wso2-extensions · ivantha · Apr 15, 2020
diff --git a/...tity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/...tity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
@@ -118,6 +118,7 @@ public final class OAuthConstants {
     //Constants used for OAuth/OpenID Connect Configuration UI
     public static final String CALLBACK_URL_REGEXP_PREFIX = "regexp=";
 
+    public static final String AUTHORIZATION_CODE_VALIDITY_PERIOD = "authorizationCodeValidityPeriod";
     public static final String AUTHORIZATION_CODE_STORE_TABLE = "IDN_OAUTH2_AUTHORIZATION_CODE";
 
     //Constants used for OAuth Secret Revoke and Regeneration

diff --git a/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl b/components/org.wso2.carbon.identity.oauth.stub/src/main/resources/OAuthAdminService.wsdl
@@ -318,6 +318,18 @@
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
+            <xs:element name="getAuthorizationCodeValidityPeriod">
+                <xs:complexType>
+                    <xs:sequence/>
+                </xs:complexType>
+            </xs:element>
+            <xs:element name="getAuthorizationCodeValidityPeriodResponse">
+                <xs:complexType>
+                    <xs:sequence>
+                        <xs:element minOccurs="0" name="return" type="xs:long"/>
+                    </xs:sequence>
+                </xs:complexType>
+            </xs:element>
             <xs:element name="getTokenExpiryTimes">
                 <xs:complexType>
                     <xs:sequence/>
@@ -397,6 +409,7 @@
                     <xs:element minOccurs="0" name="applicationAccessTokenExpiryTime" type="xs:long"/>
                     <xs:element minOccurs="0" name="applicationName" nillable="true" type="xs:string"/>
                     <xs:element maxOccurs="unbounded" minOccurs="0" name="audiences" nillable="true" type="xs:string"/>
+                    <xs:element minOccurs="0" name="authorizationCodeValidityPeriod" type="xs:long"/>
                     <xs:element minOccurs="0" name="backChannelLogoutUrl" nillable="true" type="xs:string"/>
                     <xs:element minOccurs="0" name="bypassClientCredentials" type="xs:boolean"/>
                     <xs:element minOccurs="0" name="callbackUrl" nillable="true" type="xs:string"/>
@@ -525,6 +538,12 @@
     <wsdl:message name="isPKCESupportEnabledResponse">
         <wsdl:part name="parameters" element="ns1:isPKCESupportEnabledResponse"/>
     </wsdl:message>
+    <wsdl:message name="getAuthorizationCodeValidityPeriodRequest">
+        <wsdl:part name="parameters" element="ns1:getAuthorizationCodeValidityPeriod"/>
+    </wsdl:message>
+    <wsdl:message name="getAuthorizationCodeValidityPeriodResponse">
+        <wsdl:part name="parameters" element="ns1:getAuthorizationCodeValidityPeriodResponse"/>
+    </wsdl:message>
     <wsdl:message name="isRefreshTokenRenewalEnabledRequest">
         <wsdl:part name="parameters" element="ns1:isRefreshTokenRenewalEnabled"/>
     </wsdl:message>
@@ -689,6 +708,10 @@
             <wsdl:input message="tns:isPKCESupportEnabledRequest" wsaw:Action="urn:isPKCESupportEnabled"/>
             <wsdl:output message="tns:isPKCESupportEnabledResponse" wsaw:Action="urn:isPKCESupportEnabledResponse"/>
         </wsdl:operation>
+        <wsdl:operation name="getAuthorizationCodeValidityPeriod">
+            <wsdl:input message="tns:getAuthorizationCodeValidityPeriodRequest" wsaw:Action="urn:getAuthorizationCodeValidityPeriod"/>
+            <wsdl:output message="tns:getAuthorizationCodeValidityPeriodResponse" wsaw:Action="urn:getAuthorizationCodeValidityPeriodResponse"/>
+        </wsdl:operation>
         <wsdl:operation name="isRefreshTokenRenewalEnabled">
             <wsdl:input message="tns:isRefreshTokenRenewalEnabledRequest" wsaw:Action="urn:isRefreshTokenRenewalEnabled"/>
             <wsdl:output message="tns:isRefreshTokenRenewalEnabledResponse" wsaw:Action="urn:isRefreshTokenRenewalEnabledResponse"/>
@@ -912,6 +935,15 @@
                 <soap:body use="literal"/>
             </wsdl:output>
         </wsdl:operation>
+        <wsdl:operation name="getAuthorizationCodeValidityPeriod">
+            <soap:operation soapAction="urn:getAuthorizationCodeValidityPeriod" style="document"/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+        </wsdl:operation>
         <wsdl:operation name="isRefreshTokenRenewalEnabled">
             <soap:operation soapAction="urn:isRefreshTokenRenewalEnabled" style="document"/>
             <wsdl:input>
@@ -1266,6 +1298,15 @@
                 <soap12:body use="literal"/>
             </wsdl:output>
         </wsdl:operation>
+        <wsdl:operation name="getAuthorizationCodeValidityPeriod">
+            <soap12:operation soapAction="urn:getAuthorizationCodeValidityPeriod" style="document"/>
+            <wsdl:input>
+                <soap12:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap12:body use="literal"/>
+            </wsdl:output>
+        </wsdl:operation>
         <wsdl:operation name="isRefreshTokenRenewalEnabled">
             <soap12:operation soapAction="urn:isRefreshTokenRenewalEnabled" style="document"/>
             <wsdl:input>
@@ -1596,6 +1637,15 @@
                 <mime:content type="text/xml" part="parameters"/>
             </wsdl:output>
         </wsdl:operation>
+        <wsdl:operation name="getAuthorizationCodeValidityPeriod">
+            <http:operation location="getAuthorizationCodeValidityPeriod"/>
+            <wsdl:input>
+                <mime:content type="text/xml" part="parameters"/>
+            </wsdl:input>
+            <wsdl:output>
+                <mime:content type="text/xml" part="parameters"/>
+            </wsdl:output>
+        </wsdl:operation>
         <wsdl:operation name="isRefreshTokenRenewalEnabled">
             <http:operation location="isRefreshTokenRenewalEnabled"/>
             <wsdl:input>

diff --git a/...ity.oauth.ui/src/main/java/org/wso2/carbon/identity/oauth/ui/client/OAuthAdminClient.java b/...ity.oauth.ui/src/main/java/org/wso2/carbon/identity/oauth/ui/client/OAuthAdminClient.java
@@ -186,6 +186,11 @@ public void updateOauthApplicationState(String consumerKey, String newState) thr
         stub.updateConsumerAppState(consumerKey, newState);
     }
 
+    public long getAuthorizationCodeValidityPeriod() throws RemoteException {
+
+        return stub.getAuthorizationCodeValidityPeriod();
+    }
+
     public OAuthTokenExpiryTimeDTO getOAuthTokenExpiryTimeDTO() throws RemoteException {
 
         return stub.getTokenExpiryTimes();

diff --git a/...y.oauth.ui/src/main/resources/org/wso2/carbon/identity/oauth/ui/i18n/Resources.properties b/...y.oauth.ui/src/main/resources/org/wso2/carbon/identity/oauth/ui/i18n/Resources.properties
@@ -87,10 +87,12 @@ error.while.revoking.authorization=Error while revoking authorization for {0}
 revocation.success=Authorization successfully revoked for {0}
 next=Next
 prev=prev
+authorization.code.validity.period=Authorization Code Validity Period
 user.access.token.expiry.time=User Access Token Expiry Time
 application.access.token.expiry.time=Application Access Token Expiry Time
 refresh.token.expiry.time=Refresh Token Expiry Time
 id.token.expiry.time=Id Token Expiry Time
+invalid.authorization.code.validity.period=Invalid value for Authorization Code Validity Period
 invalid.user.access.token.expiry.time=Invalid value for User Access Token Expiry Time
 invalid.application.access.token.expiry.time=Invalid value for Application Access Token Expiry Time
 invalid.refresh.token.expiry.time=Invalid value for Refresh Token Expiry Time

diff --git a/...g.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/add-finish-ajaxprocessor.jsp b/...g.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/add-finish-ajaxprocessor.jsp
@@ -54,6 +54,7 @@
     String applicationName = request.getParameter("application");
     String callback = request.getParameter("callback");
     String oauthVersion = request.getParameter("oauthVersion");
+    String authorizationCodeValidityPeriod = request.getParameter("authorizationCodeValidityPeriod");
     String userAccessTokenExpiryTime = request.getParameter("userAccessTokenExpiryTime");
     String applicationAccessTokenExpiryTime = request.getParameter("applicationAccessTokenExpiryTime");
     String refreshTokenExpiryTime = request.getParameter("refreshTokenExpiryTime");
@@ -109,6 +110,7 @@
             app.setApplicationName(applicationName);
             app.setCallbackUrl(callback);
             app.setOAuthVersion(oauthVersion);
+            app.setAuthorizationCodeValidityPeriod(Long.parseLong(authorizationCodeValidityPeriod));
             app.setUserAccessTokenExpiryTime(Long.parseLong(userAccessTokenExpiryTime));
             app.setApplicationAccessTokenExpiryTime(Long.parseLong(applicationAccessTokenExpiryTime));
             app.setRefreshTokenExpiryTime(Long.parseLong(refreshTokenExpiryTime));

diff --git a/components/org.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/add.jsp b/components/org.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/add.jsp
@@ -149,6 +149,7 @@
                     var callbackUrl = document.getElementById('callback').value;
                     var oidcLogoutType = $('input[name=logoutMechanism]:checked').val();
                     var oidcLogoutUrl = document.getElementById('logout_url').value;
+                    var authorizationCodeValidityPeriod = document.getElementById("authorizationCodeValidityPeriod").value;
                     var userTokenExpiryTime = document.getElementById("userAccessTokenExpiryTime").value;
                     var applicationTokenExpiryTime = document.getElementById("userAccessTokenExpiryTime").value;
                     var refreshTokenExpiryTime = document.getElementById("refreshTokenExpiryTime").value;
@@ -199,6 +200,10 @@
                                 }
                             }
                         }
+                        if (!isWhiteListed(authorizationCodeValidityPeriod, ["digits-only"])) {
+                            CARBON.showWarningDialog('<fmt:message key="invalid.authorization.code.validity.period"/>');
+                            return false;
+                        }
                         if (!isWhiteListed(userTokenExpiryTime, ["digits-only"])) {
                             CARBON.showWarningDialog('<fmt:message key="invalid.user.access.token.expiry.time"/>');
                             return false;
@@ -236,6 +241,7 @@
                         $(jQuery('#access_token_type_row')).hide();
                         $(jQuery("#pkce_enable").hide());
                         $(jQuery("#pkce_support_plain").hide());
+                        $(jQuery('#authorizationCodePlain').hide());
                         $(jQuery('#userAccessTokenPlain').hide());
                         $(jQuery('#applicationAccessTokenPlain').hide());
                         $(jQuery('#refreshTokenPlain').hide());
@@ -261,6 +267,7 @@
                         $(jQuery('#access_token_type_row')).show();
                         $(jQuery("#pkce_enable").show());
                         $(jQuery("#pkce_support_plain").show());
+                        $(jQuery('#authorizationCodePlain').show());
                         $(jQuery('#userAccessTokenPlain').show());
                         $(jQuery('#applicationAccessTokenPlain').show());
                         $(jQuery('#refreshTokenPlain').show());
@@ -685,6 +692,14 @@
                                         </table>
                                     </td>
                                 </tr>
+                                <tr id="authorizationCodePlain">
+                                    <td class="leftCol-med"><fmt:message key='authorization.code.validity.period'/></td>
+                                    <td><input id="authorizationCodeValidityPeriod" name="authorizationCodeValidityPeriod"
+                                               type="text"
+                                               value="<%=client.getAuthorizationCodeValidityPeriod()%>"/>
+                                        <fmt:message key='seconds'/>
+                                    </td>
+                                </tr>
                                 <tr id="userAccessTokenPlain">
                                     <td class="leftCol-med"><fmt:message key='user.access.token.expiry.time'/></td>
                                     <td><input id="userAccessTokenExpiryTime" name="userAccessTokenExpiryTime"

diff --git a/....wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/edit-finish-ajaxprocessor.jsp b/....wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/edit-finish-ajaxprocessor.jsp
@@ -56,6 +56,7 @@
     String applicationName = request.getParameter("application");
     String consumersecret = request.getParameter("consumersecret");
     String oauthVersion = request.getParameter("oauthVersion");
+    String authorizationCodeValidityPeriod = request.getParameter("authorizationCodeValidityPeriod");
     String userAccessTokenExpiryTime = request.getParameter("userAccessTokenExpiryTime");
     String applicationAccessTokenExpiryTime = request.getParameter("applicationAccessTokenExpiryTime");
     String refreshTokenExpiryTime = request.getParameter("refreshTokenExpiryTime");
@@ -116,6 +117,7 @@
             app.setOAuthVersion(oauthVersion);
             app.setPkceMandatory(pkceMandatory);
             app.setPkceSupportPlain(pkceSupportPlain);
+            app.setAuthorizationCodeValidityPeriod(Long.parseLong(authorizationCodeValidityPeriod));
             app.setUserAccessTokenExpiryTime(Long.parseLong(userAccessTokenExpiryTime));
             app.setApplicationAccessTokenExpiryTime(Long.parseLong(applicationAccessTokenExpiryTime));
             app.setRefreshTokenExpiryTime(Long.parseLong(refreshTokenExpiryTime));

diff --git a/components/org.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/edit.jsp b/components/org.wso2.carbon.identity.oauth.ui/src/main/resources/web/oauth/edit.jsp
@@ -351,6 +351,7 @@
                         $(jQuery('#access_token_type_row')).hide();
                         $(jQuery("#pkce_enable").hide());
                         $(jQuery("#pkce_support_plain").hide());
+                        $(jQuery('#authorizationCodePlain').hide());
                         $(jQuery('#userAccessTokenPlain').hide());
                         $(jQuery('#applicationAccessTokenPlain').hide());
                         $(jQuery('#refreshTokenPlain').hide());
@@ -374,6 +375,7 @@
                         $(jQuery('#grant_row')).show();
                         $(jQuery('#scope_validator_row')).show();
                         $(jQuery('#access_token_type_row')).show();
+                        $(jQuery('#authorizationCodePlain').show());
                         $(jQuery('#userAccessTokenPlain').show());
                         $(jQuery('#applicationAccessTokenPlain').show());
                         $(jQuery('#refreshTokenPlain').show());
@@ -832,6 +834,14 @@
                                         </table>
                                     </td>
                                 </tr>
+                                <tr id="authorizationCodePlain">
+                                    <td class="leftCol-med"><fmt:message key='authorization.code.validity.period'/></td>
+                                    <td><input id="authorizationCodeValidityPeriod" name="authorizationCodeValidityPeriod"
+                                               type="text"
+                                               value="<%=Encode.forHtmlAttribute(Long.toString(app.getAuthorizationCodeValidityPeriod()))%>"/>
+                                        <fmt:message key='seconds'/>
+                                    </td>
+                                </tr>
                                 <tr id="userAccessTokenPlain">
                                     <td class="leftCol-med"><fmt:message key='user.access.token.expiry.time'/></td>
                                     <td><input id="userAccessTokenExpiryTime" name="userAccessTokenExpiryTime"

diff --git a/...carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java b/...carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java
@@ -425,6 +425,16 @@ public boolean isPKCESupportEnabled() {
         return oAuthAdminServiceImpl.isPKCESupportEnabled();
     }
 
+    /**
+     * Get the authorization code validity period property value from identity.xml file.
+     *
+     * @return authorization code validity period property value
+     */
+    public long getAuthorizationCodeValidityPeriod() {
+
+        return oAuthAdminServiceImpl.getAuthorizationCodeValidityPeriod();
+    }
+
     public OAuthTokenExpiryTimeDTO getTokenExpiryTimes() {
 
         return oAuthAdminServiceImpl.getTokenExpiryTimes();

diff --git a/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
@@ -269,6 +269,9 @@ public OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumer
                     app.setAudiences(application.getAudiences());
                     app.setPkceMandatory(application.getPkceMandatory());
                     app.setPkceSupportPlain(application.getPkceSupportPlain());
+                    // Validate authorization code validity period configuration.
+                    validateAuthorizationCodeValidityPeriodConfiguration(application);
+                    app.setAuthorizationCodeValidityPeriod(application.getAuthorizationCodeValidityPeriod());
                     // Validate access token expiry configurations.
                     validateTokenExpiryConfigurations(application);
                     app.setUserAccessTokenExpiryTime(application.getUserAccessTokenExpiryTime());
@@ -1223,6 +1226,16 @@ public List<TokenBindingMetaDataDTO> getSupportedTokenBindingsMetaData() {
         return OAuthComponentServiceHolder.getInstance().getTokenBindingMetaDataDTOs();
     }
 
+    /**
+     * Get the authorization code validity period property value from identity.xml file.
+     *
+     * @return authorization code validity period property value
+     */
+    public long getAuthorizationCodeValidityPeriod() {
+
+        return OAuthServerConfiguration.getInstance().getAuthorizationCodeValidityPeriodInSeconds();
+    }
+
     public OAuthTokenExpiryTimeDTO getTokenExpiryTimes() {
 
         OAuthTokenExpiryTimeDTO tokenExpiryTime = new OAuthTokenExpiryTimeDTO();
@@ -1246,38 +1259,51 @@ AuthenticatedUser buildAuthenticatedUser(String tenantAwareUser, String tenantDo
         return user;
     }
 
+    void validateAuthorizationCodeValidityPeriodConfiguration(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
+
+        if (oAuthConsumerAppDTO.getAuthorizationCodeValidityPeriod() == 0) {
+            oAuthConsumerAppDTO.setAuthorizationCodeValidityPeriod(
+                    OAuthServerConfiguration.getInstance().getAuthorizationCodeValidityPeriodInSeconds());
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Invalid value '0' set for authorization code validity period in ServiceProvider: "
+                        + oAuthConsumerAppDTO.getApplicationName() + ". Defaulting to expiry value: "
+                        + oAuthConsumerAppDTO.getAuthorizationCodeValidityPeriod() + " seconds.");
+            }
+        }
+    }
+
     void validateTokenExpiryConfigurations(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
 
         if (oAuthConsumerAppDTO.getUserAccessTokenExpiryTime() == 0) {
             oAuthConsumerAppDTO.setUserAccessTokenExpiryTime(
                     OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds());
-            logOnInvalidConfig(oAuthConsumerAppDTO.getApplicationName(), "user access token",
+            logOnInvalidTokenExpiryConfig(oAuthConsumerAppDTO.getApplicationName(), "user access token",
                     oAuthConsumerAppDTO.getUserAccessTokenExpiryTime());
         }
 
         if (oAuthConsumerAppDTO.getApplicationAccessTokenExpiryTime() == 0) {
             oAuthConsumerAppDTO.setApplicationAccessTokenExpiryTime(
                     OAuthServerConfiguration.getInstance().getApplicationAccessTokenValidityPeriodInSeconds());
-            logOnInvalidConfig(oAuthConsumerAppDTO.getApplicationName(), "application access token",
+            logOnInvalidTokenExpiryConfig(oAuthConsumerAppDTO.getApplicationName(), "application access token",
                     oAuthConsumerAppDTO.getApplicationAccessTokenExpiryTime());
         }
 
         if (oAuthConsumerAppDTO.getRefreshTokenExpiryTime() == 0) {
             oAuthConsumerAppDTO.setRefreshTokenExpiryTime(
                     OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds());
-            logOnInvalidConfig(oAuthConsumerAppDTO.getApplicationName(), "refresh token",
+            logOnInvalidTokenExpiryConfig(oAuthConsumerAppDTO.getApplicationName(), "refresh token",
                     oAuthConsumerAppDTO.getRefreshTokenExpiryTime());
         }
 
         if (oAuthConsumerAppDTO.getIdTokenExpiryTime() == 0) {
             oAuthConsumerAppDTO.setIdTokenExpiryTime(
                     OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenExpiryTimeInSeconds());
-            logOnInvalidConfig(oAuthConsumerAppDTO.getApplicationName(), "id token",
+            logOnInvalidTokenExpiryConfig(oAuthConsumerAppDTO.getApplicationName(), "id token",
                     oAuthConsumerAppDTO.getIdTokenExpiryTime());
         }
     }
 
-    void logOnInvalidConfig(String appName, String tokenType, long defaultValue) {
+    void logOnInvalidTokenExpiryConfig(String appName, String tokenType, long defaultValue) {
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Invalid expiry time value '0' set for token type: " + tokenType + " in ServiceProvider: " +