Reset the client secret when the authentication is set to none

iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java

@@ -17,6 +17,7 @@
 
 import static it.infn.mw.iam.api.client.util.ClientSuppliers.accountNotFound;
 import static it.infn.mw.iam.api.client.util.ClientSuppliers.clientNotFound;
+import static java.util.Objects.isNull;
 
 import java.text.ParseException;
 import java.time.Clock;
@@ -27,6 +28,7 @@
 import javax.validation.constraints.NotBlank;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -106,13 +108,13 @@ public ListResponseDTO<RegisteredClientDTO> retrieveAllClients(Pageable pageable
 
   @Override
   public Optional<RegisteredClientDTO> retrieveClientByClientId(String clientId) {
-    return clientService.findClientByClientId(clientId).map(converter::registeredClientDtoFromEntity);
+    return clientService.findClientByClientId(clientId)
+      .map(converter::registeredClientDtoFromEntity);
   }
 
   @Validated(OnClientCreation.class)
   @Override
-  public RegisteredClientDTO saveNewClient(RegisteredClientDTO client)
-      throws ParseException {
+  public RegisteredClientDTO saveNewClient(RegisteredClientDTO client) throws ParseException {
 
     ClientDetailsEntity entity = converter.entityFromClientManagementRequest(client);
     entity.setDynamicallyRegistered(false);
@@ -150,6 +152,14 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO cli
     newClient.setAuthorities(oldClient.getAuthorities());
     newClient.setDynamicallyRegistered(oldClient.isDynamicallyRegistered());
 
+    if (newClient.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+      newClient.setTokenEndpointAuthMethod(AuthMethod.NONE);
+      newClient.setClientSecret(null);
+    } else if (!newClient.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)
+        && isNull(newClient.getClientSecret())) {
+      newClient.setClientSecret(defaultsService.generateClientSecret());
+    }
+
     newClient = clientService.updateClient(newClient);
     eventPublisher.publishEvent(new ClientUpdatedEvent(this, newClient));
     return converter.registeredClientDtoFromEntity(newClient);
@@ -227,15 +237,16 @@ private OAuth2AccessTokenEntity createRegistrationAccessTokenForClient(
     return tokenService.saveAccessToken(token);
 
   }
+
   @Override
   public RegisteredClientDTO rotateRegistrationAccessToken(@NotBlank String clientId) {
     ClientDetailsEntity client =
         clientService.findClientByClientId(clientId).orElseThrow(clientNotFound(clientId));
 
     OAuth2AccessTokenEntity rat =
-    Optional.ofNullable(oidcTokenService.rotateRegistrationAccessTokenForClient(client))
-      .orElse(createRegistrationAccessTokenForClient(client));
-    
+        Optional.ofNullable(oidcTokenService.rotateRegistrationAccessTokenForClient(client))
+          .orElse(createRegistrationAccessTokenForClient(client));
+
     tokenService.saveAccessToken(rat);
 
     eventPublisher.publishEvent(new ClientRegistrationAccessTokenRotatedEvent(this, client));

iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java

@@ -33,6 +33,7 @@
 import javax.validation.constraints.NotBlank;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.service.OIDCTokenService;
@@ -383,7 +384,6 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
 
     ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
     newClient.setId(oldClient.getId());
-    newClient.setClientSecret(oldClient.getClientSecret());
     newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
     newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
     newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
@@ -394,6 +394,14 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
     newClient.setCreatedAt(oldClient.getCreatedAt());
     newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
 
+    if (newClient.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+      newClient.setTokenEndpointAuthMethod(AuthMethod.NONE);
+      newClient.setClientSecret(null);
+    } else if (!newClient.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)
+        && isNull(newClient.getClientSecret())) {
+      newClient.setClientSecret(defaultsService.generateClientSecret());
+    }
+
     ClientDetailsEntity savedClient = clientService.updateClient(newClient);
 
     eventPublisher.publishEvent(new ClientUpdatedEvent(this, savedClient));
@@ -439,7 +447,7 @@ public RegisteredClientDTO redeemClient(@NotBlank String clientId,
 
     final IamAccount account =
         accountUtils.getAuthenticatedUserAccount(authentication).orElseThrow(noAuthUserError());
-    
+
     client = clientService.linkClientToAccount(client, account);
 
     eventPublisher.publishEvent(new AccountClientOwnerAssigned(this, account, client));

iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java

@@ -40,6 +40,7 @@
 import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
 
+
 @Component
 public class ClientConverter {
 
@@ -173,6 +174,10 @@ public RegisteredClientDTO registeredClientDtoFromEntity(ClientDetailsEntity ent
       clientDTO.setRequireAuthTime(false);
     }
 
+    if (entity.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
+      clientDTO.setClientSecret(null);
+    }
+
     return clientDTO;
   }