PageRenderTime 53ms CodeModel.GetById 20ms RepoModel.GetById 1ms app.codeStats 0ms

/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java

https://gitlab.com/jslee1/OpenID-Connect-Java-Spring-Server
Java | 372 lines | 176 code | 37 blank | 159 comment | 19 complexity | b790702e60c36861eec0a523cd20d746 MD5 | raw file
    

  1. /*******************************************************************************
    2. 

  2.  * Copyright 2016 The MITRE Corporation
    3. 

  3.  *   and the MIT Internet Trust Consortium
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *   http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  *******************************************************************************/
    17. 

  17. package org.mitre.discovery.web;
    18. 

  18. 

  19. import java.util.ArrayList;
    20. 

  20. import java.util.Collection;
    21. 

  21. import java.util.HashMap;
    22. 

  22. import java.util.Map;
    23. 

  23. 

  24. import org.mitre.discovery.util.WebfingerURLNormalizer;
    25. 

  25. import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
    26. 

  26. import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
    27. 

  27. import org.mitre.oauth2.service.SystemScopeService;
    28. 

  28. import org.mitre.oauth2.web.IntrospectionEndpoint;
    29. 

  29. import org.mitre.oauth2.web.RevocationEndpoint;
    30. 

  30. import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
    31. 

  31. import org.mitre.openid.connect.model.UserInfo;
    32. 

  32. import org.mitre.openid.connect.service.UserInfoService;
    33. 

  33. import org.mitre.openid.connect.view.HttpCodeView;
    34. 

  34. import org.mitre.openid.connect.view.JsonEntityView;
    35. 

  35. import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
    36. 

  36. import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
    37. 

  37. import org.mitre.openid.connect.web.UserInfoEndpoint;
    38. 

  38. import org.slf4j.Logger;
    39. 

  39. import org.slf4j.LoggerFactory;
    40. 

  40. import org.springframework.beans.factory.annotation.Autowired;
    41. 

  41. import org.springframework.http.HttpStatus;
    42. 

  42. import org.springframework.http.MediaType;
    43. 

  43. import org.springframework.stereotype.Controller;
    44. 

  44. import org.springframework.ui.Model;
    45. 

  45. import org.springframework.web.bind.annotation.RequestMapping;
    46. 

  46. import org.springframework.web.bind.annotation.RequestParam;
    47. 

  47. import org.springframework.web.util.UriComponents;
    48. 

  48. import org.springframework.web.util.UriComponentsBuilder;
    49. 

  49. 

  50. import com.google.common.base.Function;
    51. 

  51. import com.google.common.base.Strings;
    52. 

  52. import com.google.common.collect.Collections2;
    53. 

  53. import com.google.common.collect.Lists;
    54. 

  54. import com.nimbusds.jose.Algorithm;
    55. 

  55. import com.nimbusds.jose.JWSAlgorithm;
    56. 

  56. 

  57. /**
    58. 

  58.  * 
    59. 

  59.  * Handle OpenID Connect Discovery.
    60. 

  60.  * 
    61. 

  61.  * @author jricher
    62. 

  62.  *
    63. 

  63.  */
    64. 

  64. @Controller
    65. 

  65. public class DiscoveryEndpoint {
    66. 

  66. 

  67. 	public static final String WELL_KNOWN_URL = ".well-known";
    68. 

  68. 	public static final String OPENID_CONFIGURATION_URL = WELL_KNOWN_URL + "/openid-configuration";
    69. 

  69. 	public static final String WEBFINGER_URL = WELL_KNOWN_URL + "/webfinger";
    70. 

  70. 

  71. 	/**
    72. 

  72. 	 * Logger for this class
    73. 

  73. 	 */
    74. 

  74. 	private static final Logger logger = LoggerFactory.getLogger(DiscoveryEndpoint.class);
    75. 

  75. 

  76. 	@Autowired
    77. 

  77. 	private ConfigurationPropertiesBean config;
    78. 

  78. 

  79. 	@Autowired
    80. 

  80. 	private SystemScopeService scopeService;
    81. 

  81. 

  82. 	@Autowired
    83. 

  83. 	private JWTSigningAndValidationService signService;
    84. 

  84. 

  85. 	@Autowired
    86. 

  86. 	private JWTEncryptionAndDecryptionService encService;
    87. 

  87. 

  88. 	@Autowired
    89. 

  89. 	private UserInfoService userService;
    90. 

  90. 

  91. 

  92. 	// used to map JWA algorithms objects to strings
    93. 

  93. 	private Function<Algorithm, String> toAlgorithmName = new Function<Algorithm, String>() {
    94. 

  94. 		@Override
    95. 

  95. 		public String apply(Algorithm alg) {
    96. 

  96. 			if (alg == null) {
    97. 

  97. 				return null;
    98. 

  98. 			} else {
    99. 

  99. 				return alg.getName();
    100. 

  100. 			}
    101. 

  101. 		}
    102. 

  102. 	};
    103. 

  103. 

  104. 	@RequestMapping(value={"/" + WEBFINGER_URL}, produces = MediaType.APPLICATION_JSON_VALUE)
    105. 

  105. 	public String webfinger(@RequestParam("resource") String resource, @RequestParam(value = "rel", required = false) String rel, Model model) {
    106. 

  106. 

  107. 		if (!Strings.isNullOrEmpty(rel) && !rel.equals("http://openid.net/specs/connect/1.0/issuer")) {
    108. 

  108. 			logger.warn("Responding to webfinger request for non-OIDC relation: " + rel);
    109. 

  109. 		}
    110. 

  110. 		
    111. 

  111. 		if (!resource.equals(config.getIssuer())) {
    112. 

  112. 			// it's not the issuer directly, need to check other methods
    113. 

  113. 

  114. 			UriComponents resourceUri = WebfingerURLNormalizer.normalizeResource(resource);
    115. 

  115. 			if (resourceUri != null
    116. 

  116. 					&& resourceUri.getScheme() != null
    117. 

  117. 					&& resourceUri.getScheme().equals("acct")) {
    118. 

  118. 				// acct: URI (email address format)
    119. 

  119. 

  120. 				// check on email addresses first
    121. 

  121. 				UserInfo user = userService.getByEmailAddress(resourceUri.getUserInfo() + "@" + resourceUri.getHost());
    122. 

  122. 

  123. 				if (user == null) {
    124. 

  124. 					// user wasn't found, see if the local part of the username matches, plus our issuer host
    125. 

  125. 

  126. 					user = userService.getByUsername(resourceUri.getUserInfo()); // first part is the username
    127. 

  127. 

  128. 					if (user != null) {
    129. 

  129. 						// username matched, check the host component
    130. 

  130. 						UriComponents issuerComponents = UriComponentsBuilder.fromHttpUrl(config.getIssuer()).build();
    131. 

  131. 						if (!Strings.nullToEmpty(issuerComponents.getHost())
    132. 

  132. 								.equals(Strings.nullToEmpty(resourceUri.getHost()))) {
    133. 

  133. 							logger.info("Host mismatch, expected " + issuerComponents.getHost() + " got " + resourceUri.getHost());
    134. 

  134. 							model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
    135. 

  135. 							return HttpCodeView.VIEWNAME;
    136. 

  136. 						}
    137. 

  137. 

  138. 					} else {
    139. 

  139. 

  140. 						// if the user's still null, punt and say we didn't find them
    141. 

  141. 

  142. 						logger.info("User not found: " + resource);
    143. 

  143. 						model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
    144. 

  144. 						return HttpCodeView.VIEWNAME;
    145. 

  145. 					}
    146. 

  146. 

  147. 				}
    148. 

  148. 

  149. 			} else {
    150. 

  150. 				logger.info("Unknown URI format: " + resource);
    151. 

  151. 				model.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
    152. 

  152. 				return HttpCodeView.VIEWNAME;
    153. 

  153. 			}
    154. 

  154. 		}
    155. 

  155. 

  156. 		// if we got here, then we're good, return ourselves
    157. 

  157. 		model.addAttribute("resource", resource);
    158. 

  158. 		model.addAttribute("issuer", config.getIssuer());
    159. 

  159. 

  160. 		return "webfingerView";
    161. 

  161. 	}
    162. 

  162. 

  163. 	@RequestMapping("/" + OPENID_CONFIGURATION_URL)
    164. 

  164. 	public String providerConfiguration(Model model) {
    165. 

  165. 

  166. 		/*
    167. 

  167. 		    issuer
    168. 

  168. 		        REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    169. 

  169. 		    authorization_endpoint
    170. 

  170. 		        OPTIONAL. URL of the OP's Authentication and Authorization Endpoint [OpenID.Messages].
    171. 

  171. 		    token_endpoint
    172. 

  172. 		        OPTIONAL. URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Messages].
    173. 

  173. 		    userinfo_endpoint
    174. 

  174. 		        RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Messages]. This URL MUST use the https scheme
    175. 

  175. 		        and MAY contain port, path, and query parameter components.
    176. 

  176. 		    check_session_iframe
    177. 

  177. 		        OPTIONAL. URL of an OP endpoint that provides a page to support cross-origin communications for session state information with
    178. 

  178. 		        the RP Client, using the HTML5 postMessage API. The page is loaded from an invisible iframe embedded in an RP page so that
    179. 

  179. 		        it can run in the OP's security context. See [OpenID.Session].
    180. 

  180. 		    end_session_endpoint
    181. 

  181. 		        OPTIONAL. URL of the OP's endpoint that initiates logging out the End-User. See [OpenID.Session].
    182. 

  182. 		    jwks_uri
    183. 

  183. 		        REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the Client uses to
    184. 

  184. 		        validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s),
    185. 

  185. 		        which are used by Clients to encrypt requests to the Server. When both signing and encryption keys are made available,
    186. 

  186. 		        a use (Key Use) parameter value is REQUIRED for all keys in the document to indicate each key's intended usage.
    187. 

  187. 		    registration_endpoint
    188. 

  188. 		        RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration].
    189. 

  189. 		    scopes_supported
    190. 

  190. 		        RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
    191. 

  191. 		        The server MUST support the openid scope value.
    192. 

  192. 		    response_types_supported
    193. 

  193. 		        REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this server supports.
    194. 

  194. 		        The server MUST support the code, id_token, and the token id_token response type values.
    195. 

  195. 		    grant_types_supported
    196. 

  196. 		        OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this server supports.
    197. 

  197. 		        The server MUST support the authorization_code and implicit grant type values
    198. 

  198. 		        and MAY support the urn:ietf:params:oauth:grant-type:jwt-bearer grant type defined in OAuth JWT Bearer Token Profiles [OAuth.JWT].
    199. 

  199. 		        If omitted, the default value is ["authorization_code", "implicit"].
    200. 

  200. 		    acr_values_supported
    201. 

  201. 		        OPTIONAL. JSON array containing a list of the Authentication Context Class References that this server supports.
    202. 

  202. 		    subject_types_supported
    203. 

  203. 		        REQUIRED. JSON array containing a list of the subject identifier types that this server supports. Valid types include pairwise and public.
    204. 

  204. 		    userinfo_signing_alg_values_supported
    205. 

  205. 		        OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
    206. 

  206. 		        encode the Claims in a JWT [JWT].
    207. 

  207. 		    userinfo_encryption_alg_values_supported
    208. 

  208. 		        OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to
    209. 

  209. 		        encode the Claims in a JWT [JWT].
    210. 

  210. 		    userinfo_encryption_enc_values_supported
    211. 

  211. 		        OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to
    212. 

  212. 		        encode the Claims in a JWT [JWT].
    213. 

  213. 		    id_token_signing_alg_values_supported
    214. 

  214. 		        REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Authorization Server for the
    215. 

  215. 		        ID Token to encode the Claims in a JWT [JWT].
    216. 

  216. 		    id_token_encryption_alg_values_supported
    217. 

  217. 		        OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the Authorization Server for the
    218. 

  218. 		        ID Token to encode the Claims in a JWT [JWT].
    219. 

  219. 		    id_token_encryption_enc_values_supported
    220. 

  220. 		        OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the Authorization Server for the
    221. 

  221. 		        ID Token to encode the Claims in a JWT [JWT].
    222. 

  222. 		    request_object_signing_alg_values_supported
    223. 

  223. 		        OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Authorization Server for
    224. 

  224. 		        the Request Object described in Section 2.9 of OpenID Connect Messages 1.0 [OpenID.Messages]. These algorithms are used both when
    225. 

  225. 		        the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter).
    226. 

  226. 		        Servers SHOULD support none and RS256.
    227. 

  227. 		    request_object_encryption_alg_values_supported
    228. 

  228. 		        OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the Authorization Server for
    229. 

  229. 		        the Request Object described in Section 2.9 of OpenID Connect Messages 1.0 [OpenID.Messages]. These algorithms are used both when
    230. 

  230. 		        the Request Object is passed by value and when it is passed by reference.
    231. 

  231. 		    request_object_encryption_enc_values_supported
    232. 

  232. 		        OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the Authorization Server for
    233. 

  233. 		        the Request Object described in Section 2.9 of OpenID Connect Messages 1.0 [OpenID.Messages]. These algorithms are used both when
    234. 

  234. 		        the Request Object is passed by value and when it is passed by reference.
    235. 

  235. 		    token_endpoint_auth_methods_supported
    236. 

  236. 		        OPTIONAL. JSON array containing a list of authentication methods supported by this Token Endpoint.
    237. 

  237. 		        The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt,
    238. 

  238. 		        as described in Section 2.2.1 of OpenID Connect Messages 1.0 [OpenID.Messages].
    239. 

  239. 		        Other authentication methods MAY be defined by extensions.
    240. 

  240. 		        If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme as specified in
    241. 

  241. 		        Section 2.3.1 of OAuth 2.0 [RFC6749].
    242. 

  242. 		    token_endpoint_auth_signing_alg_values_supported
    243. 

  243. 		        OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
    244. 

  244. 		        the private_key_jwt and client_secret_jwt methods to encode the JWT [JWT]. Servers SHOULD support RS256.
    245. 

  245. 		    display_values_supported
    246. 

  246. 		        OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports.
    247. 

  247. 		        These values are described in Section 2.1.1 of OpenID Connect Messages 1.0 [OpenID.Messages].
    248. 

  248. 		    claim_types_supported
    249. 

  249. 		        OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports.
    250. 

  250. 		        These Claim Types are described in Section 2.6 of OpenID Connect Messages 1.0 [OpenID.Messages].
    251. 

  251. 		        Values defined by this specification are normal, aggregated, and distributed.
    252. 

  252. 		        If not specified, the implementation supports only normal Claims.
    253. 

  253. 		    claims_supported
    254. 

  254. 		        RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    255. 

  255. 		        Note that for privacy or other reasons, this might not be an exhaustive list.
    256. 

  256. 		    service_documentation
    257. 

  257. 		        OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    258. 

  258. 		        In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs
    259. 

  259. 		        to be provided in this documentation.
    260. 

  260. 		    claims_locales_supported
    261. 

  261. 		        OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of
    262. 

  262. 		        BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
    263. 

  263. 		    ui_locales_supported
    264. 

  264. 		        OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values.
    265. 

  265. 		    claims_parameter_supported
    266. 

  266. 		        OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
    267. 

  267. 		        If omitted, the default value is false.
    268. 

  268. 		    request_parameter_supported
    269. 

  269. 		        OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
    270. 

  270. 		        If omitted, the default value is false.
    271. 

  271. 		    request_uri_parameter_supported
    272. 

  272. 		        OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
    273. 

  273. 		        If omitted, the default value is true.
    274. 

  274. 		    require_request_uri_registration
    275. 

  275. 		        OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using
    276. 

  276. 		        the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false.
    277. 

  277. 		    op_policy_uri
    278. 

  278. 		        OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on
    279. 

  279. 		        how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering
    280. 

  280. 		        the Client if it is given.
    281. 

  281. 		    op_tos_uri
    282. 

  282. 		        OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service.
    283. 

  283. 		        The registration process SHOULD display this URL to the person registering the Client if it is given.
    284. 

  284. 		 */
    285. 

  285. 		String baseUrl = config.getIssuer();
    286. 

  286. 

  287. 		if (!baseUrl.endsWith("/")) {
    288. 

  288. 			logger.warn("Configured issuer doesn't end in /, adding for discovery: " + baseUrl);
    289. 

  289. 			baseUrl = baseUrl.concat("/");
    290. 

  290. 		}
    291. 

  291. 

  292. 		Collection<JWSAlgorithm> serverSigningAlgs = signService.getAllSigningAlgsSupported();
    293. 

  293. 		Collection<JWSAlgorithm> clientSymmetricSigningAlgs = Lists.newArrayList(JWSAlgorithm.HS256, JWSAlgorithm.HS384, JWSAlgorithm.HS512);
    294. 

  294. 		Collection<JWSAlgorithm> clientSymmetricAndAsymmetricSigningAlgs = Lists.newArrayList(JWSAlgorithm.HS256, JWSAlgorithm.HS384, JWSAlgorithm.HS512, 
    295. 

  295. 				JWSAlgorithm.RS256, JWSAlgorithm.RS384, JWSAlgorithm.RS512, 
    296. 

  296. 				JWSAlgorithm.ES256, JWSAlgorithm.ES384, JWSAlgorithm.ES512, 
    297. 

  297. 				JWSAlgorithm.PS256, JWSAlgorithm.PS384, JWSAlgorithm.PS512);
    298. 

  298. 		Collection<Algorithm> clientSymmetricAndAsymmetricSigningAlgsWithNone = Lists.newArrayList(JWSAlgorithm.HS256, JWSAlgorithm.HS384, JWSAlgorithm.HS512, 
    299. 

  299. 				JWSAlgorithm.RS256, JWSAlgorithm.RS384, JWSAlgorithm.RS512, 
    300. 

  300. 				JWSAlgorithm.ES256, JWSAlgorithm.ES384, JWSAlgorithm.ES512, 
    301. 

  301. 				JWSAlgorithm.PS256, JWSAlgorithm.PS384, JWSAlgorithm.PS512, 
    302. 

  302. 				Algorithm.NONE);
    303. 

  303. 		ArrayList<String> grantTypes = Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate");
    304. 

  304. 

  305. 		Map<String, Object> m = new HashMap<>();
    306. 

  306. 		m.put("issuer", config.getIssuer());
    307. 

  307. 		m.put("authorization_endpoint", baseUrl + "authorize");
    308. 

  308. 		m.put("token_endpoint", baseUrl + "token");
    309. 

  309. 		m.put("userinfo_endpoint", baseUrl + UserInfoEndpoint.URL);
    310. 

  310. 		//check_session_iframe
    311. 

  311. 		//end_session_endpoint
    312. 

  312. 		m.put("jwks_uri", baseUrl + JWKSetPublishingEndpoint.URL);
    313. 

  313. 		m.put("registration_endpoint", baseUrl + DynamicClientRegistrationEndpoint.URL);
    314. 

  314. 		m.put("scopes_supported", scopeService.toStrings(scopeService.getUnrestricted())); // these are the scopes that you can dynamically register for, which is what matters for discovery
    315. 

  315. 		m.put("response_types_supported", Lists.newArrayList("code", "token")); // we don't support these yet: , "id_token", "id_token token"));
    316. 

  316. 		m.put("grant_types_supported", grantTypes);
    317. 

  317. 		//acr_values_supported
    318. 

  318. 		m.put("subject_types_supported", Lists.newArrayList("public", "pairwise"));
    319. 

  319. 		m.put("userinfo_signing_alg_values_supported", Collections2.transform(clientSymmetricAndAsymmetricSigningAlgs, toAlgorithmName));
    320. 

  320. 		m.put("userinfo_encryption_alg_values_supported", Collections2.transform(encService.getAllEncryptionAlgsSupported(), toAlgorithmName));
    321. 

  321. 		m.put("userinfo_encryption_enc_values_supported", Collections2.transform(encService.getAllEncryptionEncsSupported(), toAlgorithmName));
    322. 

  322. 		m.put("id_token_signing_alg_values_supported", Collections2.transform(clientSymmetricAndAsymmetricSigningAlgsWithNone, toAlgorithmName));
    323. 

  323. 		m.put("id_token_encryption_alg_values_supported", Collections2.transform(encService.getAllEncryptionAlgsSupported(), toAlgorithmName));
    324. 

  324. 		m.put("id_token_encryption_enc_values_supported", Collections2.transform(encService.getAllEncryptionEncsSupported(), toAlgorithmName));
    325. 

  325. 		m.put("request_object_signing_alg_values_supported", Collections2.transform(clientSymmetricAndAsymmetricSigningAlgs, toAlgorithmName));
    326. 

  326. 		m.put("request_object_encryption_alg_values_supported", Collections2.transform(encService.getAllEncryptionAlgsSupported(), toAlgorithmName));
    327. 

  327. 		m.put("request_object_encryption_enc_values_supported", Collections2.transform(encService.getAllEncryptionEncsSupported(), toAlgorithmName));
    328. 

  328. 		m.put("token_endpoint_auth_methods_supported", Lists.newArrayList("client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", "none"));
    329. 

  329. 		m.put("token_endpoint_auth_signing_alg_values_supported", Collections2.transform(clientSymmetricAndAsymmetricSigningAlgs, toAlgorithmName));
    330. 

  330. 		//display_types_supported
    331. 

  331. 		m.put("claim_types_supported", Lists.newArrayList("normal" /*, "aggregated", "distributed"*/));
    332. 

  332. 		m.put("claims_supported", Lists.newArrayList(
    333. 

  333. 				"sub",
    334. 

  334. 				"name",
    335. 

  335. 				"preferred_username",
    336. 

  336. 				"given_name",
    337. 

  337. 				"family_name",
    338. 

  338. 				"middle_name",
    339. 

  339. 				"nickname",
    340. 

  340. 				"profile",
    341. 

  341. 				"picture",
    342. 

  342. 				"website",
    343. 

  343. 				"gender",
    344. 

  344. 				"zoneinfo",
    345. 

  345. 				"locale",
    346. 

  346. 				"updated_at",
    347. 

  347. 				"birthdate",
    348. 

  348. 				"email",
    349. 

  349. 				"email_verified",
    350. 

  350. 				"phone_number",
    351. 

  351. 				"phone_number_verified",
    352. 

  352. 				"address"
    353. 

  353. 				));
    354. 

  354. 		m.put("service_documentation", baseUrl + "about");
    355. 

  355. 		//claims_locales_supported
    356. 

  356. 		//ui_locales_supported
    357. 

  357. 		m.put("claims_parameter_supported", false);
    358. 

  358. 		m.put("request_parameter_supported", true);
    359. 

  359. 		m.put("request_uri_parameter_supported", false);
    360. 

  360. 		m.put("require_request_uri_registration", false);
    361. 

  361. 		m.put("op_policy_uri", baseUrl + "about");
    362. 

  362. 		m.put("op_tos_uri", baseUrl + "about");
    363. 

  363. 

  364. 		m.put("introspection_endpoint", baseUrl + IntrospectionEndpoint.URL); // token introspection endpoint for verifying tokens
    365. 

  365. 		m.put("revocation_endpoint", baseUrl + RevocationEndpoint.URL); // token revocation endpoint
    366. 

  366. 

  367. 		model.addAttribute(JsonEntityView.ENTITY, m);
    368. 

  368. 

  369. 		return JsonEntityView.VIEWNAME;
    370. 

  370. 	}
    371. 

  371. 

  372. }
    373. 

  373.