Merge pull request #4 from indigo-iam/merge-remote

Merge updates from source repo into our development branch
2023-07-12 19:12:01 +02:00 · 2023-07-12 19:12:01 +02:00 · d58c826937
parent bd24a3b85d 66caae9589
commit d58c826937
37 changed files with 30398 additions and 20444 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,7 +1,11 @@
 language: java
 jdk:
-  - oraclejdk8
+  - oraclejdk11
 sudo: false

 after_success:
  - bash <(curl -s https://codecov.io/bash)
+
+cache:
+  directories:
+  - $HOME/.m2
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,4 +1,6 @@
 Unreleased:
+
+*1.3.3*:
 - Authorization codes are now longer
 - Client/RS can parse the "sub" and "user_id" claims in introspection response
 - Database-direct queries for fetching tokens by user (optimization)
@ -6,9 +8,12 @@ Unreleased:
 - Long scopes display properly and are still checkable
 - Language system remebers when it can't find a file and stops throwing so many errors
 - Index added for refresh tokens
- Updated to Spring Security 4.2.4
+- Updated to Spring Security 4.2.11
+- Updated Spring to 4.3.22
+- Change approve pages to use issuer instead of page context
+- Updated oracle database scripts

-*1.3.2:
+*1.3.2*:
 - Added changelog
 - Set default redirect URI resolver strict matching to true
 - Fixed XSS vulnerability on redirect URI display on approval page
--- a/README.md
+++ b/README.md
@ -28,4 +28,4 @@ The authors and key contributors of the project include:
 * [Mark Janssen](https://github.com/praseodym)


-Copyright &copy;2018, [MIT Internet Trust Consortium](http://www.trust.mit.edu/). Licensed under the Apache 2.0 license, for details see `LICENSE.txt`. 
+Licensed under the Apache 2.0 license, for details see `LICENSE.txt`. 
--- a/openid-connect-common/pom.xml
+++ b/openid-connect-common/pom.xml
@ -87,6 +87,26 @@
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk15on</artifactId>
 		</dependency>
+		<dependency>
+			  <groupId>javax.annotation</groupId>
+			  <artifactId>javax.annotation-api</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>jakarta.xml.bind</groupId>
+			<artifactId>jakarta.xml.bind-api</artifactId>
+		</dependency>
+		<dependency>
+    		<groupId>javax.xml.bind</groupId>
+    		<artifactId>jaxb-api</artifactId>
+		</dependency>
+		<dependency>
+		    <groupId>javax.activation</groupId>
+		    <artifactId>activation</artifactId>
+		</dependency>
+		<dependency>
+		    <groupId>org.glassfish.jaxb</groupId>
+		    <artifactId>jaxb-runtime</artifactId>
+		</dependency>
 	</dependencies>

 	<packaging>jar</packaging>
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
@ -90,7 +90,7 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 			} else {
 				throw new UsernameNotFoundException("Client not found: " + clientId);
 			}
-          } catch (InvalidClientException e) {
+		} catch (InvalidClientException e) {
 			throw new UsernameNotFoundException("Client not found: " + clientId);
 		}

--- a/openid-connect-server-webapp/pom.xml
+++ b/openid-connect-server-webapp/pom.xml
@ -21,7 +21,7 @@
 	<parent>
 		<groupId>org.mitre</groupId>
 		<artifactId>openid-connect-parent</artifactId>
-		<version>1.3.3-SNAPSHOT</version>
+		<version>1.3.5-SNAPSHOT</version>
 	</parent>
 	<artifactId>openid-connect-server-webapp</artifactId>
 	<packaging>war</packaging>
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
@ -25,12 +25,12 @@
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xmlns:util="http://www.springframework.org/schema/util"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<!-- Scan for components -->
 	<context:component-scan annotation-config="true" base-package="org.mitre" />
@ -246,9 +246,15 @@
 		<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
 	</bean>

+	<bean id="noOpPasswordEncoder" class="org.springframework.security.crypto.password.NoOpPasswordEncoder"/>
+	
 	<security:authentication-manager id="clientAuthenticationManager">
-		<security:authentication-provider user-service-ref="clientUserDetailsService" />
-		<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
+		<security:authentication-provider user-service-ref="clientUserDetailsService">
+			<security:password-encoder ref="noOpPasswordEncoder"/>
+		</security:authentication-provider>
+		<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService">
+			<security:password-encoder ref="noOpPasswordEncoder"/>
+		</security:authentication-provider>
 	</security:authentication-manager>

 	<security:authentication-manager id="clientAssertionAuthenticationManager">
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/assertion-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/assertion-config.xml
@ -22,11 +22,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<!-- validate incoming tokens for JWT assertions -->
 	<bean id="jwtAssertionValidator" class="org.mitre.jwt.assertion.impl.NullAssertionValidator" />
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
@ -22,11 +22,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">


 	<oauth:authorization-server 
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/crypto-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/crypto-config.xml
@ -24,11 +24,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
 		<property name="location" value="classpath:keystore.jwks" />
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml
@ -19,8 +19,8 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
 	   xmlns:jdbc="http://www.springframework.org/schema/jdbc"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-       						http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.3.xsd">
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+       						http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc.xsd">

 	<bean id="dataSource" class="com.zaxxer.hikari.HikariDataSource" destroy-method="close">
 		<property name="driverClassName" value="org.hsqldb.jdbcDriver" />
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
@ -22,11 +22,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">


 <!-- This file allows you to define additional endpoints, it's normally empty in the OIDC server and has entries in the UMA server -->
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml
@ -22,11 +22,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
 		<property name="entityManagerFactory" ref="entityManagerFactory" />
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml
@ -24,11 +24,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">


 <!-- Empty: Override this file in your local project to change configuration options. -->
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml
@ -24,11 +24,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<bean id="configBean" class="org.mitre.openid.connect.config.ConfigurationPropertiesBean">
 	    
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml
@ -24,11 +24,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 <!-- This file has been left blank -->
 <!-- Feel free to override this by using a maven overlay. -->
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/tags/header.tag
@ -14,6 +14,7 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="">
+    <meta name="referrer" content="strict-origin-when-cross-origin"/>

    <!-- stylesheets -->
    <link href="resources/bootstrap2/css/bootstrap.css" rel="stylesheet">
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml
@ -19,8 +19,8 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:task="http://www.springframework.org/schema/task"
-	xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
+	xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

 	<!-- Configuration for scheduled tasks -->
 	<task:scheduler id="taskScheduler" pool-size="10" /> 
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/ui-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/ui-config.xml
@ -22,11 +22,11 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">


 <!-- This file allows you to define components to the UI -->
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@ -24,15 +24,16 @@
 	xmlns:security="http://www.springframework.org/schema/security"
 	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 	<security:authentication-manager id="authenticationManager">
 		<security:authentication-provider>
 			<security:jdbc-user-service data-source-ref="dataSource"/>
+			<security:password-encoder ref="noOpPasswordEncoder"/>
 		</security:authentication-provider>
 	</security:authentication-manager>
 		
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
@ -37,7 +37,7 @@
 		</h1>

 		<form name="confirmationForm"
-			action="${pageContext.request.contextPath.endsWith('/') ? pageContext.request.contextPath : pageContext.request.contextPath.concat('/') }authorize" method="post">
+			action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post">

 			<div class="row">
 				<div class="span5 offset1 well-small" style="text-align: left">
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp
@ -37,7 +37,7 @@
 		</h1>

 		<form name="confirmationForm"
-			action="${pageContext.request.contextPath.endsWith('/') ? pageContext.request.contextPath : pageContext.request.contextPath.concat('/') }device/approve" method="post">
+			action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approve" method="post">

 			<div class="row">
 				<div class="span5 offset1 well-small" style="text-align: left">
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/lib/backbone.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/lib/backbone.js
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/lib/jquery.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/lib/jquery.js
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/lib/moment-with-locales.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/lib/moment-with-locales.js
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/lib/underscore.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/lib/underscore.js
--- a/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java
@ -304,7 +304,7 @@ public class DiscoveryEndpoint {
 				JWSAlgorithm.ES256, JWSAlgorithm.ES384, JWSAlgorithm.ES512,
 				JWSAlgorithm.PS256, JWSAlgorithm.PS384, JWSAlgorithm.PS512,
 				Algorithm.NONE);
-		ArrayList<String> grantTypes = Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate", "urn:ietf:params:oauth:grant-type:device_code");
+		ArrayList<String> grantTypes = Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate", "urn:ietf:params:oauth:grant-type:device_code","refresh_token");

 		Map<String, Object> m = new HashMap<>();
 		m.put("issuer", config.getIssuer());
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
@ -103,9 +103,9 @@ public class OAuthConfirmationController {

 	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping("/oauth/confirm_access")
-	public String confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") AuthorizationRequest authRequest,
-			Principal p) {
+	public String confirmAccess(Map<String, Object> model, Principal p) {

+		AuthorizationRequest authRequest = (AuthorizationRequest) model.get("authorizationRequest");
 		// Check the "prompt" parameter to see if we need to do special processing

 		String prompt = (String)authRequest.getExtensions().get(PROMPT);
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
@ -58,431 +58,397 @@ import com.google.gson.JsonSyntaxException;
@RequestMapping(value = ProtectedResourceRegistrationEndpoint.URL)
 public class ProtectedResourceRegistrationEndpoint {

-  /**
-   *
-   */
-  public static final String URL = "resource";
-
-  @Autowired
-  private ClientDetailsEntityService clientService;
-
-  @Autowired
-  private OAuth2TokenEntityService tokenService;
-
-  @Autowired
-  private SystemScopeService scopeService;
-
-  @Autowired
-  private ConfigurationPropertiesBean config;
-
-  @Autowired
-  private OIDCTokenService connectTokenService;
-
-  /**
-   * Logger for this class
-   */
-  private static final Logger logger =
-      LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class);
-
-  /**
-   * Create a new Client, issue a client ID, and create a registration access token.
-   * 
-   * @param jsonString
-   * @param m
-   * @param p
-   * @return
-   */
-  @RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE,
-      produces = MediaType.APPLICATION_JSON_VALUE)
-  public String registerNewProtectedResource(@RequestBody String jsonString, Model m) {
-
-    ClientDetailsEntity newClient = null;
-    try {
-      newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
-    } catch (JsonSyntaxException e) {
-      // bad parse
-      // didn't parse, this is a bad request
-      logger.error("registerNewProtectedResource failed; submitted JSON is malformed");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
-      return HttpCodeView.VIEWNAME;
-    }
-
-    if (newClient != null) {
-      // it parsed!
-
-      //
-      // Now do some post-processing consistency checks on it
-      //
-
-      // clear out any spurious id/secret (clients don't get to pick)
-      newClient.setClientId(null);
-      newClient.setClientSecret(null);
-
-      // do validation on the fields
-      try {
-        newClient = validateScopes(newClient);
-        newClient = validateAuth(newClient);
-      } catch (ValidationException ve) {
-        // validation failed, return an error
-        m.addAttribute(JsonErrorView.ERROR, ve.getError());
-        m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
-        m.addAttribute(HttpCodeView.CODE, ve.getStatus());
-        return JsonErrorView.VIEWNAME;
-      }
-
-
-      // no grant types are allowed
-      newClient.setGrantTypes(new HashSet<String>());
-      newClient.setResponseTypes(new HashSet<String>());
-      newClient.setRedirectUris(new HashSet<String>());
-
-      // don't issue tokens to this client
-      newClient.setAccessTokenValiditySeconds(0);
-      newClient.setIdTokenValiditySeconds(0);
-      newClient.setRefreshTokenValiditySeconds(0);
-
-      // clear out unused fields
-      newClient.setDefaultACRvalues(new HashSet<String>());
-      newClient.setDefaultMaxAge(null);
-      newClient.setIdTokenEncryptedResponseAlg(null);
-      newClient.setIdTokenEncryptedResponseEnc(null);
-      newClient.setIdTokenSignedResponseAlg(null);
-      newClient.setInitiateLoginUri(null);
-      newClient.setPostLogoutRedirectUris(null);
-      newClient.setRequestObjectSigningAlg(null);
-      newClient.setRequireAuthTime(null);
-      newClient.setReuseRefreshToken(false);
-      newClient.setSectorIdentifierUri(null);
-      newClient.setSubjectType(null);
-      newClient.setUserInfoEncryptedResponseAlg(null);
-      newClient.setUserInfoEncryptedResponseEnc(null);
-      newClient.setUserInfoSignedResponseAlg(null);
-
-      // this client has been dynamically registered (obviously)
-      newClient.setDynamicallyRegistered(true);
-
-      // this client has access to the introspection endpoint
-      newClient.setAllowIntrospection(true);
-
-      // now save it
-      try {
-        ClientDetailsEntity savedClient = clientService.saveNewClient(newClient);
-
-        // generate the registration access token
-        OAuth2AccessTokenEntity token = connectTokenService.createResourceAccessToken(savedClient);
-        tokenService.saveAccessToken(token);
-
-        // send it all out to the view
-
-        RegisteredClient registered =
-            new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/"
-                + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
-        m.addAttribute("client", registered);
-        m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
-
-        return ClientInformationResponseView.VIEWNAME;
-      } catch (IllegalArgumentException e) {
-        logger.error("Couldn't save client", e);
-
-        m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
-        m.addAttribute(JsonErrorView.ERROR_MESSAGE,
-            "Unable to save client due to invalid or inconsistent metadata.");
-        m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
-
-        return JsonErrorView.VIEWNAME;
-      }
-    } else {
-      // didn't parse, this is a bad request
-      logger.error("registerNewClient failed; submitted JSON is malformed");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
-
-      return HttpCodeView.VIEWNAME;
-    }
-
-  }
-
-  private ClientDetailsEntity validateScopes(ClientDetailsEntity newClient)
-      throws ValidationException {
-    // scopes that the client is asking for
-    Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
-
-    // the scopes that the client can have must be a subset of the dynamically allowed scopes
-    Set<SystemScope> allowedScopes =
-        scopeService.removeRestrictedAndReservedScopes(requestedScopes);
-
-    // if the client didn't ask for any, give them the defaults
-    if (allowedScopes == null || allowedScopes.isEmpty()) {
-      allowedScopes = scopeService.getDefaults();
-    }
-
-    newClient.setScope(scopeService.toStrings(allowedScopes));
-
-    return newClient;
-  }
-
-  /**
-   * Get the meta information for a client.
-   * 
-   * @param clientId
-   * @param m
-   * @param auth
-   * @return
-   */
-  @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
-      + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
-  @RequestMapping(value = "/{id}", method = RequestMethod.GET,
-      produces = MediaType.APPLICATION_JSON_VALUE)
-  public String readResourceConfiguration(@PathVariable("id") String clientId, Model m,
-      OAuth2Authentication auth) {
-
-    ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
-
-    if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
-
-      // possibly update the token
-      OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, client);
-
-      RegisteredClient registered =
-          new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/"
-              + UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
-
-      // send it all out to the view
-      m.addAttribute("client", registered);
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
-
-      return ClientInformationResponseView.VIEWNAME;
-
-    } else {
-      // client mismatch
-      logger.error("readResourceConfiguration failed, client ID mismatch: " + clientId + " and "
-          + auth.getOAuth2Request().getClientId() + " do not match.");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
-
-      return HttpCodeView.VIEWNAME;
-    }
-  }
-
-  /**
-   * Update the metainformation for a given client.
-   * 
-   * @param clientId
-   * @param jsonString
-   * @param m
-   * @param auth
-   * @return
-   */
-  @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
-      + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
-  @RequestMapping(value = "/{id}", method = RequestMethod.PUT,
-      produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
-  public String updateProtectedResource(@PathVariable("id") String clientId,
-      @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
-
-
-    ClientDetailsEntity newClient = null;
-    try {
-      newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
-    } catch (JsonSyntaxException e) {
-      // bad parse
-      // didn't parse, this is a bad request
-      logger.error("updateProtectedResource failed; submitted JSON is malformed");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
-      return HttpCodeView.VIEWNAME;
-    }
-
-    ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
-
-    if (newClient != null && oldClient != null // we have an existing client and the new one parsed
-        && oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client
-                                                                                 // passed in the
-                                                                                 // URI matches the
-                                                                                 // one in the auth
-        && oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body
-                                                                   // matches the one in the URI
-    ) {
-
-      // a client can't ask to update its own client secret to any particular value
-      newClient.setClientSecret(oldClient.getClientSecret());
-
-      newClient.setCreatedAt(oldClient.getCreatedAt());
-
-      // no grant types are allowed
-      newClient.setGrantTypes(new HashSet<String>());
-      newClient.setResponseTypes(new HashSet<String>());
-      newClient.setRedirectUris(new HashSet<String>());
-
-      // don't issue tokens to this client
-      newClient.setAccessTokenValiditySeconds(0);
-      newClient.setIdTokenValiditySeconds(0);
-      newClient.setRefreshTokenValiditySeconds(0);
-
-      // clear out unused fields
-      newClient.setDefaultACRvalues(new HashSet<String>());
-      newClient.setDefaultMaxAge(null);
-      newClient.setIdTokenEncryptedResponseAlg(null);
-      newClient.setIdTokenEncryptedResponseEnc(null);
-      newClient.setIdTokenSignedResponseAlg(null);
-      newClient.setInitiateLoginUri(null);
-      newClient.setPostLogoutRedirectUris(null);
-      newClient.setRequestObjectSigningAlg(null);
-      newClient.setRequireAuthTime(null);
-      newClient.setReuseRefreshToken(false);
-      newClient.setSectorIdentifierUri(null);
-      newClient.setSubjectType(null);
-      newClient.setUserInfoEncryptedResponseAlg(null);
-      newClient.setUserInfoEncryptedResponseEnc(null);
-      newClient.setUserInfoSignedResponseAlg(null);
-
-      // this client has been dynamically registered (obviously)
-      newClient.setDynamicallyRegistered(true);
-
-      // this client has access to the introspection endpoint
-      newClient.setAllowIntrospection(true);
-
-      // do validation on the fields
-      try {
-        newClient = validateScopes(newClient);
-        newClient = validateAuth(newClient);
-      } catch (ValidationException ve) {
-        // validation failed, return an error
-        m.addAttribute(JsonErrorView.ERROR, ve.getError());
-        m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
-        m.addAttribute(HttpCodeView.CODE, ve.getStatus());
-        return JsonErrorView.VIEWNAME;
-      }
-
-
-      try {
-        // save the client
-        ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
-
-        // possibly update the token
-        OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, savedClient);
-
-        RegisteredClient registered =
-            new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/"
-                + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
-
-        // send it all out to the view
-        m.addAttribute("client", registered);
-        m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
-
-        return ClientInformationResponseView.VIEWNAME;
-
-      } catch (IllegalArgumentException e) {
-        logger.error("Couldn't save client", e);
-
-        m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
-        m.addAttribute(JsonErrorView.ERROR_MESSAGE,
-            "Unable to save client due to invalid or inconsistent metadata.");
-        m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
-
-        return JsonErrorView.VIEWNAME;
-      }
-    } else {
-      // client mismatch
-      logger.error("updateProtectedResource" + " failed, client ID mismatch: " + clientId + " and "
-          + auth.getOAuth2Request().getClientId() + " do not match.");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
-
-      return HttpCodeView.VIEWNAME;
-    }
-  }
-
-  /**
-   * Delete the indicated client from the system.
-   * 
-   * @param clientId
-   * @param m
-   * @param auth
-   * @return
-   */
-  @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
-      + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
-  @RequestMapping(value = "/{id}", method = RequestMethod.DELETE,
-      produces = MediaType.APPLICATION_JSON_VALUE)
-  public String deleteResource(@PathVariable("id") String clientId, Model m,
-      OAuth2Authentication auth) {
-
-    ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
-
-    if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
-
-      clientService.deleteClient(client);
-
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); // http 204
-
-      return HttpCodeView.VIEWNAME;
-    } else {
-      // client mismatch
-      logger.error("readClientConfiguration failed, client ID mismatch: " + clientId + " and "
-          + auth.getOAuth2Request().getClientId() + " do not match.");
-      m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
-
-      return HttpCodeView.VIEWNAME;
-    }
-  }
-
-  private ClientDetailsEntity validateAuth(ClientDetailsEntity newClient)
-      throws ValidationException {
-    if (newClient.getTokenEndpointAuthMethod() == null) {
-      newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
-    }
-
-    if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC
-        || newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT
-        || newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) {
-
-      if (Strings.isNullOrEmpty(newClient.getClientSecret())) {
-        // no secret yet, we need to generate a secret
-        newClient = clientService.generateClientSecret(newClient);
-      }
-    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
-      if (Strings.isNullOrEmpty(newClient.getJwksUri()) && newClient.getJwks() == null) {
-        throw new ValidationException("invalid_client_metadata",
-            "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
-      }
-
-      newClient.setClientSecret(null);
-    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
-      newClient.setClientSecret(null);
-    } else {
-      throw new ValidationException("invalid_client_metadata", "Unknown authentication method",
-          HttpStatus.BAD_REQUEST);
-    }
-    return newClient;
-  }
-
-  private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth,
-      ClientDetailsEntity client) {
-
-    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
-    OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
-
-    if (config.getRegTokenLifeTime() != null) {
-
-      try {
-        // Re-issue the token if it has been issued before [currentTime - validity]
-        Date validToDate =
-            new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
-        if (token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
-          logger.info("Rotating the registration access token for " + client.getClientId());
-          tokenService.revokeAccessToken(token);
-          OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
-          tokenService.saveAccessToken(newToken);
-          return newToken;
-        } else {
-          // it's not expired, keep going
-          return token;
-        }
-      } catch (ParseException e) {
-        logger.error("Couldn't parse a known-valid token?", e);
-        return token;
-      }
-    } else {
-      // tokens don't expire, just return it
-      return token;
-    }
-  }
+	/**
+	 *
+	 */
+	public static final String URL = "resource";
+
+	@Autowired
+	private ClientDetailsEntityService clientService;
+
+	@Autowired
+	private OAuth2TokenEntityService tokenService;
+
+	@Autowired
+	private SystemScopeService scopeService;
+
+	@Autowired
+	private ConfigurationPropertiesBean config;
+
+	@Autowired
+	private OIDCTokenService connectTokenService;
+
+	/**
+	 * Logger for this class
+	 */
+	private static final Logger logger = LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class);
+
+	/**
+	 * Create a new Client, issue a client ID, and create a registration access token.
+	 * @param jsonString
+	 * @param m
+	 * @param p
+	 * @return
+	 */
+	@RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+	public String registerNewProtectedResource(@RequestBody String jsonString, Model m) {
+
+		ClientDetailsEntity newClient = null;
+		try {
+			newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
+		} catch (JsonSyntaxException e) {
+			// bad parse
+			// didn't parse, this is a bad request
+			logger.error("registerNewProtectedResource failed; submitted JSON is malformed");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
+			return HttpCodeView.VIEWNAME;
+		}
+
+		if (newClient != null) {
+			// it parsed!
+
+			//
+			// Now do some post-processing consistency checks on it
+			//
+
+			// clear out any spurious id/secret (clients don't get to pick)
+			newClient.setClientId(null);
+			newClient.setClientSecret(null);
+
+			// do validation on the fields
+			try {
+				newClient = validateScopes(newClient);
+				newClient = validateAuth(newClient);
+			} catch (ValidationException ve) {
+				// validation failed, return an error
+				m.addAttribute(JsonErrorView.ERROR, ve.getError());
+				m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
+				m.addAttribute(HttpCodeView.CODE, ve.getStatus());
+				return JsonErrorView.VIEWNAME;
+			}
+
+
+			// no grant types are allowed
+			newClient.setGrantTypes(new HashSet<String>());
+			newClient.setResponseTypes(new HashSet<String>());
+			newClient.setRedirectUris(new HashSet<String>());
+
+			// don't issue tokens to this client
+			newClient.setAccessTokenValiditySeconds(0);
+			newClient.setIdTokenValiditySeconds(0);
+			newClient.setRefreshTokenValiditySeconds(0);
+
+			// clear out unused fields
+			newClient.setDefaultACRvalues(new HashSet<String>());
+			newClient.setDefaultMaxAge(null);
+			newClient.setIdTokenEncryptedResponseAlg(null);
+			newClient.setIdTokenEncryptedResponseEnc(null);
+			newClient.setIdTokenSignedResponseAlg(null);
+			newClient.setInitiateLoginUri(null);
+			newClient.setPostLogoutRedirectUris(null);
+			newClient.setRequestObjectSigningAlg(null);
+			newClient.setRequireAuthTime(null);
+			newClient.setReuseRefreshToken(false);
+			newClient.setSectorIdentifierUri(null);
+			newClient.setSubjectType(null);
+			newClient.setUserInfoEncryptedResponseAlg(null);
+			newClient.setUserInfoEncryptedResponseEnc(null);
+			newClient.setUserInfoSignedResponseAlg(null);
+
+			// this client has been dynamically registered (obviously)
+			newClient.setDynamicallyRegistered(true);
+
+			// this client has access to the introspection endpoint
+			newClient.setAllowIntrospection(true);
+
+			// now save it
+			try {
+				ClientDetailsEntity savedClient = clientService.saveNewClient(newClient);
+
+				// generate the registration access token
+				OAuth2AccessTokenEntity token = connectTokenService.createResourceAccessToken(savedClient);
+				tokenService.saveAccessToken(token);
+
+				// send it all out to the view
+
+				RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
+				m.addAttribute("client", registered);
+				m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
+
+				return ClientInformationResponseView.VIEWNAME;
+			} catch (IllegalArgumentException e) {
+				logger.error("Couldn't save client", e);
+
+				m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
+				m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
+				m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
+
+				return JsonErrorView.VIEWNAME;
+			}
+		} else {
+			// didn't parse, this is a bad request
+			logger.error("registerNewClient failed; submitted JSON is malformed");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
+
+			return HttpCodeView.VIEWNAME;
+		}
+
+	}
+
+	private ClientDetailsEntity validateScopes(ClientDetailsEntity newClient) throws ValidationException {
+		// scopes that the client is asking for
+		Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
+
+		// the scopes that the client can have must be a subset of the dynamically allowed scopes
+		Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);
+
+		// if the client didn't ask for any, give them the defaults
+		if (allowedScopes == null || allowedScopes.isEmpty()) {
+			allowedScopes = scopeService.getDefaults();
+		}
+
+		newClient.setScope(scopeService.toStrings(allowedScopes));
+
+		return newClient;
+	}
+
+	/**
+	 * Get the meta information for a client.
+	 * @param clientId
+	 * @param m
+	 * @param auth
+	 * @return
+	 */
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
+	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
+	public String readResourceConfiguration(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
+
+		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
+
+		if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
+			
+			// possibly update the token
+			OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, client);
+
+			RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/" +  UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
+
+			// send it all out to the view
+			m.addAttribute("client", registered);
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
+
+			return ClientInformationResponseView.VIEWNAME;
+			
+		} else {
+			// client mismatch
+			logger.error("readResourceConfiguration failed, client ID mismatch: "
+					+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
+
+			return HttpCodeView.VIEWNAME;
+		}
+	}
+
+	/**
+	 * Update the metainformation for a given client.
+	 * @param clientId
+	 * @param jsonString
+	 * @param m
+	 * @param auth
+	 * @return
+	 */
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
+	@RequestMapping(value = "/{id}", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
+	public String updateProtectedResource(@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
+
+
+		ClientDetailsEntity newClient = null;
+		try {
+			newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
+		} catch (JsonSyntaxException e) {
+			// bad parse
+			// didn't parse, this is a bad request
+			logger.error("updateProtectedResource failed; submitted JSON is malformed");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
+			return HttpCodeView.VIEWNAME;
+		}
+
+		ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
+
+		if (newClient != null && oldClient != null  // we have an existing client and the new one parsed
+				&& oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth
+				&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
+				) {
+
+			// a client can't ask to update its own client secret to any particular value
+			newClient.setClientSecret(oldClient.getClientSecret());
+
+			newClient.setCreatedAt(oldClient.getCreatedAt());
+
+			// no grant types are allowed
+			newClient.setGrantTypes(new HashSet<String>());
+			newClient.setResponseTypes(new HashSet<String>());
+			newClient.setRedirectUris(new HashSet<String>());
+
+			// don't issue tokens to this client
+			newClient.setAccessTokenValiditySeconds(0);
+			newClient.setIdTokenValiditySeconds(0);
+			newClient.setRefreshTokenValiditySeconds(0);
+
+			// clear out unused fields
+			newClient.setDefaultACRvalues(new HashSet<String>());
+			newClient.setDefaultMaxAge(null);
+			newClient.setIdTokenEncryptedResponseAlg(null);
+			newClient.setIdTokenEncryptedResponseEnc(null);
+			newClient.setIdTokenSignedResponseAlg(null);
+			newClient.setInitiateLoginUri(null);
+			newClient.setPostLogoutRedirectUris(null);
+			newClient.setRequestObjectSigningAlg(null);
+			newClient.setRequireAuthTime(null);
+			newClient.setReuseRefreshToken(false);
+			newClient.setSectorIdentifierUri(null);
+			newClient.setSubjectType(null);
+			newClient.setUserInfoEncryptedResponseAlg(null);
+			newClient.setUserInfoEncryptedResponseEnc(null);
+			newClient.setUserInfoSignedResponseAlg(null);
+
+			// this client has been dynamically registered (obviously)
+			newClient.setDynamicallyRegistered(true);
+
+			// this client has access to the introspection endpoint
+			newClient.setAllowIntrospection(true);
+
+			// do validation on the fields
+			try {
+				newClient = validateScopes(newClient);
+				newClient = validateAuth(newClient);
+			} catch (ValidationException ve) {
+				// validation failed, return an error
+				m.addAttribute(JsonErrorView.ERROR, ve.getError());
+				m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
+				m.addAttribute(HttpCodeView.CODE, ve.getStatus());
+				return JsonErrorView.VIEWNAME;
+			}
+
+
+			try {
+				// save the client
+				ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
+
+				// possibly update the token
+				OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, savedClient);
+
+				RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
+
+				// send it all out to the view
+				m.addAttribute("client", registered);
+				m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
+
+				return ClientInformationResponseView.VIEWNAME;
+			} catch (IllegalArgumentException e) {
+				logger.error("Couldn't save client", e);
+
+				m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
+				m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
+				m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
+
+				return JsonErrorView.VIEWNAME;
+			}
+		} else {
+			// client mismatch
+			logger.error("updateProtectedResource" +
+					" failed, client ID mismatch: "
+					+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
+
+			return HttpCodeView.VIEWNAME;
+		}
+	}
+
+	/**
+	 * Delete the indicated client from the system.
+	 * @param clientId
+	 * @param m
+	 * @param auth
+	 * @return
+	 */
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
+	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MediaType.APPLICATION_JSON_VALUE)
+	public String deleteResource(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
+
+		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
+
+		if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
+
+			clientService.deleteClient(client);
+
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); // http 204
+
+			return HttpCodeView.VIEWNAME;
+		} else {
+			// client mismatch
+			logger.error("readClientConfiguration failed, client ID mismatch: "
+					+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
+			m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
+
+			return HttpCodeView.VIEWNAME;
+		}
+	}
+
+	private ClientDetailsEntity validateAuth(ClientDetailsEntity newClient) throws ValidationException {
+		if (newClient.getTokenEndpointAuthMethod() == null) {
+			newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
+		}
+
+		if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC ||
+				newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT ||
+				newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) {
+
+			if (Strings.isNullOrEmpty(newClient.getClientSecret())) {
+				// no secret yet, we need to generate a secret
+				newClient = clientService.generateClientSecret(newClient);
+			}
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
+			if (Strings.isNullOrEmpty(newClient.getJwksUri()) && newClient.getJwks() == null) {
+				throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
+			}
+
+			newClient.setClientSecret(null);
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
+			newClient.setClientSecret(null);
+		} else {
+			throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
+		}
+		return newClient;
+	}
+
+	private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) {
+
+		OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
+		OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
+
+		if (config.getRegTokenLifeTime() != null) {
+
+			try {
+				// Re-issue the token if it has been issued before [currentTime - validity]
+				Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
+				if(token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
+					logger.info("Rotating the registration access token for " + client.getClientId());
+					tokenService.revokeAccessToken(token);
+					OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
+					tokenService.saveAccessToken(newToken);
+					return newToken;
+				} else {
+					// it's not expired, keep going
+					return token;
+				}
+			} catch (ParseException e) {
+				logger.error("Couldn't parse a known-valid token?", e);
+				return token;
+			}
+		} else {
+			// tokens don't expire, just return it
+			return token;
+		}
+	}

 }
--- a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_0.java
+++ b/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_0.java
@ -141,7 +141,8 @@ public class TestMITREidDataService_1_0 {

 	@Test
 	public void testImportRefreshTokens() throws IOException, ParseException {
-      Date expirationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
+
+		Date expirationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
 		when(mockedClient1.getClientId()).thenReturn("mocked_client_1");
@ -156,7 +157,7 @@ public class TestMITREidDataService_1_0 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(mockedAuthHolder1);

-        Date expirationDate2 = formatter.parse("2015-01-07T18:31:50.079Z", Locale.ENGLISH);
+		Date expirationDate2 = formatter.parse("2015-01-07T18:31:50.079+00:00", Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
 		when(mockedClient2.getClientId()).thenReturn("mocked_client_2");
@ -181,9 +182,9 @@ public class TestMITREidDataService_1_0 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
@ -258,7 +259,8 @@ public class TestMITREidDataService_1_0 {

 	@Test
 	public void testImportAccessTokens() throws IOException, ParseException {
-      Date expirationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
+
+		Date expirationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
 		when(mockedClient1.getClientId()).thenReturn("mocked_client_1");
@ -275,7 +277,7 @@ public class TestMITREidDataService_1_0 {
 		token1.setScope(ImmutableSet.of("id-token"));
 		token1.setTokenType("Bearer");

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -307,10 +309,10 @@ public class TestMITREidDataService_1_0 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.ACCESSTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"refreshTokenId\":null,\"idTokenId\":null,\"scope\":[\"id-token\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3ODk5NjgsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXRfaGFzaCI6InptTmt1QmNRSmNYQktNaVpFODZqY0EiLCJhdWQiOlsiY2xpZW50Il0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJpYXQiOjE0MTI3ODkzNjh9.xkEJ9IMXpH7qybWXomfq9WOOlpGYnrvGPgey9UQ4GLzbQx7JC0XgJK83PmrmBZosvFPCmota7FzI_BtwoZLgAZfFiH6w3WIlxuogoH-TxmYbxEpTHoTsszZppkq9mNgOlArV4jrR9y3TPo4MovsH71dDhS_ck-CvAlJunHlqhs0\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"refreshTokenId\":1,\"idTokenId\":1,\"scope\":[\"openid\",\"offline_access\",\"email\",\"profile\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3OTI5NjgsImF1ZCI6WyJjbGllbnQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6IjBmZGE5ZmRiLTYyYzItNGIzZS05OTdiLWU0M2VhMDUwMzNiOSIsImlhdCI6MTQxMjc4OTM2OH0.xgaVpRLYE5MzbgXfE0tZt823tjAm6Oh3_kdR1P2I9jRLR6gnTlBQFlYi3Y_0pWNnZSerbAE8Tn6SJHZ9k-curVG0-ByKichV7CNvgsE5X_2wpEaUzejvKf8eZ-BammRY-ie6yxSkAarcUGMvGGOLbkFcz5CtrBpZhfd75J49BIQ\"}" +

@ -573,8 +575,9 @@ public class TestMITREidDataService_1_0 {

 	@Test
 	public void testImportGrants() throws IOException, ParseException {
-      Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
-      Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090Z", Locale.ENGLISH);
+
+		Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090+00:00", Locale.ENGLISH);

 		OAuth2AccessTokenEntity mockToken1 = mock(OAuth2AccessTokenEntity.class);
 		when(mockToken1.getId()).thenReturn(1L);
@ -588,9 +591,9 @@ public class TestMITREidDataService_1_0 {
 		site1.setAllowedScopes(ImmutableSet.of("openid", "phone"));
 		when(mockToken1.getApprovedSite()).thenReturn(site1);

-        Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090Z", Locale.ENGLISH);
-        Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090Z", Locale.ENGLISH);
-        Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090Z", Locale.ENGLISH);
+		Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090+00:00", Locale.ENGLISH);
+		Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090+00:00", Locale.ENGLISH);

 		ApprovedSite site2 = new ApprovedSite();
 		site2.setId(2L);
@ -611,11 +614,11 @@ public class TestMITREidDataService_1_0 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.GRANTS + "\": [" +

-            "{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090Z\",\"accessDate\":\"2014-09-10T23:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090+00:00\",\"accessDate\":\"2014-09-10T23:49:44.090+00:00\","
 				+ "\"userId\":\"user1\",\"whitelistedSiteId\":null,\"allowedScopes\":[\"openid\",\"phone\"], \"whitelistedSiteId\":1,"
 				+ "\"approvedAccessTokens\":[1]}," +
-            "{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090Z\",\"accessDate\":\"2014-09-11T20:49:44.090Z\","
-            + "\"timeoutDate\":\"2014-10-01T20:49:44.090Z\",\"userId\":\"user2\","
+				"{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090+00:00\",\"accessDate\":\"2014-09-11T20:49:44.090+00:00\","
+				+ "\"timeoutDate\":\"2014-10-01T20:49:44.090+00:00\",\"userId\":\"user2\","
 				+ "\"allowedScopes\":[\"openid\",\"offline_access\",\"email\",\"profile\"]}" +

 				"  ]" +
@ -828,7 +831,8 @@ public class TestMITREidDataService_1_0 {

 	@Test
 	public void testFixRefreshTokenAuthHolderReferencesOnImport() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -851,7 +855,7 @@ public class TestMITREidDataService_1_0 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(holder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -890,9 +894,9 @@ public class TestMITREidDataService_1_0 {
 				"  ]," +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
--- a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_1.java
+++ b/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_1.java
@ -142,7 +142,8 @@ public class TestMITREidDataService_1_1 {

 	@Test
 	public void testImportRefreshTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -158,7 +159,7 @@ public class TestMITREidDataService_1_1 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(mockedAuthHolder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -184,9 +185,9 @@ public class TestMITREidDataService_1_1 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
@ -261,7 +262,8 @@ public class TestMITREidDataService_1_1 {

 	@Test
 	public void testImportAccessTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -279,7 +281,7 @@ public class TestMITREidDataService_1_1 {
 		token1.setScope(ImmutableSet.of("id-token"));
 		token1.setTokenType("Bearer");

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -311,10 +313,10 @@ public class TestMITREidDataService_1_1 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.ACCESSTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"refreshTokenId\":null,\"idTokenId\":null,\"scope\":[\"id-token\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3ODk5NjgsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXRfaGFzaCI6InptTmt1QmNRSmNYQktNaVpFODZqY0EiLCJhdWQiOlsiY2xpZW50Il0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJpYXQiOjE0MTI3ODkzNjh9.xkEJ9IMXpH7qybWXomfq9WOOlpGYnrvGPgey9UQ4GLzbQx7JC0XgJK83PmrmBZosvFPCmota7FzI_BtwoZLgAZfFiH6w3WIlxuogoH-TxmYbxEpTHoTsszZppkq9mNgOlArV4jrR9y3TPo4MovsH71dDhS_ck-CvAlJunHlqhs0\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"refreshTokenId\":1,\"idTokenId\":1,\"scope\":[\"openid\",\"offline_access\",\"email\",\"profile\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3OTI5NjgsImF1ZCI6WyJjbGllbnQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6IjBmZGE5ZmRiLTYyYzItNGIzZS05OTdiLWU0M2VhMDUwMzNiOSIsImlhdCI6MTQxMjc4OTM2OH0.xgaVpRLYE5MzbgXfE0tZt823tjAm6Oh3_kdR1P2I9jRLR6gnTlBQFlYi3Y_0pWNnZSerbAE8Tn6SJHZ9k-curVG0-ByKichV7CNvgsE5X_2wpEaUzejvKf8eZ-BammRY-ie6yxSkAarcUGMvGGOLbkFcz5CtrBpZhfd75J49BIQ\"}" +

@ -576,8 +578,9 @@ public class TestMITREidDataService_1_1 {

 	@Test
 	public void testImportGrants() throws IOException, ParseException {
-      Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
-      Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090Z", Locale.ENGLISH);
+
+		Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090+00:00", Locale.ENGLISH);

 		OAuth2AccessTokenEntity mockToken1 = mock(OAuth2AccessTokenEntity.class);
 		when(mockToken1.getId()).thenReturn(1L);
@ -591,9 +594,9 @@ public class TestMITREidDataService_1_1 {
 		site1.setAllowedScopes(ImmutableSet.of("openid", "phone"));
 		when(mockToken1.getApprovedSite()).thenReturn(site1);

-        Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090Z", Locale.ENGLISH);
-        Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090Z", Locale.ENGLISH);
-        Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090Z", Locale.ENGLISH);
+		Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090+00:00", Locale.ENGLISH);
+		Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090+00:00", Locale.ENGLISH);

 		ApprovedSite site2 = new ApprovedSite();
 		site2.setId(2L);
@ -614,11 +617,11 @@ public class TestMITREidDataService_1_1 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.GRANTS + "\": [" +

-            "{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090Z\",\"accessDate\":\"2014-09-10T23:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090+00:00\",\"accessDate\":\"2014-09-10T23:49:44.090+00:00\","
 				+ "\"userId\":\"user1\",\"whitelistedSiteId\":null,\"allowedScopes\":[\"openid\",\"phone\"], \"whitelistedSiteId\":1,"
 				+ "\"approvedAccessTokens\":[1]}," +
-            "{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090Z\",\"accessDate\":\"2014-09-11T20:49:44.090Z\","
-            + "\"timeoutDate\":\"2014-10-01T20:49:44.090Z\",\"userId\":\"user2\","
+				"{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090+00:00\",\"accessDate\":\"2014-09-11T20:49:44.090+00:00\","
+				+ "\"timeoutDate\":\"2014-10-01T20:49:44.090+00:00\",\"userId\":\"user2\","
 				+ "\"allowedScopes\":[\"openid\",\"offline_access\",\"email\",\"profile\"]}" +

 				"  ]" +
@ -830,7 +833,8 @@ public class TestMITREidDataService_1_1 {

 	@Test
 	public void testFixRefreshTokenAuthHolderReferencesOnImport() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -853,7 +857,7 @@ public class TestMITREidDataService_1_1 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(holder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -892,9 +896,9 @@ public class TestMITREidDataService_1_1 {
 				"  ]," +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
--- a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_2.java
+++ b/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_2.java
@ -144,7 +144,8 @@ public class TestMITREidDataService_1_2 {

 	@Test
 	public void testImportRefreshTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -160,7 +161,7 @@ public class TestMITREidDataService_1_2 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(mockedAuthHolder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -186,9 +187,9 @@ public class TestMITREidDataService_1_2 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
@ -263,7 +264,8 @@ public class TestMITREidDataService_1_2 {

 	@Test
 	public void testImportAccessTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -281,7 +283,7 @@ public class TestMITREidDataService_1_2 {
 		token1.setScope(ImmutableSet.of("id-token"));
 		token1.setTokenType("Bearer");

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -313,10 +315,10 @@ public class TestMITREidDataService_1_2 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.ACCESSTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"refreshTokenId\":null,\"idTokenId\":null,\"scope\":[\"id-token\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3ODk5NjgsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXRfaGFzaCI6InptTmt1QmNRSmNYQktNaVpFODZqY0EiLCJhdWQiOlsiY2xpZW50Il0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJpYXQiOjE0MTI3ODkzNjh9.xkEJ9IMXpH7qybWXomfq9WOOlpGYnrvGPgey9UQ4GLzbQx7JC0XgJK83PmrmBZosvFPCmota7FzI_BtwoZLgAZfFiH6w3WIlxuogoH-TxmYbxEpTHoTsszZppkq9mNgOlArV4jrR9y3TPo4MovsH71dDhS_ck-CvAlJunHlqhs0\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"refreshTokenId\":1,\"idTokenId\":1,\"scope\":[\"openid\",\"offline_access\",\"email\",\"profile\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3OTI5NjgsImF1ZCI6WyJjbGllbnQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6IjBmZGE5ZmRiLTYyYzItNGIzZS05OTdiLWU0M2VhMDUwMzNiOSIsImlhdCI6MTQxMjc4OTM2OH0.xgaVpRLYE5MzbgXfE0tZt823tjAm6Oh3_kdR1P2I9jRLR6gnTlBQFlYi3Y_0pWNnZSerbAE8Tn6SJHZ9k-curVG0-ByKichV7CNvgsE5X_2wpEaUzejvKf8eZ-BammRY-ie6yxSkAarcUGMvGGOLbkFcz5CtrBpZhfd75J49BIQ\"}" +

@ -578,8 +580,9 @@ public class TestMITREidDataService_1_2 {

 	@Test
 	public void testImportGrants() throws IOException, ParseException {
-      Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
-      Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090Z", Locale.ENGLISH);
+
+		Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090+00:00", Locale.ENGLISH);

 		OAuth2AccessTokenEntity mockToken1 = mock(OAuth2AccessTokenEntity.class);
 		when(mockToken1.getId()).thenReturn(1L);
@ -593,9 +596,9 @@ public class TestMITREidDataService_1_2 {
 		site1.setAllowedScopes(ImmutableSet.of("openid", "phone"));
 		when(mockToken1.getApprovedSite()).thenReturn(site1);

-        Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090Z", Locale.ENGLISH);
-        Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090Z", Locale.ENGLISH);
-        Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090Z", Locale.ENGLISH);
+		Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090+00:00", Locale.ENGLISH);
+		Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090+00:00", Locale.ENGLISH);

 		ApprovedSite site2 = new ApprovedSite();
 		site2.setId(2L);
@ -616,11 +619,11 @@ public class TestMITREidDataService_1_2 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.GRANTS + "\": [" +

-            "{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090Z\",\"accessDate\":\"2014-09-10T23:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090+00:00\",\"accessDate\":\"2014-09-10T23:49:44.090+00:00\","
 				+ "\"userId\":\"user1\",\"whitelistedSiteId\":null,\"allowedScopes\":[\"openid\",\"phone\"], \"whitelistedSiteId\":1,"
 				+ "\"approvedAccessTokens\":[1]}," +
-            "{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090Z\",\"accessDate\":\"2014-09-11T20:49:44.090Z\","
-            + "\"timeoutDate\":\"2014-10-01T20:49:44.090Z\",\"userId\":\"user2\","
+				"{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090+00:00\",\"accessDate\":\"2014-09-11T20:49:44.090+00:00\","
+				+ "\"timeoutDate\":\"2014-10-01T20:49:44.090+00:00\",\"userId\":\"user2\","
 				+ "\"allowedScopes\":[\"openid\",\"offline_access\",\"email\",\"profile\"]}" +

 				"  ]" +
@ -832,7 +835,8 @@ public class TestMITREidDataService_1_2 {

 	@Test
 	public void testFixRefreshTokenAuthHolderReferencesOnImport() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -855,7 +859,7 @@ public class TestMITREidDataService_1_2 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(holder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -894,9 +898,9 @@ public class TestMITREidDataService_1_2 {
 				"  ]," +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
--- a/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_3.java
+++ b/openid-connect-server/src/test/java/org/mitre/openid/connect/service/impl/TestMITREidDataService_1_3.java
@ -147,7 +147,8 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testExportRefreshTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -163,7 +164,7 @@ public class TestMITREidDataService_1_3 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(mockedAuthHolder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -270,7 +271,8 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testImportRefreshTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -286,7 +288,7 @@ public class TestMITREidDataService_1_3 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(mockedAuthHolder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -312,9 +314,9 @@ public class TestMITREidDataService_1_3 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
@ -382,7 +384,8 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testExportAccessTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -400,7 +403,7 @@ public class TestMITREidDataService_1_3 {
 		token1.setScope(ImmutableSet.of("id-token"));
 		token1.setTokenType("Bearer");

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -520,7 +523,8 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testImportAccessTokens() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -538,7 +542,7 @@ public class TestMITREidDataService_1_3 {
 		token1.setScope(ImmutableSet.of("id-token"));
 		token1.setTokenType("Bearer");

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -570,10 +574,10 @@ public class TestMITREidDataService_1_3 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.ACCESSTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"refreshTokenId\":null,\"idTokenId\":null,\"scope\":[\"id-token\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3ODk5NjgsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXRfaGFzaCI6InptTmt1QmNRSmNYQktNaVpFODZqY0EiLCJhdWQiOlsiY2xpZW50Il0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo4MDgwXC9vcGVuaWQtY29ubmVjdC1zZXJ2ZXItd2ViYXBwXC8iLCJpYXQiOjE0MTI3ODkzNjh9.xkEJ9IMXpH7qybWXomfq9WOOlpGYnrvGPgey9UQ4GLzbQx7JC0XgJK83PmrmBZosvFPCmota7FzI_BtwoZLgAZfFiH6w3WIlxuogoH-TxmYbxEpTHoTsszZppkq9mNgOlArV4jrR9y3TPo4MovsH71dDhS_ck-CvAlJunHlqhs0\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"refreshTokenId\":1,\"idTokenId\":1,\"scope\":[\"openid\",\"offline_access\",\"email\",\"profile\"],\"type\":\"Bearer\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MTI3OTI5NjgsImF1ZCI6WyJjbGllbnQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6IjBmZGE5ZmRiLTYyYzItNGIzZS05OTdiLWU0M2VhMDUwMzNiOSIsImlhdCI6MTQxMjc4OTM2OH0.xgaVpRLYE5MzbgXfE0tZt823tjAm6Oh3_kdR1P2I9jRLR6gnTlBQFlYi3Y_0pWNnZSerbAE8Tn6SJHZ9k-curVG0-ByKichV7CNvgsE5X_2wpEaUzejvKf8eZ-BammRY-ie6yxSkAarcUGMvGGOLbkFcz5CtrBpZhfd75J49BIQ\"}" +

@ -1128,8 +1132,9 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testExportGrants() throws IOException, ParseException {
-      Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
-      Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090Z", Locale.ENGLISH);
+
+		Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090+00:00", Locale.ENGLISH);

 		OAuth2AccessTokenEntity mockToken1 = mock(OAuth2AccessTokenEntity.class);
 		when(mockToken1.getId()).thenReturn(1L);
@ -1143,9 +1148,9 @@ public class TestMITREidDataService_1_3 {
 		site1.setAllowedScopes(ImmutableSet.of("openid", "phone"));
 		when(mockToken1.getApprovedSite()).thenReturn(site1);

-        Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090Z", Locale.ENGLISH);
-        Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090Z", Locale.ENGLISH);
-        Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090Z", Locale.ENGLISH);
+		Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090+00:00", Locale.ENGLISH);
+		Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090+00:00", Locale.ENGLISH);

 		ApprovedSite site2 = new ApprovedSite();
 		site2.setId(2L);
@ -1243,8 +1248,9 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testImportGrants() throws IOException, ParseException {
-      Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090Z", Locale.ENGLISH);
-      Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090Z", Locale.ENGLISH);
+
+		Date creationDate1 = formatter.parse("2014-09-10T22:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate1 = formatter.parse("2014-09-10T23:49:44.090+00:00", Locale.ENGLISH);

 		OAuth2AccessTokenEntity mockToken1 = mock(OAuth2AccessTokenEntity.class);
 		when(mockToken1.getId()).thenReturn(1L);
@ -1258,9 +1264,9 @@ public class TestMITREidDataService_1_3 {
 		site1.setAllowedScopes(ImmutableSet.of("openid", "phone"));
 		when(mockToken1.getApprovedSite()).thenReturn(site1);

-        Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090Z", Locale.ENGLISH);
-        Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090Z", Locale.ENGLISH);
-        Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090Z", Locale.ENGLISH);
+		Date creationDate2 = formatter.parse("2014-09-11T18:49:44.090+00:00", Locale.ENGLISH);
+		Date accessDate2 = formatter.parse("2014-09-11T20:49:44.090+00:00", Locale.ENGLISH);
+		Date timeoutDate2 = formatter.parse("2014-10-01T20:49:44.090+00:00", Locale.ENGLISH);

 		ApprovedSite site2 = new ApprovedSite();
 		site2.setId(2L);
@ -1281,11 +1287,11 @@ public class TestMITREidDataService_1_3 {
 				"\"" + MITREidDataService.AUTHENTICATIONHOLDERS + "\": [], " +
 				"\"" + MITREidDataService.GRANTS + "\": [" +

-            "{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090Z\",\"accessDate\":\"2014-09-10T23:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"foo\",\"creationDate\":\"2014-09-10T22:49:44.090+00:00\",\"accessDate\":\"2014-09-10T23:49:44.090+00:00\","
 				+ "\"userId\":\"user1\",\"whitelistedSiteId\":null,\"allowedScopes\":[\"openid\",\"phone\"], \"whitelistedSiteId\":1,"
 				+ "\"approvedAccessTokens\":[1]}," +
-            "{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090Z\",\"accessDate\":\"2014-09-11T20:49:44.090Z\","
-            + "\"timeoutDate\":\"2014-10-01T20:49:44.090Z\",\"userId\":\"user2\","
+				"{\"id\":2,\"clientId\":\"bar\",\"creationDate\":\"2014-09-11T18:49:44.090+00:00\",\"accessDate\":\"2014-09-11T20:49:44.090+00:00\","
+				+ "\"timeoutDate\":\"2014-10-01T20:49:44.090+00:00\",\"userId\":\"user2\","
 				+ "\"allowedScopes\":[\"openid\",\"offline_access\",\"email\",\"profile\"]}" +

 				"  ]" +
@ -1714,7 +1720,8 @@ public class TestMITREidDataService_1_3 {

 	@Test
 	public void testFixRefreshTokenAuthHolderReferencesOnImport() throws IOException, ParseException {
-      String expiration1 = "2014-09-10T22:49:44.090Z";
+
+		String expiration1 = "2014-09-10T22:49:44.090+00:00";
 		Date expirationDate1 = formatter.parse(expiration1, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient1 = mock(ClientDetailsEntity.class);
@ -1737,7 +1744,7 @@ public class TestMITREidDataService_1_3 {
 		token1.setJwt(JWTParser.parse("eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ."));
 		token1.setAuthenticationHolder(holder1);

-        String expiration2 = "2015-01-07T18:31:50.079Z";
+		String expiration2 = "2015-01-07T18:31:50.079+00:00";
 		Date expirationDate2 = formatter.parse(expiration2, Locale.ENGLISH);

 		ClientDetailsEntity mockedClient2 = mock(ClientDetailsEntity.class);
@ -1776,9 +1783,9 @@ public class TestMITREidDataService_1_3 {
 				"  ]," +
 				"\"" + MITREidDataService.REFRESHTOKENS + "\": [" +

-            "{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090Z\","
+				"{\"id\":1,\"clientId\":\"mocked_client_1\",\"expiration\":\"2014-09-10T22:49:44.090+00:00\","
 				+ "\"authenticationHolderId\":1,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJmOTg4OWQyOS0xMTk1LTQ4ODEtODgwZC1lZjVlYzAwY2Y4NDIifQ.\"}," +
-            "{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079Z\","
+				"{\"id\":2,\"clientId\":\"mocked_client_2\",\"expiration\":\"2015-01-07T18:31:50.079+00:00\","
 				+ "\"authenticationHolderId\":2,\"value\":\"eyJhbGciOiJub25lIn0.eyJqdGkiOiJlYmEyYjc3My0xNjAzLTRmNDAtOWQ3MS1hMGIxZDg1OWE2MDAifQ.\"}" +

 				"  ]" +
--- a/pom.xml
+++ b/pom.xml
@ -67,7 +67,7 @@
 	</mailingLists>

 	<properties>
-		<java-version>1.8</java-version>
+		<java-version>11</java-version>
 		<org.slf4j-version>1.7.25</org.slf4j-version>
 	</properties>
 	<description>A reference implementation of OpenID Connect (http://openid.net/connect/), OAuth 2.0, and UMA built on top of Java, Spring, and Spring Security. The project contains a fully functioning server, client, and utility library.</description>
@ -93,7 +93,7 @@
 				<plugin>
 					<groupId>org.jacoco</groupId>
 					<artifactId>jacoco-maven-plugin</artifactId>
-					<version>0.7.9</version>
+					<version>0.8.7</version>
 				</plugin>
 				<plugin>
 					<groupId>org.apache.maven.plugins</groupId>
@ -175,7 +175,7 @@
 				<plugin>
 					<groupId>ro.isdc.wro4j</groupId>
 					<artifactId>wro4j-maven-plugin</artifactId>
-					<version>1.8.0</version>
+					<version>1.10.0</version>
 					<executions>
 						<execution>
 							<phase>compile</phase>
@ -188,7 +188,7 @@
 						<dependency>
 							<groupId>ro.isdc.wro4j</groupId>
 							<artifactId>wro4j-extensions</artifactId>
-							<version>1.8.0</version>
+							<version>1.10.0</version>
 						</dependency>
 					</dependencies>
 				</plugin>
@ -460,12 +460,12 @@
 			<dependency>
 				<groupId>org.eclipse.persistence</groupId>
 				<artifactId>org.eclipse.persistence.jpa</artifactId>
-				<version>2.5.1</version>
+				<version>2.7.4</version>
 			</dependency>
 			<dependency>
 				<groupId>org.eclipse.persistence</groupId>
 				<artifactId>javax.persistence</artifactId>
-				<version>2.1.1</version>
+				<version>2.2.1</version>
 			</dependency>
 			<dependency>
 				<groupId>com.zaxxer</groupId>
@ -585,7 +585,7 @@
 			<dependency>
 				<groupId>com.google.guava</groupId>
 				<artifactId>guava</artifactId>
-				<version>21.0</version>
+				<version>27.0-jre</version>
 			</dependency>
 			<dependency>
 				<groupId>com.google.code.gson</groupId>
@ -616,7 +616,7 @@
 			<dependency>
 				<groupId>org.eclipse.persistence</groupId>
 				<artifactId>org.eclipse.persistence.core</artifactId>
-				<version>2.5.1</version>
+				<version>2.7.4</version>
 			</dependency>
 			<dependency>
 				<groupId>org.apache.commons</groupId>
@ -626,7 +626,34 @@
 			<dependency>
 				<groupId>ro.isdc.wro4j</groupId>
 				<artifactId>wro4j-extensions</artifactId>
-				<version>1.8.0</version>
+				<version>1.10.0</version>
+			</dependency>
+			
+			<!-- java11 -->
+			<dependency>
+			  <groupId>javax.annotation</groupId>
+			  <artifactId>javax.annotation-api</artifactId>
+			  <version>1.3.2</version>
+			</dependency>
+			<dependency>
+				<groupId>jakarta.xml.bind</groupId>
+				<artifactId>jakarta.xml.bind-api</artifactId>
+				<version>3.0.0</version>
+			</dependency>
+			<dependency>
+	    		<groupId>javax.xml.bind</groupId>
+	    		<artifactId>jaxb-api</artifactId>
+	    		<version>2.3.1</version>
+			</dependency>
+			<dependency>
+			    <groupId>javax.activation</groupId>
+			    <artifactId>activation</artifactId>
+			    <version>1.1</version>
+			</dependency>
+			<dependency>
+			    <groupId>org.glassfish.jaxb</groupId>
+			    <artifactId>jaxb-runtime</artifactId>
+			    <version>2.3.0-b170127.1453</version>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
--- a/uma-server-webapp/pom.xml
+++ b/uma-server-webapp/pom.xml
@ -19,7 +19,7 @@
 	 <parent>
 		<groupId>org.mitre</groupId>
 		<artifactId>openid-connect-parent</artifactId>
-		<version>1.3.3-SNAPSHOT</version>
+		<version>1.3.5-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	 </parent>
 	 <artifactId>uma-server-webapp</artifactId>
--- a/uma-server/pom.xml
+++ b/uma-server/pom.xml
@ -19,7 +19,7 @@
 	<parent>
 		<groupId>org.mitre</groupId>
 		<artifactId>openid-connect-parent</artifactId>
-		<version>1.3.3-SNAPSHOT</version>
+		<version>1.3.5-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>uma-server</artifactId>
@ -47,4 +47,4 @@
 			<artifactId>openid-connect-client</artifactId>
 		</dependency>
 	</dependencies>
-</project>
+</project>