diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a914d5..8149405 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO. +21.2.0 (04-28-2021) +=================== + +newCAS Production Server Release + 21.1.5 (04-14-2021) =================== diff --git a/README.md b/README.md index fa44031..e2f26e2 100644 --- a/README.md +++ b/README.md @@ -19,14 +19,15 @@ OSF CAS is the centralized authentication and authorization service for the [OSF * OSF username and verification key login * OSF two-factor authentication * Delegated authentication - * ORCiD login - * **WIP** - CAS client: supports CAS protocol based institution SSO - * **WIP** - SAML service provider: supports SAML protocol based institution SSO -* **TBI** - OAuth authorization server for OSF + * OAuth 2.0 client: supports ORCiD login + * CAS client: supports institution SSO using the CAS protocol + * SAML service provider: supports institution SSO using the SAML protocol +* OAuth 2.0 authorization server for OSF +* Authentication failure throttling # Implementations -The implementation of OSF CAS is based on [Apereo CAS 6.2.x](https://github.com/apereo/cas/tree/6.2.x) via [CAS Overlay Template 6.2.x](https://github.com/apereo/cas-overlay-template/tree/6.2). Refer to [CAS Documentaion 6.2.x](https://apereo.github.io/cas/6.2.x/) for more details. +The implementation of OSF CAS is based on [Apereo CAS 6.2.8](https://github.com/apereo/cas/tree/v6.2.8) via [CAS Overlay Template 6.2.x](https://github.com/apereo/cas-overlay-template/tree/6.2). Refer to [CAS Documentation 6.2.x](https://apereo.github.io/cas/6.2.x/) for more details. ## Legacy Implementations @@ -34,20 +35,20 @@ A legacy version can be found at [CAS Overlay](https://github.com/CenterForOpenS # Versions -- OSF CAS `20.0.x` -- Apereo CAS `6.2.x` +- OSF CAS [21.2.x](https://github.com/CenterForOpenScience/osf-cas/releases/latest) +- Apereo CAS `6.2.8` - PostgreSQL `9.6` - JDK `11` # Configure, Build and Run OSF CAS -It is recommended to use the provided scripts to [build](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-build.sh) and [run](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-run.sh) CAS. Refer to Apereo's [README.md](https://github.com/apereo/cas-overlay-template/tree/6.2#cas-overlay-template-) for more options. +It is recommended to use the provided scripts to [build](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-build.sh) and [run](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-run.sh) CAS. Refer to Apereo [README.md](https://github.com/apereo/cas-overlay-template/tree/6.2#cas-overlay-template-) for more options. Use [`cas.properties`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/etc/cas/config/cas.properties) and [`Dockerfile`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/Dockerfile) to configure staging and production servers. Use [`cas-local.properties`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/etc/cas/config/local/cas-local.properties) and [`Dockerfile-local`](https://github.com/CenterForOpenScience/osf-cas/blob/develop/Dockerfile-local) for local development. To accelerate developing OSF CAS, use the [reload](https://github.com/CenterForOpenScience/osf-cas/blob/develop/docker-reload.sh) script to rebuild, reconfigure and restart the running container. ## OSF -OSF CAS requires a working OSF running locally. Refer to OSF's [README-docker-compose.md](https://github.com/CenterForOpenScience/osf.io/blob/develop/README-docker-compose.md) for how to set up and run OSF with `docker-compose`. Must disable `fakeCAS` to free port `8080`. +OSF CAS requires a working OSF running locally. Refer to OSF [README-docker-compose.md](https://github.com/CenterForOpenScience/osf.io/blob/develop/README-docker-compose.md) for how to set up and run OSF with `docker-compose`. Must disable `fakeCAS` to free port `8080` for CAS to use. ### OSF DB @@ -67,7 +68,7 @@ cas.authn.osf-postgres.jpa.dialect=io.cos.cas.osf.hibernate.dialect.OsfPostgresD ## CAS DB -The implementation of OSF CAS uses the [JPA Ticket Registry](https://apereo.github.io/cas/6.2.x/ticketing/Configuring-Ticketing-Components.html#ticket-registry) for durable ticket storage and thus requires a relational database. Set up a `PostgreSQL@9.6` server and review [JPA Ticket Registry settings](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L90-L138). In most cases, only [Database connections](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L104-L108) need to be updated. In addition, [JDBC settings](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L96-L98) can be adjusted if necessary. +The implementation of OSF CAS uses the [JPA Ticket Registry](https://apereo.github.io/cas/6.2.x/ticketing/Configuring-Ticketing-Components.html#ticket-registry) for durable ticket storage and thus requires a relational database. Set up a `PostgreSQL@9.6` server and review [JPA Ticket Registry settings](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L127-L173). In most cases, only [Database connections](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L139-L143) need to be updated. Other JDBC and JPA settings can be adjusted if necessary. Here is an example for local development. Use `192.168.168.167` to access host outside the docker container. Use the port `54321` since the default `5432` one has been used by OSF DB. Update `pg_hba.conf` to grant proper access permission depending on the setup. @@ -90,17 +91,19 @@ host osf-cas longzechen 192.168.168.167/24 trust ## Signing and Encryption Keys -Refer to [signing and encryption settings](https://github.com/CenterForOpenScience/osf-cas/blob/790cac1ac5a19754c67d6ea1f53afc26e1809d23/etc/cas/config/cas.properties#L142-L158) in `cas.properties` for signing and encrypting client sessions and ticket granting cookies. Use the following default keys **for local development only**. +### CAS Server -```yaml -# In `cas-local.properties` +* Refer to [signing and encryption 1](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L175-L190) in `cas.properties` for signing and encrypting client sessions and ticket granting cookies. -cas.webflow.crypto.signing.key=7okipSDHBKuZL2n66cfYU4OH1Z_BRYkmEJazc29hzhXCXbRvws7Hv4_hEVd4E2osMrgIEdykzV2hAVD9CCQpJw -cas.webflow.crypto.encryption.key=1A9hLtxA-Es-hbQsfxqxxw +### OAuth Server -cas.tgc.crypto.signing.key=_WTRQmXGuq-mx2pTjNCXuX5971-e8KOCFOa27Mh5I3oBobYSzyUrLS9rfSiXQQDolJrJrWv7jURID1vtouznHg -cas.tgc.crypto.encryption.key=dcjD5PIfrcqGM8tv4_FGubcay-DbqKPPoz9xQ3IHQi0 -``` +* Refer to [signing and encryption 2](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L291-L295) in `cas.properties` for signing and encrypting OAuth 2.0 registered services. + +* You can optionally enable OAuth JWT access tokens, which requires [signing and encryption 3](https://github.com/CenterForOpenScience/osf-cas/blob/d0a03b51c9b1ce7795a210223c1ce38d5b2742de/etc/cas/config/cas.properties#L273-L282) to be configured. + +### Auto-generate Key Pairs + +Set empty values to the above keys and CAS will generate the key pairs automatically. The keys will be re-generated once server restarts. Follow the server warning logs for further actions. ## Authentication Delegation @@ -112,7 +115,13 @@ For local development, set up a developer app at [ORCiD](https://orcid.org/devel ### Institution Login -( ... WIP ... ) +#### SAML / Shibboleth + +Details coming soon ... + +#### CAS / Pac4j + +Details coming soon ... #### `fakeCAS` Login (Local Development Only) @@ -142,3 +151,7 @@ cas.authn.pac4j.cas[2].client-name=fakecas cas.authn.pac4j.cas[2].protocol=CAS30 cas.authn.pac4j.cas[2].callback-url-type=QUERY_PARAMETER ``` + +### OAuth 2.0 Server + +Details coming soon ... diff --git a/etc/cas/config/instn-authn-prod.xsl b/etc/cas/config/instn-authn-prod.xsl new file mode 100644 index 0000000..0fe3aa6 --- /dev/null +++ b/etc/cas/config/instn-authn-prod.xsl @@ -0,0 +1,679 @@ + + + + + + + + + + + + + + + + + + asu + + + + + + + + + + + + + bt + + + + + + + + + + + + bu + + + + + + + + + + + + brown + + + + + + + + + + + + + callutheran + + + + + + + + + + + + cmu + + + + + + + + + + + + cornell + + + + + + + + + + + + cwru + + + + + + + + + + + + duke + + + + + + + + + + + + ecu + + + + + + + + + + + + ferris + + + + + + + + + + + + fsu + + + + + + + + + + + + gmu + + + + + + + + + + + + gwu + + + + + + + + + + + + iit + + + + + + + + + + + + itb + + + + + + + + + + + + jmu + + + + + + + + + + + + jhu + + + + + + + + + + + + kuleuven + + + + + + + + + + + + mit + + + + + + + + + + + + mq + + + + + + + + + + + + nyu + + + + + + + + + + + + ou + + + + + + + + + + + + pu + + + + + + + + + + + + csic + + + + + + + + + + + + temple + + + + + + + + + + + + tufts + + + + + + + + + + + + ugent + + + + + + + + + + + + ua + + + + + + + + + false + + + + + ubc + + + + + + + + + + + + ucla + + + + + + + + + + + + ucsd + + + + + + + + + + + + ucr + + + + + + + + + + + + uct + + + + + + + + + + + + uc + + + + + + + + + + + + colorado + + + + + + + + + + + + ugoe + + + + + + + + + + + + universityofkent + + + + + + + + + + + + mq + + + + + + + + + + + + umd + + + + + + + + + + + + unc + + + + + + + + + + + + nd + + + + + + + + + + + + usc + + + + + + + + + + + + sc + + + + + + + + + + + + utdallas + + + + + + + + + + + + uva + + + + + + + + + + + + uw + + + + + + + + + + + + uwstout + + + + + + + + + + + + vcu + + + + + + + + + false + + + + + vt + + + + + + + + + + + + wustl + + + + + + + + + + + + Error: Unknown Identity Provider '' + + + + + + + + + + cord + + + + + + + + + + + + okstate + + + + + + + + + + + + Error: Unknown Identity Provider '' + + + + + Error: Unknown Delegation Protocol '' + + + + diff --git a/src/main/java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java b/src/main/java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java index 52db8ae..e149eb5 100644 --- a/src/main/java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java +++ b/src/main/java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java @@ -130,7 +130,12 @@ protected final AuthenticationHandlerExecutionResult authenticateOsfPostgresInte final OsfUser osfUser = jpaOsfDao.findOneUserByEmail(username); if (osfUser == null) { - throw new AccountNotFoundException("User [" + username + "] not found"); + if (StringUtils.isNoneBlank(plainTextPassword) || StringUtils.isNoneBlank(oneTimePassword)) { + throw new AccountNotFoundException("User [" + username + "] not found"); + } + if (StringUtils.isNoneBlank(verificationKey)) { + throw new InvalidVerificationKeyException("User [" + username + "] not found"); + } } final OsfGuid osfGuid = jpaOsfDao.findGuidByUser(osfUser); if (osfGuid == null) { diff --git a/src/main/java/io/cos/cas/osf/web/flow/config/OsfCasWebflowContextConfiguration.java b/src/main/java/io/cos/cas/osf/web/flow/config/OsfCasWebflowContextConfiguration.java index 64ac4ac..f2808fd 100644 --- a/src/main/java/io/cos/cas/osf/web/flow/config/OsfCasWebflowContextConfiguration.java +++ b/src/main/java/io/cos/cas/osf/web/flow/config/OsfCasWebflowContextConfiguration.java @@ -59,4 +59,13 @@ public CasWebflowConfigurer defaultLogoutWebflowConfigurer() { osfCasLogoutWebFlowConfigurer.setOrder(Ordered.HIGHEST_PRECEDENCE); return osfCasLogoutWebFlowConfigurer; } + + // TODO: Move all server-specific URLs, endpoints and other attributes to a dedicated class and initialize it as a + // bean. ThymeLeaf templates can access Spring beans, which solves the issue of CasConfigurationProperties + // accessibility in templates. For more details, refer to section "Spring Beans" in the following guide: + // https://www.thymeleaf.org/doc/articles/springmvcaccessdata.html for details + @Bean(name="casServerLoginUrl") + public String casServerLoginUrl() { + return casProperties.getServer().getName() + "/login"; + } } diff --git a/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java b/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java index ecb7a6b..5ed3dff 100644 --- a/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java +++ b/src/main/java/org/pac4j/scribe/builder/api/OrcidApi20.java @@ -19,7 +19,7 @@ */ public class OrcidApi20 extends DefaultApi20 { - private static final String AUTH_URL = "http://www.orcid.org/oauth/authorize"; + private static final String AUTH_URL = "https://orcid.org/oauth/authorize"; private static final String TOKEN_URL = "https://orcid.org/oauth/token"; @Override diff --git a/src/main/resources/messages.properties b/src/main/resources/messages.properties index 51317f8..99f2066 100644 --- a/src/main/resources/messages.properties +++ b/src/main/resources/messages.properties @@ -593,7 +593,7 @@ screen.institutionlogin.osf=Sign in with your OSF account screen.unsupp-instn.heading=I can't find my institution screen.unsupp-instn.message=Signing into the OSF with institutional credentials is enabled for OSF Institutions members. If your institution is not yet an OSFI member, choose one of the following sign-in methods. screen.unsupp-instn.existing.heading=I already have an OSF account -screen.unsupp-instn.existing.message=If you have already have an OSF password, you can sign in to the OSF +screen.unsupp-instn.existing.message=If you already have an OSF password, you can sign in to the OSF screen.unsupp-instn.existing.button=Sign in with OSF screen.unsupp-instn.existing.setpw.message=If you have not yet set an OSF password for your account, create a password screen.unsupp-instn.existing.setpw.button=Set a password @@ -603,7 +603,7 @@ screen.unsupp-instn.existing.setpw.label.email.accesskey=e # Generic login and logout success page # screen.generic.logoutsuccess.title=Signed-out -screen.generic.logoutsuccess.tip=Oops! Redirection didn't happen ... +screen.generic.logoutsuccess.tips=Auto-redirection didn't happen ... screen.generic.logoutsuccess.heading=Logout successful screen.generic.logoutsuccess.message=You have successfully logged out of OSF. However, you are seeing this page \ because the automatic redirection somehow didn't happen. Please click the button below to go back to OSF. @@ -611,7 +611,7 @@ screen.generic.logoutsuccess.button.continue=Back to OSF screen.generic.logoutsuccess.link.login=Login again # screen.generic.loginsuccess.title=Signed-in -screen.generic.loginsuccess.tips=Oops! Redirection didn't happen ... +screen.generic.loginsuccess.tips=Auto-redirection didn't happen ... screen.generic.loginsuccess.heading=Login successful screen.generic.loginsuccess.message=You have successfully logged into OSF! However, you are seeing this page because \ the automatic redirection somehow didn't happen. Please click the button below to continue to OSF. @@ -647,6 +647,7 @@ screen.authnerror.tips=Oops! Something went wrong ... screen.authnerror.tips.devmode=Developer mode only !!! screen.authnerror.button.resendosfconfirmation=Resend confirmation email screen.authnerror.button.backtoosf=Exit login +screen.authnerror.button.logout=Log out screen.blocked.message=You are being throttled for attempting to login too frequently in a short amount of time. \ Please wait for a few minutes before trying again. If you believe this is an error, please contact \ support@osf.io for help. @@ -676,9 +677,9 @@ screen.service.error.message=The application you attempted to authenticate to is screen.invaliduserstatus.heading=Account not valid screen.invaliduserstatus.message=Cannot log in to an invalid account. If you believe this should not happen, please \ contact OSF Support. -screen.invalidverificationkey.heading=Invalid verification key -screen.invalidverificationkey.message=Automatic login has failed due to invalid one-time verification key. This key \ - may have expired or have already been used. +screen.invalidverificationkey.heading=Verification key login failed +screen.invalidverificationkey.message=Automatic login has failed due to invalid username or verification key. \ + The username may not exist, the one-time verification key may have expired, or it may has already been used. screen.onetimepasswordrequired.heading=OSF Two-factor Authentication screen.onetimepasswordrequired.message=Two-factor authentication has been enabled for this OSF account. Please enter \ the one-time password generated by the authentication app. If you believe this should not happen, please contact - + @@ -33,7 +33,7 @@

-
+
diff --git a/src/main/resources/templates/casAccountNotConfirmedIdPView.html b/src/main/resources/templates/casAccountNotConfirmedIdPView.html index c803b06..78ff2ce 100644 --- a/src/main/resources/templates/casAccountNotConfirmedIdPView.html +++ b/src/main/resources/templates/casAccountNotConfirmedIdPView.html @@ -1,5 +1,5 @@ - + diff --git a/src/main/resources/templates/casAccountNotConfirmedOsfView.html b/src/main/resources/templates/casAccountNotConfirmedOsfView.html index 5e757c0..bde0aa2 100644 --- a/src/main/resources/templates/casAccountNotConfirmedOsfView.html +++ b/src/main/resources/templates/casAccountNotConfirmedOsfView.html @@ -1,5 +1,5 @@ - + diff --git a/src/main/resources/templates/casGenericSuccessView.html b/src/main/resources/templates/casGenericSuccessView.html index c1b5105..2e3d7ac 100644 --- a/src/main/resources/templates/casGenericSuccessView.html +++ b/src/main/resources/templates/casGenericSuccessView.html @@ -1,5 +1,5 @@ - + @@ -19,7 +19,7 @@ -
+
@@ -27,6 +27,13 @@

+
+ 

+                    

+                    

+                    

+                    

+                

                 

                     
                         
@@ -36,8 +43,8 @@ 

                 

                     
                 

+                
                     

                     

                         
@@ -83,6 +90,7 @@ 

                         
                     

                 

+                -->
             
         
 
diff --git a/src/main/resources/templates/casInstitutionLoginView.html b/src/main/resources/templates/casInstitutionLoginView.html
index 56ba4d7..0d84a5f 100644
--- a/src/main/resources/templates/casInstitutionLoginView.html
+++ b/src/main/resources/templates/casInstitutionLoginView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/casInstitutionSsoFailedView.html b/src/main/resources/templates/casInstitutionSsoFailedView.html
index 7ad60af..ea61c1a 100644
--- a/src/main/resources/templates/casInstitutionSsoFailedView.html
+++ b/src/main/resources/templates/casInstitutionSsoFailedView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
@@ -27,7 +27,7 @@
                     

                     

                 
-                

+                

                     
                         
                     
diff --git a/src/main/resources/templates/casInvalidUserStatusView.html b/src/main/resources/templates/casInvalidUserStatusView.html
index 895975a..e5b4077 100644
--- a/src/main/resources/templates/casInvalidUserStatusView.html
+++ b/src/main/resources/templates/casInvalidUserStatusView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
@@ -33,7 +33,7 @@ 

                     
                 

                 

-                

+                

                     
                 

             

diff --git a/src/main/resources/templates/casInvalidVerificationKeyView.html b/src/main/resources/templates/casInvalidVerificationKeyView.html
index c6fd85d..d2737f1 100644
--- a/src/main/resources/templates/casInvalidVerificationKeyView.html
+++ b/src/main/resources/templates/casInvalidVerificationKeyView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
@@ -33,7 +33,7 @@ 

                     
                 

                 

-                

+                

                     
                 

             

diff --git a/src/main/resources/templates/casLoginView.html b/src/main/resources/templates/casLoginView.html
index db87cd5..8250123 100644
--- a/src/main/resources/templates/casLoginView.html
+++ b/src/main/resources/templates/casLoginView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/casLogoutView.html b/src/main/resources/templates/casLogoutView.html
index 1e0a5d7..f4c32d3 100644
--- a/src/main/resources/templates/casLogoutView.html
+++ b/src/main/resources/templates/casLogoutView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
@@ -19,8 +19,8 @@
                         
                     
                 
-                

-                    
+                

+                    
                 

                 

                 

@@ -33,7 +33,7 @@ 

                     
                 

                 

-                

+                

                     
                 

             

diff --git a/src/main/resources/templates/casOAuth20ErrorView.html b/src/main/resources/templates/casOAuth20ErrorView.html
index 57e5b3e..0cce26a 100644
--- a/src/main/resources/templates/casOAuth20ErrorView.html
+++ b/src/main/resources/templates/casOAuth20ErrorView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/casServiceErrorView.html b/src/main/resources/templates/casServiceErrorView.html
index 3b0c12c..588b507 100644
--- a/src/main/resources/templates/casServiceErrorView.html
+++ b/src/main/resources/templates/casServiceErrorView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
@@ -27,7 +27,7 @@
                     

                     

                 

-                

+                

                     
                         
                     
diff --git a/src/main/resources/templates/casTermsOfServiceConsentView.html b/src/main/resources/templates/casTermsOfServiceConsentView.html
index 0dd7163..4fb66e2 100644
--- a/src/main/resources/templates/casTermsOfServiceConsentView.html
+++ b/src/main/resources/templates/casTermsOfServiceConsentView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/casTwoFactorLoginView.html b/src/main/resources/templates/casTwoFactorLoginView.html
index c630bf1..c559d27 100644
--- a/src/main/resources/templates/casTwoFactorLoginView.html
+++ b/src/main/resources/templates/casTwoFactorLoginView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/casUnsupportedInstitutionLoginView.html b/src/main/resources/templates/casUnsupportedInstitutionLoginView.html
index 67a3bd3..e41053c 100644
--- a/src/main/resources/templates/casUnsupportedInstitutionLoginView.html
+++ b/src/main/resources/templates/casUnsupportedInstitutionLoginView.html
@@ -1,5 +1,5 @@
 
-
+
 
 
     
diff --git a/src/main/resources/templates/error.html b/src/main/resources/templates/error.html
index d276769..296f7e9 100644
--- a/src/main/resources/templates/error.html
+++ b/src/main/resources/templates/error.html
@@ -27,17 +27,23 @@
                     

                     

                 

-                

+                

+                    

+                    

+                    

+                    

+                

+                

                     
                         
                     
                 

                 

                 

-                    
+                    
                 

+                
                     

                     

                         
@@ -64,11 +70,13 @@ 

                         

                     

                 

+                -->
             

         
 
         
 
         
+
         
 
+                
+
                 
+
                 
 
-    

-        
+    

+        
     

 
     

diff --git a/src/main/resources/templates/protocol/oauth/confirm.html b/src/main/resources/templates/protocol/oauth/confirm.html
index 7093369..822948f 100644
--- a/src/main/resources/templates/protocol/oauth/confirm.html
+++ b/src/main/resources/templates/protocol/oauth/confirm.html
@@ -1,5 +1,5 @@
 
-
+