From 0014a274c69beb51245be1dc339f18712cc714e3 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Tue, 31 Aug 2021 18:21:07 +0200 Subject: [PATCH 1/7] Bump version to 1.8.0-SNAPSHOT --- iam-common/pom.xml | 2 +- iam-login-service/pom.xml | 2 +- iam-persistence/pom.xml | 2 +- iam-test-client/pom.xml | 2 +- iam-test-protected-resource/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/iam-common/pom.xml b/iam-common/pom.xml index 92334b1ac..a5a954b45 100644 --- a/iam-common/pom.xml +++ b/iam-common/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT iam-common diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml index 8562be416..f2841fc2f 100644 --- a/iam-login-service/pom.xml +++ b/iam-login-service/pom.xml @@ -23,7 +23,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT iam-login-service diff --git a/iam-persistence/pom.xml b/iam-persistence/pom.xml index b263bc577..439e1203e 100644 --- a/iam-persistence/pom.xml +++ b/iam-persistence/pom.xml @@ -23,7 +23,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT iam-persistence jar diff --git a/iam-test-client/pom.xml b/iam-test-client/pom.xml index 414dbfefa..dd80f512e 100644 --- a/iam-test-client/pom.xml +++ b/iam-test-client/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT iam-test-client diff --git a/iam-test-protected-resource/pom.xml b/iam-test-protected-resource/pom.xml index 909b5640e..8ab09f877 100644 --- a/iam-test-protected-resource/pom.xml +++ b/iam-test-protected-resource/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT iam-test-protected-resource diff --git a/pom.xml b/pom.xml index 803e856e9..7bc64781c 100644 --- a/pom.xml +++ b/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.7.0 + 1.8.0-SNAPSHOT pom INDIGO Identity and Access Manager (IAM) From c855da64dc9a49e66f0a709c7b928f8810afee6c Mon Sep 17 00:00:00 2001 
From: rmiccoli Date: Thu, 2 Sep 2021 11:48:13 +0200 Subject: [PATCH 2/7] WIP: Increase the Cookie duration --- .../resources/iam/apps/saml-discovery/discovery.component.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js index 07aa8a57a..8e7665c13 100644 --- a/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js +++ b/iam-login-service/src/main/webapp/resources/iam/apps/saml-discovery/discovery.component.js @@ -48,8 +48,11 @@ }; self.storeIdpChoice = function(){ + var today = new Date(); + var exp = today; + exp.setMonth(today.getMonth() + 12); if ($scope.rememberChoice === 'y'){ - $cookies.putObject(COOKIE_KEY, $scope.idpSelected); + $cookies.putObject(COOKIE_KEY, $scope.idpSelected, { expires: exp }); } }; From 863d5da85e9cd266cc37a8bce5ac814effd4fad3 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Fri, 10 Sep 2021 19:14:47 +0200 Subject: [PATCH 3/7] Allow config option in test client app to avoid disclosing tokens --- .../java/it/infn/mw/tc/IamClientConfig.java | 10 +++ .../infn/mw/tc/IamTestClientApplication.java | 45 ++++++++-- .../it/infn/mw/tc/OpenIDAuthentication.java | 82 +++++++++++++------ .../src/main/resources/application.yml | 3 + .../src/main/resources/templates/index.html | 73 +++++++++++------ 5 files changed, 153 insertions(+), 60 deletions(-) diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java index 542771cd0..8737f976b 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamClientConfig.java 
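Review bot: `var exp = today;` on the first added line of the hunk does not copy the date, it aliases the same Date object, so `exp.setMonth(today.getMonth() + 12)` also mutates `today`; it only works because `today` is not read afterwards, and a reader will take it for a copy. Drop the alias: `var exp = new Date(); exp.setMonth(exp.getMonth() + 12);`. Since the cookie now lives for a year, consider also passing `secure: true` in the same options object so the remembered IdP choice is only sent over TLS (the value is presumably just an IdP identifier, so the exposure is low, but the option is free). `storeIdpChoice` is fully contained in the hunk.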
@@ -31,6 +31,8 @@ public void setUseGridTrustAnchors(boolean useGridTrustAnchors) { String extAuthnHint; TlsConfig tls; + boolean hideTokens = true; + public IamClientConfig() { setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); } @@ -54,4 +56,12 @@ public void setExtAuthnHint(String extAuthnHint) { public void setOrganizationName(String organizationName) { this.organizationName = organizationName; } + + public boolean isHideTokens() { + return hideTokens; + } + + public void setHideTokens(boolean hideTokens) { + this.hideTokens = hideTokens; + } } diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java index 4df12526b..632fe20bf 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java @@ -2,6 +2,7 @@ import java.io.IOException; import java.security.Principal; +import java.text.ParseException; import java.util.Collections; import java.util.HashMap; import java.util.Map; @@ -53,6 +54,7 @@ import org.springframework.web.util.WebUtils; import com.google.common.base.Strings; +import com.nimbusds.jwt.JWTParser; @SpringBootApplication @EnableAutoConfiguration(exclude = {ErrorMvcAutoConfiguration.class}) @@ -69,7 +71,7 @@ public class IamTestClientApplication extends WebSecurityConfigurerAdapter { @Autowired ClientHttpRequestFactory requestFactory; - + @Value("${iam.extAuthnHint}") String extAuthnHint; 
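Review bot: The new `hideTokens = true` initializer in the first IamClientConfig hunk is contradicted by the `application.yml` hunk of this same commit, which binds the property to `${IAM_CLIENT_HIDE_TOKENS:false}`, so the effective default is to disclose tokens despite the commit subject; a later patch in the series flips the yml default, but the two defaults should agree within one commit. The field is also undocumented; suggest `/** When true, raw access, id and refresh tokens are never sent to the browser; only their claims are exposed. */` above it, and the same applies to the getter/setter pair added in the second hunk. The remaining IamTestClientApplication hunks on this line are import and whitespace changes only.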
@@ -89,15 +91,15 @@ public void commence(HttpServletRequest request, HttpServletResponse response, } } - - public class ExtAuthnRequestOptionsService implements AuthRequestOptionsService{ + + public class ExtAuthnRequestOptionsService implements AuthRequestOptionsService { final String authnHint; - + public ExtAuthnRequestOptionsService(String hint) { this.authnHint = hint; } - + @Override public Map getOptions(ServerConfiguration server, RegisteredClient client, HttpServletRequest request) { @@ -111,16 +113,16 @@ public Map getTokenOptions(ServerConfiguration server, Registere HttpServletRequest request) { return Collections.emptyMap(); } - + } @Override protected void configure(HttpSecurity http) throws Exception { - + if (!Strings.isNullOrEmpty(extAuthnHint)) { oidcFilter.setAuthRequestOptionsService(new ExtAuthnRequestOptionsService(extAuthnHint)); } - + // @formatter:off http.antMatcher("/**").authorizeRequests() .antMatchers("/", "/user", "/error", "/openid_connect_login**", "/webjars/**").permitAll() 
@@ -172,7 +174,32 @@ public OpenIDAuthentication info(Principal principal) { if (principal instanceof OIDCAuthenticationToken) { OIDCAuthenticationToken token = (OIDCAuthenticationToken) principal; - OpenIDAuthentication auth = new OpenIDAuthentication(token); + OpenIDAuthentication auth = new OpenIDAuthentication(); + + auth.setIssuer(token.getIssuer()); + auth.setSub(token.getSub()); + + if (!clientConfig.isHideTokens()) { + auth.setAccessToken(token.getAccessTokenValue()); + auth.setIdToken(token.getIdToken().getParsedString()); + auth.setRefreshToken(token.getRefreshTokenValue()); + } + + try { + auth.setAccessTokenClaims(JWTParser.parse(token.getAccessTokenValue()) + .getJWTClaimsSet() + .toJSONObject() + .toString()); + + auth.setIdTokenClaims(token.getIdToken().getJWTClaimsSet().toJSONObject().toString()); + } catch (ParseException e) { + LOG.error(e.getMessage(), e); + } + + auth.setName(token.getUserInfo().getName()); + auth.setFamilyName(token.getUserInfo().getFamilyName()); + auth.setUserInfo(token.getUserInfo().toJson().toString()); + return auth; } diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/OpenIDAuthentication.java b/iam-test-client/src/main/java/it/infn/mw/tc/OpenIDAuthentication.java index ca2b0628b..b6dad36ca 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/OpenIDAuthentication.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/OpenIDAuthentication.java 
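Review bot: In the new try block a `ParseException` from `JWTParser.parse(token.getAccessTokenValue())`, which is the expected outcome for an opaque, non-JWT access token, also skips `auth.setIdTokenClaims(...)` even though that value comes from the already-validated id token and would not have failed; set the id token claims before the access token parse, or give each its own try, and consider WARN rather than ERROR for that case. `JWTParser.parse` only decodes, it does not check the access token's signature, so a comment such as `// access token claims are displayed unverified: parsed only, no signature check` would make the trust level of what is shown explicit. `token.getUserInfo()` is dereferenced three times without a null check; if the userinfo lookup can ever be absent this needs a guard. The enclosing `info` method begins before the hunk.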
@@ -1,35 +1,21 @@ package it.infn.mw.tc; -import org.mitre.openid.connect.model.OIDCAuthenticationToken; - public class OpenIDAuthentication { - String issuer; - String sub; - - String name; - String familyName; - - String accessToken; - String refreshToken; - String idToken; - - String userInfo; + private String issuer; + private String sub; - public OpenIDAuthentication(OIDCAuthenticationToken token) { - issuer = token.getIssuer(); - sub = token.getSub(); + private String name; + private String familyName; - accessToken = token.getAccessTokenValue(); - refreshToken = token.getRefreshTokenValue(); - idToken = token.getIdToken().getParsedString(); + private String accessToken; + private String refreshToken; + private String idToken; + private String idTokenClaims; - name = token.getUserInfo().getName(); - familyName = token.getUserInfo().getFamilyName(); - userInfo = token.getUserInfo().toJson().toString(); - - } + private String userInfo; + private String accessTokenClaims; public String getIssuer() { 
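Review bot: With the constructor removed the class is a plain mutable DTO and nothing tells a reader which fields are always filled and which depend on configuration: `accessTokenClaims` and `idTokenClaims` are always set by the caller, while `accessToken`, `refreshToken` and `idToken` stay null when hide-tokens is enabled (that split is made in `IamTestClientApplication.info`). A class-level comment would capture it: `/** View of the OIDC authentication returned to the browser; raw token fields are populated only when hide-tokens is disabled, claim fields always. */`.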
@@ -71,4 +57,52 @@ public String getFamilyName() { return familyName; } + public String getAccessTokenClaims() { + return accessTokenClaims; + } + + public void setIssuer(String issuer) { + this.issuer = issuer; + } + + public void setSub(String sub) { + this.sub = sub; + } + + public void setName(String name) { + this.name = name; + } + + public void setFamilyName(String familyName) { + this.familyName = familyName; + } + + public void setAccessToken(String accessToken) { + this.accessToken = accessToken; + } + + public void setRefreshToken(String refreshToken) { + this.refreshToken = refreshToken; + } + + public void setIdToken(String idToken) { + this.idToken = idToken; + } + + public void setUserInfo(String userInfo) { + this.userInfo = userInfo; + } + + public void setAccessTokenClaims(String accessTokenClaims) { + this.accessTokenClaims = accessTokenClaims; + } + + public String getIdTokenClaims() { + return idTokenClaims; + } + + public void setIdTokenClaims(String idTokenClaims) { + this.idTokenClaims = idTokenClaims; + } + } diff --git a/iam-test-client/src/main/resources/application.yml b/iam-test-client/src/main/resources/application.yml index 415367607..f3dd35714 100644 --- a/iam-test-client/src/main/resources/application.yml +++ b/iam-test-client/src/main/resources/application.yml @@ -9,10 +9,13 @@ server: use-forward-headers: ${IAM_CLIENT_USE_FORWARD_HEADERS:false} iam: + issuer: ${IAM_CLIENT_ISSUER:http://localhost:8080/} organizationName: ${IAM_CLIENT_ORGANIZATION_NAME:indigo-dc} extAuthnHint: ${IAM_CLIENT_EXT_AUTHN_HINT:} + hide-tokens: ${IAM_CLIENT_HIDE_TOKENS:false} + tls: version: ${IAM_CLIENT_TLS_VERSION:TLSv1.2} ignore-namespace-checks: ${IAM_CLIENT_TLS_IGNORE_NAMESPACE_CHECKS:false} diff --git a/iam-test-client/src/main/resources/templates/index.html b/iam-test-client/src/main/resources/templates/index.html index f79675b2f..23f4b7aeb 100644 --- a/iam-test-client/src/main/resources/templates/index.html 
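Review bot: `hide-tokens: ${IAM_CLIENT_HIDE_TOKENS:false}` makes the effective default "show tokens", overriding the `hideTokens = true` initializer added to IamClientConfig in this same commit; a later patch in this series changes it to `true`, but the commit as it stands does not deliver what its subject says. The new `issuer: ${IAM_CLIENT_ISSUER:http://localhost:8080/}` key has no consumer visible in this patch; if it is read elsewhere, a one-line comment naming where would help, otherwise it should be dropped.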
+++ b/iam-test-client/src/main/resources/templates/index.html @@ -53,30 +53,44 @@

INDIGO IAM Test Client Application

The authorization request included the following scopes:


     

+

+ This IAM test client application has been configured + to not disclose access, id and refresh tokens. + + Below you will only see the claims contained in the tokens returned to the test client application. + + To get direct access to + tokens, consider registering a client application. +

This application has received the following information:

    -
  • access_token (JWT): +
  • access_token (JWT):
    {{home.access_token_jwt}}
  • -
  • access_token (decoded): -
    {{home.access_token | prettyJSON }}
    +
  • access_token (claims): +
    {{home.access_token_claims | prettyJSON }}
  • +
  • OAuth2 token introspection endpoint response (invoked on access_token, authorized by client credentials):
    {{home.introspect_result | prettyJSON}}
  • -
  • id_token (JWT): + +
  • id_token (JWT):
    {{home.id_token_jwt}}
  • -
  • id_token (decoded): -
    {{home.id_token | prettyJSON }}
    + +
  • id_token (claims): +
    {{home.id_token_claims | prettyJSON }}
  • +
  • OpenID-Connect user info endpoint response (authorized via access_token):
    {{home.user_info | prettyJSON }}
  • -
  • refresh_token: -
    {{home.refresh_token}}
    + +
  • refresh_token: +
    {{home.refresh_token_jwt}}
@@ -103,46 +117,51 @@

INDIGO IAM Test Client Application

}) .controller("home", function ($http, $location, jwtHelper) { var self = this; - $http.get("/iam-test-client/user").success(function (data) { + $http.get("/iam-test-client/user").then(function (response) { - if (!$.trim(data)) { + if (!$.trim(response.data)) { self.authenticated = false; return; } self.authenticated = true; - self.user = data.name; - self.sub = data.sub; - self.issuer = data.issuer; - self.access_token_jwt = data.accessToken; - self.access_token = jwtHelper.decodeToken(data.accessToken); - self.id_token_jwt = data.idToken; - self.id_token = jwtHelper.decodeToken(data.idToken); - self.user_info = $.parseJSON(data.userInfo); - - if (data.refreshToken) { + self.user = response.data.name; + self.sub = response.data.sub; + self.issuer = response.data.issuer; + + self.access_token_claims = $.parseJSON(response.data.accessTokenClaims); + + self.access_token_jwt = response.data.accessToken; + + self.id_token_claims = $.parseJSON(response.data.idTokenClaims); + + self.id_token_jwt = response.data.idToken; + + self.user_info = $.parseJSON(response.data.userInfo); + + if (response.data.refreshToken) { self.has_refresh_token = true; - self.refresh_token = data.refreshToken; + self.refresh_token_jwt = response.data.refreshToken; } - $http.get("/iam-test-client/introspect").success(function (idata) { + $http.get("/iam-test-client/introspect").then(function (response) { - self.introspect_result = idata; + self.introspect_result = response.data; self.has_introspect_result = true; - }).error(function () { + }).catch(function () { self.has_introspect_result = false; }); - }).error(function () { + }).catch(function () { self.user = "N/A"; self.authenticated = false; }); self.logout = function () { - $http.post('logout', {}).success(function () { + $http.post('logout', {}).then(function () { self.authenticated = false; $location.path("/"); - }).error(function (data) { + }).catch(function (data) { console.log("Logout failed") self.authenticated = false; }); 
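Review bot: `self.access_token_claims = $.parseJSON(response.data.accessTokenClaims);` runs unconditionally, but the server leaves `accessTokenClaims` unset when the access token is not a parseable JWT (the `ParseException` path in `IamTestClientApplication.info`), so depending on the jQuery version this either yields null or throws inside the success handler; guard it the way the refresh token already is: `self.access_token_claims = response.data.accessTokenClaims ? $.parseJSON(response.data.accessTokenClaims) : null;`, and the same for `idTokenClaims`. The move from `.success`/`.error` to `.then`/`.catch` is the right fix, since the shortcut methods no longer exist in recent AngularJS versions. Minor: `console.log("Logout failed")` is missing its semicolon and the `data` parameter of the logout catch is unused.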
From 62886b599e3980ead40bb875fbeb9a491a3a18eb Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Sat, 11 Sep 2021 08:59:48 +0200 Subject: [PATCH 4/7] Dynamic downscoping in test client app The test client app has been modified to allow downscoping the authorization request to only include a subset of the configured scopes. --- .../mw/tc/IamAuthRequestOptionsService.java | 62 +++++++++++++++++++ .../infn/mw/tc/IamAuthRequestUrlBuilder.java | 62 +++++++++++++++++++ .../main/java/it/infn/mw/tc/IamClient.java | 9 ++- .../infn/mw/tc/IamTestClientApplication.java | 39 ------------ .../java/it/infn/mw/tc/LocalController.java | 7 +++ .../src/main/resources/application.yml | 4 +- .../src/main/resources/templates/index.html | 45 +++++++++----- 7 files changed, 165 insertions(+), 63 deletions(-) create mode 100644 iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java create mode 100644 iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java new file mode 100644 index 000000000..2d3a50c64 --- /dev/null +++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestOptionsService.java 
@@ -0,0 +1,62 @@
+package it.infn.mw.tc;
+
+import static com.google.common.base.Strings.isNullOrEmpty;
+import static java.util.stream.Collectors.joining;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.mitre.oauth2.model.RegisteredClient;
+import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
+import org.mitre.openid.connect.config.ServerConfiguration;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+
+public class IamAuthRequestOptionsService implements AuthRequestOptionsService {
+
+ IamClientConfig properties;
+
+
+ public IamAuthRequestOptionsService(IamClientConfig properties) {
+ this.properties = properties;
+ }
+
+ private String sanitizeScope(String scope, RegisteredClient client) {
+ List requestedScopes = Splitter.on(" ").splitToList(scope);
+ return requestedScopes.stream().filter(client.getScope()::contains).collect(joining(" "));
+ }
+
+ @Override
+ public Map getOptions(ServerConfiguration server, RegisteredClient client,
+ HttpServletRequest request) {
+ Map options = new HashMap<>();
+
+ if (!isNullOrEmpty(properties.getExtAuthnHint())) {
+ options.put("ext_authn_hint", properties.getExtAuthnHint());
+ }
+
+ if (request.getParameter("scope") != null) {
+ String sanitizedScope = sanitizeScope(request.getParameter("scope"), client);
+
+ if (!Strings.isNullOrEmpty(sanitizedScope)) {
+ options.put("scope", sanitizedScope);
+ }
+
+ }
+
+ return options;
+ }
+
+ @Override
+ public Map getTokenOptions(ServerConfiguration server, RegisteredClient client,
+ HttpServletRequest request) {
+
+ return Collections.emptyMap();
+ }
+
+}
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java
new file mode 100644
index 000000000..0bdf4e790
--- /dev/null
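Review bot: `sanitizeScope` splits on a single space without trimming or dropping empty tokens and does not deduplicate, so input such as `"openid  profile"` or a leading space yields empty elements and repeated scopes pass through (empty ones survive only because `client.getScope()` does not contain `""`); prefer `Splitter.on(' ').trimResults().omitEmptyStrings().splitToList(scope)` and a `.distinct()` before `joining`. The allow-list against `client.getScope()` is the important check and is sound: a request parameter can only narrow the registered scopes, never widen them, which is worth stating in a Javadoc on `getOptions`, e.g. `/** Honours an optional scope request parameter to downscope the authorization request; scopes not registered for the client are silently dropped. */`. Style: the class mixes the static import `isNullOrEmpty` with `Strings.isNullOrEmpty`, and `properties` should be `private final`.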
+++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamAuthRequestUrlBuilder.java
@@ -0,0 +1,62 @@
+package it.infn.mw.tc;
+
+import java.net.URISyntaxException;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.http.client.utils.URIBuilder;
+import org.mitre.oauth2.model.RegisteredClient;
+import org.mitre.openid.connect.client.service.AuthRequestUrlBuilder;
+import org.mitre.openid.connect.config.ServerConfiguration;
+import org.springframework.security.authentication.AuthenticationServiceException;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+
+public class IamAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
+
+
+ @Override
+ public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig,
+ String redirectUri, String nonce, String state, Map options,
+ String loginHint) {
+
+ try {
+
+ URIBuilder uriBuilder = new URIBuilder(serverConfig.getAuthorizationEndpointUri());
+ uriBuilder.addParameter("response_type", "code");
+ uriBuilder.addParameter("client_id", clientConfig.getClientId());
+
+ if (options.get("scope") != null) {
+ uriBuilder.addParameter("scope", options.get("scope"));
+ } else {
+ uriBuilder.addParameter("scope", Joiner.on(" ").join(clientConfig.getScope()));
+ }
+
+
+ uriBuilder.addParameter("redirect_uri", redirectUri);
+
+ uriBuilder.addParameter("nonce", nonce);
+
+ uriBuilder.addParameter("state", state);
+
+ // Optional parameters:
+ for (Entry option : options.entrySet()) {
+ uriBuilder.addParameter(option.getKey(), option.getValue());
+ }
+
+ // if there's a login hint, send it
+ if (!Strings.isNullOrEmpty(loginHint)) {
+ uriBuilder.addParameter("login_hint", loginHint);
+ }
+
+ return uriBuilder.build().toString();
+
+ } catch (URISyntaxException e) {
+ throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e);
+
+ }
+
+ }
+
+}
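Review bot: `scope` is written to the URL twice when it is present in `options`: once by the explicit `if (options.get("scope") != null)` branch and again by the "Optional parameters" loop, which copies every entry of `options`, so the authorization request carries a duplicate `scope` parameter, which RFC 6749 §3.1 forbids and some servers reject. Skip it in the loop, `if (!"scope".equals(option.getKey())) { uriBuilder.addParameter(option.getKey(), option.getValue()); }`, or drop the explicit branch and add the default scope only when the option is absent. The rest of the method appears to mirror the library's plain builder; a class Javadoc stating that this implementation exists only to honour a `scope` option would document the intent.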
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java index f0283c84f..adf737dc1 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamClient.java @@ -25,9 +25,8 @@ import org.mitre.oauth2.model.RegisteredClient; import org.mitre.openid.connect.client.OIDCAuthenticationFilter; import org.mitre.openid.connect.client.OIDCAuthenticationProvider; +import org.mitre.openid.connect.client.service.AuthRequestOptionsService; import org.mitre.openid.connect.client.service.IssuerService; -import org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder; -import org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService; import org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService; import org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService; import org.springframework.beans.factory.annotation.Autowired; @@ -72,7 +71,7 @@ public OIDCAuthenticationFilter openIdConnectAuthenticationFilter() filter.setClientConfigurationService(staticClientConfiguration()); filter.setAuthRequestOptionsService(authOptions()); - filter.setAuthRequestUrlBuilder(new PlainAuthRequestUrlBuilder()); + filter.setAuthRequestUrlBuilder(new IamAuthRequestUrlBuilder()); filter.setHttpRequestFactory(httpRequestFactory()); @@ -120,9 +119,9 @@ private StaticClientConfigurationService staticClientConfiguration() { return config; } - private StaticAuthRequestOptionsService authOptions() { + private AuthRequestOptionsService authOptions() { - return new StaticAuthRequestOptionsService(); + return new IamAuthRequestOptionsService(iamClientConfig); } public X509CertChainValidatorExt certificateValidator() { 
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java index 632fe20bf..592f5a8d5 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientApplication.java @@ -3,9 +3,6 @@ import java.io.IOException; import java.security.Principal; import java.text.ParseException; -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; import javax.servlet.Filter; import javax.servlet.FilterChain; @@ -14,15 +11,11 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.mitre.oauth2.model.RegisteredClient; import org.mitre.openid.connect.client.OIDCAuthenticationFilter; -import org.mitre.openid.connect.client.service.AuthRequestOptionsService; -import org.mitre.openid.connect.config.ServerConfiguration; import org.mitre.openid.connect.model.OIDCAuthenticationToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.SpringBootApplication; @@ -53,7 +46,6 @@ import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.util.WebUtils; -import com.google.common.base.Strings; import com.nimbusds.jwt.JWTParser; @SpringBootApplication @@ -72,9 +64,6 @@ public class IamTestClientApplication extends WebSecurityConfigurerAdapter { @Autowired ClientHttpRequestFactory requestFactory; - @Value("${iam.extAuthnHint}") - String extAuthnHint; - public static void main(String[] args) { SpringApplication.run(IamTestClientApplication.class, args); 
@@ -92,37 +81,9 @@ public void commence(HttpServletRequest request, HttpServletResponse response, } - public class ExtAuthnRequestOptionsService implements AuthRequestOptionsService { - - final String authnHint; - - public ExtAuthnRequestOptionsService(String hint) { - this.authnHint = hint; - } - - @Override - public Map getOptions(ServerConfiguration server, RegisteredClient client, - HttpServletRequest request) { - Map m = new HashMap<>(); - m.put("ext_authn_hint", authnHint); - return m; - } - - @Override - public Map getTokenOptions(ServerConfiguration server, RegisteredClient client, - HttpServletRequest request) { - return Collections.emptyMap(); - } - - } @Override protected void configure(HttpSecurity http) throws Exception { - - if (!Strings.isNullOrEmpty(extAuthnHint)) { - oidcFilter.setAuthRequestOptionsService(new ExtAuthnRequestOptionsService(extAuthnHint)); - } - // @formatter:off http.antMatcher("/**").authorizeRequests() .antMatchers("/", "/user", "/error", "/openid_connect_login**", "/webjars/**").permitAll() diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java b/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java index 1369ef213..7a8cc556f 100644 --- a/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java +++ b/iam-test-client/src/main/java/it/infn/mw/tc/LocalController.java @@ -1,7 +1,9 @@ package it.infn.mw.tc; import java.util.stream.Collectors; + import javax.servlet.http.HttpServletRequest; + import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.web.ErrorController; import org.springframework.http.client.ClientHttpRequestFactory; @@ -35,6 +37,11 @@ public String organizationName() { return clientConfig.getOrganizationName(); } + @ModelAttribute("hidesTokens") + public Boolean hidesTokens() { + return clientConfig.isHideTokens(); + } + @RequestMapping("/") public String index(Model model) { return "index"; 
diff --git a/iam-test-client/src/main/resources/application.yml b/iam-test-client/src/main/resources/application.yml index f3dd35714..4446e9d31 100644 --- a/iam-test-client/src/main/resources/application.yml +++ b/iam-test-client/src/main/resources/application.yml @@ -14,12 +14,12 @@ iam: organizationName: ${IAM_CLIENT_ORGANIZATION_NAME:indigo-dc} extAuthnHint: ${IAM_CLIENT_EXT_AUTHN_HINT:} - hide-tokens: ${IAM_CLIENT_HIDE_TOKENS:false} + hide-tokens: ${IAM_CLIENT_HIDE_TOKENS:true} tls: version: ${IAM_CLIENT_TLS_VERSION:TLSv1.2} ignore-namespace-checks: ${IAM_CLIENT_TLS_IGNORE_NAMESPACE_CHECKS:false} - use-grid-trust-anchors: ${IAM_CLIENT_TLS_USE_GRID_TRUST_ANCHORS:true} + use-grid-trust-anchors: ${IAM_CLIENT_TLS_USE_GRID_TRUST_ANCHORS:false} client: clientId: ${IAM_CLIENT_ID:client} diff --git a/iam-test-client/src/main/resources/templates/index.html b/iam-test-client/src/main/resources/templates/index.html index 23f4b7aeb..5fb482703 100644 --- a/iam-test-client/src/main/resources/templates/index.html +++ b/iam-test-client/src/main/resources/templates/index.html @@ -39,29 +39,35 @@
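Review bot: `use-grid-trust-anchors` flips its default from `true` to `false` in a commit whose subject and description are about dynamic downscoping; that is a TLS trust-store behaviour change for any deployment relying on the default, and neither the commit message nor the changelog hunks later in this series mention it. Either move it to its own commit or call it out in the description and changelog. The `hide-tokens` default change to `true` is consistent with the Java initializer and with the 1.7.1 changelog entry.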

INDIGO IAM Test Client Application

This is an example OpenID Connect client application for IAM hosted at:


     

-

- The authorization request will include the following scopes: -


-    

-
- Login -
- - -
-

You're now logged in as: {{home.user}}

-

The authorization request included the following scopes: -


-    

-

+

This IAM test client application has been configured to not disclose access, id and refresh tokens. - Below you will only see the claims contained in the tokens returned to the test client application. + After a successful login you will only see the claims contained in the tokens returned to the test client application. To get direct access to tokens, consider registering a client application.

+
+ +
+ + +

+ Select, among the above scopes, which ones will be included in the authorization request. Note + that an empty scope value will be replaced by the full list of allowed scopes. +

+
+ +
+ +
+
+
+ +
+

You're now logged in as: {{home.user}}

+

This application has received the following information:

  • access_token (JWT): @@ -126,7 +132,12 @@

    INDIGO IAM Test Client Application

    self.authenticated = true; - self.user = response.data.name; + if (response.data.name) { + self.user = response.data.name; + } else { + self.user = response.data.sub; + } + self.sub = response.data.sub; self.issuer = response.data.issuer; From f3e0c271bc34c784139e79cd8bf6d4612f264303 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Sat, 11 Sep 2021 09:14:52 +0200 Subject: [PATCH 5/7] Bumped version to v1.7.1 --- iam-common/pom.xml | 2 +- iam-login-service/pom.xml | 2 +- iam-persistence/pom.xml | 2 +- iam-test-client/pom.xml | 2 +- iam-test-protected-resource/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/iam-common/pom.xml b/iam-common/pom.xml index a5a954b45..2267dafed 100644 --- a/iam-common/pom.xml +++ b/iam-common/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 iam-common diff --git a/iam-login-service/pom.xml b/iam-login-service/pom.xml index f2841fc2f..1e7ec0a69 100644 --- a/iam-login-service/pom.xml +++ b/iam-login-service/pom.xml @@ -23,7 +23,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 iam-login-service diff --git a/iam-persistence/pom.xml b/iam-persistence/pom.xml index 439e1203e..531bdb68c 100644 --- a/iam-persistence/pom.xml +++ b/iam-persistence/pom.xml @@ -23,7 +23,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 iam-persistence jar diff --git a/iam-test-client/pom.xml b/iam-test-client/pom.xml index dd80f512e..034aec75f 100644 --- a/iam-test-client/pom.xml +++ b/iam-test-client/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 iam-test-client diff --git a/iam-test-protected-resource/pom.xml b/iam-test-protected-resource/pom.xml index 8ab09f877..2111d81dd 100644 --- a/iam-test-protected-resource/pom.xml +++ b/iam-test-protected-resource/pom.xml @@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 iam-test-protected-resource diff --git a/pom.xml b/pom.xml index 7bc64781c..688d9ff91 100644 --- a/pom.xml +++ b/pom.xml 
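Review bot: The added `if (response.data.name) { ... } else { ... }` is a plain fallback and reads more directly as one line: `self.user = response.data.name || response.data.sub;`. The enclosing success callback begins before the hunk, and the remaining hunks on this line are version bumps.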
@@ -7,7 +7,7 @@ it.infn.mw iam-parent - 1.8.0-SNAPSHOT + 1.7.1 pom INDIGO Identity and Access Manager (IAM) From a0758e6fc1a787d8f7f9eaf0778703ac2b967816 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Sat, 11 Sep 2021 12:43:35 +0200 Subject: [PATCH 6/7] v1.7.1 changelog --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40c437210..0c48ba42d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,20 @@ # Changelog +## 1.7.1 (2021-09-13) + +This release provides only changes and bug fixes to the IAM test client +application. + +### Added + +- It's now possible to configure the test client application so that tokens + are not exposed to those accessing the test client app page, but only the + claims contained in tokens are presented (#414) + +### Fixed + +- A problem that prevented the correct behaviour of the IAM test client has + been fixed (#415) ## 1.7.0 (2021-09-02) From f6bb42b4bccace3613dbf0b3b3971d9090f2c5ef Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Sat, 11 Sep 2021 15:44:34 +0200 Subject: [PATCH 7/7] More CHANGELOG tweaks --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c48ba42d..ea86043e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,14 +2,14 @@ ## 1.7.1 (2021-09-13) -This release provides only changes and bug fixes to the IAM test client -application. +This release provides changes and bug fixes to the IAM test client application. ### Added -- It's now possible to configure the test client application so that tokens - are not exposed to those accessing the test client app page, but only the - claims contained in tokens are presented (#414) +- The IAM test client application, in its default configuration, no longer + exposes tokens, but only the claims contained in tokens. It's possible to + revert to the previous behavior by setting the `IAM_CLIENT_HIDE_TOKENS=false` + environment variable (#414) ### Fixed