sarahcec
diff --git a/‎openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java‎
Lines changed: 24 additions & 1 deletion b/‎openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java‎
Lines changed: 24 additions & 1 deletion
diff --git a/‎openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions b/‎openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions b/‎openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions b/‎openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java‎
Lines changed: 6 additions & 0 deletions b/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java‎
Lines changed: 9 additions & 2 deletions b/‎uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java‎
Lines changed: 9 additions & 2 deletions
@@ -141,6 +141,9 @@ public class ClientDetailsEntity implements ClientDetails {
 private Integer idTokenValiditySeconds; //timeout for id tokens
 private Date createdAt; // time the client was created
 private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
+
+/** fields for UMA */
+private Set<String> claimsRedirectUris;
 
 public enum AuthMethod {
 SECRET_POST("client_secret_post"),
@@ -964,5 +967,25 @@ public boolean isClearAccessTokensOnRefresh() {
 public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
 this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
 }
-
+
+/**
+ * @return the claimsRedirectUris
+ */
+@ElementCollection(fetch = FetchType.EAGER)
+@CollectionTable(
+name="client_claims_redirect_uri",
+joinColumns=@JoinColumn(name="owner_id")
+)
+@Column(name="redirect_uri")
+public Set<String> getClaimsRedirectUris() {
+return claimsRedirectUris;
+}
+
+/**
+ * @param claimsRedirectUris the claimsRedirectUris to set
+ */
+public void setClaimsRedirectUris(Set<String> claimsRedirectUris) {
+this.claimsRedirectUris = claimsRedirectUris;
+}
+
 }
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+owner_id BIGINT, 
+redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 token_value VARCHAR(4096),
 
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+owner_id BIGINT, 
+redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
 token_value VARCHAR(4096),
 
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048) 
 );
 
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+owner_id BIGINT, 
+redirect_uri VARCHAR(2048) 
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id SERIAL PRIMARY KEY,
 token_value VARCHAR(4096),
 
@@ -143,6 +143,7 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 private static final String AUTHENTICATION_HOLDER_ID = "authenticationHolderId";
 private static final String CLIENT_ID = "clientId";
 private static final String EXPIRATION = "expiration";
+private static final String CLAIMS_REDIRECT_URIS = "claimsRedirectUris";
 private static final String ID = "id";
 /**
  * Logger for this class
@@ -432,6 +433,8 @@ private void writeClients(JsonWriter writer) {
 writer.name(REFRESH_TOKEN_VALIDITY_SECONDS).value(client.getRefreshTokenValiditySeconds());
 writer.name(REDIRECT_URIS);
 writeNullSafeArray(writer, client.getRedirectUris());
+writer.name(CLAIMS_REDIRECT_URIS);
+writeNullSafeArray(writer, client.getClaimsRedirectUris());
 writer.name(NAME).value(client.getClientName());
 writer.name(URI).value(client.getClientUri());
 writer.name(LOGO_URI).value(client.getLogoUri());
@@ -1034,6 +1037,9 @@ private void readClients(JsonReader reader) throws IOException {
 } else if (name.equals(REDIRECT_URIS)) {
 Set<String> redirectUris = readSet(reader);
 client.setRedirectUris(redirectUris);
+} else if (name.equals(CLAIMS_REDIRECT_URIS)) {
+Set<String> claimsRedirectUris = readSet(reader);
+client.setClaimsRedirectUris(claimsRedirectUris);
 } else if (name.equals(NAME)) {
 client.setClientName(reader.nextString());
 } else if (name.equals(URI)) {
 
@@ -32,6 +32,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -116,9 +117,15 @@ public String collectClaims(@RequestParam("client_id") String clientId, @Request
 PermissionTicket updatedTicket = permissionService.updateTicket(ticket);
 
 if (Strings.isNullOrEmpty(redirectUri)) {
-if (client.getRedirectUris().size() == 1) {
-redirectUri = client.getRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
+if (client.getClaimsRedirectUris().size() == 1) {
+redirectUri = client.getClaimsRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
 logger.info("No redirect URI passed in, using registered value: " + redirectUri);
+} else {
+throw new RedirectMismatchException("Unable to find redirect URI and none passed in.");
+}
+} else {
+if (!client.getClaimsRedirectUris().contains(redirectUri)) {
+throw new RedirectMismatchException("Claims redirect did not match the registered values.");
 }
 }