Merge f1d8c9b37e into d074573de0

openid-connect-server-webapp/src/main/resources/db/oracle11g/clients_oracle.sql

@@ -0,0 +1,51 @@
+--
+-- Insert client information into the temporary tables. To add clients to the Oracle database, edit things here.
+--
+
+INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_sec, access_token_validity_sec, id_token_validity_sec, allow_introspection) VALUES
+	('client', 'secret', 'Test Client', 0, null, 3600, 600, 1);
+
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'openid');
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'profile');
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'email');
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'address');
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'phone');
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'offline_access');
+
+INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost/');
+INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost:8080/');
+
+INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'authorization_code');
+INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'urn:ietf:params:oauth:grant_type:redelegate');
+INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'implicit');
+INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'refresh_token');
+
+--
+-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
+--
+
+MERGE INTO client_details
+  USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_sec, access_token_validity_sec, id_token_validity_sec, allow_introspection FROM client_details_TEMP) vals
+  ON (vals.client_id = client_details.client_id)
+  WHEN NOT MATCHED THEN
+    INSERT (id, client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_sec, access_token_validity_sec,
+    id_token_validity_sec, allow_introspection) VALUES(client_details_seq.nextval, vals.client_id, vals.client_secret, vals.client_name, vals.dynamically_registered,
+    vals.refresh_token_validity_sec, vals.access_token_validity_sec, vals.id_token_validity_sec, vals.allow_introspection);
+
+MERGE INTO client_scope
+  USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) vals
+  ON (vals.id = client_scope.owner_id AND vals.scope = client_scope.scope)
+  WHEN NOT MATCHED THEN
+    INSERT (owner_id, scope) values (vals.id, vals.scope);
+
+MERGE INTO client_redirect_uri
+  USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) vals
+  ON (vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri)
+  WHEN NOT MATCHED THEN
+    INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri);
+
+MERGE INTO client_grant_type
+  USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) vals
+  ON (vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type)
+  WHEN NOT MATCHED THEN
+    INSERT (owner_id, grant_type) values (vals.id, vals.grant_type);

openid-connect-server-webapp/src/main/resources/db/oracle11g/create_db-user

@@ -0,0 +1,15 @@
+CREATE TABLESPACE data_ts DATAFILE 'data_ts.dat' SIZE 40M ONLINE;
+CREATE TEMPORARY TABLESPACE temp_ts TEMPFILE 'temp_ts.dbf' SIZE 5M AUTOEXTEND ON;
+drop user oauth cascade;
+create user oauth identified by test DEFAULT TABLESPACE data_ts QUOTA 500K ON data_ts TEMPORARY TABLESPACE temp_ts;
+GRANT CONNECT TO oauth;
+GRANT UNLIMITED TABLESPACE TO oauth;
+grant create session to oauth;
+grant create table to oauth;
+GRANT CREATE TABLESPACE TO oauth;
+GRANT CREATE VIEW TO oauth;
+GRANT CREATE ANY INDEX TO oauth;
+GRANT CREATE SEQUENCE TO oauth;
+GRANT CREATE SYNONYM TO oauth;
+
+

openid-connect-server-webapp/src/main/resources/db/oracle11g/entity-mappings_oracle.xml

@@ -0,0 +1,320 @@
+<!--
+    Copyright 2017 The MIT Internet Trust Consortium
+   
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+   
+      http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<entity-mappings xmlns="http://xmlns.jcp.org/xml/ns/persistence/orm"
+				 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+				 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence/orm http://xmlns.jcp.org/xml/ns/persistence/orm_2_0.xsd"
+				 version="2.1">
+
+	<description>OpenID Connect Server entities</description>
+
+	<entity class="org.mitre.oauth2.model.AuthenticationHolderEntity" name="AuthenticationHolderEntity">
+		<table name="auth_holder" />
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="AuthenticationHolderSequenceGenerator"/>
+				<sequence-generator name="AuthenticationHolderSequenceGenerator" sequence-name="auth_holder_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+			<!-- table name too long: authentication_holder_authority -->
+			<element-collection fetch="EAGER" name="authorities">
+				<collection-table name="auth_holder_authority">
+					<join-column name="owner_id"/>
+				</collection-table>
+				<convert converter="org.mitre.oauth2.model.convert.SimpleGrantedAuthorityStringConverter"/>
+				<column name="authority"/>
+			</element-collection>
+			<!-- table name too long: authentication_holder_resource_id -->
+			<element-collection fetch="EAGER" name="resourceIds">
+				<collection-table name="auth_holder_resource_id">
+					<join-column name="owner_id"/>
+				</collection-table>
+				<column name="resource_id"/>
+			</element-collection>
+			<!-- table name too long: authentication_holder_response_type -->
+			<element-collection fetch="EAGER" name="responseTypes">
+				<collection-table name="auth_holder_response_type">
+					<join-column name="owner_id"/>
+				</collection-table>
+				<column name="response_type"/>
+			</element-collection>
+			<!-- table name too long: authentication_holder_extension -->
+			<element-collection fetch="EAGER" name="extensions">
+				<collection-table name="auth_holder_extension">
+					<join-column name="owner_id"/>
+				</collection-table>
+				<column name="val"/>
+				<map-key-column name="extension"/>
+				<convert converter="org.mitre.oauth2.model.convert.SerializableStringConverter"/>
+			</element-collection>
+			<!-- table name too long: authentication_holder_request_parameter -->
+			<element-collection fetch="EAGER" name="requestParameters">
+				<collection-table name="auth_holder_request_parameter">
+					<join-column name="owner_id"/>
+				</collection-table>
+				<column name="val"/>
+				<map-key-column name="param"/>
+			</element-collection>
+			<!-- table name too long: authentication_holder_scope -->
+			<element-collection fetch="EAGER" name="scope">
+				<column name="scope"/>
+				<collection-table name="auth_holder_scope">
+					<join-column name="owner_id" />
+				</collection-table>
+			</element-collection>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.AuthorizationCodeEntity" name="AuthorizationCodeEntity">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="AuthorizationCodeSequenceGenerator"/>
+				<sequence-generator name="AuthorizationCodeSequenceGenerator" sequence-name="authorization_code_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.ClientDetailsEntity" name="ClientDetailsEntity">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="ClientDetailsSequenceGenerator"/>
+				<sequence-generator name="ClientDetailsSequenceGenerator" sequence-name="client_details_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+			<!-- column name too long: id_token_validity_seconds -->
+			<basic name="idTokenValiditySeconds">
+				<column name="id_token_validity_sec"/>
+			</basic>
+			<!-- column name too long: access_token_validity_seconds -->
+			<basic name="accessTokenValiditySeconds">
+				<column name="access_token_validity_sec"/>
+			</basic>
+			<!-- column name too long: refresh_token_validity_seconds -->
+			<basic name="refreshTokenValiditySeconds">
+				<column name="refresh_token_validity_sec"/>
+			</basic>
+			<!-- column name too long: device_code_validity_seconds -->
+			<basic name="deviceCodeValiditySeconds">
+				<column name="device_code_validity_sec"/>
+			</basic>
+			<!-- column name too long: request_object_signing_alg -->
+			<basic name="requestObjectSigningAlg">
+				<column name="request_object_sign_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+			</basic>
+			<!-- column name too long: user_info_signed_response_alg -->
+			<basic name="userInfoSignedResponseAlg">
+				<column name="user_info_signed_resp_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+			</basic>
+			<!-- column name too long: user_info_encrypted_response_alg -->
+			<basic name="userInfoEncryptedResponseAlg">
+				<column name="user_info_encr_resp_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+			</basic>
+			<!-- column name too long: user_info_encrypted_response_enc -->
+			<basic name="userInfoEncryptedResponseEnc">
+				<column name="user_info_encr_resp_enc"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
+			</basic>
+			<!-- column name too long: id_token_signed_response_alg -->
+			<basic name="idTokenSignedResponseAlg">
+				<column name="id_token_signed_resp_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+			</basic>
+			<!-- column name too long: id_token_encrypted_response_alg -->
+			<basic name="idTokenEncryptedResponseAlg">
+				<column name="id_token_encr_resp_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEAlgorithmStringConverter"/>
+			</basic>
+			<!-- column name too long: id_token_encrypted_response_enc -->
+			<basic name="idTokenEncryptedResponseEnc">
+				<column name="id_token_encr_resp_enc"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWEEncryptionMethodStringConverter"/>
+			</basic>
+			<!-- column name too long: token_endpoint_auth_signing_alg -->
+			<basic name="tokenEndpointAuthSigningAlg">
+				<column name="token_endpoint_auth_sign_alg"/>
+				<convert converter="org.mitre.oauth2.model.convert.JWSAlgorithmStringConverter"/>
+			</basic>
+			<!-- table name too long: client_post_logout_redirect_uri -->
+			<element-collection fetch="EAGER" name="postLogoutRedirectUris">
+				<column name="post_logout_redirect_uri"/>
+				<collection-table name="client_post_logout_redir_uri">
+					<join-column name="owner_id"/>
+				</collection-table>
+			</element-collection>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.OAuth2AccessTokenEntity" name="OAuth2AccessTokenEntity">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="OAuth2AccessTokenSequenceGenerator"/>
+				<sequence-generator name="OAuth2AccessTokenSequenceGenerator" sequence-name="access_token_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.OAuth2RefreshTokenEntity" name="OAuth2RefreshTokenEntity">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="OAuth2RefreshTokenSequenceGenerator"/>
+				<sequence-generator name="OAuth2RefreshTokenSequenceGenerator" sequence-name="refresh_token_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.SavedUserAuthentication" name="SavedUserAuthentication">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="SavedUserAuthenticationSequenceGenerator"/>
+				<sequence-generator name="SavedUserAuthenticationSequenceGenerator" sequence-name="saved_user_auth_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.oauth2.model.SystemScope" name="SystemScope">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="SystemScopeSequenceGenerator"/>
+				<sequence-generator name="SystemScopeSequenceGenerator" sequence-name="system_scope_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.openid.connect.model.ApprovedSite" name="ApprovedSite">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="ApprovedSiteSequenceGenerator"/>
+				<sequence-generator name="ApprovedSiteSequenceGenerator" sequence-name="approved_site_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.openid.connect.model.BlacklistedSite" name="BlacklistedSite">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="BlacklistedSiteSequenceGenerator"/>
+				<sequence-generator name="BlacklistedSiteSequenceGenerator" sequence-name="blacklisted_site_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.openid.connect.model.PairwiseIdentifier" name="PairwiseIdentifier">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="PairwiseIdentifierSequenceGenerator"/>
+				<sequence-generator name="PairwiseIdentifierSequenceGenerator" sequence-name="pairwise_identifier_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.openid.connect.model.WhitelistedSite" name="WhitelistedSite">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="WhitelistedSiteSequenceGenerator"/>
+				<sequence-generator name="WhitelistedSiteSequenceGenerator" sequence-name="whitelisted_site_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.Claim" name="Claim">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="ClaimSequenceGenerator"/>
+				<sequence-generator name="ClaimSequenceGenerator" sequence-name="claim_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.Permission" name="Permission">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="PermissionSequenceGenerator"/>
+				<sequence-generator name="PermissionSequenceGenerator" sequence-name="permission_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.PermissionTicket" name="PermissionTicket">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="PermissionTicketSequenceGenerator"/>
+				<sequence-generator name="PermissionTicketSequenceGenerator" sequence-name="permission_ticket_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.Policy" name="Policy">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="PolicySequenceGenerator"/>
+				<sequence-generator name="PolicySequenceGenerator" sequence-name="policy_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.ResourceSet" name="ResourceSet">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="ResourceSetSequenceGenerator"/>
+				<sequence-generator name="ResourceSetSequenceGenerator" sequence-name="resource_set_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+	<entity class="org.mitre.uma.model.SavedRegisteredClient" name="SavedRegisteredClient">
+		<attributes>
+			<!-- changing generated value to sequence strategy (Oracle doesn't support identity) -->
+			<id name="id">
+				<generated-value strategy="SEQUENCE" generator="SavedRegisteredClientSequenceGenerator"/>
+				<sequence-generator name="SavedRegisteredClientSequenceGenerator" sequence-name="saved_registered_client_seq" allocation-size="1"/>
+				<column name="id"/>
+			</id>
+		</attributes>
+	</entity>
+
+</entity-mappings>

openid-connect-server-webapp/src/main/resources/db/oracle11g/loading_temp_tables_oracle.sql

@@ -0,0 +1,77 @@
+--
+-- Temporary tables used during the bootstrapping process to safely load users and clients.
+-- These are not needed if you're not using the users.sql/clients.sql files to bootstrap the database.
+--
+
+CREATE GLOBAL TEMPORARY TABLE authorities_TEMP (
+  username varchar2(50) not null,
+  authority varchar2(50) not null,
+  constraint ix_authority_TEMP unique (username,authority)
+) ON COMMIT PRESERVE ROWS;
+      
+CREATE GLOBAL TEMPORARY TABLE users_TEMP (
+  username VARCHAR2(50) not null primary key,
+  password VARCHAR2(50) not null,
+  enabled NUMBER(1) not null
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE user_info_TEMP (
+	sub VARCHAR2(256) not null primary key,
+	preferred_username VARCHAR2(256),
+	name VARCHAR2(256),
+	given_name VARCHAR2(256),
+	family_name VARCHAR2(256),
+	middle_name VARCHAR2(256),
+	nickname VARCHAR2(256),
+	profile VARCHAR2(256),
+	picture VARCHAR2(256),
+	website VARCHAR2(256),
+	email VARCHAR2(256),
+	email_verified NUMBER(1),
+	gender VARCHAR2(256),
+	zone_info VARCHAR2(256),
+	locale VARCHAR2(256),
+	phone_number VARCHAR2(256),
+	address_id VARCHAR2(256),
+	updated_time VARCHAR2(256),
+	birthdate VARCHAR2(256)
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE client_details_TEMP (
+	client_description VARCHAR2(256),
+	dynamically_registered NUMBER(1),
+	id_token_validity_sec NUMBER(19),
+
+	client_id VARCHAR2(256),
+	client_secret VARCHAR2(2048),
+	access_token_validity_sec NUMBER(19),
+	refresh_token_validity_sec NUMBER(19),
+	allow_introspection NUMBER(1),
+	
+	client_name VARCHAR2(256)
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE client_scope_TEMP (
+	owner_id VARCHAR2(256),
+	scope VARCHAR2(2048)
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE client_redirect_uri_TEMP (
+	owner_id VARCHAR2(256),
+	redirect_uri VARCHAR2(2048) 
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE client_grant_type_TEMP (
+	owner_id VARCHAR2(256),
+	grant_type VARCHAR2(2000)
+) ON COMMIT PRESERVE ROWS;
+
+CREATE GLOBAL TEMPORARY TABLE system_scope_TEMP (
+	scope VARCHAR2(256),
+	description VARCHAR2(4000),
+	icon VARCHAR2(256),
+	restricted NUMBER(1),
+	default_scope NUMBER(1),
+	structured NUMBER(1),
+	structured_param_description VARCHAR2(256)
+) ON COMMIT PRESERVE ROWS;

openid-connect-server-webapp/src/main/resources/db/oracle11g/oracle_database_index.sql

@@ -0,0 +1,17 @@
+--
+-- Indexes for Oracle
+--
+
+CREATE INDEX at_tv_idx ON access_token(token_value);
+CREATE INDEX ts_oi_idx ON token_scope(owner_id);
+CREATE INDEX at_exp_idx ON access_token(expiration);
+CREATE INDEX rf_ahi_idx ON refresh_token(auth_holder_id);
+CREATE INDEX at_ahi_idx ON access_token(auth_holder_id);
+CREATE INDEX aha_oi_idx ON auth_holder_authority(owner_id);
+CREATE INDEX ahe_oi_idx ON auth_holder_extension(owner_id);
+CREATE INDEX ahrp_oi_idx ON auth_holder_request_parameter(owner_id);
+CREATE INDEX ahri_oi_idx ON auth_holder_resource_id(owner_id);
+CREATE INDEX ahrt_oi_idx ON auth_holder_response_type(owner_id);
+CREATE INDEX ahs_oi_idx ON auth_holder_scope(owner_id);
+CREATE INDEX ac_ahi_idx ON authorization_code(auth_holder_id);
+CREATE INDEX suaa_oi_idx ON saved_user_auth_authority(owner_id);

openid-connect-server-webapp/src/main/resources/db/oracle11g/oracle_database_tables.sql

@@ -0,0 +1,431 @@
+--
+-- Tables for OIDC Server functionality, Oracle
+--
+
+CREATE TABLE access_token (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  token_value VARCHAR2(4000),
+  expiration TIMESTAMP,
+  token_type VARCHAR2(256),
+  refresh_token_id NUMBER(19),
+  client_id NUMBER(19),
+  auth_holder_id NUMBER(19),
+  approved_site_id NUMBER(19)
+);
+CREATE SEQUENCE access_token_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE access_token_permissions (
+  access_token_id NUMBER(19) NOT NULL,
+  permission_id NUMBER(19) NOT NULL
+);
+
+CREATE TABLE address (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  formatted VARCHAR2(256),
+  street_address VARCHAR2(256),
+  locality VARCHAR2(256),
+  region VARCHAR2(256),
+  postal_code VARCHAR2(256),
+  country VARCHAR2(256)
+);
+CREATE SEQUENCE address_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE approved_site (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  user_id VARCHAR2(256),
+  client_id VARCHAR2(256),
+  creation_date TIMESTAMP,
+  access_date TIMESTAMP,
+  timeout_date TIMESTAMP,
+  whitelisted_site_id NUMBER(19)
+);
+CREATE SEQUENCE approved_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE approved_site_scope (
+  owner_id NUMBER(19),
+  scope VARCHAR2(256)
+);
+
+CREATE TABLE auth_holder (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  user_auth_id NUMBER(19),
+  approved NUMBER(1),
+  redirect_uri VARCHAR2(2048),
+  client_id VARCHAR2(256),
+
+  CONSTRAINT approved_check CHECK (approved in (1,0))
+);
+CREATE SEQUENCE auth_holder_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE auth_holder_authority (
+  owner_id NUMBER(19),
+  authority VARCHAR2(256)
+);
+
+CREATE TABLE auth_holder_resource_id (
+  owner_id NUMBER(19),
+  resource_id VARCHAR2(2048)
+);
+
+CREATE TABLE auth_holder_response_type (
+  owner_id NUMBER(19),
+  response_type VARCHAR2(2048)
+);
+
+CREATE TABLE auth_holder_extension (
+  owner_id NUMBER(19),
+  extension VARCHAR2(2048),
+  val VARCHAR2(2048)
+);
+
+CREATE TABLE auth_holder_scope (
+  owner_id NUMBER(19),
+  scope VARCHAR2(2048)
+);
+
+CREATE TABLE auth_holder_request_parameter (
+  owner_id NUMBER(19),
+  param VARCHAR2(2048),
+  val VARCHAR2(2048)
+);
+
+CREATE TABLE saved_user_auth (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  name VARCHAR2(1024),
+  authenticated NUMBER(1),
+  source_class VARCHAR2(2048),
+
+  CONSTRAINT authenticated_check CHECK (authenticated in (1,0))
+);
+CREATE SEQUENCE saved_user_auth_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE saved_user_auth_authority (
+  owner_id NUMBER(19),
+  authority VARCHAR2(256)
+);
+
+CREATE TABLE client_authority (
+  owner_id NUMBER(19),
+  authority VARCHAR2(256)
+);
+
+CREATE TABLE authorization_code (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  code VARCHAR2(256),
+  auth_holder_id NUMBER(19),
+  expiration TIMESTAMP
+);
+CREATE SEQUENCE authorization_code_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE client_grant_type (
+  owner_id NUMBER(19),
+  grant_type VARCHAR2(2000)
+);
+
+CREATE TABLE client_response_type (
+  owner_id NUMBER(19),
+  response_type VARCHAR2(2000)
+);
+
+CREATE TABLE blacklisted_site (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  uri VARCHAR2(2048)
+);
+CREATE SEQUENCE blacklisted_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE client_details (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+
+  client_description VARCHAR2(1024),
+  reuse_refresh_tokens NUMBER(1) DEFAULT 1 NOT NULL,
+  dynamically_registered NUMBER(1) DEFAULT 0 NOT NULL,
+  allow_introspection NUMBER(1) DEFAULT 0 NOT NULL,
+  id_token_validity_sec NUMBER(19) DEFAULT 600 NOT NULL,
+
+  client_id VARCHAR2(256),
+  client_secret VARCHAR2(2048),
+  access_token_validity_sec NUMBER(19),
+  refresh_token_validity_sec NUMBER(19),
+  device_code_validity_sec NUMBER(19),
+
+  application_type VARCHAR2(256),
+  client_name VARCHAR2(256),
+  token_endpoint_auth_method VARCHAR2(256),
+  subject_type VARCHAR2(256),
+
+  logo_uri VARCHAR2(2048),
+  policy_uri VARCHAR2(2048),
+  client_uri VARCHAR2(2048),
+  tos_uri VARCHAR2(2048),
+
+  jwks_uri VARCHAR2(2048),
+  jwks CLOB,
+  sector_identifier_uri VARCHAR2(2048),
+
+  request_object_sign_alg VARCHAR2(256),
+
+  user_info_signed_resp_alg VARCHAR2(256),
+  user_info_encr_resp_alg VARCHAR2(256),
+  user_info_encr_resp_enc VARCHAR2(256),
+
+  id_token_signed_resp_alg VARCHAR2(256),
+  id_token_encr_resp_alg VARCHAR2(256),
+  id_token_encr_resp_enc VARCHAR2(256),
+
+  token_endpoint_auth_sign_alg VARCHAR2(256),
+
+  default_max_age NUMBER(19),
+  require_auth_time NUMBER(1),
+  created_at TIMESTAMP,
+  initiate_login_uri VARCHAR2(2048),
+  clear_access_tokens_on_refresh NUMBER(1) DEFAULT 1 NOT NULL,
+
+  software_id VARCHAR(2048),
+  software_statement VARCHAR2(4000),
+  software_version VARCHAR(2048),
+
+  code_challenge_method VARCHAR2(256),
+
+  CONSTRAINT client_details_unique UNIQUE (client_id),
+  CONSTRAINT reuse_refresh_tokens_check CHECK (reuse_refresh_tokens in (1,0)),
+  CONSTRAINT dynamically_registered_check CHECK (dynamically_registered in (1,0)),
+  CONSTRAINT allow_introspection_check CHECK (allow_introspection in (1,0)),
+  CONSTRAINT require_auth_time_check CHECK (require_auth_time in (1,0)),
+  CONSTRAINT clear_acc_tok_on_refresh_check CHECK (clear_access_tokens_on_refresh in (1,0))
+
+);
+CREATE SEQUENCE client_details_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE client_request_uri (
+  owner_id NUMBER(19),
+  request_uri VARCHAR2(2000)
+);
+
+CREATE TABLE client_post_logout_redir_uri (
+  owner_id NUMBER(19),
+  post_logout_redirect_uri VARCHAR2(2000)
+);
+
+CREATE TABLE client_default_acr_value (
+  owner_id NUMBER(19),
+  default_acr_value VARCHAR2(2000)
+);
+
+CREATE TABLE client_contact (
+  owner_id NUMBER(19),
+  contact VARCHAR2(256)
+);
+
+CREATE TABLE client_redirect_uri (
+  owner_id NUMBER(19),
+  redirect_uri VARCHAR2(2048)
+);
+
+CREATE TABLE client_claims_redirect_uri (
+  owner_id NUMBER(19),
+  redirect_uri VARCHAR2(2048)
+);
+
+CREATE TABLE refresh_token (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  token_value VARCHAR2(4000),
+  expiration TIMESTAMP,
+  auth_holder_id NUMBER(19),
+  client_id NUMBER(19)
+);
+CREATE SEQUENCE refresh_token_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE client_resource (
+  owner_id NUMBER(19),
+  resource_id VARCHAR2(256)
+);
+
+CREATE TABLE client_scope (
+  owner_id NUMBER(19),
+  scope VARCHAR2(2048)
+);
+
+CREATE TABLE token_scope (
+  owner_id NUMBER(19),
+  scope VARCHAR2(2048)
+);
+
+CREATE TABLE system_scope (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  scope VARCHAR2(256) NOT NULL,
+  description VARCHAR2(4000),
+  icon VARCHAR2(256),
+  restricted NUMBER(1) DEFAULT 0 NOT NULL,
+  default_scope NUMBER(1) DEFAULT 0 NOT NULL,
+  structured NUMBER(1) DEFAULT 0 NOT NULL,
+  structured_param_description VARCHAR2(256),
+
+  CONSTRAINT system_scope_unique UNIQUE (scope),
+  CONSTRAINT default_scope_check CHECK (default_scope in (1,0)),
+  CONSTRAINT restricted_check CHECK (restricted in (1,0)),
+  CONSTRAINT structured_check CHECK (structured in (1,0))
+);
+CREATE SEQUENCE system_scope_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE user_info (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  sub VARCHAR2(256),
+  preferred_username VARCHAR2(256),
+  name VARCHAR2(256),
+  given_name VARCHAR2(256),
+  family_name VARCHAR2(256),
+  middle_name VARCHAR2(256),
+  nickname VARCHAR2(256),
+  profile VARCHAR2(256),
+  picture VARCHAR2(256),
+  website VARCHAR2(256),
+  email VARCHAR2(256),
+  email_verified NUMBER(1),
+  gender VARCHAR2(256),
+  zone_info VARCHAR2(256),
+  locale VARCHAR2(256),
+  phone_number VARCHAR2(256),
+  phone_number_verified NUMBER(1),
+  address_id VARCHAR2(256),
+  updated_time VARCHAR2(256),
+  birthdate VARCHAR2(256),
+  src VARCHAR2(4000),
+
+  CONSTRAINT email_verified_check CHECK (email_verified in (1,0)),
+  CONSTRAINT phone_number_verified_check CHECK (phone_number_verified in (1,0))
+);
+CREATE SEQUENCE user_info_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE whitelisted_site (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  creator_user_id VARCHAR2(256),
+  client_id VARCHAR2(256)
+);
+CREATE SEQUENCE whitelisted_site_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE whitelisted_site_scope (
+  owner_id NUMBER(19),
+  scope VARCHAR2(256)
+);
+
+CREATE TABLE pairwise_identifier (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  identifier VARCHAR2(256),
+  sub VARCHAR2(256),
+  sector_identifier VARCHAR2(2048)
+);
+CREATE SEQUENCE pairwise_identifier_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE resource_set (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  name VARCHAR2(1024) NOT NULL,
+  uri VARCHAR2(1024),
+  icon_uri VARCHAR2(1024),
+  rs_type VARCHAR2(256),
+  owner VARCHAR2(256) NOT NULL,
+  client_id VARCHAR2(256)
+);
+CREATE SEQUENCE resource_set_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE resource_set_scope (
+  owner_id NUMBER(19) NOT NULL,
+  scope VARCHAR2(256) NOT NULL
+);
+
+CREATE TABLE permission_ticket (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  ticket VARCHAR2(256) NOT NULL,
+  permission_id NUMBER(19) NOT NULL,
+  expiration TIMESTAMP
+);
+CREATE SEQUENCE permission_ticket_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE permission (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  resource_set_id NUMBER(19)
+);
+CREATE SEQUENCE permission_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE permission_scope (
+  owner_id NUMBER(19) NOT NULL,
+  scope VARCHAR2(256) NOT NULL
+);
+
+CREATE TABLE claim (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  name VARCHAR2(256),
+  friendly_name VARCHAR2(1024),
+  claim_type VARCHAR2(1024),
+  claim_value VARCHAR2(1024)
+);
+CREATE SEQUENCE claim_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE claim_to_policy (
+  policy_id NUMBER(19) NOT NULL,
+  claim_id NUMBER(19) NOT NULL
+);
+
+CREATE TABLE claim_to_permission_ticket (
+  permission_ticket_id NUMBER(19) NOT NULL,
+  claim_id NUMBER(19) NOT NULL
+);
+
+CREATE TABLE policy (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  name VARCHAR2(1024),
+  resource_set_id NUMBER(19)
+);
+CREATE SEQUENCE policy_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE policy_scope (
+  owner_id NUMBER(19) NOT NULL,
+  scope VARCHAR2(256) NOT NULL
+);
+
+CREATE TABLE claim_token_format (
+  owner_id NUMBER(19) NOT NULL,
+  claim_token_format VARCHAR2(1024) NOT NULL
+);
+
+CREATE TABLE claim_issuer (
+  owner_id NUMBER(19) NOT NULL,
+  issuer VARCHAR2(1024) NOT NULL
+);
+
+CREATE TABLE launch_context (
+	id NUMBER PRIMARY KEY,
+  access_token_id NUMBER(19),
+	name VARCHAR2(256),
+	value VARCHAR2(256)
+);
+
+CREATE SEQUENCE launch_context_seq START WITH 1;
+
+CREATE SEQUENCE saved_registered_client_seq START WITH 1 INCREMENT BY 1 NOCACHE NOCYCLE;
+
+CREATE TABLE saved_registered_client (
+  id NUMBER(19) NOT NULL PRIMARY KEY,
+  issuer VARCHAR2(1024),
+  registered_client CLOB
+);
+
+CREATE TABLE device_code (
+	id NUMBER(19) NOT NULL PRIMARY KEY,
+	device_code VARCHAR2(1024),
+	user_code VARCHAR2(1024),
+	expiration TIMESTAMP,
+	client_id VARCHAR2(256),
+	approved NUMBER(1),
+	auth_holder_id NUMBER(19)
+);
+
+CREATE TABLE device_code_scope (
+	owner_id NUMBER(19) NOT NULL,
+	scope VARCHAR2(256) NOT NULL
+);
+
+CREATE TABLE device_code_request_parameter (
+	owner_id NUMBER(19),
+	param VARCHAR2(2048),
+	val VARCHAR2(2048)
+);

openid-connect-server-webapp/src/main/resources/db/oracle11g/scopes_oracle.sql

@@ -0,0 +1,21 @@
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'openid', 'log in using your identity', 'user', 0, 1, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'profile', 'basic profile information', 'list-alt', 0, 1, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'email', 'email address', 'envelope', 0, 1, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'address', 'physical address', 'home', 0, 1, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'phone', 'telephone number', 'bell', 0, 1, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'offline_access', 'offline access', 'time', 0, 0, 0, null);
+
+INSERT INTO system_scope (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+  (system_scope_seq.nextval, 'online_access', 'offline access', 'time', 0, 0, 0, null);
+

openid-connect-server-webapp/src/main/resources/db/oracle11g/security-schema_oracle.sql

@@ -0,0 +1,18 @@
+-- 
+-- Tables for Spring Security's user details service
+--
+  
+create table users(
+  username varchar2(50) not null primary key,
+  password varchar2(50) not null,
+  enabled number(1) not null,
+
+  constraint enabled_check check (enabled in (1, 0))
+);
+
+create table authorities (
+  username varchar2(50) not null,
+  authority varchar2(50) not null,
+  constraint fk_authorities_users foreign key(username) references users(username),
+  constraint ix_authority unique (username,authority)
+);

openid-connect-server-webapp/src/main/resources/db/oracle11g/users_oracle.sql

@@ -0,0 +1,39 @@
+--
+-- Insert user information into the temporary tables. To add users to the Oracle database, edit things here.
+-- 
+
+INSERT INTO users_TEMP (username, password, enabled) VALUES ('admin','password',1);
+INSERT INTO users_TEMP (username, password, enabled) VALUES ('user','password',1);
+
+
+INSERT INTO authorities_TEMP (username, authority) VALUES ('admin','ROLE_ADMIN');
+INSERT INTO authorities_TEMP (username, authority) VALUES('admin','ROLE_USER');
+INSERT INTO authorities_TEMP (username, authority) VALUES('user','ROLE_USER');
+    
+-- By default, the username column here has to match the username column in the users table, above
+INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES ('90342.ASDFJWFA','admin','Demo Admin','admin@example.com', 1);
+INSERT INTO user_info_TEMP (sub, preferred_username, name, email, email_verified) VALUES ('01921.FLANRJQW','user','Demo User','user@example.com', 1);
+
+ 
+--
+-- Merge the temporary users safely into the database. This is a two-step process to keep users from being created on every startup with a persistent store.
+--
+
+MERGE INTO users 
+  USING (SELECT username, password, enabled FROM users_TEMP) vals
+  ON (vals.username = users.username)
+  WHEN NOT MATCHED THEN 
+    INSERT (username, password, enabled) VALUES(vals.username, vals.password, vals.enabled);
+
+MERGE INTO authorities 
+  USING (SELECT username, authority FROM authorities_TEMP) vals
+  ON (vals.username = authorities.username AND vals.authority = authorities.authority)
+  WHEN NOT MATCHED THEN 
+    INSERT (username,authority) values (vals.username, vals.authority);
+
+MERGE INTO user_info 
+  USING (SELECT sub, preferred_username, name, email, email_verified FROM user_info_TEMP) vals
+  ON (vals.preferred_username = user_info.preferred_username)
+  WHEN NOT MATCHED THEN 
+    INSERT (id, sub, preferred_username, name, email, email_verified) VALUES (user_info_seq.nextval, vals.sub, vals.preferred_username, vals.name, vals.email,
+    vals.email_verified);