Issue 21826: Initial data structures and metatype for OIDC Private Key JWT client authn

dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/l10n/metatype.properties

@@ -186,6 +186,8 @@ validationEndpointUrl.desc=The endpoint URL for validating the token inbound pro
 tokenEndpointAuthMethod=Authentication method of token endpoint
 tokenEndpointAuthMethod.desc=The method to use for sending credentials to the token endpoint of the OpenID Connect provider in order to authenticate the client.
 
+tokenEndpointAuthMethod.privateKeyJwt=Private key JWT client authentication.
+
 authnSessionDisabled=Authentication session cookie disabled
 authnSessionDisabled.desc=An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request.
 

dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/metatype/metatype.xml

@@ -17,7 +17,7 @@
          name="%openidConnectClient" description="%openidConnectClient.desc">
          <AD id="scope" name="%scope" description="%scope.desc" required="true" type="String"  default="openid profile"  ibm:type="token"/>
          <AD id="clientId" name="%clientId" description="%clientId.desc" required="false" type="String" />
-  		 <AD id="clientSecret" name="%clientSecret" description="%clientSecret.desc" required="false" type="String" ibm:type="password"/>		 
+  		 <AD id="clientSecret" name="%clientSecret" description="%clientSecret.desc" required="false" type="String" ibm:type="password"/>
 		 <AD id="redirectToRPHostAndPort" name="%redirectToRPHostAndPort" description="%redirectToRPHostAndPort.desc" required="false" type="String" />
 		 <AD id="redirectJunctionPath" name="%redirectJunctionPath" description="%redirectJunctionPath.desc" required="false" type="String" />
 		 <AD id="isClientSideRedirectSupported" name="%isClientSideRedirectSupported" description="%isClientSideRedirectSupported.desc" required="false" type="Boolean" default="true" />
@@ -28,17 +28,15 @@
 	     <AD id="trustStoreRef" name="%trustStoreRef" description="%trustStoreRef.desc" required="false" type="String" ibmui:uiReference="com.ibm.ws.ssl.keystore" />
 	     <AD id="trustAliasName" name="%trustAliasName" description="%trustAliasName.desc" required="false" type="String" />
 		 <AD id="httpsRequired" name="%httpsRequired" description="%httpsRequired.desc" required="true" type="Boolean" default="true"/>
-  		 <AD id="nonceEnabled" name="%nonceEnabled" description="%nonceEnabled.desc" required="false" type="Boolean" default="false"/> 
+  		 <AD id="nonceEnabled" name="%nonceEnabled" description="%nonceEnabled.desc" required="false" type="Boolean" default="false"/>
   		 <AD id="realmName" name="%realmName" description="%realmName.desc" required="false" type="String" />
-
-
+
          <!--<AD id="sslRef" name="%sslRef" description="%sslRef.desc" required="false" type="String" ibmui:uiReference="com.ibm.ws.ssl.repertoire" />-->
          <AD id="sslRef" name="%sslRef" description="%sslRef.desc" required="false" type="String" ibm:type="pid" ibm:reference="com.ibm.ws.ssl.repertoire" ibmui:uiReference="com.ibm.ws.ssl.repertoire" />
-         <!-- following lines are supposed to make sure ssl is fully activated before we are --> 
+         <!-- following lines are supposed to make sure ssl is fully activated before we are -->
          <AD id="SSLSupport.cardinality.minimum" name="internal" description="internal use only" type="String" default="${count(sslRef)}"/>
-         <AD id="SSLSupport.target" name="internal" description="internal use only"  type="String" default="(repertoirePIDs=${sslRef})"/>  
-
-
+         <AD id="SSLSupport.target" name="internal" description="internal use only"  type="String" default="(repertoirePIDs=${sslRef})"/>
+
          <AD id="signatureAlgorithm" required="false" type="String" name="%signatureAlgorithm" description="%signatureAlgorithm.desc" default="HS256">
              <Option label="%tokenSignAlgorithm.NONE" value="none" />
              <Option label="%tokenSignAlgorithm.RS256" value="RS256" />
@@ -51,10 +49,10 @@
              <Option label="%tokenSignAlgorithm.ES384" value="ES384" />
              <Option label="%tokenSignAlgorithm.ES512" value="ES512" />
          </AD>
-  		 
+
   		 <AD id="includeIdTokenInSubject" name="%includeIdTokenInSubject" description="%includeIdTokenInSubject.desc"  required="false" type="Boolean" default="true"/>
   		 <AD id="accessTokenInLtpaCookie" name="%accessTokenInLtpaCookie" description="%accessTokenInLtpaCookie.desc"  required="false" type="Boolean" default="false"/>
-         <AD id="initialStateCacheCapacity" name="%initialStateCacheCapacity" description="%initialStateCacheCapacity.desc" required="false" type="Integer" min="0" default="3000" />             
+         <AD id="initialStateCacheCapacity" name="%initialStateCacheCapacity" description="%initialStateCacheCapacity.desc" required="false" type="Integer" min="0" default="3000" />
          <AD id="hostNameVerificationEnabled" name="%hostNameVerificationEnabled" description="%hostNameVerificationEnabled.desc" required="false" type="Boolean" default="false"/>
          <AD id="discoveryEndpointUrl" name="%discoveryEndpointUrl" description="%discoveryEndpointUrl.desc" required="false" type="String" />
          <AD id="authorizationEndpointUrl" name="%authorizationEndpointUrl" description="%authorizationEndpointUrl.desc" required="false" type="String" />
@@ -63,7 +61,7 @@
      	 		<Option label="access_token" value="access_token" />
 		 </AD>
          <AD id="userInfoEndpointUrl" name="%userInfoEndpointUrl" description="%userInfoEndpointUrl.desc"
-            required="false" type="String" />  
+            required="false" type="String" />
          <AD id="userInfoEndpointEnabled" name="%userInfoEndpointEnabled" description="%userInfoEndpointEnabled.desc"
             required="false" type="Boolean" default="false" />
          <AD id="jwkEndpointUrl" name="%jwkEndpointUrl" description="%jwkEndpointUrl.desc" required="false"  type="String" />
@@ -75,33 +73,29 @@
          		<Option label="%grantType.authorization_code" value="authorization_code" />
             	<Option label="%grantType.implicit" value="implicit" />
          </AD>
-         
+
          <!--  sent by the browser to tell the OP what kind of response it wants.  Preferred to grantType -->
          <AD id="responseType" name="%responseType" description="%responseType.desc" required="false" type="String">
                 <!--  code is an authorization code flow, the other three are implicit code flows. -->
                 <Option label="%responseType.code" value="code" />
             	<Option label="%responseType.idToken" value="id_token" />
             	<Option label="%responseType.idTokenToken" value="id_token token" />
             	<Option label="%responseType.Token" value="token" />
-         </AD> 
+         </AD>
          <AD id="userIdentifier" name="%userIdentifier" description="%userIdentifier.desc"
             required="false" type="String"/>
          <AD id="groupIdentifier" name="%groupIdentifier" description="%groupIdentifier.desc" required="false" type="String" default="groupIds" />
          <AD id="realmIdentifier" name="%realmIdentifier" description="%realmIdentifier.desc" required="false" type="String" default="realmName" />
          <AD id="uniqueUserIdentifier" name="%userUniqueIdentifier" description="%userUniqueIdentifier.desc" required="false" type="String" default="uniqueSecurityName" />
-         <AD id="tokenEndpointAuthMethod" name="%tokenEndpointAuthMethod" description="%tokenEndpointAuthMethod.desc" required="false" 
+         <AD id="tokenEndpointAuthMethod" name="%tokenEndpointAuthMethod" description="%tokenEndpointAuthMethod.desc" required="false"
              type="String" default="post" >
-                <!-- support basic or post -->
                 <Option label="basic" value="basic" />
-            	<Option label="post"  value="post" />
-            	<!-- future maybe exclusive or, bad, adding cardinality to 3 or 4.  
-            	<Option label="jwt"   value="jwt" />
-            	<Option label="saml"  value="saml" />
-            	-->
+                <Option label="post"  value="post" />
+                <Option label="%tokenEndpointAuthMethod.privateKeyJwt" value="private_key_jwt" />
          </AD>
          <AD id="jsonWebKey" name="internal" description="internal use only" required="false" type="String" />
          <AD id="prompt" name="internal" description="internal use only" required="false" type="String" />
-          <AD id="jwt" name="internal" description="internal use only" ibm:type="pid" ibm:reference="com.ibm.ws.security.openidconnect.client.jwt" 
+          <AD id="jwt" name="internal" description="internal use only" ibm:type="pid" ibm:reference="com.ibm.ws.security.openidconnect.client.jwt"
              required="false" type="String"  />
          <AD id="inboundPropagation" name="%inboundPropagation" description="%inboundPropagation.desc" required="false" type="String" default="none" >
                 <Option label="%inboundPropagation.supported" value="supported" />
@@ -131,7 +125,7 @@
          <AD id="useSystemPropertiesForHttpClientConnections" name ="%useSystemPropertiesForHttpClientConnections" description="%useSystemPropertiesForHttpClientConnections.desc"
             required="false" type="Boolean" default="false"/>
          <AD id="reAuthnOnAccessTokenExpire" name="%reAuthnOnAccessTokenExpire" description="%reAuthnOnAccessTokenExpire.desc" required="false" type="Boolean" default="true" />
-         <AD id="reAuthnCushion" name="%reAuthnCushion" description="%reAuthnCushion.desc" required="false" type="String" ibm:type="duration" default="0s"/>            
+         <AD id="reAuthnCushion" name="%reAuthnCushion" description="%reAuthnCushion.desc" required="false" type="String" ibm:type="duration" default="0s"/>
 		 <AD id="validateAccessTokenLocally" name="internal" description="internal use only" required="false" type="Boolean" default="true"/>
 		 <AD id="sharedKey" name="internal" description="internal use only" required="false" type="String" ibm:type="password" />
          <AD id="includeCustomCacheKeyInSubject" name="internal" description="internal use only"  required="false" type="Boolean" default="true"/>
@@ -142,9 +136,9 @@
          <AD id="authFilterRef" name="%authFilterRef" description="%authFilterRef.desc" ibm:type="pid" ibm:reference="com.ibm.ws.security.authentication.filter" required="false" type="String"  />
          <AD id="createSession" name ="%createSession" description="%createSession.desc"
             required="false" type="Boolean" default="true"/>
-         <AD id="resource" name="%resource" description="%resource.desc" required="false" type="String" cardinality="2147483647" /> 
+         <AD id="resource" name="%resource" description="%resource.desc" required="false" type="String" cardinality="2147483647" />
          <AD id="authenticationTimeLimit" name="%authenticationTimeLimit" description="%authenticationTimeLimit.desc" required="false" type="String" default="420s" ibm:type="duration" />
-         <AD id="discoveryPollingRate" name="%discoveryPollingRate" description="%discoveryPollingRate.desc" required="false" type="String" default="300s" ibm:type="duration" /> 
+         <AD id="discoveryPollingRate" name="%discoveryPollingRate" description="%discoveryPollingRate.desc" required="false" type="String" default="300s" ibm:type="duration" />
          <AD id="useAccessTokenAsIdToken" name="internal" description="internal use only" required="false" type="Boolean" default="false"/>
          <AD id="tokenReuse" name="%tokenReuse" description="%tokenReuse.desc" required="false" type="Boolean" default="false" />
          <AD id="forwardLoginParameter" name="%forwardLoginParameter" description="%forwardLoginParameter.desc" required="false" type="String" cardinality="2147483647" />
@@ -162,8 +156,8 @@
     <Designate factoryPid="com.ibm.ws.security.openidconnect.client.oidcClientConfig">
                 <Object ocdref="com.ibm.ws.security.openidconnect.client.oidcClientConfig.metatype" />
     </Designate>
-    
-     <OCD id="com.ibm.ws.security.openidconnect.client.jwt.metatype" name="internal" description="internal use only" 
+
+     <OCD id="com.ibm.ws.security.openidconnect.client.jwt.metatype" name="internal" description="internal use only"
          ibmui:localization="OSGI-INF/l10n/metatype" >
      	 <AD id="builder" name="internal" description="internal use only" required="false" type="String" />
          <AD id="claims" name="internal" description="internal use only" required="false" type="String" cardinality="400" />
@@ -172,8 +166,8 @@
     <Designate factoryPid="com.ibm.ws.security.openidconnect.client.jwt">
         <Object ocdref="com.ibm.ws.security.openidconnect.client.jwt.metatype" />
     </Designate>
-    
-    <OCD id="com.ibm.ws.security.openidconnect.client.param.metatype" name="%oidcClientCustomRequestParam" description="%oidcClientCustomRequestParam.desc" 
+
+    <OCD id="com.ibm.ws.security.openidconnect.client.param.metatype" name="%oidcClientCustomRequestParam" description="%oidcClientCustomRequestParam.desc"
          ibmui:localization="OSGI-INF/l10n/metatype" >
      	 <AD id="name" name="%oidcClientCustomRequestParamName" description="%oidcClientCustomRequestParamName.desc" required="false" type="String" />
          <AD id="value" name="%oidcClientCustomRequestParamValue" description="%oidcClientCustomRequestParamValue.desc" required="false" type="String" />
@@ -182,14 +176,14 @@
     <Designate factoryPid="com.ibm.ws.security.openidconnect.client.param">
         <Object ocdref="com.ibm.ws.security.openidconnect.client.param.metatype" />
     </Designate>
-    
-    <OCD description="%oidcClientWebapp.desc" name="%oidcClientWebapp.name" 
-         id="com.ibm.ws.security.openidconnect.client.webapp" 
-         ibm:alias="oidcClientWebapp" ibmui:localization="OSGI-INF/l10n/metatype">   
-         <!--    <AD  name="%contextPath" description="%contextPath.desc" id="contextPath" required="false" type="String" default="/oidcclient" /> -->                 
+
+    <OCD description="%oidcClientWebapp.desc" name="%oidcClientWebapp.name"
+         id="com.ibm.ws.security.openidconnect.client.webapp"
+         ibm:alias="oidcClientWebapp" ibmui:localization="OSGI-INF/l10n/metatype">
+         <!--    <AD  name="%contextPath" description="%contextPath.desc" id="contextPath" required="false" type="String" default="/oidcclient" /> -->
          <AD  name="%oidcClientWebapp.contextPath.name" description="%oidcClientWebapp.desc" id="contextPath" required="true" type="String" default="/oidcclient" />
          <AD name="internal" id="contextName" ibm:final="true" type="String"   description="internal" default="oidcClientWebapp" />
-    </OCD>    
+    </OCD>
     <Designate pid="com.ibm.ws.security.openidconnect.client.webapp"> <!--  needs to match pid in WabConfiguration impl -->
         <!--  just needs to ref the id in the OCD element.  -->
         <Object ocdref="com.ibm.ws.security.openidconnect.client.webapp"/>

dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OidcClientUtil.java

@@ -1,14 +1,11 @@
 /*******************************************************************************
- * Copyright (c) 2013, 2022 IBM Corporation and others.
+ * Copyright (c) 2013, 2023 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-2.0/
- * 
- * SPDX-License-Identifier: EPL-2.0
  *
- * Contributors:
- * IBM Corporation - initial API and implementation
+ * SPDX-License-Identifier: EPL-2.0
  *******************************************************************************/
 package com.ibm.ws.security.openidconnect.clients.common;
 
@@ -115,17 +112,6 @@ public Map<String, Object> getUserinfo(String userInfor, String accessToken, SSL
         // return userinfoResponse;
     }
 
-    Map<String, Object> postToTokenEndpoint(String tokenEnpoint,
-            @Sensitive List<NameValuePair> params,
-            String baUsername,
-            @Sensitive String baPassword,
-            SSLSocketFactory sslSocketFactory,
-            boolean isHostnameVerification,
-            String authMethod, boolean useSystemPropertiesForHttpClientConnections)
-            throws Exception {
-        return oidcHttpUtil.postToEndpoint(tokenEnpoint, params, baUsername, baPassword, null, sslSocketFactory, isHostnameVerification, authMethod, useSystemPropertiesForHttpClientConnections);
-    }
-
     Map<String, Object> postToCheckTokenEndpoint(String tokenEnpoint,
             @Sensitive List<NameValuePair> params,
             String baUsername,