Additional Configuration Parameter for OIDC with Auth0, fix for AD-Schema Import in AD

server/src/main/java/password/pwm/config/DomainConfig.java

@@ -57,6 +57,7 @@
 import password.pwm.util.secure.PwmHashAlgorithm;
 import password.pwm.util.secure.PwmSecurityKey;
 import password.pwm.util.secure.SecureEngine;
+import password.pwm.http.HttpMethod;
 
 import java.io.StringWriter;
 import java.security.cert.X509Certificate;
@@ -233,6 +234,14 @@ public PrivateKeyCertificate readSettingAsPrivateKey( final PwmSetting setting )
         return settingReader.readSettingAsPrivateKey( setting );
     }
 
+    public HttpMethod readSettingAsHttpMethod( final PwmSetting setting )
+    {
+        return settingReader.readSettingAsEnum( setting,
+                password.pwm.config.option.HttpMethod.class ) == password.pwm.config.option.HttpMethod.POST
+                        ? HttpMethod.POST
+                        : HttpMethod.GET;
+    }
+
     public PwmSecurityKey getSecurityKey( ) throws PwmUnrecoverableException
     {
         //return configurationSuppliers.pwmSecurityKey.call();

server/src/main/java/password/pwm/config/PwmSetting.java

@@ -822,6 +822,8 @@ public enum PwmSetting
             "recovery.oauth.idserver.codeResolveUrl", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_ATTRIBUTES_URL(
             "recovery.oauth.idserver.attributesUrl", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH ),
+    RECOVERY_OAUTH_ID_ATTRIBUTES_METHOD(
+            "recovery.oauth.idserver.attributesMethod", PwmSettingSyntax.SELECT, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_CERTIFICATE(
             "recovery.oauth.idserver.serverCerts", PwmSettingSyntax.X509CERT, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_CLIENTNAME(
@@ -1190,6 +1192,8 @@ public enum PwmSetting
             "oauth.idserver.codeResolveUrl", PwmSettingSyntax.STRING, PwmSettingCategory.OAUTH ),
     OAUTH_ID_ATTRIBUTES_URL(
             "oauth.idserver.attributesUrl", PwmSettingSyntax.STRING, PwmSettingCategory.OAUTH ),
+    OAUTH_ID_ATTRIBUTES_METHOD(
+            "oauth.idserver.attributesMethod", PwmSettingSyntax.SELECT, PwmSettingCategory.OAUTH ),
     OAUTH_ID_CERTIFICATE(
             "oauth.idserver.serverCerts", PwmSettingSyntax.X509CERT, PwmSettingCategory.OAUTH ),
     OAUTH_ID_CLIENTNAME(

server/src/main/java/password/pwm/config/option/HttpMethod.java

@@ -0,0 +1,27 @@
+/*
+ * Password Management Servlets (PWM)
+ * http://www.pwm-project.org
+ *
+ * Copyright (c) 2006-2009 Novell, Inc.
+ * Copyright (c) 2009-2021 The PWM Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package password.pwm.config.option;
+
+public enum HttpMethod implements ConfigurationOption
+{
+    POST,
+    GET,
+}

server/src/main/java/password/pwm/http/PwmResponse.java

@@ -289,9 +289,19 @@ public void sendRedirect( final String url, final RedirectType redirectType )
         preCommitActions();
 
         final String basePath = pwmRequest.getBasePath();
-        final String effectiveUrl = url.startsWith( basePath )
-                ? url
-                : basePath + url;
+        final String effectiveUrl;
+
+        // a redirect can either be internal and already include the basePath,
+        // or internal without basePath, in this case we add the basePath
+        // or external with preceding protocol, in this case we use the url as is
+        if ( url.startsWith( basePath ) || url.matches( "^https?://.*" ) )
+        {
+            effectiveUrl  = url;
+        }
+        else
+        {
+            effectiveUrl = basePath + url;
+        }
 
         // http "other" redirect
         final HttpServletResponse resp = pwmRequest.getPwmResponse().getHttpServletResponse();

server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java

@@ -160,7 +160,7 @@ OAuthResolveResults makeOAuthResolveRequest(
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), clientID );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_SECRET ), settings.getSecret().getStringValue() );
 
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams, null, HttpMethod.POST );
 
         final OAuthResolveResults results = resolveResultsFromResponseBody( pwmRequest, restResults.getBody() );
 
@@ -204,7 +204,7 @@ private OAuthResolveResults makeOAuthRefreshRequest(
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ), refreshCode );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
 
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams, null, HttpMethod.POST );
 
         return resolveResultsFromResponseBody( pwmRequest, restResults.getBody() );
     }
@@ -219,10 +219,11 @@ String makeOAuthGetUserInfoRequest(
         {
             final DomainConfig config = pwmRequest.getDomainConfig();
             final String requestUrl = settings.getAttributesUrl();
+            final HttpMethod requestMethod = settings.getAttributesMethod();
             final Map<String, String> requestParams = new HashMap<>();
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
-            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken );
+            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken, requestMethod );
         }
 
         final String resultBody = restResults.getBody();
@@ -250,7 +251,8 @@ private static PwmHttpClientResponse makeHttpRequest(
             final OAuthSettings settings,
             final String requestUrl,
             final Map<String, String> requestParams,
-            final String accessToken
+            final String accessToken,
+            final HttpMethod method
     )
             throws PwmUnrecoverableException
     {
@@ -273,7 +275,7 @@ private static PwmHttpClientResponse makeHttpRequest(
             headers.put( HttpHeader.ContentType.getHttpName(), HttpContentType.form.getHeaderValueWithEncoding() );
 
             pwmHttpClientRequest = PwmHttpClientRequest.builder()
-                    .method( HttpMethod.POST )
+                    .method( method )
                     .url( requestUrl )
                     .body( requestBody )
                     .headers( headers )
@@ -316,7 +318,7 @@ private static String figureOauthSelfEndPointUrl( final PwmRequest pwmRequest )
 
         {
             final String returnUrlOverride = pwmRequest.getDomainConfig().readAppProperty( AppProperty.OAUTH_RETURN_URL_OVERRIDE );
-            final String siteURL = pwmRequest.getDomainConfig().readSettingAsString( PwmSetting.PWM_SITE_URL );
+            final String siteURL = pwmRequest.getAppConfig().readSettingAsString( PwmSetting.PWM_SITE_URL );
             if ( returnUrlOverride != null && !returnUrlOverride.trim().isEmpty() )
             {
                 debugSource = "AppProperty(\"" + AppProperty.OAUTH_RETURN_URL_OVERRIDE.getKey() + "\")";
@@ -470,7 +472,8 @@ private Optional<String> figureUsernameGrantParam(
         }
 
         LOGGER.debug( sessionLabel, () -> "preparing to send username to OAuth /sign endpoint for future injection to /grant redirect" );
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth pre-inject username signing service", settings, signUrl, requestPayload, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth pre-inject username signing service", settings,
+                                                                    signUrl, requestPayload, null, HttpMethod.POST );
 
         final String resultBody = restResults.getBody();
         final Map<String, String> resultBodyMap = JsonUtil.deserializeStringMap( resultBody );

server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java

@@ -26,6 +26,7 @@
 import password.pwm.config.PwmSetting;
 import password.pwm.config.profile.ForgottenPasswordProfile;
 import password.pwm.util.PasswordData;
+import password.pwm.http.HttpMethod;
 
 import java.io.Serializable;
 import java.security.cert.X509Certificate;
@@ -38,6 +39,7 @@ public class OAuthSettings implements Serializable
     private String loginURL;
     private String codeResolveUrl;
     private String attributesUrl;
+    private HttpMethod attributesMethod;
     private String scope;
     private String clientID;
     private PasswordData secret;
@@ -62,6 +64,7 @@ public static OAuthSettings forSSOAuthentication( final DomainConfig config )
                 .loginURL( config.readSettingAsString( PwmSetting.OAUTH_ID_LOGIN_URL ) )
                 .codeResolveUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_CODERESOLVE_URL ) )
                 .attributesUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_ATTRIBUTES_URL ) )
+                .attributesMethod( config.readSettingAsHttpMethod( PwmSetting.OAUTH_ID_ATTRIBUTES_METHOD ) )
                 .clientID( config.readSettingAsString( PwmSetting.OAUTH_ID_CLIENTNAME ) )
                 .secret( config.readSettingAsPassword( PwmSetting.OAUTH_ID_SECRET ) )
                 .dnAttributeName( config.readSettingAsString( PwmSetting.OAUTH_ID_DN_ATTRIBUTE_NAME ) )

server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java

@@ -211,7 +211,8 @@ private static RestResultBean doSetPassword(
             );
 
             StatisticsClient.incrementStat( restRequest.getDomain(), Statistic.REST_SETPASSWORD );
-            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(), null, random );
+            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(),
+                            newPassword.getStringValue(), random );
             return RestResultBean.forSuccessMessage( jsonResultData, restRequest, Message.Success_PasswordChange );
         }
         catch ( final PwmException e )

server/src/main/resources/password/pwm/config/PwmSetting.xml

@@ -2509,6 +2509,15 @@
         <example>https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes</example>
         <default/>
     </setting>
+    <setting hidden="false" key="recovery.oauth.idserver.attributesMethod" level="2" required="true">
+        <default>
+            <value>POST</value>
+        </default>
+        <options>
+            <option value="POST">POST</option>
+            <option value="GET">GET</option>
+        </options>
+    </setting>
     <setting hidden="false" key="recovery.oauth.idserver.serverCerts" level="2">
         <default/>
         <properties>
@@ -4068,6 +4077,15 @@
         <example>https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes</example>
         <default/>
     </setting>
+    <setting hidden="false" key="oauth.idserver.attributesMethod" level="2" required="true">
+        <default>
+            <value>POST</value>
+        </default>
+        <options>
+            <option value="POST">POST</option>
+            <option value="GET">GET</option>
+        </options>
+    </setting>
     <setting hidden="false" key="oauth.idserver.serverCerts" level="2">
         <default/>
         <properties>

server/src/main/resources/password/pwm/i18n/PwmSetting.properties

@@ -547,6 +547,7 @@ Setting_Description_newUser.username.definition=<p>Specify the display name, or
 Setting_Description_newUser.writeAttributes=Specify the actions the system takes when it creates a user.  The actions will be executed just after the user is created in the LDAP directory.    You can use macros in this setting.
 Setting_Description_notes.noteText=Specify any configuration notes about your system. This option allows you to keep notes about any specific configuration options you have made with the system.
 Setting_Description_oauth.idserver.attributesUrl=Specify the URL of the web service provided by the identity server to return attribute data about the user.
+Setting_Description_oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
 Setting_Description_oauth.idserver.scope=Specify the optional OAuth scope. The OAuth identity service provider(IdP) provides this value.  The scope provided, if any, must contain the user attribute to be read for authentication.
 Setting_Description_oauth.idserver.clientName=Specify the OAuth client ID. The OAuth identity service provider(IdP) provides this value.
 Setting_Description_oauth.idserver.codeResolveUrl=Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server.
@@ -681,6 +682,7 @@ Setting_Description_recovery.enable=Enable this option to have the forgotten pas
 Setting_Description_recovery.form=Specify the form fields for the activate user module. @PwmAppName@ requires the users to enter each attribute. Ideally, @PwmAppName@ requires the users to enter some personal data that is not publicly known.
 Setting_Description_recovery.minimumPasswordLifetimeOptions=Options to control behavior when a user attempts to use the forgotten password module while their password is within the minimum password policy lifetime window of their effective password policy.  These options are only relevant if the user has an effective minimum password lifetime as part of their password policy.
 Setting_Description_recovery.oauth.idserver.attributesUrl=Specify the web service URL provided by the identity server to return attribute data about the user.
+Setting_Description_recovery.oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
 Setting_Description_recovery.oauth.idserver.clientName=Specify the OAuth client ID. The OAuth identity service provider gives you this value.
 Setting_Description_recovery.oauth.idserver.codeResolveUrl=Specify the OAuth Token / Code Resolve Service URL. @PwmAppName@ uses this web service URL to resolve the artifact returned by the OAuth identity server.
 Setting_Description_recovery.oauth.idserver.dnAttributeName=Specify the attribute to request from the OAuth server that @PwmAppName@ uses as the user name for local authentication. @PwmAppName@ then resolves this value the same as if the user had typed the password at the local authentication page.
@@ -1086,6 +1088,7 @@ Setting_Label_newUser.username.definition=LDAP Entry ID Definition
 Setting_Label_newUser.writeAttributes=New User Actions
 Setting_Label_notes.noteText=Configuration Notes
 Setting_Label_oauth.idserver.attributesUrl=OAuth Profile/UserInfo Service URL
+Setting_Label_oauth.idserver.attributesMethod=OAuth Profile/UserInfo Service HTTP Method
 Setting_Label_oauth.idserver.scope=OAuth Scope
 Setting_Label_oauth.idserver.clientName=OAuth Client ID
 Setting_Label_oauth.idserver.codeResolveUrl=OAuth Token / Code Resolve Service URL
@@ -1220,6 +1223,7 @@ Setting_Label_recovery.enable=Enable Forgotten Password
 Setting_Label_recovery.form=Forgotten Password User Search Form
 Setting_Label_recovery.minimumPasswordLifetimeOptions=Minimum Password Lifetime Options
 Setting_Label_recovery.oauth.idserver.attributesUrl=OAuth Profile Service URL
+Setting_Label_recovery.oauth.idserver.attributesMethod=OAuth Profile Service HTTP Method
 Setting_Label_recovery.oauth.idserver.clientName=OAuth Client ID
 Setting_Label_recovery.oauth.idserver.codeResolveUrl=OAuth Code Resolve Service URL
 Setting_Label_recovery.oauth.idserver.dnAttributeName=OAuth User Name/DN Login Attribute

server/src/test/java/password/pwm/util/java/XmlFactoryTest.java

@@ -41,6 +41,6 @@ public void testLoadXml()
         Assert.assertTrue( configIsEditable.isPresent() );
         Assert.assertEquals( "false", configIsEditable.get().getText().orElseThrow() );
         final List<XmlElement> allSettings = xmlDocument.evaluateXpathToElements( "//setting" );
-        Assert.assertEquals( 279, allSettings.size() );
+        Assert.assertEquals( 281, allSettings.size() );
     }
 }

server/src/test/resources/password/pwm/config/stored/ConfigurationCleanerTest.xml

@@ -681,6 +681,10 @@
             <label>OAuth Profile Service URL</label>
             <value><![CDATA[http://ldap.example.com:8180/osp/a/idm/auth/oauth2/getattributes]]></value>
         </setting>
+        <setting key="oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+            <label>OAuth Profile Service HTTP Method</label>
+            <value><![CDATA[POST]]></value>
+        </setting>
         <setting key="oauth.idserver.serverCerts" syntax="X509CERT" syntaxVersion="0" modifyTime="2016-11-07T16:57:44Z" modifyUser="default|cn=testuser,ou=example,o=org">
             <default />
         </setting>
@@ -736,6 +740,10 @@
             <label>OAuth Profile Service URL</label>
             <value><![CDATA[https://db.example.org44/osp/a/TOP/auth/oauth2/getattributes]]></value>
         </setting>
+        <setting key="recovery.oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+            <label>OAuth Profile Service HTTP Method</label>
+            <value><![CDATA[POST]]></value>
+        </setting>
         <setting key="recovery.oauth.idserver.clientName" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2016-11-14T19:55:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
             <label>OAuth Client ID</label>
             <value><![CDATA[id-jUE41S73VVGoIetABWUKwBmYzM4B51yb]]></value>

server/src/test/resources/password/pwm/util/java/XmlFactoryTest.xml

@@ -683,6 +683,10 @@
       <label>OAuth Profile Service URL</label>
       <value><![CDATA[http://ldap.example.com:8180/osp/a/idm/auth/oauth2/getattributes]]></value>
     </setting>
+    <setting key="oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+      <label>OAuth Profile Service HTTP Method</label>
+      <value><![CDATA[POST]]></value>
+    </setting>
     <setting key="oauth.idserver.serverCerts" syntax="X509CERT" syntaxVersion="0" modifyTime="2016-11-07T16:57:44Z" modifyUser="default|cn=testuser,ou=example,o=org">
       <default />
     </setting>
@@ -738,6 +742,10 @@
       <label>OAuth Profile Service URL</label>
       <value><![CDATA[https://db.example.org44/osp/a/TOP/auth/oauth2/getattributes]]></value>
     </setting>
+    <setting key="recovery.oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+      <label>OAuth Profile Service HTTP Method</label>
+      <value><![CDATA[POST]]></value>
+    </setting>
     <setting key="recovery.oauth.idserver.clientName" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2016-11-14T19:55:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
       <label>OAuth Client ID</label>
       <value><![CDATA[id-jUE41S73VVGoIetABWUKwBmYzM4B51yb]]></value>

webapp/src/build/ldif/AD-schema.ldif

@@ -156,7 +156,7 @@ searchFlags: 1
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1
@@ -192,7 +192,7 @@ adminDescription: pwmUser Auxiliary class
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1
@@ -222,7 +222,7 @@ mayContain: pwmData
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1