Set<String> getScope() {
-
 		return scope;
 	}
 
-  public void setScope(final Set<String> scope) {
+	public void setScope(Set<String> scope) {
-
 		this.scope = scope;
 	}
 
 	@Override
 	@Transient
 	public boolean isExpired() {
-
+		return getExpiration() == null ? false : System.currentTimeMillis() > getExpiration().getTime();
-    return getExpiration() == null ? false
-      : System.currentTimeMillis() > getExpiration().getTime();
-  }
-
-  /**
-   * @return the idToken
-   */
-  @OneToOne(cascade = CascadeType.ALL) // one-to-one mapping for now
-  @JoinColumn(name = "id_token_id")
-  public OAuth2AccessTokenEntity getIdToken() {
-
-    return idToken;
-  }
-
-  /**
-   * @param idToken
-   *          the idToken to set
-   */
-  public void setIdToken(final OAuth2AccessTokenEntity idToken) {
-
-    this.idToken = idToken;
-  }
-
-  /**
-   * @return the idTokenString
-   */
-  @Transient
-  public String getIdTokenString() {
-
-    if (idToken != null) {
-      return idToken.getValue(); // get the JWT string value of the id token
-                                 // entity
-    } else {
-      return null;
-    }
 	}
 
 	/**
@@ -339,16 +263,13 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Column(name="token_value")
 	@Convert(converter = JWTStringConverter.class)
 	public JWT getJwt() {
-
 		return jwtValue;
 	}
 
 	/**
-   * @param jwtValue
+	 * @param jwtValue the jwtValue to set
-   *          the jwtValue to set
 	 */
-  public void setJwt(final JWT jwt) {
+	public void setJwt(JWT jwt) {
-
 		this.jwtValue = jwt;
 	}
 
@@ -359,8 +280,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		if (getExpiration() == null) {
 			return -1; // no expiration time
 		} else {
-      int secondsRemaining = (int) ((getExpiration().getTime()
+			int secondsRemaining = (int) ((getExpiration().getTime() - System.currentTimeMillis()) / 1000);
-        - System.currentTimeMillis()) / 1000);
 			if (isExpired()) {
 				return 0; // has an expiration time and expired
 			} else { // has an expiration time and not expired
@@ -373,21 +293,41 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	 * @return the permissions
 	 */
 	@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
-  @JoinTable(name = "access_token_permissions",
+	@JoinTable(
+			name = "access_token_permissions",
 			joinColumns = @JoinColumn(name = "access_token_id"),
-    inverseJoinColumns = @JoinColumn(name = "permission_id"))
+			inverseJoinColumns = @JoinColumn(name = "permission_id")
+			)
 	public Set<Permission> getPermissions() {
-
 		return permissions;
 	}
 
 	/**
-   * @param permissions
+	 * @param permissions the permissions to set
-   *          the permissions to set
 	 */
-  public void setPermissions(final Set<Permission> permissions) {
+	public void setPermissions(Set<Permission> permissions) {
-
 		this.permissions = permissions;
 	}
+>>>>>>> mitre/master
 
+	@ManyToOne
+	@JoinColumn(name="approved_site_id")
+	public ApprovedSite getApprovedSite() {
+		return approvedSite;
+	}
+
+	public void setApprovedSite(ApprovedSite approvedSite) {
+		this.approvedSite = approvedSite;
+	}
+
+	/**
+	 * Add the ID Token to the additionalInformation map for a token response.
+	 * @param idToken
+	 */
+	@Transient
+	public void setIdToken(JWT idToken) {
+		if (idToken != null) {
+			additionalInformation.put(ID_TOKEN_FIELD_NAME, idToken.serialize());
+		}
+	}
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +25,11 @@ import com.nimbusds.jose.Requirement;
  */
 public final class PKCEAlgorithm extends Algorithm {
 
+	/**
+	 *
+	 */
+	private static final long serialVersionUID = 7752852583210088925L;
+
 	public static final PKCEAlgorithm plain = new PKCEAlgorithm("plain", Requirement.REQUIRED);
 
 	public static final PKCEAlgorithm S256 = new PKCEAlgorithm("S256", Requirement.OPTIONAL);

openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -846,6 +847,54 @@ public class RegisteredClient {
 		this.src = src;
 	}
 
+	/**
+	 * @return
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getDeviceCodeValiditySeconds()
+	 */
+	public Integer getDeviceCodeValiditySeconds() {
+		return client.getDeviceCodeValiditySeconds();
+	}
+
+	/**
+	 * @param deviceCodeValiditySeconds
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setDeviceCodeValiditySeconds(java.lang.Integer)
+	 */
+	public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
+		client.setDeviceCodeValiditySeconds(deviceCodeValiditySeconds);
+	}
+
+	/**
+	 * @return
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareId()
+	 */
+	public String getSoftwareId() {
+		return client.getSoftwareId();
+	}
+
+	/**
+	 * @param softwareId
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareId(java.lang.String)
+	 */
+	public void setSoftwareId(String softwareId) {
+		client.setSoftwareId(softwareId);
+	}
+
+	/**
+	 * @return
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareVersion()
+	 */
+	public String getSoftwareVersion() {
+		return client.getSoftwareVersion();
+	}
+
+	/**
+	 * @param softwareVersion
+	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareVersion(java.lang.String)
+	 */
+	public void setSoftwareVersion(String softwareVersion) {
+		client.setSoftwareVersion(softwareVersion);
+	}
+
 
 
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +16,8 @@
 package org.mitre.oauth2.model;
 
 public interface RegisteredClientFields {
+	public String SOFTWARE_ID = "software_id";
+	public String SOFTWARE_VERSION = "software_version";
 	public String SOFTWARE_STATEMENT = "software_statement";
 	public String CLAIMS_REDIRECT_URIS = "claims_redirect_uris";
 	public String CLIENT_SECRET_EXPIRES_AT = "client_secret_expires_at";
@@ -56,5 +57,5 @@ public interface RegisteredClientFields {
 	public String REDIRECT_URIS = "redirect_uris";
 	public String CLIENT_SECRET = "client_secret";
 	public String CLIENT_ID = "client_id";
-
+	public String CODE_CHALLENGE_METHOD = "code_challenge_method";
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation and the MIT Internet Trust Consortium
+ * Copyright 2017 The MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at
@@ -202,6 +202,4 @@ public class SavedUserAuthentication implements Authentication {
   public void setAdditionalInfo(Map<String, String> additionalInfo) {
     this.additionalInfo = additionalInfo;
   }
-
-
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java

@@ -1,6 +1,7 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
+ *
+ * Portions copyright 2011-2013 The MITRE Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,7 +29,6 @@ import javax.persistence.Id;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.Table;
-import javax.persistence.Transient;
 
 /**
  * @author jricher
@@ -53,9 +53,6 @@ public class SystemScope {
 	private String icon; // class of the icon to display on the auth page
 	private boolean defaultScope = false; // is this a default scope for newly-registered clients?
 	private boolean restricted = false; // is this scope restricted to admin-only registration access?
-	private boolean structured = false; // is this a default scope for newly-registered clients?
-	private String structuredParamDescription;
-	private String structuredValue;
 
 	/**
 	 * Make a blank system scope with no value
@@ -162,52 +159,6 @@ public class SystemScope {
 		this.restricted = restricted;
 	}
 
-	/**
-	 * @return the isStructured status
-	 */
-	@Basic
-	@Column(name = "structured")
-	public boolean isStructured() {
-		return structured;
-	}
-
-	/**
-	 * @param structured the structured to set
-	 */
-	public void setStructured(boolean structured) {
-		this.structured = structured;
-	}
-
-	@Basic
-	@Column(name = "structured_param_description")
-	public String getStructuredParamDescription() {
-		return structuredParamDescription;
-	}
-
-	/**
-	 * @param isStructured the isStructured to set
-	 */
-	public void setStructuredParamDescription(String d) {
-		this.structuredParamDescription = d;
-	}
-
-
-	/**
-	 * @return the structuredValue
-	 */
-	@Transient // we don't save the value of a system scope separately
-	public String getStructuredValue() {
-		return structuredValue;
-	}
-
-	/**
-	 * @param structuredValue the structuredValue to set
-	 */
-	public void setStructuredValue(String structuredValue) {
-		this.structuredValue = structuredValue;
-	}
-
-
 	/* (non-Javadoc)
 	 * @see java.lang.Object#hashCode()
 	 */
@@ -221,13 +172,6 @@ public class SystemScope {
 		result = prime * result + ((icon == null) ? 0 : icon.hashCode());
 		result = prime * result + ((id == null) ? 0 : id.hashCode());
 		result = prime * result + (restricted ? 1231 : 1237);
-		result = prime * result + (structured ? 1231 : 1237);
-		result = prime
-				* result
-				+ ((structuredParamDescription == null) ? 0
-						: structuredParamDescription.hashCode());
-		result = prime * result
-				+ ((structuredValue == null) ? 0 : structuredValue.hashCode());
 		result = prime * result + ((value == null) ? 0 : value.hashCode());
 		return result;
 	}
@@ -274,24 +218,6 @@ public class SystemScope {
 		if (restricted != other.restricted) {
 			return false;
 		}
-		if (structured != other.structured) {
-			return false;
-		}
-		if (structuredParamDescription == null) {
-			if (other.structuredParamDescription != null) {
-				return false;
-			}
-		} else if (!structuredParamDescription
-				.equals(other.structuredParamDescription)) {
-			return false;
-		}
-		if (structuredValue == null) {
-			if (other.structuredValue != null) {
-				return false;
-			}
-		} else if (!structuredValue.equals(other.structuredValue)) {
-			return false;
-		}
 		if (value == null) {
 			if (other.value != null) {
 				return false;
@@ -309,10 +235,7 @@ public class SystemScope {
 	public String toString() {
 		return "SystemScope [id=" + id + ", value=" + value + ", description="
 				+ description + ", icon=" + icon + ", defaultScope="
-				+ defaultScope + ", restricted=" + restricted + ", structured="
+				+ defaultScope + ", restricted=" + restricted + "]";
-				+ structured + ", structuredParamDescription="
-				+ structuredParamDescription + ", structuredValue="
-				+ structuredValue + "]";
 	}
 
 }

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java

@@ -1,6 +1,5 @@
 /*******************************************************************************
- * Copyright 2016 The MITRE Corporation
+ * Copyright 2017 The MIT Internet Trust Consortium
- *   and the MIT Internet Trust Consortium
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.