openam-jp · i7a7467 · Mar 7, 2021
diff --git a/openam-core/src/main/java/org/forgerock/openam/oauth2/OAuth2Constants.java b/openam-core/src/main/java/org/forgerock/openam/oauth2/OAuth2Constants.java
@@ -14,6 +14,7 @@
  * Copyright 2012-2016 ForgeRock AS.
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
  * Portions Copyrighted 2018-2019 Open Source Solution Technology Corporation
+ * Portions Copyrighted 2021 i7a7467
  */
 
 package org.forgerock.openam.oauth2;
@@ -993,6 +994,7 @@ public class OAuth2Client {
         public static final String CLIENT_NAME = "com.forgerock.openam.oauth2provider.clientName";
         public static final String IS_CONSENT_IMPLIED = "isConsentImplied";
         public static final String IS_POLICY_BASED_PROTECTION_ENABLED = "isPolicyBasedProtectionEnabled";
+        public static final String IS_PASSWORD_CREDENTIALS_GRANT_DISABLED = "isPasswordCredentialsGrantDisabled";
 
         public static final String JWKS_URI = "com.forgerock.openam.oauth2provider.jwksURI";
         public static final String JWKS = "com.forgerock.openam.oauth2provider.jwks";

diff --git a/openam-core/src/main/resources/agentService.properties b/openam-core/src/main/resources/agentService.properties
@@ -28,6 +28,7 @@
 # Portions Copyrighted 2011-2016 ForgeRock AS.
 # Portions Copyrighted 2013-2015 Nomura Research Institute, Ltd.
 # Portions Copyrighted 2019 Open Source Solution Technology Corporation.
+# Portions Copyrighted 2021 i7a7467
 
 label.Empty=---EMPTY----
 a10=USER_ID
@@ -806,6 +807,8 @@ a758.help=When enabled, the resource owner will not be asked for consent during
   Provider must be configured to allow clients to skip consent.
 a759=Policy Based Endpoint Protection
 a759.help=When enabled, the resource owner session must satisfy the conditions specified by the policy.
+a761=Disable Resource Owner Password Credentials Grant
+a761.help=When enabled, OpenAM OAuth 2.0 Provider rejects token request of grant_type password.
 a7001=OAuth2 Client Settings
 
 # UI properties

diff --git a/openam-core/src/main/resources/ja_JP/agentService_ja.properties b/openam-core/src/main/resources/ja_JP/agentService_ja.properties
@@ -28,6 +28,7 @@
 # Portions Copyrighted 2012-2015 ForgeRock AS.
 # Portions Copyrighted 2012-2019 Open Source Solution Technology Corporation.
 # Portions Copyrighted 2013-2015 Nomura Research Institute, Ltd.
+# Portions Copyrighted 2021 i7a7467
 
 label.Empty=---\u7a7a----
 a10=USER_ID
@@ -683,6 +684,8 @@ a758.help=\u6709\u52b9\u306a\u5834\u5408\u3001\u8a8d\u53ef\u30d5\u30ed\u30fc\u30
 OAuth2 \u30d7\u30ed\u30d0\u30a4\u30c0\u306f\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u540c\u610f\u3092\u30b9\u30ad\u30c3\u30d7\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3088\u3046\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002
 a759=\u30dd\u30ea\u30b7\u30fc\u306b\u57fa\u3065\u304f\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306e\u4fdd\u8b77
 a759.help=\u6709\u52b9\u306a\u5834\u5408\u3001\u30ea\u30bd\u30fc\u30b9\u30aa\u30fc\u30ca\u30fc\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u306f\u30dd\u30ea\u30b7\u30fc\u3067\u898f\u5b9a\u3055\u308c\u305f\u6761\u4ef6\u3092\u6e80\u3059\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002
+a761=Resource Owner Password Credentials Grant \u306e\u7121\u52b9\u5316
+a761.help=\u6709\u52b9\u306a\u5834\u5408\u3001OpenAM OAuth 2.0 Provider \u306f grant_type \u304c password \u306e\u30c8\u30fc\u30af\u30f3\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u53d7\u3051\u4ed8\u3051\u307e\u305b\u3093\u3002
 
 a7001=OAuth2 \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a2d\u5b9a
 

diff --git a/openam-oauth2/src/main/java/org/forgerock/oauth2/core/ClientRegistration.java b/openam-oauth2/src/main/java/org/forgerock/oauth2/core/ClientRegistration.java
@@ -13,6 +13,7 @@
  *
  * Copyright 2014-2016 ForgeRock AS.
  * Portions Copyrighted 2019 Open Source Solution Technology Corporation.
+ * Portions Copyrighted 2021 i7a7467
  */
 
 package org.forgerock.oauth2.core;
@@ -158,4 +159,10 @@ public interface ClientRegistration {
       */
     boolean isPolicyBasedProtectionEnabled();
 
+    /**
+     * Gets whether or not Resource Owner Password Credentials Grant is disabled.
+     *
+     * @return true if disabled.
+     */
+    boolean isPasswordCredentialsGrantDisabled();
 }
diff --git a/...m-oauth2/src/main/java/org/forgerock/oauth2/core/PasswordCredentialsGrantTypeHandler.java b/...m-oauth2/src/main/java/org/forgerock/oauth2/core/PasswordCredentialsGrantTypeHandler.java
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2014-2016 ForgeRock AS.
+ * Portions Copyrighted 2021 i7a7467
  */
 
 package org.forgerock.oauth2.core;
@@ -76,6 +77,13 @@ public AccessToken handle(OAuth2Request request, ClientRegistration clientRegist
             InvalidRequestException, UnauthorizedClientException, InvalidGrantException, ServerException,
             InvalidScopeException, NotFoundException {
 
+        if (clientRegistration.isPasswordCredentialsGrantDisabled()) {
+            logger.error("The client is not allowed to request using this grant type.");
+            throw new UnauthorizedClientException(
+                "The client is not allowed to request using this grant type."
+            );            
+        }
+
         for (final PasswordCredentialsRequestValidator requestValidator : requestValidators) {
             requestValidator.validateRequest(request, clientRegistration);
         }

diff --git a/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMClientRegistration.java b/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMClientRegistration.java
@@ -14,6 +14,7 @@
  * Copyright 2014-2016 ForgeRock AS.
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
  * Portions Copyrighted 2019 Open Source Solution Technology Corporation.
+ * Portions Copyrighted 2021 i7a7467
  */
 
 package org.forgerock.openam.oauth2;
@@ -694,6 +695,11 @@ public boolean isPolicyBasedProtectionEnabled() {
         return Boolean.parseBoolean(getAttribute(OAuth2Constants.OAuth2Client.IS_POLICY_BASED_PROTECTION_ENABLED));
     }
 
+    @Override
+    public boolean isPasswordCredentialsGrantDisabled() {
+        return Boolean.parseBoolean(getAttribute(OAuth2Constants.OAuth2Client.IS_PASSWORD_CREDENTIALS_GRANT_DISABLED));
+    }
+
     private boolean verifyJwtBySharedSecret(final OAuth2Jwt jwt) {
         final String issuer = jwt.getSignedJwt().getClaimsSet().getIssuer();
         OpenIdResolver resolver = new SharedSecretOpenIdResolverImpl(issuer, getClientSecret());

diff --git a/openam-server-only/src/main/resources/services/AgentService.xml b/openam-server-only/src/main/resources/services/AgentService.xml
@@ -29,6 +29,7 @@
    Portions Copyrighted 2011-2016 ForgeRock AS.
    Portions Copyrighted 2015 Nomura Research Institute, Ltd.
    Portions Copyrighted 2019 Open Source Solution Technology Corporation.
+   Portions Copyrighted 2021 i7a7467
 -->
 
 <!DOCTYPE ServicesConfiguration
@@ -461,6 +462,20 @@
                             <Value>false</Value>
                         </DefaultValues>
                     </AttributeSchema>
+                    <AttributeSchema
+                            name="isPasswordCredentialsGrantDisabled"
+                            type="single"
+                            syntax="boolean"
+                            i18nKey="a761"
+                            order="26203">
+                        <BooleanValues>
+                            <BooleanTrueValue i18nKey="i18nTrue">true</BooleanTrueValue>
+                            <BooleanFalseValue i18nKey="i18nFalse">false</BooleanFalseValue>
+                        </BooleanValues>
+                        <DefaultValues>
+                            <Value>false</Value>
+                        </DefaultValues>
+                    </AttributeSchema>
                 </SubSchema>
                 <SubSchema name="WebAgent" inheritance="multiple">
                     <AttributeSchema