Refactoring common submodule - part 2

2020-03-30 20:48:22 +02:00 · 2020-03-30 20:48:22 +02:00 · 380a2fbcb8
parent 6fe33c1ed7
commit 380a2fbcb8
34 changed files with 423 additions and 1643 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java
@ -18,7 +18,6 @@ package org.mitre.oauth2.exception;
 /**
 * @author jricher
 *
 */
 public class DeviceCodeCreationException extends Exception {
@ -30,21 +29,13 @@ public class DeviceCodeCreationException extends Exception {
 		super(message);
 		this.error = error;
 	}
-	
+
 	/**
 	 * @return the error
 	 */
 	public String getError() {
 		return error;
 	}
 	/**
 	 * @param error the error to set
 	 */
 	public void setError(String error) {
 		this.error = error;
 	}
-	
+
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
@ -64,30 +64,18 @@ public class AuthenticationHolderEntity {
 	public static final String QUERY_ALL = "AuthenticationHolderEntity.getAll";
 	private Long id;
 	private SavedUserAuthentication userAuth;
 	private Collection<GrantedAuthority> authorities;
 	private Set<String> resourceIds;
 	private boolean approved;
 	private String redirectUri;
 	private Set<String> responseTypes;
 	private Map<String, Serializable> extensions;
 	private String clientId;
 	private Set<String> scope;
 	private Map<String, String> requestParameters;
-	public AuthenticationHolderEntity() {
+	public AuthenticationHolderEntity() { }
 	}
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
@ -106,15 +94,11 @@ public class AuthenticationHolderEntity {
 		return new OAuth2Authentication(createOAuth2Request(), getUserAuth());
 	}
 	/**
 	 * @return
 	 */
 	private OAuth2Request createOAuth2Request() {
 		return new OAuth2Request(requestParameters, clientId, authorities, approved, scope, resourceIds, redirectUri, responseTypes, extensions);
 	}
 	public void setAuthentication(OAuth2Authentication authentication) {
 		// pull apart the request and save its bits
 		OAuth2Request o2Request = authentication.getOAuth2Request();
 		setAuthorities(o2Request.getAuthorities() == null ? null : new HashSet<>(o2Request.getAuthorities()));
@ -134,123 +118,72 @@ public class AuthenticationHolderEntity {
 		}
 	}
 	/**
 	 * @return the userAuth
 	 */
 	@OneToOne(cascade=CascadeType.ALL)
 	@JoinColumn(name = "user_auth_id")
 	public SavedUserAuthentication getUserAuth() {
 		return userAuth;
 	}
 	/**
 	 * @param userAuth the userAuth to set
 	 */
 	public void setUserAuth(SavedUserAuthentication userAuth) {
 		this.userAuth = userAuth;
 	}
 	/**
 	 * @return the authorities
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_authority", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_authority",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Convert(converter = SimpleGrantedAuthorityStringConverter.class)
 	@Column(name="authority")
 	public Collection<GrantedAuthority> getAuthorities() {
 		return authorities;
 	}
 	/**
 	 * @param authorities the authorities to set
 	 */
 	public void setAuthorities(Collection<GrantedAuthority> authorities) {
 		this.authorities = authorities;
 	}
 	/**
 	 * @return the resourceIds
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_resource_id", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_resource_id",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="resource_id")
 	public Set<String> getResourceIds() {
 		return resourceIds;
 	}
 	/**
 	 * @param resourceIds the resourceIds to set
 	 */
 	public void setResourceIds(Set<String> resourceIds) {
 		this.resourceIds = resourceIds;
 	}
 	/**
 	 * @return the approved
 	 */
 	@Basic
 	@Column(name="approved")
 	public boolean isApproved() {
 		return approved;
 	}
 	/**
 	 * @param approved the approved to set
 	 */
 	public void setApproved(boolean approved) {
 		this.approved = approved;
 	}
 	/**
 	 * @return the redirectUri
 	 */
 	@Basic
 	@Column(name="redirect_uri")
 	public String getRedirectUri() {
 		return redirectUri;
 	}
 	/**
 	 * @param redirectUri the redirectUri to set
 	 */
 	public void setRedirectUri(String redirectUri) {
 		this.redirectUri = redirectUri;
 	}
 	/**
 	 * @return the responseTypes
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_response_type", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_response_type",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="response_type")
 	public Set<String> getResponseTypes() {
 		return responseTypes;
 	}
 	/**
 	 * @param responseTypes the responseTypes to set
 	 */
 	public void setResponseTypes(Set<String> responseTypes) {
 		this.responseTypes = responseTypes;
 	}
 	/**
 	 * @return the extensions
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_extension", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_extension",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="val")
 	@MapKeyColumn(name="extension")
 	@Convert(converter=SerializableStringConverter.class)
@ -258,70 +191,41 @@ public class AuthenticationHolderEntity {
 		return extensions;
 	}
 	/**
 	 * @param extensions the extensions to set
 	 */
 	public void setExtensions(Map<String, Serializable> extensions) {
 		this.extensions = extensions;
 	}
 	/**
 	 * @return the clientId
 	 */
 	@Basic
 	@Column(name="client_id")
 	public String getClientId() {
 		return clientId;
 	}
 	/**
 	 * @param clientId the clientId to set
 	 */
 	public void setClientId(String clientId) {
 		this.clientId = clientId;
 	}
 	/**
 	 * @return the scope
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_scope", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_scope",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="scope")
 	public Set<String> getScope() {
 		return scope;
 	}
 	/**
 	 * @param scope the scope to set
 	 */
 	public void setScope(Set<String> scope) {
 		this.scope = scope;
 	}
 	/**
 	 * @return the requestParameters
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="authentication_holder_request_parameter", joinColumns=@JoinColumn(name="owner_id"))
 			name="authentication_holder_request_parameter",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="val")
 	@MapKeyColumn(name="param")
 	public Map<String, String> getRequestParameters() {
 		return requestParameters;
 	}
 	/**
 	 * @param requestParameters the requestParameters to set
 	 */
 	public void setRequestParameters(Map<String, String> requestParameters) {
 		this.requestParameters = requestParameters;
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
@ -36,7 +36,6 @@ import javax.persistence.Temporal;
 * Entity class for authorization codes
 *
 * @author aanganes
 *
 */
@Entity
@Table(name = "authorization_code")
@ -52,35 +51,18 @@ public class AuthorizationCodeEntity {
 	public static final String PARAM_DATE = "date";
 	private Long id;
 	private String code;
 	private AuthenticationHolderEntity authenticationHolder;
 	private Date expiration;
-	/**
+	public AuthorizationCodeEntity() { }
 	 * Default constructor.
 	 */
 	public AuthorizationCodeEntity() {
 	}
 	/**
 	 * Create a new AuthorizationCodeEntity with the given code and AuthorizationRequestHolder.
 	 *
 	 * @param code 			the authorization code
 	 * @param authRequest	the AuthoriztionRequestHolder associated with the original code request
 	 */
 	public AuthorizationCodeEntity(String code, AuthenticationHolderEntity authenticationHolder, Date expiration) {
 		this.code = code;
 		this.authenticationHolder = authenticationHolder;
 		this.expiration = expiration;
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -88,42 +70,26 @@ public class AuthorizationCodeEntity {
 		return id;
 	}
 	/**
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
 	/**
 	 * @return the code
 	 */
 	@Basic
 	@Column(name = "code")
 	public String getCode() {
 		return code;
 	}
 	/**
 	 * @param code the code to set
 	 */
 	public void setCode(String code) {
 		this.code = code;
 	}
 	/**
 	 * The authentication in place when this token was created.
 	 * @return the authentication
 	 */
 	@ManyToOne
 	@JoinColumn(name = "auth_holder_id")
 	public AuthenticationHolderEntity getAuthenticationHolder() {
 		return authenticationHolder;
 	}
 	/**
 	 * @param authentication the authentication to set
 	 */
 	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
 		this.authenticationHolder = authenticationHolder;
 	}
@ -138,4 +104,5 @@ public class AuthorizationCodeEntity {
 	public void setExpiration(Date expiration) {
 		this.expiration = expiration;
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@ -86,76 +86,55 @@ public class ClientDetailsEntity implements ClientDetails {
 	private static final long serialVersionUID = -1617727085733786296L;
 	private Long id;
-
+	private String clientId = null;
-	/** Fields from the OAuth2 Dynamic Registration Specification */
+	private String clientSecret = null;
-	private String clientId = null; // client_id
+	private Set<String> redirectUris = new HashSet<>();
-	private String clientSecret = null; // client_secret
+	private String clientName;
-	private Set<String> redirectUris = new HashSet<>(); // redirect_uris
+	private String clientUri;
-	private String clientName; // client_name
+	private String logoUri;
-	private String clientUri; // client_uri
+	private Set<String> contacts;
-	private String logoUri; // logo_uri
+	private String tosUri;
-	private Set<String> contacts; // contacts
+	private AuthMethod tokenEndpointAuthMethod = AuthMethod.SECRET_BASIC;
-	private String tosUri; // tos_uri
+	private Set<String> scope = new HashSet<>();
-	private AuthMethod tokenEndpointAuthMethod = AuthMethod.SECRET_BASIC; // token_endpoint_auth_method
+	private Set<String> grantTypes = new HashSet<>();
-	private Set<String> scope = new HashSet<>(); // scope
+	private Set<String> responseTypes = new HashSet<>();
 	private Set<String> grantTypes = new HashSet<>(); // grant_types
 	private Set<String> responseTypes = new HashSet<>(); // response_types
 	private String policyUri;
-	private String jwksUri; // URI pointer to keys
+	private String jwksUri;
-	private JWKSet jwks; // public key stored by value
+	private JWKSet jwks;
 	private String softwareId;
 	private String softwareVersion;
-
+	private AppType applicationType;
-	/** Fields from OIDC Client Registration Specification **/
+	private String sectorIdentifierUri;
-	private AppType applicationType; // application_type
+	private SubjectType subjectType;
-	private String sectorIdentifierUri; // sector_identifier_uri
+	private JWSAlgorithm requestObjectSigningAlg = null;
-	private SubjectType subjectType; // subject_type
+	private JWSAlgorithm userInfoSignedResponseAlg = null;
-
+	private JWEAlgorithm userInfoEncryptedResponseAlg = null;
-	private JWSAlgorithm requestObjectSigningAlg = null; // request_object_signing_alg
+	private EncryptionMethod userInfoEncryptedResponseEnc = null;
-
+	private JWSAlgorithm idTokenSignedResponseAlg = null;
-	private JWSAlgorithm userInfoSignedResponseAlg = null; // user_info_signed_response_alg
+	private JWEAlgorithm idTokenEncryptedResponseAlg = null;
-	private JWEAlgorithm userInfoEncryptedResponseAlg = null; // user_info_encrypted_response_alg
+	private EncryptionMethod idTokenEncryptedResponseEnc = null;
-	private EncryptionMethod userInfoEncryptedResponseEnc = null; // user_info_encrypted_response_enc
+	private JWSAlgorithm tokenEndpointAuthSigningAlg = null;
-
+	private Integer defaultMaxAge;
-	private JWSAlgorithm idTokenSignedResponseAlg = null; // id_token_signed_response_alg
+	private Boolean requireAuthTime;
-	private JWEAlgorithm idTokenEncryptedResponseAlg = null; // id_token_encrypted_response_alg
+	private Set<String> defaultACRvalues;
-	private EncryptionMethod idTokenEncryptedResponseEnc = null; // id_token_encrypted_response_enc
+	private String initiateLoginUri;
-
+	private Set<String> postLogoutRedirectUris;
-	private JWSAlgorithm tokenEndpointAuthSigningAlg = null; // token_endpoint_auth_signing_alg
+	private Set<String> requestUris;
 	private Integer defaultMaxAge; // default_max_age
 	private Boolean requireAuthTime; // require_auth_time
 	private Set<String> defaultACRvalues; // default_acr_values
 	private String initiateLoginUri; // initiate_login_uri
 	private Set<String> postLogoutRedirectUris; // post_logout_redirect_uris
 	private Set<String> requestUris; // request_uris
 	/** Fields to support the ClientDetails interface **/
 	private Set<GrantedAuthority> authorities = new HashSet<>();
-	private Integer accessTokenValiditySeconds = 0; // in seconds
+	private Integer accessTokenValiditySeconds = 0;
-	private Integer refreshTokenValiditySeconds = 0; // in seconds
+	private Integer refreshTokenValiditySeconds = 0;
 	private Set<String> resourceIds = new HashSet<>();
 	private Map<String, Object> additionalInformation = new HashMap<>();
-
+	private String clientDescription = "";
-	/** Our own fields **/
+	private boolean reuseRefreshToken = true;
-	private String clientDescription = ""; // human-readable description
+	private boolean dynamicallyRegistered = false;
-	private boolean reuseRefreshToken = true; // do we let someone reuse a refresh token?
+	private boolean allowIntrospection = false;
-	private boolean dynamicallyRegistered = false; // was this client dynamically registered?
+	private Integer idTokenValiditySeconds;
-	private boolean allowIntrospection = false; // do we let this client call the introspection endpoint?
+	private Date createdAt;
-	private Integer idTokenValiditySeconds; //timeout for id tokens
+	private boolean clearAccessTokensOnRefresh = true;
-	private Date createdAt; // time the client was created
+	private Integer deviceCodeValiditySeconds;
 	private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
 	private Integer deviceCodeValiditySeconds; // timeout for device codes
 	/** fields for UMA */
 	private Set<String> claimsRedirectUris;
 	/** Software statement **/
 	private JWT softwareStatement;
 	/** PKCE **/
 	private PKCEAlgorithm codeChallengeMethod;
 	public enum AuthMethod {
@ -240,9 +219,6 @@ public class ClientDetailsEntity implements ClientDetails {
 		}
 	}
 	/**
 	 * Create a blank ClientDetailsEntity
 	 */
 	public ClientDetailsEntity() {
 	}
@ -250,15 +226,11 @@ public class ClientDetailsEntity implements ClientDetails {
 	@PrePersist
 	@PreUpdate
 	private void prePersist() {
 		// make sure that ID tokens always time out, default to 5 minutes
 		if (getIdTokenValiditySeconds() == null) {
 			setIdTokenValiditySeconds(DEFAULT_ID_TOKEN_VALIDITY_SECONDS);
 		}
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -266,33 +238,20 @@ public class ClientDetailsEntity implements ClientDetails {
 		return id;
 	}
 	/**
 	 *
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
 	/**
 	 * @return the clientDescription
 	 */
 	@Basic
 	@Column(name="client_description")
 	public String getClientDescription() {
 		return clientDescription;
 	}
 	/**
 	 * @param clientDescription Human-readable long description of the client (optional)
 	 */
 	public void setClientDescription(String clientDescription) {
 		this.clientDescription = clientDescription;
 	}
 	/**
 	 * @return the allowRefresh
 	 */
 	@Transient
 	public boolean isAllowRefresh() {
 		if (grantTypes != null) {
@ -312,89 +271,51 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.reuseRefreshToken = reuseRefreshToken;
 	}
 	/**
 	 * Number of seconds ID token is valid for. MUST be a positive integer, can not be null.
 	 *
 	 * @return the idTokenValiditySeconds
 	 */
 	@Basic
 	@Column(name="id_token_validity_seconds")
 	public Integer getIdTokenValiditySeconds() {
 		return idTokenValiditySeconds;
 	}
 	/**
 	 * @param idTokenValiditySeconds the idTokenValiditySeconds to set
 	 */
 	public void setIdTokenValiditySeconds(Integer idTokenValiditySeconds) {
 		this.idTokenValiditySeconds = idTokenValiditySeconds;
 	}
 	/**
 	 * @return the dynamicallyRegistered
 	 */
 	@Basic
 	@Column(name="dynamically_registered")
 	public boolean isDynamicallyRegistered() {
 		return dynamicallyRegistered;
 	}
 	/**
 	 * @param dynamicallyRegistered the dynamicallyRegistered to set
 	 */
 	public void setDynamicallyRegistered(boolean dynamicallyRegistered) {
 		this.dynamicallyRegistered = dynamicallyRegistered;
 	}
 	/**
 	 * @return the allowIntrospection
 	 */
 	@Basic
 	@Column(name="allow_introspection")
 	public boolean isAllowIntrospection() {
 		return allowIntrospection;
 	}
 	/**
 	 * @param allowIntrospection the allowIntrospection to set
 	 */
 	public void setAllowIntrospection(boolean allowIntrospection) {
 		this.allowIntrospection = allowIntrospection;
 	}
 	/**
 	 *
 	 */
 	@Override
 	@Transient
 	public boolean isSecretRequired() {
-		if (getTokenEndpointAuthMethod() != null &&
+		return getTokenEndpointAuthMethod() != null &&
-				(getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
+			(getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
-						getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) ||
+				getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) ||
-						getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+				getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT));
 			return true;
 		} else {
 			return false;
 		}
 	}
 	/**
 	 * If the scope list is not null or empty, then this client has been scoped.
 	 */
 	@Override
 	@Transient
 	public boolean isScoped() {
 		return getScope() != null && !getScope().isEmpty();
 	}
 	/**
 	 * @return the clientId
 	 */
 	@Basic
 	@Override
 	@Column(name="client_id")
@ -402,16 +323,10 @@ public class ClientDetailsEntity implements ClientDetails {
 		return clientId;
 	}
 	/**
 	 * @param clientId The OAuth2 client_id, must be unique to this client
 	 */
 	public void setClientId(String clientId) {
 		this.clientId = clientId;
 	}
 	/**
 	 * @return the clientSecret
 	 */
 	@Basic
 	@Override
 	@Column(name="client_secret")
@ -419,71 +334,41 @@ public class ClientDetailsEntity implements ClientDetails {
 		return clientSecret;
 	}
 	/**
 	 * @param clientSecret the OAuth2 client_secret (optional)
 	 */
 	public void setClientSecret(String clientSecret) {
 		this.clientSecret = clientSecret;
 	}
 	/**
 	 * @return the scope
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_scope", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_scope",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Override
 	@Column(name="scope")
 	public Set<String> getScope() {
 		return scope;
 	}
 	/**
 	 * @param scope the set of scopes allowed to be issued to this client
 	 */
 	public void setScope(Set<String> scope) {
 		this.scope = scope;
 	}
 	/**
 	 * @return the authorizedGrantTypes
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_grant_type", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_grant_type",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="grant_type")
 	public Set<String> getGrantTypes() {
 		return grantTypes;
 	}
 	/**
 	 * @param authorizedGrantTypes the OAuth2 grant types that this client is allowed to use
 	 */
 	public void setGrantTypes(Set<String> grantTypes) {
 		this.grantTypes = grantTypes;
 	}
 	/**
 	 * passthrough for SECOAUTH api
 	 */
 	@Override
 	@Transient
 	public Set<String> getAuthorizedGrantTypes() {
 		return getGrantTypes();
 	}
 	/**
 	 * @return the authorities
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_authority", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_authority",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Override
 	@Convert(converter = SimpleGrantedAuthorityStringConverter.class)
 	@Column(name="authority")
@ -491,9 +376,6 @@ public class ClientDetailsEntity implements ClientDetails {
 		return authorities;
 	}
 	/**
 	 * @param authorities the Spring Security authorities this client is given
 	 */
 	public void setAuthorities(Set<GrantedAuthority> authorities) {
 		this.authorities = authorities;
 	}
@ -505,9 +387,6 @@ public class ClientDetailsEntity implements ClientDetails {
 		return accessTokenValiditySeconds;
 	}
 	/**
 	 * @param accessTokenTimeout the accessTokenTimeout to set
 	 */
 	public void setAccessTokenValiditySeconds(Integer accessTokenValiditySeconds) {
 		this.accessTokenValiditySeconds = accessTokenValiditySeconds;
 	}
@ -519,81 +398,45 @@ public class ClientDetailsEntity implements ClientDetails {
 		return refreshTokenValiditySeconds;
 	}
 	/**
 	 * @param refreshTokenTimeout Lifetime of refresh tokens, in seconds (optional - leave null for no timeout)
 	 */
 	public void setRefreshTokenValiditySeconds(Integer refreshTokenValiditySeconds) {
 		this.refreshTokenValiditySeconds = refreshTokenValiditySeconds;
 	}
 	/**
 	 * @return the registeredRedirectUri
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_redirect_uri", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_redirect_uri",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="redirect_uri")
 	public Set<String> getRedirectUris() {
 		return redirectUris;
 	}
 	/**
 	 * @param registeredRedirectUri the registeredRedirectUri to set
 	 */
 	public void setRedirectUris(Set<String> redirectUris) {
 		this.redirectUris = redirectUris;
 	}
 	/**
 	 * Pass-through method to fulfill the ClientDetails interface with a bad name
 	 */
 	@Override
 	@Transient
 	public Set<String> getRegisteredRedirectUri() {
 		return getRedirectUris();
 	}
 	/**
 	 * @return the resourceIds
 	 */
 	@Override
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_resource", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_resource",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="resource_id")
 	public Set<String> getResourceIds() {
 		return resourceIds;
 	}
 	/**
 	 * @param resourceIds the resourceIds to set
 	 */
 	public void setResourceIds(Set<String> resourceIds) {
 		this.resourceIds = resourceIds;
 	}
 	/**
 	 * This library does not make use of this field, so it is not
 	 * stored using our persistence layer.
 	 *
 	 * However, it's somehow required by SECOUATH.
 	 *
 	 * @return an empty map
 	 */
 	@Override
 	@Transient
 	public Map<String, Object> getAdditionalInformation() {
 		return this.additionalInformation;
 	}
 	@Enumerated(EnumType.STRING)
 	@Column(name="application_type")
 	public AppType getApplicationType() {
@ -635,10 +478,7 @@ public class ClientDetailsEntity implements ClientDetails {
 	}
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_contact", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_contact",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="contact")
 	public Set<String> getContacts() {
 		return contacts;
@ -668,34 +508,22 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.policyUri = policyUri;
 	}
 	/**
 	 * @return the clientUrl
 	 */
 	@Basic
 	@Column(name="client_uri")
 	public String getClientUri() {
 		return clientUri;
 	}
 	/**
 	 * @param clientUrl the clientUrl to set
 	 */
 	public void setClientUri(String clientUri) {
 		this.clientUri = clientUri;
 	}
 	/**
 	 * @return the tosUrl
 	 */
 	@Basic
 	@Column(name="tos_uri")
 	public String getTosUri() {
 		return tosUri;
 	}
 	/**
 	 * @param tosUrl the tosUrl to set
 	 */
 	public void setTosUri(String tosUri) {
 		this.tosUri = tosUri;
 	}
@ -710,9 +538,6 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.jwksUri = jwksUri;
 	}
 	/**
 	 * @return the jwks
 	 */
 	@Basic
 	@Column(name="jwks")
 	@Convert(converter = JWKSetStringConverter.class)
@ -720,9 +545,6 @@ public class ClientDetailsEntity implements ClientDetails {
 		return jwks;
 	}
 	/**
 	 * @param jwks the jwks to set
 	 */
 	public void setJwks(JWKSet jwks) {
 		this.jwks = jwks;
 	}
@ -845,165 +667,96 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.requireAuthTime = requireAuthTime;
 	}
 	/**
 	 * @return the responseTypes
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_response_type", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_response_type",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="response_type")
 	public Set<String> getResponseTypes() {
 		return responseTypes;
 	}
 	/**
 	 * @param responseTypes the responseTypes to set
 	 */
 	public void setResponseTypes(Set<String> responseTypes) {
 		this.responseTypes = responseTypes;
 	}
 	/**
 	 * @return the defaultACRvalues
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_default_acr_value", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_default_acr_value",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="default_acr_value")
 	public Set<String> getDefaultACRvalues() {
 		return defaultACRvalues;
 	}
 	/**
 	 * @param defaultACRvalues the defaultACRvalues to set
 	 */
 	public void setDefaultACRvalues(Set<String> defaultACRvalues) {
 		this.defaultACRvalues = defaultACRvalues;
 	}
 	/**
 	 * @return the initiateLoginUri
 	 */
 	@Basic
 	@Column(name="initiate_login_uri")
 	public String getInitiateLoginUri() {
 		return initiateLoginUri;
 	}
 	/**
 	 * @param initiateLoginUri the initiateLoginUri to set
 	 */
 	public void setInitiateLoginUri(String initiateLoginUri) {
 		this.initiateLoginUri = initiateLoginUri;
 	}
 	/**
 	 * @return the postLogoutRedirectUri
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_post_logout_redirect_uri", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_post_logout_redirect_uri",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="post_logout_redirect_uri")
 	public Set<String> getPostLogoutRedirectUris() {
 		return postLogoutRedirectUris;
 	}
 	/**
 	 * @param postLogoutRedirectUri the postLogoutRedirectUri to set
 	 */
 	public void setPostLogoutRedirectUris(Set<String> postLogoutRedirectUri) {
 		this.postLogoutRedirectUris = postLogoutRedirectUri;
 	}
 	/**
 	 * @return the requestUris
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_request_uri", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_request_uri",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="request_uri")
 	public Set<String> getRequestUris() {
 		return requestUris;
 	}
 	/**
 	 * @param requestUris the requestUris to set
 	 */
 	public void setRequestUris(Set<String> requestUris) {
 		this.requestUris = requestUris;
 	}
 	/**
 	 * @return the createdAt
 	 */
 	@Temporal(TemporalType.TIMESTAMP)
 	@Column(name="created_at")
 	public Date getCreatedAt() {
 		return createdAt;
 	}
 	/**
 	 * @param createdAt the createdAt to set
 	 */
 	public void setCreatedAt(Date createdAt) {
 		this.createdAt = createdAt;
 	}
 	/**
 	 * Our framework doesn't use this construct, we use WhitelistedSites and ApprovedSites instead.
 	 */
 	@Override
 	public boolean isAutoApprove(String scope) {
 		return false;
 	}
 	/**
 	 * @return the clearAccessTokensOnRefresh
 	 */
 	@Basic
 	@Column(name = "clear_access_tokens_on_refresh")
 	public boolean isClearAccessTokensOnRefresh() {
 		return clearAccessTokensOnRefresh;
 	}
 	/**
 	 * @param clearAccessTokensOnRefresh the clearAccessTokensOnRefresh to set
 	 */
 	public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
 		this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
 	}
 	/**
 	 * @return the claimsRedirectUris
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="client_claims_redirect_uri", joinColumns=@JoinColumn(name="owner_id"))
 			name="client_claims_redirect_uri",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="redirect_uri")
 	public Set<String> getClaimsRedirectUris() {
 		return claimsRedirectUris;
 	}
 	/**
 	 * @param claimsRedirectUris the claimsRedirectUris to set
 	 */
 	public void setClaimsRedirectUris(Set<String> claimsRedirectUris) {
 		this.claimsRedirectUris = claimsRedirectUris;
 	}
 	/**
 	 * @return the softwareStatement
 	 */
 	@Basic
 	@Column(name = "software_statement")
 	@Convert(converter = JWTStringConverter.class)
@ -1011,16 +764,10 @@ public class ClientDetailsEntity implements ClientDetails {
 		return softwareStatement;
 	}
 	/**
 	 * @param softwareStatement the softwareStatement to set
 	 */
 	public void setSoftwareStatement(JWT softwareStatement) {
 		this.softwareStatement = softwareStatement;
 	}
 	/**
 	 * @return the codeChallengeMethod
 	 */
 	@Basic
 	@Column(name = "code_challenge_method")
 	@Convert(converter = PKCEAlgorithmStringConverter.class)
@ -1028,57 +775,36 @@ public class ClientDetailsEntity implements ClientDetails {
 		return codeChallengeMethod;
 	}
 	/**
 	 * @param codeChallengeMethod the codeChallengeMethod to set
 	 */
 	public void setCodeChallengeMethod(PKCEAlgorithm codeChallengeMethod) {
 		this.codeChallengeMethod = codeChallengeMethod;
 	}
 	/**
 	 * @return the deviceCodeValiditySeconds
 	 */
 	@Basic
 	@Column(name="device_code_validity_seconds")
 	public Integer getDeviceCodeValiditySeconds() {
 		return deviceCodeValiditySeconds;
 	}
 	/**
 	 * @param deviceCodeValiditySeconds the deviceCodeValiditySeconds to set
 	 */
 	public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
 		this.deviceCodeValiditySeconds = deviceCodeValiditySeconds;
 	}
 	/**
 	 * @return the softwareId
 	 */
 	@Basic
 	@Column(name="software_id")
 	public String getSoftwareId() {
 		return softwareId;
 	}
 	/**
 	 * @param softwareId the softwareId to set
 	 */
 	public void setSoftwareId(String softwareId) {
 		this.softwareId = softwareId;
 	}
 	/**
 	 * @return the softwareVersion
 	 */
 	@Basic
 	@Column(name="software_version")
 	public String getSoftwareVersion() {
 		return softwareVersion;
 	}
 	/**
 	 * @param softwareVersion the softwareVersion to set
 	 */
 	public void setSoftwareVersion(String softwareVersion) {
 		this.softwareVersion = softwareVersion;
 	}
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java
@ -39,7 +39,6 @@ import javax.persistence.Temporal;
 /**
 * @author jricher
 *
 */
@Entity
@Table(name = "device_code")
@ -68,9 +67,7 @@ public class DeviceCode {
 	private boolean approved;
 	private AuthenticationHolderEntity authenticationHolder;
-	public DeviceCode() {
+	public DeviceCode() { }
 	}
 	public DeviceCode(String deviceCode, String userCode, Set<String> scope, String clientId, Map<String, String> params) {
 		this.deviceCode = deviceCode;
@ -80,9 +77,6 @@ public class DeviceCode {
 		this.requestParameters = params;
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -90,61 +84,37 @@ public class DeviceCode {
 		return id;
 	}
 	/**
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
 	/**
 	 * @return the deviceCode
 	 */
 	@Basic
 	@Column(name = "device_code")
 	public String getDeviceCode() {
 		return deviceCode;
 	}
 	/**
 	 * @param deviceCode the deviceCode to set
 	 */
 	public void setDeviceCode(String deviceCode) {
 		this.deviceCode = deviceCode;
 	}
 	/**
 	 * @return the userCode
 	 */
 	@Basic
 	@Column(name = "user_code")
 	public String getUserCode() {
 		return userCode;
 	}
 	/**
 	 * @param userCode the userCode to set
 	 */
 	public void setUserCode(String userCode) {
 		this.userCode = userCode;
 	}
 	/**
 	 * @return the scope
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="device_code_scope", joinColumns=@JoinColumn(name="owner_id"))
 			name="device_code_scope",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="scope")
 	public Set<String> getScope() {
 		return scope;
 	}
 	/**
 	 * @param scope the scope to set
 	 */
 	public void setScope(Set<String> scope) {
 		this.scope = scope;
 	}
@ -160,75 +130,46 @@ public class DeviceCode {
 		this.expiration = expiration;
 	}
 	/**
 	 * @return the clientId
 	 */
 	@Basic
 	@Column(name = "client_id")
 	public String getClientId() {
 		return clientId;
 	}
 	/**
 	 * @param clientId the clientId to set
 	 */
 	public void setClientId(String clientId) {
 		this.clientId = clientId;
 	}
 	/**
 	 * @return the params
 	 */
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="device_code_request_parameter", joinColumns=@JoinColumn(name="owner_id"))
 			name="device_code_request_parameter",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Column(name="val")
 	@MapKeyColumn(name="param")
 	public Map<String, String> getRequestParameters() {
 		return requestParameters;
 	}
 	/**
 	 * @param params the params to set
 	 */
 	public void setRequestParameters(Map<String, String> params) {
 		this.requestParameters = params;
 	}
 	/**
 	 * @return the approved
 	 */
 	@Basic
 	@Column(name = "approved")
 	public boolean isApproved() {
 		return approved;
 	}
 	/**
 	 * @param approved the approved to set
 	 */
 	public void setApproved(boolean approved) {
 		this.approved = approved;
 	}
 	/**
 	 * The authentication in place when this token was created.
 	 * @return the authentication
 	 */
 	@ManyToOne
 	@JoinColumn(name = "auth_holder_id")
 	public AuthenticationHolderEntity getAuthenticationHolder() {
 		return authenticationHolder;
 	}
 	/**
 	 * @param authentication the authentication to set
 	 */
 	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
 		this.authenticationHolder = authenticationHolder;
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@ -100,37 +100,19 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	public static final String ID_TOKEN_FIELD_NAME = "id_token";
 	private Long id;
 	private ClientDetailsEntity client;
-
+	private AuthenticationHolderEntity authenticationHolder;
-	private AuthenticationHolderEntity authenticationHolder; // the authentication that made this access
+	private JWT jwtValue;
 	private JWT jwtValue; // JWT-encoded access token value
 	private Date expiration;
 	private String tokenType = OAuth2AccessToken.BEARER_TYPE;
 	private OAuth2RefreshTokenEntity refreshToken;
 	private Set<String> scope;
 	private Set<Permission> permissions;
 	private ApprovedSite approvedSite;
 	private Map<String, Object> additionalInformation = new HashMap<>();
-	private Map<String, Object> additionalInformation = new HashMap<>(); // ephemeral map of items to be added to the OAuth token response
+	public OAuth2AccessTokenEntity() { }
 	/**
 	 * Create a new, blank access token
 	 */
 	public OAuth2AccessTokenEntity() {
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -138,59 +120,36 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		return id;
 	}
 	/**
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
 	/**
 	 * Get all additional information to be sent to the serializer as part of the token response.
 	 * This map is not persisted to the database.
 	 */
 	@Override
 	@Transient
 	public Map<String, Object> getAdditionalInformation() {
 		return additionalInformation;
 	}
 	/**
 	 * The authentication in place when this token was created.
 	 * @return the authentication
 	 */
 	@ManyToOne
 	@JoinColumn(name = "auth_holder_id")
 	public AuthenticationHolderEntity getAuthenticationHolder() {
 		return authenticationHolder;
 	}
 	/**
 	 * @param authentication the authentication to set
 	 */
 	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
 		this.authenticationHolder = authenticationHolder;
 	}
 	/**
 	 * @return the client
 	 */
 	@ManyToOne
 	@JoinColumn(name = "client_id")
 	public ClientDetailsEntity getClient() {
 		return client;
 	}
 	/**
 	 * @param client the client to set
 	 */
 	public void setClient(ClientDetailsEntity client) {
 		this.client = client;
 	}
 	/**
 	 * Get the string-encoded value of this access token.
 	 */
 	@Override
 	@Transient
 	public String getValue() {
@ -235,16 +194,12 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		if (!(refreshToken instanceof OAuth2RefreshTokenEntity)) {
 			throw new IllegalArgumentException("Not a storable refresh token entity!");
 		}
 		// force a pass through to the entity version
 		setRefreshToken((OAuth2RefreshTokenEntity)refreshToken);
 	}
 	@Override
 	@ElementCollection(fetch=FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(joinColumns=@JoinColumn(name="owner_id"), name="token_scope")
 			joinColumns=@JoinColumn(name="owner_id"),
 			name="token_scope"
 			)
 	public Set<String> getScope() {
 		return scope;
 	}
@ -256,12 +211,9 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Override
 	@Transient
 	public boolean isExpired() {
-		return getExpiration() == null ? false : System.currentTimeMillis() > getExpiration().getTime();
+		return getExpiration() != null && System.currentTimeMillis() > getExpiration().getTime();
 	}
 	/**
 	 * @return the jwtValue
 	 */
 	@Basic
 	@Column(name="token_value")
 	@Convert(converter = JWTStringConverter.class)
@ -269,9 +221,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		return jwtValue;
 	}
 	/**
 	 * @param jwtValue the jwtValue to set
 	 */
 	public void setJwt(JWT jwt) {
 		this.jwtValue = jwt;
 	}
@ -279,35 +228,24 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	@Override
 	@Transient
 	public int getExpiresIn() {
 		if (getExpiration() == null) {
 			return -1; // no expiration time
 		} else {
 			int secondsRemaining = (int) ((getExpiration().getTime() - System.currentTimeMillis()) / 1000);
 			if (isExpired()) {
 				return 0; // has an expiration time and expired
 			} else { // has an expiration time and not expired
-				return secondsRemaining;
+				return (int) ((getExpiration().getTime() - System.currentTimeMillis()) / 1000);
 			}
 		}
 	}
 	/**
 	 * @return the permissions
 	 */
 	@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
-	@JoinTable(
+	@JoinTable(name = "access_token_permissions", joinColumns = @JoinColumn(name = "access_token_id"),
-			name = "access_token_permissions",
+		inverseJoinColumns = @JoinColumn(name = "permission_id"))
 			joinColumns = @JoinColumn(name = "access_token_id"),
 			inverseJoinColumns = @JoinColumn(name = "permission_id")
 			)
 	public Set<Permission> getPermissions() {
 		return permissions;
 	}
 	/**
 	 * @param permissions the permissions to set
 	 */
 	public void setPermissions(Set<Permission> permissions) {
 		this.permissions = permissions;
 	}
@ -322,14 +260,11 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		this.approvedSite = approvedSite;
 	}
 	/**
 	 * Add the ID Token to the additionalInformation map for a token response.
 	 * @param idToken
 	 */
 	@Transient
 	public void setIdToken(JWT idToken) {
 		if (idToken != null) {
 			additionalInformation.put(ID_TOKEN_FIELD_NAME, idToken.serialize());
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
@ -45,7 +45,6 @@ import com.nimbusds.jwt.JWT;
 /**
 * @author jricher
 *
 */
@Entity
@Table(name = "refresh_token")
@ -70,27 +69,13 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 	public static final String PARAM_NAME = "name";
 	private Long id;
 	private AuthenticationHolderEntity authenticationHolder;
 	private ClientDetailsEntity client;
 	//JWT-encoded representation of this access token entity
 	private JWT jwt;
 	// our refresh tokens might expire
 	private Date expiration;
-	/**
+	public OAuth2RefreshTokenEntity() { }
 	 *
 	 */
 	public OAuth2RefreshTokenEntity() {
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -98,35 +83,20 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 		return id;
 	}
 	/**
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
 	/**
 	 * The authentication in place when the original access token was
 	 * created
 	 *
 	 * @return the authentication
 	 */
 	@ManyToOne
 	@JoinColumn(name = "auth_holder_id")
 	public AuthenticationHolderEntity getAuthenticationHolder() {
 		return authenticationHolder;
 	}
 	/**
 	 * @param authentication the authentication to set
 	 */
 	public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
 		this.authenticationHolder = authenticationHolder;
 	}
 	/**
 	 * Get the JWT-encoded value of this token
 	 */
 	@Override
 	@Transient
 	public String getValue() {
@ -140,43 +110,25 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 		return expiration;
 	}
 	/* (non-Javadoc)
 	 * @see org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken#setExpiration(java.util.Date)
 	 */
 	public void setExpiration(Date expiration) {
 		this.expiration = expiration;
 	}
 	/**
 	 * Has this token expired?
 	 * @return true if it has a timeout set and the timeout has passed
 	 */
 	@Transient
 	public boolean isExpired() {
-		return getExpiration() == null ? false : System.currentTimeMillis() > getExpiration().getTime();
+		return getExpiration() != null && System.currentTimeMillis() > getExpiration().getTime();
 	}
 	/**
 	 * @return the client
 	 */
 	@ManyToOne(fetch = FetchType.EAGER)
 	@JoinColumn(name = "client_id")
 	public ClientDetailsEntity getClient() {
 		return client;
 	}
 	/**
 	 * @param client the client to set
 	 */
 	public void setClient(ClientDetailsEntity client) {
 		this.client = client;
 	}
 	/**
 	 * Get the JWT object directly
 	 * @return the jwt
 	 */
 	@Basic
 	@Column(name="token_value")
 	@Convert(converter = JWTStringConverter.class)
@ -184,9 +136,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 		return jwt;
 	}
 	/**
 	 * @param jwt the jwt to set
 	 */
 	public void setJwt(JWT jwt) {
 		this.jwt = jwt;
 	}
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
@ -21,17 +21,12 @@ import com.nimbusds.jose.Requirement;
 /**
 * @author jricher
 *
 */
 public final class PKCEAlgorithm extends Algorithm {
 	/**
 	 *
 	 */
 	private static final long serialVersionUID = 7752852583210088925L;
 	public static final PKCEAlgorithm plain = new PKCEAlgorithm("plain", Requirement.REQUIRED);
 	public static final PKCEAlgorithm S256 = new PKCEAlgorithm("S256", Requirement.OPTIONAL);
 	public PKCEAlgorithm(String name, Requirement req) {
@ -52,6 +47,4 @@ public final class PKCEAlgorithm extends Algorithm {
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
@ -38,11 +38,9 @@ import com.nimbusds.jwt.JWT;
 /**
 * @author jricher
 *
 */
 public class RegisteredClient {
 	// these fields are needed in addition to the ones in ClientDetailsEntity
 	private String registrationAccessToken;
 	private String registrationClientUri;
 	private Date clientSecretExpiresAt;
@ -50,851 +48,474 @@ public class RegisteredClient {
 	private ClientDetailsEntity client;
 	private JsonObject src;
 	/**
 	 *
 	 */
 	public RegisteredClient() {
 		this.client = new ClientDetailsEntity();
 	}
 	/**
 	 * @param client
 	 */
 	public RegisteredClient(ClientDetailsEntity client) {
 		this.client = client;
 	}
 	/**
 	 * @param client
 	 * @param registrationAccessToken
 	 * @param registrationClientUri
 	 */
 	public RegisteredClient(ClientDetailsEntity client, String registrationAccessToken, String registrationClientUri) {
 		this.client = client;
 		this.registrationAccessToken = registrationAccessToken;
 		this.registrationClientUri = registrationClientUri;
 	}
 	/**
 	 * @return the client
 	 */
 	public ClientDetailsEntity getClient() {
 		return client;
 	}
-	/**
+
 	 * @param client the client to set
 	 */
 	public void setClient(ClientDetailsEntity client) {
 		this.client = client;
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientDescription()
 	 */
 	public String getClientDescription() {
 		return client.getClientDescription();
 	}
-	/**
+
 	 * @param clientDescription
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClientDescription(java.lang.String)
 	 */
 	public void setClientDescription(String clientDescription) {
 		client.setClientDescription(clientDescription);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isAllowRefresh()
 	 */
 	public boolean isAllowRefresh() {
 		return client.isAllowRefresh();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isReuseRefreshToken()
 	 */
 	public boolean isReuseRefreshToken() {
 		return client.isReuseRefreshToken();
 	}
-	/**
+
 	 * @param reuseRefreshToken
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setReuseRefreshToken(boolean)
 	 */
 	public void setReuseRefreshToken(boolean reuseRefreshToken) {
 		client.setReuseRefreshToken(reuseRefreshToken);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getIdTokenValiditySeconds()
 	 */
 	public Integer getIdTokenValiditySeconds() {
 		return client.getIdTokenValiditySeconds();
 	}
-	/**
+
 	 * @param idTokenValiditySeconds
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setIdTokenValiditySeconds(java.lang.Integer)
 	 */
 	public void setIdTokenValiditySeconds(Integer idTokenValiditySeconds) {
 		client.setIdTokenValiditySeconds(idTokenValiditySeconds);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isDynamicallyRegistered()
 	 */
 	public boolean isDynamicallyRegistered() {
 		return client.isDynamicallyRegistered();
 	}
-	/**
+
 	 * @param dynamicallyRegistered
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setDynamicallyRegistered(boolean)
 	 */
 	public void setDynamicallyRegistered(boolean dynamicallyRegistered) {
 		client.setDynamicallyRegistered(dynamicallyRegistered);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isAllowIntrospection()
 	 */
 	public boolean isAllowIntrospection() {
 		return client.isAllowIntrospection();
 	}
-	/**
+
 	 * @param allowIntrospection
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setAllowIntrospection(boolean)
 	 */
 	public void setAllowIntrospection(boolean allowIntrospection) {
 		client.setAllowIntrospection(allowIntrospection);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isSecretRequired()
 	 */
 	public boolean isSecretRequired() {
 		return client.isSecretRequired();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#isScoped()
 	 */
 	public boolean isScoped() {
 		return client.isScoped();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientId()
 	 */
 	public String getClientId() {
 		return client.getClientId();
 	}
-	/**
+
 	 * @param clientId
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClientId(java.lang.String)
 	 */
 	public void setClientId(String clientId) {
 		client.setClientId(clientId);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientSecret()
 	 */
 	public String getClientSecret() {
 		return client.getClientSecret();
 	}
-	/**
+
 	 * @param clientSecret
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClientSecret(java.lang.String)
 	 */
 	public void setClientSecret(String clientSecret) {
 		client.setClientSecret(clientSecret);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getScope()
 	 */
 	public Set<String> getScope() {
 		return client.getScope();
 	}
-	/**
+
 	 * @param scope
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setScope(java.util.Set)
 	 */
 	public void setScope(Set<String> scope) {
 		client.setScope(scope);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getGrantTypes()
 	 */
 	public Set<String> getGrantTypes() {
 		return client.getGrantTypes();
 	}
-	/**
+
 	 * @param grantTypes
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setGrantTypes(java.util.Set)
 	 */
 	public void setGrantTypes(Set<String> grantTypes) {
 		client.setGrantTypes(grantTypes);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getAuthorizedGrantTypes()
 	 */
 	public Set<String> getAuthorizedGrantTypes() {
 		return client.getAuthorizedGrantTypes();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getAuthorities()
 	 */
 	public Set<GrantedAuthority> getAuthorities() {
 		return client.getAuthorities();
 	}
-	/**
+
 	 * @param authorities
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setAuthorities(java.util.Set)
 	 */
 	public void setAuthorities(Set<GrantedAuthority> authorities) {
 		client.setAuthorities(authorities);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getAccessTokenValiditySeconds()
 	 */
 	public Integer getAccessTokenValiditySeconds() {
 		return client.getAccessTokenValiditySeconds();
 	}
-	/**
+
 	 * @param accessTokenValiditySeconds
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setAccessTokenValiditySeconds(java.lang.Integer)
 	 */
 	public void setAccessTokenValiditySeconds(Integer accessTokenValiditySeconds) {
 		client.setAccessTokenValiditySeconds(accessTokenValiditySeconds);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRefreshTokenValiditySeconds()
 	 */
 	public Integer getRefreshTokenValiditySeconds() {
 		return client.getRefreshTokenValiditySeconds();
 	}
-	/**
+
 	 * @param refreshTokenValiditySeconds
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setRefreshTokenValiditySeconds(java.lang.Integer)
 	 */
 	public void setRefreshTokenValiditySeconds(Integer refreshTokenValiditySeconds) {
 		client.setRefreshTokenValiditySeconds(refreshTokenValiditySeconds);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRedirectUris()
 	 */
 	public Set<String> getRedirectUris() {
 		return client.getRedirectUris();
 	}
-	/**
+
 	 * @param redirectUris
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setRedirectUris(java.util.Set)
 	 */
 	public void setRedirectUris(Set<String> redirectUris) {
 		client.setRedirectUris(redirectUris);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRegisteredRedirectUri()
 	 */
 	public Set<String> getRegisteredRedirectUri() {
 		return client.getRegisteredRedirectUri();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getResourceIds()
 	 */
 	public Set<String> getResourceIds() {
 		return client.getResourceIds();
 	}
-	/**
+
 	 * @param resourceIds
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setResourceIds(java.util.Set)
 	 */
 	public void setResourceIds(Set<String> resourceIds) {
 		client.setResourceIds(resourceIds);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getAdditionalInformation()
 	 */
 	public Map<String, Object> getAdditionalInformation() {
 		return client.getAdditionalInformation();
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getApplicationType()
 	 */
 	public AppType getApplicationType() {
 		return client.getApplicationType();
 	}
-	/**
+
 	 * @param applicationType
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setApplicationType(org.mitre.oauth2.model.ClientDetailsEntity.AppType)
 	 */
 	public void setApplicationType(AppType applicationType) {
 		client.setApplicationType(applicationType);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientName()
 	 */
 	public String getClientName() {
 		return client.getClientName();
 	}
-	/**
+
 	 * @param clientName
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClientName(java.lang.String)
 	 */
 	public void setClientName(String clientName) {
 		client.setClientName(clientName);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getTokenEndpointAuthMethod()
 	 */
 	public AuthMethod getTokenEndpointAuthMethod() {
 		return client.getTokenEndpointAuthMethod();
 	}
-	/**
+
 	 * @param tokenEndpointAuthMethod
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setTokenEndpointAuthMethod(org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod)
 	 */
 	public void setTokenEndpointAuthMethod(AuthMethod tokenEndpointAuthMethod) {
 		client.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSubjectType()
 	 */
 	public SubjectType getSubjectType() {
 		return client.getSubjectType();
 	}
-	/**
+
 	 * @param subjectType
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSubjectType(org.mitre.oauth2.model.ClientDetailsEntity.SubjectType)
 	 */
 	public void setSubjectType(SubjectType subjectType) {
 		client.setSubjectType(subjectType);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getContacts()
 	 */
 	public Set<String> getContacts() {
 		return client.getContacts();
 	}
-	/**
+
 	 * @param contacts
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setContacts(java.util.Set)
 	 */
 	public void setContacts(Set<String> contacts) {
 		client.setContacts(contacts);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getLogoUri()
 	 */
 	public String getLogoUri() {
 		return client.getLogoUri();
 	}
-	/**
+
 	 * @param logoUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setLogoUri(java.lang.String)
 	 */
 	public void setLogoUri(String logoUri) {
 		client.setLogoUri(logoUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getPolicyUri()
 	 */
 	public String getPolicyUri() {
 		return client.getPolicyUri();
 	}
-	/**
+
 	 * @param policyUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setPolicyUri(java.lang.String)
 	 */
 	public void setPolicyUri(String policyUri) {
 		client.setPolicyUri(policyUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientUri()
 	 */
 	public String getClientUri() {
 		return client.getClientUri();
 	}
-	/**
+
 	 * @param clientUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClientUri(java.lang.String)
 	 */
 	public void setClientUri(String clientUri) {
 		client.setClientUri(clientUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getTosUri()
 	 */
 	public String getTosUri() {
 		return client.getTosUri();
 	}
-	/**
+
 	 * @param tosUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setTosUri(java.lang.String)
 	 */
 	public void setTosUri(String tosUri) {
 		client.setTosUri(tosUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getJwksUri()
 	 */
 	public String getJwksUri() {
 		return client.getJwksUri();
 	}
-	/**
+
 	 * @param jwksUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setJwksUri(java.lang.String)
 	 */
 	public void setJwksUri(String jwksUri) {
 		client.setJwksUri(jwksUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getJwks()
 	 */
 	public JWKSet getJwks() {
 		return client.getJwks();
 	}
 	/**
 	 * @param jwks
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setJwks(com.nimbusds.jose.jwk.JWKSet)
 	 */
 	public void setJwks(JWKSet jwks) {
 		client.setJwks(jwks);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSectorIdentifierUri()
 	 */
 	public String getSectorIdentifierUri() {
 		return client.getSectorIdentifierUri();
 	}
-	/**
+
 	 * @param sectorIdentifierUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSectorIdentifierUri(java.lang.String)
 	 */
 	public void setSectorIdentifierUri(String sectorIdentifierUri) {
 		client.setSectorIdentifierUri(sectorIdentifierUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getDefaultMaxAge()
 	 */
 	public Integer getDefaultMaxAge() {
 		return client.getDefaultMaxAge();
 	}
-	/**
+
 	 * @param defaultMaxAge
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setDefaultMaxAge(java.lang.Integer)
 	 */
 	public void setDefaultMaxAge(Integer defaultMaxAge) {
 		client.setDefaultMaxAge(defaultMaxAge);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRequireAuthTime()
 	 */
 	public Boolean getRequireAuthTime() {
 		return client.getRequireAuthTime();
 	}
-	/**
+
 	 * @param requireAuthTime
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setRequireAuthTime(java.lang.Boolean)
 	 */
 	public void setRequireAuthTime(Boolean requireAuthTime) {
 		client.setRequireAuthTime(requireAuthTime);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getResponseTypes()
 	 */
 	public Set<String> getResponseTypes() {
 		return client.getResponseTypes();
 	}
-	/**
+
 	 * @param responseTypes
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setResponseTypes(java.util.Set)
 	 */
 	public void setResponseTypes(Set<String> responseTypes) {
 		client.setResponseTypes(responseTypes);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getDefaultACRvalues()
 	 */
 	public Set<String> getDefaultACRvalues() {
 		return client.getDefaultACRvalues();
 	}
-	/**
+
 	 * @param defaultACRvalues
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setDefaultACRvalues(java.util.Set)
 	 */
 	public void setDefaultACRvalues(Set<String> defaultACRvalues) {
 		client.setDefaultACRvalues(defaultACRvalues);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getInitiateLoginUri()
 	 */
 	public String getInitiateLoginUri() {
 		return client.getInitiateLoginUri();
 	}
-	/**
+
 	 * @param initiateLoginUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setInitiateLoginUri(java.lang.String)
 	 */
 	public void setInitiateLoginUri(String initiateLoginUri) {
 		client.setInitiateLoginUri(initiateLoginUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getPostLogoutRedirectUris()
 	 */
 	public Set<String> getPostLogoutRedirectUris() {
 		return client.getPostLogoutRedirectUris();
 	}
-	/**
+
 	 * @param postLogoutRedirectUri
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setPostLogoutRedirectUris(java.lang.String)
 	 */
 	public void setPostLogoutRedirectUris(Set<String> postLogoutRedirectUri) {
 		client.setPostLogoutRedirectUris(postLogoutRedirectUri);
 	}
-	/**
+
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRequestUris()
 	 */
 	public Set<String> getRequestUris() {
 		return client.getRequestUris();
 	}
-	/**
+
 	 * @param requestUris
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setRequestUris(java.util.Set)
 	 */
 	public void setRequestUris(Set<String> requestUris) {
 		client.setRequestUris(requestUris);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRequestObjectSigningAlg()
 	 */
 	public JWSAlgorithm getRequestObjectSigningAlg() {
 		return client.getRequestObjectSigningAlg();
 	}
 	/**
 	 * @param requestObjectSigningAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setRequestObjectSigningAlg(com.nimbusds.jose.JWSAlgorithm)
 	 */
 	public void setRequestObjectSigningAlg(JWSAlgorithm requestObjectSigningAlg) {
 		client.setRequestObjectSigningAlg(requestObjectSigningAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getUserInfoSignedResponseAlg()
 	 */
 	public JWSAlgorithm getUserInfoSignedResponseAlg() {
 		return client.getUserInfoSignedResponseAlg();
 	}
 	/**
 	 * @param userInfoSignedResponseAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setUserInfoSignedResponseAlg(com.nimbusds.jose.JWSAlgorithm)
 	 */
 	public void setUserInfoSignedResponseAlg(JWSAlgorithm userInfoSignedResponseAlg) {
 		client.setUserInfoSignedResponseAlg(userInfoSignedResponseAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getUserInfoEncryptedResponseAlg()
 	 */
 	public JWEAlgorithm getUserInfoEncryptedResponseAlg() {
 		return client.getUserInfoEncryptedResponseAlg();
 	}
 	/**
 	 * @param userInfoEncryptedResponseAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setUserInfoEncryptedResponseAlg(com.nimbusds.jose.JWEAlgorithm)
 	 */
 	public void setUserInfoEncryptedResponseAlg(JWEAlgorithm userInfoEncryptedResponseAlg) {
 		client.setUserInfoEncryptedResponseAlg(userInfoEncryptedResponseAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getUserInfoEncryptedResponseEnc()
 	 */
 	public EncryptionMethod getUserInfoEncryptedResponseEnc() {
 		return client.getUserInfoEncryptedResponseEnc();
 	}
 	/**
 	 * @param userInfoEncryptedResponseEnc
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setUserInfoEncryptedResponseEnc(com.nimbusds.jose.EncryptionMethod)
 	 */
 	public void setUserInfoEncryptedResponseEnc(EncryptionMethod userInfoEncryptedResponseEnc) {
 		client.setUserInfoEncryptedResponseEnc(userInfoEncryptedResponseEnc);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getIdTokenSignedResponseAlg()
 	 */
 	public JWSAlgorithm getIdTokenSignedResponseAlg() {
 		return client.getIdTokenSignedResponseAlg();
 	}
 	/**
 	 * @param idTokenSignedResponseAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setIdTokenSignedResponseAlg(com.nimbusds.jose.JWSAlgorithm)
 	 */
 	public void setIdTokenSignedResponseAlg(JWSAlgorithm idTokenSignedResponseAlg) {
 		client.setIdTokenSignedResponseAlg(idTokenSignedResponseAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getIdTokenEncryptedResponseAlg()
 	 */
 	public JWEAlgorithm getIdTokenEncryptedResponseAlg() {
 		return client.getIdTokenEncryptedResponseAlg();
 	}
 	/**
 	 * @param idTokenEncryptedResponseAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setIdTokenEncryptedResponseAlg(com.nimbusds.jose.JWEAlgorithm)
 	 */
 	public void setIdTokenEncryptedResponseAlg(JWEAlgorithm idTokenEncryptedResponseAlg) {
 		client.setIdTokenEncryptedResponseAlg(idTokenEncryptedResponseAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getIdTokenEncryptedResponseEnc()
 	 */
 	public EncryptionMethod getIdTokenEncryptedResponseEnc() {
 		return client.getIdTokenEncryptedResponseEnc();
 	}
 	/**
 	 * @param idTokenEncryptedResponseEnc
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setIdTokenEncryptedResponseEnc(com.nimbusds.jose.EncryptionMethod)
 	 */
 	public void setIdTokenEncryptedResponseEnc(EncryptionMethod idTokenEncryptedResponseEnc) {
 		client.setIdTokenEncryptedResponseEnc(idTokenEncryptedResponseEnc);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getTokenEndpointAuthSigningAlg()
 	 */
 	public JWSAlgorithm getTokenEndpointAuthSigningAlg() {
 		return client.getTokenEndpointAuthSigningAlg();
 	}
 	/**
 	 * @param tokenEndpointAuthSigningAlg
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setTokenEndpointAuthSigningAlg(com.nimbusds.jose.JWSAlgorithm)
 	 */
 	public void setTokenEndpointAuthSigningAlg(JWSAlgorithm tokenEndpointAuthSigningAlg) {
 		client.setTokenEndpointAuthSigningAlg(tokenEndpointAuthSigningAlg);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getCreatedAt()
 	 */
 	public Date getCreatedAt() {
 		return client.getCreatedAt();
 	}
-	/**
+
 	 * @param createdAt
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setCreatedAt(java.util.Date)
 	 */
 	public void setCreatedAt(Date createdAt) {
 		client.setCreatedAt(createdAt);
 	}
-	/**
+
 	 * @return the registrationAccessToken
 	 */
 	public String getRegistrationAccessToken() {
 		return registrationAccessToken;
 	}
-	/**
+
 	 * @param registrationAccessToken the registrationAccessToken to set
 	 */
 	public void setRegistrationAccessToken(String registrationAccessToken) {
 		this.registrationAccessToken = registrationAccessToken;
 	}
-	/**
+
 	 * @return the registrationClientUri
 	 */
 	public String getRegistrationClientUri() {
 		return registrationClientUri;
 	}
-	/**
+
 	 * @param registrationClientUri the registrationClientUri to set
 	 */
 	public void setRegistrationClientUri(String registrationClientUri) {
 		this.registrationClientUri = registrationClientUri;
 	}
-	/**
+
 	 * @return the clientSecretExpiresAt
 	 */
 	public Date getClientSecretExpiresAt() {
 		return clientSecretExpiresAt;
 	}
-	/**
+
 	 * @param clientSecretExpiresAt the clientSecretExpiresAt to set
 	 */
 	public void setClientSecretExpiresAt(Date expiresAt) {
 		this.clientSecretExpiresAt = expiresAt;
 	}
-	/**
+
 	 * @return the clientIdIssuedAt
 	 */
 	public Date getClientIdIssuedAt() {
 		return clientIdIssuedAt;
 	}
-	/**
+
 	 * @param clientIdIssuedAt the clientIdIssuedAt to set
 	 */
 	public void setClientIdIssuedAt(Date issuedAt) {
 		this.clientIdIssuedAt = issuedAt;
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getClaimsRedirectUris()
 	 */
 	public Set<String> getClaimsRedirectUris() {
 		return client.getClaimsRedirectUris();
 	}
 	/**
 	 * @param claimsRedirectUris
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setClaimsRedirectUris(java.util.Set)
 	 */
 	public void setClaimsRedirectUris(Set<String> claimsRedirectUris) {
 		client.setClaimsRedirectUris(claimsRedirectUris);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareStatement()
 	 */
 	public JWT getSoftwareStatement() {
 		return client.getSoftwareStatement();
 	}
 	/**
 	 * @param softwareStatement
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareStatement(com.nimbusds.jwt.JWT)
 	 */
 	public void setSoftwareStatement(JWT softwareStatement) {
 		client.setSoftwareStatement(softwareStatement);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getCodeChallengeMethod()
 	 */
 	public PKCEAlgorithm getCodeChallengeMethod() {
 		return client.getCodeChallengeMethod();
 	}
 	/**
 	 * @param codeChallengeMethod
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setCodeChallengeMethod(org.mitre.oauth2.model.PKCEAlgorithm)
 	 */
 	public void setCodeChallengeMethod(PKCEAlgorithm codeChallengeMethod) {
 		client.setCodeChallengeMethod(codeChallengeMethod);
 	}
 	/**
 	 * @return the src
 	 */
 	public JsonObject getSource() {
 		return src;
 	}
 	/**
 	 * @param src the src to set
 	 */
 	public void setSource(JsonObject src) {
 		this.src = src;
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getDeviceCodeValiditySeconds()
 	 */
 	public Integer getDeviceCodeValiditySeconds() {
 		return client.getDeviceCodeValiditySeconds();
 	}
 	/**
 	 * @param deviceCodeValiditySeconds
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setDeviceCodeValiditySeconds(java.lang.Integer)
 	 */
 	public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
 		client.setDeviceCodeValiditySeconds(deviceCodeValiditySeconds);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareId()
 	 */
 	public String getSoftwareId() {
 		return client.getSoftwareId();
 	}
 	/**
 	 * @param softwareId
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareId(java.lang.String)
 	 */
 	public void setSoftwareId(String softwareId) {
 		client.setSoftwareId(softwareId);
 	}
 	/**
 	 * @return
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareVersion()
 	 */
 	public String getSoftwareVersion() {
 		return client.getSoftwareVersion();
 	}
 	/**
 	 * @param softwareVersion
 	 * @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareVersion(java.lang.String)
 	 */
 	public void setSoftwareVersion(String softwareVersion) {
 		client.setSoftwareVersion(softwareVersion);
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
@ -16,46 +16,48 @@
 package org.mitre.oauth2.model;
 public interface RegisteredClientFields {
-	public String SOFTWARE_ID = "software_id";
+
-	public String SOFTWARE_VERSION = "software_version";
+	String SOFTWARE_ID = "software_id";
-	public String SOFTWARE_STATEMENT = "software_statement";
+	String SOFTWARE_VERSION = "software_version";
-	public String CLAIMS_REDIRECT_URIS = "claims_redirect_uris";
+	String SOFTWARE_STATEMENT = "software_statement";
-	public String CLIENT_SECRET_EXPIRES_AT = "client_secret_expires_at";
+	String CLAIMS_REDIRECT_URIS = "claims_redirect_uris";
-	public String CLIENT_ID_ISSUED_AT = "client_id_issued_at";
+	String CLIENT_SECRET_EXPIRES_AT = "client_secret_expires_at";
-	public String REGISTRATION_CLIENT_URI = "registration_client_uri";
+	String CLIENT_ID_ISSUED_AT = "client_id_issued_at";
-	public String REGISTRATION_ACCESS_TOKEN = "registration_access_token";
+	String REGISTRATION_CLIENT_URI = "registration_client_uri";
-	public String REQUEST_URIS = "request_uris";
+	String REGISTRATION_ACCESS_TOKEN = "registration_access_token";
-	public String POST_LOGOUT_REDIRECT_URIS = "post_logout_redirect_uris";
+	String REQUEST_URIS = "request_uris";
-	public String INITIATE_LOGIN_URI = "initiate_login_uri";
+	String POST_LOGOUT_REDIRECT_URIS = "post_logout_redirect_uris";
-	public String DEFAULT_ACR_VALUES = "default_acr_values";
+	String INITIATE_LOGIN_URI = "initiate_login_uri";
-	public String REQUIRE_AUTH_TIME = "require_auth_time";
+	String DEFAULT_ACR_VALUES = "default_acr_values";
-	public String DEFAULT_MAX_AGE = "default_max_age";
+	String REQUIRE_AUTH_TIME = "require_auth_time";
-	public String TOKEN_ENDPOINT_AUTH_SIGNING_ALG = "token_endpoint_auth_signing_alg";
+	String DEFAULT_MAX_AGE = "default_max_age";
-	public String ID_TOKEN_ENCRYPTED_RESPONSE_ENC = "id_token_encrypted_response_enc";
+	String TOKEN_ENDPOINT_AUTH_SIGNING_ALG = "token_endpoint_auth_signing_alg";
-	public String ID_TOKEN_ENCRYPTED_RESPONSE_ALG = "id_token_encrypted_response_alg";
+	String ID_TOKEN_ENCRYPTED_RESPONSE_ENC = "id_token_encrypted_response_enc";
-	public String ID_TOKEN_SIGNED_RESPONSE_ALG = "id_token_signed_response_alg";
+	String ID_TOKEN_ENCRYPTED_RESPONSE_ALG = "id_token_encrypted_response_alg";
-	public String USERINFO_ENCRYPTED_RESPONSE_ENC = "userinfo_encrypted_response_enc";
+	String ID_TOKEN_SIGNED_RESPONSE_ALG = "id_token_signed_response_alg";
-	public String USERINFO_ENCRYPTED_RESPONSE_ALG = "userinfo_encrypted_response_alg";
+	String USERINFO_ENCRYPTED_RESPONSE_ENC = "userinfo_encrypted_response_enc";
-	public String USERINFO_SIGNED_RESPONSE_ALG = "userinfo_signed_response_alg";
+	String USERINFO_ENCRYPTED_RESPONSE_ALG = "userinfo_encrypted_response_alg";
-	public String REQUEST_OBJECT_SIGNING_ALG = "request_object_signing_alg";
+	String USERINFO_SIGNED_RESPONSE_ALG = "userinfo_signed_response_alg";
-	public String SUBJECT_TYPE = "subject_type";
+	String REQUEST_OBJECT_SIGNING_ALG = "request_object_signing_alg";
-	public String SECTOR_IDENTIFIER_URI = "sector_identifier_uri";
+	String SUBJECT_TYPE = "subject_type";
-	public String APPLICATION_TYPE = "application_type";
+	String SECTOR_IDENTIFIER_URI = "sector_identifier_uri";
-	public String JWKS_URI = "jwks_uri";
+	String APPLICATION_TYPE = "application_type";
-	public String JWKS = "jwks";
+	String JWKS_URI = "jwks_uri";
-	public String SCOPE_SEPARATOR = " ";
+	String JWKS = "jwks";
-	public String POLICY_URI = "policy_uri";
+	String SCOPE_SEPARATOR = " ";
-	public String RESPONSE_TYPES = "response_types";
+	String POLICY_URI = "policy_uri";
-	public String GRANT_TYPES = "grant_types";
+	String RESPONSE_TYPES = "response_types";
-	public String SCOPE = "scope";
+	String GRANT_TYPES = "grant_types";
-	public String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
+	String SCOPE = "scope";
-	public String TOS_URI = "tos_uri";
+	String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
-	public String CONTACTS = "contacts";
+	String TOS_URI = "tos_uri";
-	public String LOGO_URI = "logo_uri";
+	String CONTACTS = "contacts";
-	public String CLIENT_URI = "client_uri";
+	String LOGO_URI = "logo_uri";
-	public String CLIENT_NAME = "client_name";
+	String CLIENT_URI = "client_uri";
-	public String REDIRECT_URIS = "redirect_uris";
+	String CLIENT_NAME = "client_name";
-	public String CLIENT_SECRET = "client_secret";
+	String REDIRECT_URIS = "redirect_uris";
-	public String CLIENT_ID = "client_id";
+	String CLIENT_SECRET = "client_secret";
-	public String CODE_CHALLENGE_METHOD = "code_challenge_method";
+	String CLIENT_ID = "client_id";
 	String CODE_CHALLENGE_METHOD = "code_challenge_method";
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
@ -41,7 +41,6 @@ import org.springframework.security.core.GrantedAuthority;
 * This class stands in for an original Authentication object.
 *
 * @author jricher
 *
 */
@Entity
@Table(name="saved_user_auth")
@ -50,18 +49,11 @@ public class SavedUserAuthentication implements Authentication {
 	private static final long serialVersionUID = -1804249963940323488L;
 	private Long id;
 	private String name;
 	private Collection<GrantedAuthority> authorities;
 	private boolean authenticated;
 	private String sourceClass;
 	/**
 	 * Create a Saved Auth from an existing Auth token
 	 */
 	public SavedUserAuthentication(Authentication src) {
 		setName(src.getName());
 		setAuthorities(new HashSet<>(src.getAuthorities()));
@ -75,16 +67,8 @@ public class SavedUserAuthentication implements Authentication {
 		}
 	}
-	/**
+	public SavedUserAuthentication() { }
 	 * Create an empty saved auth
 	 */
 	public SavedUserAuthentication() {
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
@ -92,9 +76,6 @@ public class SavedUserAuthentication implements Authentication {
 		return id;
 	}
 	/**
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
@ -108,10 +89,7 @@ public class SavedUserAuthentication implements Authentication {
 	@Override
 	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
+	@CollectionTable(name="saved_user_auth_authority", joinColumns=@JoinColumn(name="owner_id"))
 			name="saved_user_auth_authority",
 			joinColumns=@JoinColumn(name="owner_id")
 			)
 	@Convert(converter = SimpleGrantedAuthorityStringConverter.class)
 	@Column(name="authority")
 	public Collection<GrantedAuthority> getAuthorities() {
@ -148,35 +126,22 @@ public class SavedUserAuthentication implements Authentication {
 		this.authenticated = isAuthenticated;
 	}
 	/**
 	 * @return the sourceClass
 	 */
 	@Basic
 	@Column(name="source_class")
 	public String getSourceClass() {
 		return sourceClass;
 	}
 	/**
 	 * @param sourceClass the sourceClass to set
 	 */
 	public void setSourceClass(String sourceClass) {
 		this.sourceClass = sourceClass;
 	}
 	/**
 	 * @param name the name to set
 	 */
 	public void setName(String name) {
 		this.name = name;
 	}
 	/**
 	 * @param authorities the authorities to set
 	 */
 	public void setAuthorities(Collection<GrantedAuthority> authorities) {
 		this.authorities = authorities;
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java
@ -32,7 +32,6 @@ import javax.persistence.Table;
 /**
 * @author jricher
 *
 */
@Entity
@Table(name = "system_scope")
@ -54,114 +53,73 @@ public class SystemScope {
 	private boolean defaultScope = false; // is this a default scope for newly-registered clients?
 	private boolean restricted = false; // is this scope restricted to admin-only registration access?
-	/**
+	public SystemScope() { }
 	 * Make a blank system scope with no value
 	 */
 	public SystemScope() {
 	}
 	/**
 	 * Make a system scope with the given scope value
 	 * @param value
 	 */
 	public SystemScope(String value) {
 		this.value = value;
 	}
 	/**
 	 * @return the id
 	 */
 	@Id
 	@GeneratedValue(strategy = GenerationType.IDENTITY)
 	@Column(name = "id")
 	public Long getId() {
 		return id;
 	}
-	/**
+
 	 * @param id the id to set
 	 */
 	public void setId(Long id) {
 		this.id = id;
 	}
-	/**
+
 	 * @return the value
 	 */
 	@Basic
 	@Column(name = "scope")
 	public String getValue() {
 		return value;
 	}
-	/**
+
 	 * @param value the value to set
 	 */
 	public void setValue(String value) {
 		this.value = value;
 	}
-	/**
+
 	 * @return the description
 	 */
 	@Basic
 	@Column(name = "description")
 	public String getDescription() {
 		return description;
 	}
-	/**
+
 	 * @param description the description to set
 	 */
 	public void setDescription(String description) {
 		this.description = description;
 	}
-	/**
+
 	 * @return the icon
 	 */
 	@Basic
 	@Column(name = "icon")
 	public String getIcon() {
 		return icon;
 	}
-	/**
+
 	 * @param icon the icon to set
 	 */
 	public void setIcon(String icon) {
 		this.icon = icon;
 	}
 	/**
 	 * @return the defaultScope
 	 */
 	@Basic
 	@Column(name = "default_scope")
 	public boolean isDefaultScope() {
 		return defaultScope;
 	}
 	/**
 	 * @param defaultScope the defaultScope to set
 	 */
 	public void setDefaultScope(boolean defaultScope) {
 		this.defaultScope = defaultScope;
 	}
 	/**
 	 * @return the restricted
 	 */
 	@Basic
 	@Column(name = "restricted")
 	public boolean isRestricted() {
 		return restricted;
 	}
 	/**
 	 * @param restricted the restricted to set
 	 */
 	public void setRestricted(boolean restricted) {
 		this.restricted = restricted;
 	}
 	/* (non-Javadoc)
 	 * @see java.lang.Object#hashCode()
 	 */
 	@Override
 	public int hashCode() {
 		final int prime = 31;
@ -176,9 +134,6 @@ public class SystemScope {
 		return result;
 	}
 	/* (non-Javadoc)
 	 * @see java.lang.Object#equals(java.lang.Object)
 	 */
 	@Override
 	public boolean equals(Object obj) {
 		if (this == obj) {
@ -219,18 +174,12 @@ public class SystemScope {
 			return false;
 		}
 		if (value == null) {
-			if (other.value != null) {
+			return other.value == null;
-				return false;
+		} else {
-			}
+			return value.equals(other.value);
 		} else if (!value.equals(other.value)) {
 			return false;
 		}
 		return true;
 	}
 	/* (non-Javadoc)
 	 * @see java.lang.Object#toString()
 	 */
 	@Override
 	public String toString() {
 		return "SystemScope [id=" + id + ", value=" + value + ", description="
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
@ -26,22 +26,12 @@ public class JWEAlgorithmStringConverter implements AttributeConverter<JWEAlgori
 	@Override
 	public String convertToDatabaseColumn(JWEAlgorithm attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.getName() : null;
 			return attribute.getName();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public JWEAlgorithm convertToEntityAttribute(String dbData) {
-		if (dbData != null) {
+		return dbData != null ? JWEAlgorithm.parse(dbData) : null;
 			return JWEAlgorithm.parse(dbData);
 		} else {
 			return null;
 		}
 	}
-}
+
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
@ -26,22 +26,12 @@ public class JWEEncryptionMethodStringConverter implements AttributeConverter<En
 	@Override
 	public String convertToDatabaseColumn(EncryptionMethod attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.getName() : null;
 			return attribute.getName();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public EncryptionMethod convertToEntityAttribute(String dbData) {
-		if (dbData != null) {
+		return dbData != null ? EncryptionMethod.parse(dbData) : null;
 			return EncryptionMethod.parse(dbData);
 		} else {
 			return null;
 		}
 	}
-}
+
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
@ -28,7 +28,6 @@ import com.nimbusds.jose.jwk.JWKSet;
 /**
 * @author jricher
 *
 */
@Converter
 public class JWKSetStringConverter implements AttributeConverter<JWKSet, String> {
@ -37,22 +36,14 @@ public class JWKSetStringConverter implements AttributeConverter<JWKSet, String>
 	@Override
 	public String convertToDatabaseColumn(JWKSet attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.toString() : null;
 			return attribute.toString();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public JWKSet convertToEntityAttribute(String dbData) {
 		if (dbData != null) {
 			try {
-				JWKSet jwks = JWKSet.parse(dbData);
+				return JWKSet.parse(dbData);
 				return jwks;
 			} catch (ParseException e) {
 				logger.error("Unable to parse JWK Set", e);
 				return null;
@ -60,7 +51,6 @@ public class JWKSetStringConverter implements AttributeConverter<JWKSet, String>
 		} else {
 			return null;
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
@ -26,22 +26,12 @@ public class JWSAlgorithmStringConverter implements AttributeConverter<JWSAlgori
 	@Override
 	public String convertToDatabaseColumn(JWSAlgorithm attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.getName() : null;
 			return attribute.getName();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public JWSAlgorithm convertToEntityAttribute(String dbData) {
-		if (dbData != null) {
+		return dbData != null ? JWSAlgorithm.parse(dbData) : null;
 			return JWSAlgorithm.parse(dbData);
 		} else {
 			return null;
 		}
 	}
-}
+
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
@ -29,7 +29,6 @@ import com.nimbusds.jwt.JWTParser;
 /**
 * @author jricher
 *
 */
@Converter
 public class JWTStringConverter implements AttributeConverter<JWT, String> {
@ -38,22 +37,14 @@ public class JWTStringConverter implements AttributeConverter<JWT, String> {
 	@Override
 	public String convertToDatabaseColumn(JWT attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.serialize() : null;
 			return attribute.serialize();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public JWT convertToEntityAttribute(String dbData) {
 		if (dbData != null) {
 			try {
-				JWT jwt = JWTParser.parse(dbData);
+				return JWTParser.parse(dbData);
 				return jwt;
 			} catch (ParseException e) {
 				logger.error("Unable to parse JWT", e);
 				return null;
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
@ -19,13 +19,12 @@ package org.mitre.oauth2.model.convert;
 import javax.persistence.AttributeConverter;
 import javax.persistence.Converter;
 import com.google.common.base.Strings;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonParser;
 import org.springframework.util.StringUtils;
 /**
 * @author jricher
 *
 */
@Converter
 public class JsonElementStringConverter implements AttributeConverter<JsonElement, String> {
@ -34,23 +33,12 @@ public class JsonElementStringConverter implements AttributeConverter<JsonElemen
 	@Override
 	public String convertToDatabaseColumn(JsonElement attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.toString() : null;
 			return attribute.toString();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public JsonElement convertToEntityAttribute(String dbData) {
-		if (!Strings.isNullOrEmpty(dbData)) {
+		return !StringUtils.isEmpty(dbData) ? parser.parse(dbData) : null;
 			return parser.parse(dbData);
 		} else {
 			return null;
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
@ -30,23 +30,12 @@ public class PKCEAlgorithmStringConverter implements AttributeConverter<PKCEAlgo
 	@Override
 	public String convertToDatabaseColumn(PKCEAlgorithm attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.getName() : null;
 			return attribute.getName();
 		} else {
 			return null;
 		}
 	}
 	/* (non-Javadoc)
 	 * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
 	 */
 	@Override
 	public PKCEAlgorithm convertToEntityAttribute(String dbData) {
-		if (dbData != null) {
+		return dbData != null ? PKCEAlgorithm.parse(dbData) : null;
 			return PKCEAlgorithm.parse(dbData);
 		} else {
 			return null;
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SerializableStringConverter.java
@ -33,7 +33,6 @@ import org.slf4j.LoggerFactory;
 * This class does allow some extension data to be lost.
 *
 * @author jricher
 *
 */
@Converter
 public class SerializableStringConverter implements AttributeConverter<Serializable, String> {
@ -51,7 +50,7 @@ public class SerializableStringConverter implements AttributeConverter<Serializa
 		} else if (attribute instanceof Date) {
 			return Long.toString(((Date)attribute).getTime());
 		} else {
-			logger.warn("Dropping data from request: " + attribute + " :: " + attribute.getClass());
+			logger.warn("Dropping data from request: {} :: {}", attribute, attribute.getClass());
 			return null;
 		}
 	}
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/SimpleGrantedAuthorityStringConverter.java
@ -23,27 +23,18 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 /**
 * @author jricher
 *
 */
@Converter
 public class SimpleGrantedAuthorityStringConverter implements AttributeConverter<SimpleGrantedAuthority, String> {
 	@Override
 	public String convertToDatabaseColumn(SimpleGrantedAuthority attribute) {
-		if (attribute != null) {
+		return attribute != null ? attribute.getAuthority() : null;
 			return attribute.getAuthority();
 		} else {
 			return null;
 		}
 	}
 	@Override
 	public SimpleGrantedAuthority convertToEntityAttribute(String dbData) {
-		if (dbData != null) {
+		return dbData != null ? new SimpleGrantedAuthority(dbData) : null;
 			return new SimpleGrantedAuthority(dbData);
 		} else {
 			return null;
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java
@ -23,15 +23,17 @@ import org.mitre.data.PageCriteria;
 import org.mitre.oauth2.model.AuthenticationHolderEntity;
 public interface AuthenticationHolderRepository {
 	public List<AuthenticationHolderEntity> getAll();
-	public AuthenticationHolderEntity getById(Long id);
+	List<AuthenticationHolderEntity> getAll();
-	public void remove(AuthenticationHolderEntity a);
+	AuthenticationHolderEntity getById(Long id);
-	public AuthenticationHolderEntity save(AuthenticationHolderEntity a);
+	void remove(AuthenticationHolderEntity a);
-	public List<AuthenticationHolderEntity> getOrphanedAuthenticationHolders();
+	AuthenticationHolderEntity save(AuthenticationHolderEntity a);
 	List<AuthenticationHolderEntity> getOrphanedAuthenticationHolders();
 	List<AuthenticationHolderEntity> getOrphanedAuthenticationHolders(PageCriteria pageCriteria);
 	public List<AuthenticationHolderEntity> getOrphanedAuthenticationHolders(PageCriteria pageCriteria);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java
@ -26,7 +26,6 @@ import org.mitre.oauth2.model.AuthorizationCodeEntity;
 * Interface for saving and consuming OAuth2 authorization codes as AuthorizationCodeEntitys.
 *
 * @author aanganes
 *
 */
 public interface AuthorizationCodeRepository {
@ -36,7 +35,7 @@ public interface AuthorizationCodeRepository {
 	 * @param authorizationCode the AuthorizationCodeEntity to save
 	 * @return					the saved AuthorizationCodeEntity
 	 */
-	public AuthorizationCodeEntity save(AuthorizationCodeEntity authorizationCode);
+	AuthorizationCodeEntity save(AuthorizationCodeEntity authorizationCode);
 	/**
 	 * Get an authorization code from the repository by value.
@ -44,24 +43,24 @@ public interface AuthorizationCodeRepository {
 	 * @param code						the authorization code value
 	 * @return							the authentication associated with the code
 	 */
-	public AuthorizationCodeEntity getByCode(String code);
+	AuthorizationCodeEntity getByCode(String code);
 	/**
 	 * Remove an authorization code from the repository
 	 *
 	 * @param authorizationCodeEntity
 	 */
-	public void remove(AuthorizationCodeEntity authorizationCodeEntity);
+	void remove(AuthorizationCodeEntity authorizationCodeEntity);
 	/**
 	 * @return A collection of all expired codes.
 	 */
-	public Collection<AuthorizationCodeEntity> getExpiredCodes();
+	Collection<AuthorizationCodeEntity> getExpiredCodes();
 	/**
 	 * @return A collection of all expired codes, limited by the given
 	 * PageCriteria.
 	 */
-	public Collection<AuthorizationCodeEntity> getExpiredCodes(PageCriteria pageCriteria);
+	Collection<AuthorizationCodeEntity> getExpiredCodes(PageCriteria pageCriteria);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2ClientRepository.java
@ -23,17 +23,16 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 public interface OAuth2ClientRepository {
-	public ClientDetailsEntity getById(Long id);
+	ClientDetailsEntity getById(Long id);
-	public ClientDetailsEntity getClientByClientId(String clientId);
+	ClientDetailsEntity getClientByClientId(String clientId);
-	public ClientDetailsEntity saveClient(ClientDetailsEntity client);
+	ClientDetailsEntity saveClient(ClientDetailsEntity client);
-	public void deleteClient(ClientDetailsEntity client);
+	void deleteClient(ClientDetailsEntity client);
-	public ClientDetailsEntity updateClient(Long id, ClientDetailsEntity client);
+	ClientDetailsEntity updateClient(Long id, ClientDetailsEntity client);
 	public Collection<ClientDetailsEntity> getAllClients();
 	Collection<ClientDetailsEntity> getAllClients();
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java
@ -29,47 +29,47 @@ import org.mitre.uma.model.ResourceSet;
 public interface OAuth2TokenRepository {
-	public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity token);
+	OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity token);
-	public OAuth2RefreshTokenEntity getRefreshTokenByValue(String refreshTokenValue);
+	OAuth2RefreshTokenEntity getRefreshTokenByValue(String refreshTokenValue);
-	public OAuth2RefreshTokenEntity getRefreshTokenById(Long Id);
+	OAuth2RefreshTokenEntity getRefreshTokenById(Long Id);
-	public void clearAccessTokensForRefreshToken(OAuth2RefreshTokenEntity refreshToken);
+	void clearAccessTokensForRefreshToken(OAuth2RefreshTokenEntity refreshToken);
-	public void removeRefreshToken(OAuth2RefreshTokenEntity refreshToken);
+	void removeRefreshToken(OAuth2RefreshTokenEntity refreshToken);
-	public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
+	OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
-	public OAuth2AccessTokenEntity getAccessTokenByValue(String accessTokenValue);
+	OAuth2AccessTokenEntity getAccessTokenByValue(String accessTokenValue);
-	public OAuth2AccessTokenEntity getAccessTokenById(Long id);
+	OAuth2AccessTokenEntity getAccessTokenById(Long id);
-	public void removeAccessToken(OAuth2AccessTokenEntity accessToken);
+	void removeAccessToken(OAuth2AccessTokenEntity accessToken);
-	public void clearTokensForClient(ClientDetailsEntity client);
+	void clearTokensForClient(ClientDetailsEntity client);
-	public List<OAuth2AccessTokenEntity> getAccessTokensForClient(ClientDetailsEntity client);
+	List<OAuth2AccessTokenEntity> getAccessTokensForClient(ClientDetailsEntity client);
-	public List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity client);
+	List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity client);
-	public Set<OAuth2AccessTokenEntity> getAccessTokensByUserName(String name);
+	Set<OAuth2AccessTokenEntity> getAccessTokensByUserName(String name);
-	public Set<OAuth2RefreshTokenEntity> getRefreshTokensByUserName(String name);
+	Set<OAuth2RefreshTokenEntity> getRefreshTokensByUserName(String name);
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
+	Set<OAuth2AccessTokenEntity> getAllAccessTokens();
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
+	Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
-	public Set<OAuth2AccessTokenEntity> getAllExpiredAccessTokens();
+	Set<OAuth2AccessTokenEntity> getAllExpiredAccessTokens();
-	public Set<OAuth2AccessTokenEntity> getAllExpiredAccessTokens(PageCriteria pageCriteria);
+	Set<OAuth2AccessTokenEntity> getAllExpiredAccessTokens(PageCriteria pageCriteria);
-	public Set<OAuth2RefreshTokenEntity> getAllExpiredRefreshTokens();
+	Set<OAuth2RefreshTokenEntity> getAllExpiredRefreshTokens();
-	public Set<OAuth2RefreshTokenEntity> getAllExpiredRefreshTokens(PageCriteria pageCriteria);
+	Set<OAuth2RefreshTokenEntity> getAllExpiredRefreshTokens(PageCriteria pageCriteria);
-	public Set<OAuth2AccessTokenEntity> getAccessTokensForResourceSet(ResourceSet rs);
+	Set<OAuth2AccessTokenEntity> getAccessTokensForResourceSet(ResourceSet rs);
 	/**
 	 * removes duplicate access tokens.
@ -78,10 +78,9 @@ public interface OAuth2TokenRepository {
 	 * so that {code removeAccessToken(OAuth2AccessTokenEntity o)} would not to fail. the
 	 * removeAccessToken method has been updated so as it will not fail in the event that an
 	 * accessToken has been duplicated, so this method is unnecessary.
 	 *
 	 */
 	@Deprecated
-	public void clearDuplicateAccessTokens();
+	void clearDuplicateAccessTokens();
 	/**
 	 * removes duplicate refresh tokens.
@ -90,11 +89,10 @@ public interface OAuth2TokenRepository {
 	 * so that {code removeRefreshToken(OAuth2RefreshTokenEntity o)} would not to fail. the
 	 * removeRefreshToken method has been updated so as it will not fail in the event that
 	 * refreshToken has been duplicated, so this method is unnecessary.
 	 *
 	 */
 	@Deprecated
-	public void clearDuplicateRefreshTokens();
+	void clearDuplicateRefreshTokens();
-	public List<OAuth2AccessTokenEntity> getAccessTokensForApprovedSite(ApprovedSite approvedSite);
+	List<OAuth2AccessTokenEntity> getAccessTokensForApprovedSite(ApprovedSite approvedSite);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/SystemScopeRepository.java
@ -26,18 +26,17 @@ import org.mitre.oauth2.model.SystemScope;
 /**
 * @author jricher
 *
 */
 public interface SystemScopeRepository {
-	public Set<SystemScope> getAll();
+	Set<SystemScope> getAll();
-	public SystemScope getById(Long id);
+	SystemScope getById(Long id);
-	public SystemScope getByValue(String value);
+	SystemScope getByValue(String value);
-	public void remove(SystemScope scope);
+	void remove(SystemScope scope);
-	public SystemScope save(SystemScope scope);
+	SystemScope save(SystemScope scope);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/repository/impl/DeviceCodeRepository.java
@ -22,42 +22,19 @@ import org.mitre.oauth2.model.DeviceCode;
 /**
 * @author jricher
 *
 */
 public interface DeviceCodeRepository {
-	/**
+	DeviceCode getById(Long id);
 	 * @param id
 	 * @return
 	 */
 	public DeviceCode getById(Long id);
-	/**
+	DeviceCode getByDeviceCode(String deviceCode);
 	 * @param deviceCode
 	 * @return
 	 */
 	public DeviceCode getByDeviceCode(String deviceCode);
-	/**
+	void remove(DeviceCode scope);
 	 * @param scope
 	 */
 	public void remove(DeviceCode scope);
-	/**
+	DeviceCode save(DeviceCode scope);
 	 * @param scope
 	 * @return
 	 */
 	public DeviceCode save(DeviceCode scope);
-	/**
+	DeviceCode getByUserCode(String userCode);
 	 * @param userCode
 	 * @return
 	 */
 	public DeviceCode getByUserCode(String userCode);
-	/**
+	Collection<DeviceCode> getExpiredCodes();
 	 * @return
 	 */
 	public Collection<DeviceCode> getExpiredCodes();
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/DeviceCodeService.java
@ -27,47 +27,18 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication;
 /**
 * @author jricher
 *
 */
 public interface DeviceCodeService {
-	/**
+	DeviceCode lookUpByUserCode(String userCode);
 	 * @param userCode
 	 * @return
 	 */
 	public DeviceCode lookUpByUserCode(String userCode);
-	/**
+	DeviceCode approveDeviceCode(DeviceCode dc, OAuth2Authentication o2Auth);
 	 * @param dc
 	 * @param o2Auth
 	 */
 	public DeviceCode approveDeviceCode(DeviceCode dc, OAuth2Authentication o2Auth);
-	/**
+	DeviceCode findDeviceCode(String deviceCode, ClientDetails client);
 	 * @param deviceCode
 	 * @param client
 	 * @return
 	 */
 	public DeviceCode findDeviceCode(String deviceCode, ClientDetails client);
 	void clearDeviceCode(String deviceCode, ClientDetails client);
-	/**
+	DeviceCode createNewDeviceCode(Set<String> requestedScopes, ClientDetailsEntity client, Map<String, String> parameters) throws DeviceCodeCreationException;
 	 * 
 	 * @param deviceCode
 	 * @param client
 	 */
 	public void clearDeviceCode(String deviceCode, ClientDetails client);
 	/**
 	 * @param deviceCode
 	 * @param userCode
 	 * @param requestedScopes
 	 * @param client
 	 * @param parameters
 	 * @return
 	 */
 	public DeviceCode createNewDeviceCode(Set<String> requestedScopes, ClientDetailsEntity client, Map<String, String> parameters) throws DeviceCodeCreationException;
-
+	void clearExpiredDeviceCodes();
 	public void clearExpiredDeviceCodes();
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/IntrospectionResultAssembler.java
@ -30,16 +30,16 @@ import org.mitre.openid.connect.model.UserInfo;
 */
 public interface IntrospectionResultAssembler {
-	public String TOKEN_TYPE = "token_type";
+	String TOKEN_TYPE = "token_type";
-	public String CLIENT_ID = "client_id";
+	String CLIENT_ID = "client_id";
-	public String USER_ID = "user_id";
+	String USER_ID = "user_id";
-	public String SUB = "sub";
+	String SUB = "sub";
-	public String EXP = "exp";
+	String EXP = "exp";
-	public String EXPIRES_AT = "expires_at";
+	String EXPIRES_AT = "expires_at";
-	public String SCOPE_SEPARATOR = " ";
+	String SCOPE_SEPARATOR = " ";
-	public String SCOPE = "scope";
+	String SCOPE = "scope";
-	public String ACTIVE = "active";
+	String ACTIVE = "active";
-	public DateFormatter dateFormat = new DateFormatter(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ"));
+	DateFormatter dateFormat = new DateFormatter(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ"));
 	/**
 	 * Assemble a token introspection result from the given access token and user info.
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java
@ -30,34 +30,34 @@ import org.springframework.security.oauth2.provider.token.ResourceServerTokenSer
 public interface OAuth2TokenEntityService extends AuthorizationServerTokenServices, ResourceServerTokenServices {
 	@Override
-	public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue);
+	OAuth2AccessTokenEntity readAccessToken(String accessTokenValue);
-	public OAuth2RefreshTokenEntity getRefreshToken(String refreshTokenValue);
+	OAuth2RefreshTokenEntity getRefreshToken(String refreshTokenValue);
-	public void revokeRefreshToken(OAuth2RefreshTokenEntity refreshToken);
+	void revokeRefreshToken(OAuth2RefreshTokenEntity refreshToken);
-	public void revokeAccessToken(OAuth2AccessTokenEntity accessToken);
+	void revokeAccessToken(OAuth2AccessTokenEntity accessToken);
-	public List<OAuth2AccessTokenEntity> getAccessTokensForClient(ClientDetailsEntity client);
+	List<OAuth2AccessTokenEntity> getAccessTokensForClient(ClientDetailsEntity client);
-	public List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity client);
+	List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity client);
-	public void clearExpiredTokens();
+	void clearExpiredTokens();
-	public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity accessToken);
+	OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity accessToken);
-	public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
+	OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
 	@Override
-	public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication);
+	OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication);
-	public OAuth2AccessTokenEntity getAccessTokenById(Long id);
+	OAuth2AccessTokenEntity getAccessTokenById(Long id);
-	public OAuth2RefreshTokenEntity getRefreshTokenById(Long id);
+	OAuth2RefreshTokenEntity getRefreshTokenById(Long id);
-	public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String name);
+	Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String name);
-	public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String name);
+	Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String name);
-	public OAuth2AccessTokenEntity getRegistrationAccessTokenForClient(ClientDetailsEntity client);
+	OAuth2AccessTokenEntity getRegistrationAccessTokenForClient(ClientDetailsEntity client);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
@ -20,6 +20,8 @@
 */
 package org.mitre.oauth2.service;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
 import org.mitre.oauth2.model.SystemScope;
@ -28,30 +30,26 @@ import com.google.common.collect.Sets;
 /**
 * @author jricher
 *
 */
 public interface SystemScopeService {
-	public static final String OFFLINE_ACCESS = "offline_access";
+	String OFFLINE_ACCESS = "offline_access";
-	public static final String OPENID_SCOPE = "openid";
+	String OPENID_SCOPE = "openid";
-	public static final String REGISTRATION_TOKEN_SCOPE = "registration-token"; // this scope manages dynamic client registrations
+	String REGISTRATION_TOKEN_SCOPE = "registration-token"; // this scope manages dynamic client registrations
-	public static final String RESOURCE_TOKEN_SCOPE = "resource-token"; // this scope manages client-style protected resources
+	String RESOURCE_TOKEN_SCOPE = "resource-token"; // this scope manages client-style protected resources
-	public static final String UMA_PROTECTION_SCOPE = "uma_protection";
+	String UMA_PROTECTION_SCOPE = "uma_protection";
-	public static final String UMA_AUTHORIZATION_SCOPE = "uma_authorization";
+	String UMA_AUTHORIZATION_SCOPE = "uma_authorization";
-	public static final Set<SystemScope> reservedScopes =
+	Set<SystemScope> reservedScopes = new HashSet<>(
-			Sets.newHashSet(
+		Arrays.asList(new SystemScope(REGISTRATION_TOKEN_SCOPE), new SystemScope(RESOURCE_TOKEN_SCOPE)));
 					new SystemScope(REGISTRATION_TOKEN_SCOPE),
 					new SystemScope(RESOURCE_TOKEN_SCOPE)
 					);
-	public Set<SystemScope> getAll();
+	Set<SystemScope> getAll();
 	/**
 	 * Get all scopes that are defaulted to new clients on this system
 	 * @return
 	 */
-	public Set<SystemScope> getDefaults();
+	Set<SystemScope> getDefaults();
 	/**
 	 * Get all the reserved system scopes. These can't be used
@ -60,46 +58,46 @@ public interface SystemScopeService {
 	 *
 	 * @return
 	 */
-	public Set<SystemScope> getReserved();
+	Set<SystemScope> getReserved();
 	/**
 	 * Get all the registered scopes that are restricted.
 	 * @return
 	 */
-	public Set<SystemScope> getRestricted();
+	Set<SystemScope> getRestricted();
 	/**
 	 * Get all the registered scopes that aren't restricted.
 	 * @return
 	 */
-	public Set<SystemScope> getUnrestricted();
+	Set<SystemScope> getUnrestricted();
-	public SystemScope getById(Long id);
+	SystemScope getById(Long id);
-	public SystemScope getByValue(String value);
+	SystemScope getByValue(String value);
-	public void remove(SystemScope scope);
+	void remove(SystemScope scope);
-	public SystemScope save(SystemScope scope);
+	SystemScope save(SystemScope scope);
 	/**
 	 * Translate the set of scope strings into a set of SystemScope objects.
 	 * @param scope
 	 * @return
 	 */
-	public Set<SystemScope> fromStrings(Set<String> scope);
+	Set<SystemScope> fromStrings(Set<String> scope);
 	/**
 	 * Pluck the scope values from the set of SystemScope objects and return a list of strings
 	 * @param scope
 	 * @return
 	 */
-	public Set<String> toStrings(Set<SystemScope> scope);
+	Set<String> toStrings(Set<SystemScope> scope);
 	/**
 	 * Test whether the scopes in both sets are compatible. All scopes in "actual" must exist in "expected".
 	 */
-	public boolean scopesMatch(Set<String> expected, Set<String> actual);
+	boolean scopesMatch(Set<String> expected, Set<String> actual);
 	/**
 	 * Remove any system-reserved or registered restricted scopes from the
@ -107,13 +105,13 @@ public interface SystemScopeService {
 	 * @param scopes
 	 * @return
 	 */
-	public Set<SystemScope> removeRestrictedAndReservedScopes(Set<SystemScope> scopes);
+	Set<SystemScope> removeRestrictedAndReservedScopes(Set<SystemScope> scopes);
 	/**
 	 * Remove any system-reserved scopes from the set and return the result.
 	 * @param scopes
 	 * @return
 	 */
-	public Set<SystemScope> removeReservedScopes(Set<SystemScope> scopes);
+	Set<SystemScope> removeReservedScopes(Set<SystemScope> scopes);
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@ -17,19 +17,12 @@
 *******************************************************************************/
 package org.mitre.oauth2.service.impl;
 import java.math.BigInteger;
 import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@ -42,55 +35,19 @@ import com.google.common.base.Strings;
 * Shim layer to convert a ClientDetails service into a UserDetails service
 *
 * @author AANGANES
 *
 */
@Service("clientUserDetailsService")
 public class DefaultClientUserDetailsService implements UserDetailsService {
 	private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;
 	private final ConfigurationPropertiesBean config;
 	@Autowired
-	private ConfigurationPropertiesBean config;
+	public DefaultClientUserDetailsService(ClientDetailsEntityService clientDetailsService, ConfigurationPropertiesBean config) {
-
+		this.clientDetailsService = clientDetailsService;
-	@Override
+		this.config = config;
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {
 		try {
 			ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientId);
 			if (client != null) {
 				String password = Strings.nullToEmpty(client.getClientSecret());
 				if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
 						(client.getTokenEndpointAuthMethod() != null &&
 						(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
 								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 					// Issue a random password each time to prevent password auth from being used (or skipped)
 					// for private key or shared key clients, see #715
 					password = new BigInteger(512, new SecureRandom()).toString(16);
 				}
 				boolean enabled = true;
 				boolean accountNonExpired = true;
 				boolean credentialsNonExpired = true;
 				boolean accountNonLocked = true;
 				Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
 				authorities.add(ROLE_CLIENT);
 				return new User(clientId, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
 			} else {
 				throw new UsernameNotFoundException("Client not found: " + clientId);
 			}
 		} catch (InvalidClientException e) {
 			throw new UsernameNotFoundException("Client not found: " + clientId);
 		}
 	}
 	public ClientDetailsEntityService getClientDetailsService() {
@ -101,4 +58,20 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
 		this.clientDetailsService = clientDetailsService;
 	}
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {
 		try {
 			ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientId);
 			if (client != null) {
 				String password = Strings.nullToEmpty(client.getClientSecret());
 				return ServiceUtils.getUserDetails(clientId, client, password, config, ROLE_CLIENT);
 			} else {
 				throw new UsernameNotFoundException("Client not found: " + clientId);
 			}
 		} catch (InvalidClientException e) {
 			throw new UsernameNotFoundException("Client not found: " + clientId);
 		}
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/ServiceUtils.java
@ -0,0 +1,30 @@
 package org.mitre.oauth2.service.impl;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import java.math.BigInteger;
 import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.HashSet;
 public class ServiceUtils {
 	public static UserDetails getUserDetails(String decodedClientId, ClientDetailsEntity client, String encodedPassword, ConfigurationPropertiesBean config, GrantedAuthority roleClient) {
 		if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
 			(client.getTokenEndpointAuthMethod() != null &&
 				(client.getTokenEndpointAuthMethod().equals(ClientDetailsEntity.AuthMethod.PRIVATE_KEY) ||
 					client.getTokenEndpointAuthMethod().equals(ClientDetailsEntity.AuthMethod.SECRET_JWT)))) {
 			encodedPassword = new BigInteger(512, new SecureRandom()).toString(16);
 		}
 		Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
 		authorities.add(roleClient);
 		return new User(decodedClientId, encodedPassword, true, true, true, true, authorities);
 	}
 }
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
@ -16,19 +16,13 @@
 package org.mitre.oauth2.service.impl;
 import java.io.UnsupportedEncodingException;
 import java.math.BigInteger;
 import java.security.SecureRandom;
 import java.util.Collection;
 import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@ -44,57 +38,19 @@ import com.google.common.base.Strings;
 *  Should only get called if non-encoded provider fails.
 *
 * @author AANGANES
 *
 */
@Service("uriEncodedClientUserDetailsService")
 public class UriEncodedClientUserDetailsService implements UserDetailsService {
 	private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;
 	private final ConfigurationPropertiesBean config;
 	@Autowired
-	private ConfigurationPropertiesBean config;
+	public UriEncodedClientUserDetailsService(ClientDetailsEntityService clientDetailsService, ConfigurationPropertiesBean config) {
-
+		this.clientDetailsService = clientDetailsService;
-	@Override
+		this.config = config;
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {
 		try {
 			String decodedClientId = UriUtils.decode(clientId, "UTF-8");
 			ClientDetailsEntity client = clientDetailsService.loadClientByClientId(decodedClientId);
 			if (client != null) {
 				String encodedPassword = UriUtils.encodePathSegment(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");
 				if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
 						(client.getTokenEndpointAuthMethod() != null &&
 							(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
 								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 					// Issue a random password each time to prevent password auth from being used (or skipped)
 					// for private key or shared key clients, see #715
 					encodedPassword = new BigInteger(512, new SecureRandom()).toString(16);
 				}
 				boolean enabled = true;
 				boolean accountNonExpired = true;
 				boolean credentialsNonExpired = true;
 				boolean accountNonLocked = true;
 				Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
 				authorities.add(ROLE_CLIENT);
 				return new User(decodedClientId, encodedPassword, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
 			} else {
 				throw new UsernameNotFoundException("Client not found: " + clientId);
 			}
 		} catch (UnsupportedEncodingException | InvalidClientException e) {
 			throw new UsernameNotFoundException("Client not found: " + clientId);
 		}
 	}
 	public ClientDetailsEntityService getClientDetailsService() {
@ -105,4 +61,21 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 		this.clientDetailsService = clientDetailsService;
 	}
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {
 		try {
 			String decodedClientId = UriUtils.decode(clientId, "UTF-8");
 			ClientDetailsEntity client = clientDetailsService.loadClientByClientId(decodedClientId);
 			if (client != null) {
 				String encodedPassword = UriUtils.encodePathSegment(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");
 				return ServiceUtils.getUserDetails(decodedClientId, client, encodedPassword, config, ROLE_CLIENT);
 			} else {
 				throw new UsernameNotFoundException("Client not found: " + clientId);
 			}
 		} catch (UnsupportedEncodingException | InvalidClientException e) {
 			throw new UsernameNotFoundException("Client not found: " + clientId);
 		}
 	}
 }