[ES-2740] [ES-2741] [ES-2742] Validations of Open-Id profile configurations

client-management-service-impl/src/main/java/io/mosip/esignet/services/ClientManagementServiceImpl.java

@@ -37,7 +37,7 @@
 import java.time.ZoneId;
 import java.util.*;
 
-import static io.mosip.esignet.core.constants.Constants.CLIENT_ACTIVE_STATUS;
+import static io.mosip.esignet.core.constants.Constants.*;
 
 @Slf4j
 @Service
@@ -321,5 +321,4 @@ public ClientDetail buildClient(String clientId, ClientDetailUpdateRequestV3 cli
         clientDetail.setAdditionalConfig(clientDetailUpdateRequestV3.getAdditionalConfig());
         return clientDetail;
     }
-
 }

client-management-service-impl/src/test/java/io/mosip/esignet/ClientManagementServiceTest.java

@@ -6,6 +6,7 @@
 package io.mosip.esignet;
 
 
+import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.KeyUse;
@@ -23,11 +24,9 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.Spy;
+import org.mockito.*;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.test.util.ReflectionTestUtils;
 
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -356,5 +355,4 @@ public static JWK generateJWK_RSA() {
         }
         return null;
     }
-
 }

db_scripts/mosip_esignet/ddl.sql

@@ -8,3 +8,4 @@
 \ir ddl/esignet-consent.sql
 \ir ddl/esignet-consent_history.sql
 \ir ddl/esignet-ca_cert_store.sql
+\ir ddl/esignet-openid_profile.sql

db_scripts/mosip_esignet/ddl/esignet-openid_profile.sql

@@ -0,0 +1,27 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+-- Database Name: mosip_esignet
+-- Table Name : openid_profile
+-- Purpose    : Openid profile: static table to store the profile and feature(as part of profile) mapping
+--
+-- Create By   	: Md Humair K
+-- Created Date	: Nov-2025
+--
+-- Modified Date        Modified By         Comments / Remarks
+-- ------------------------------------------------------------------------------------------
+-- ------------------------------------------------------------------------------------------
+
+-- Table: openid_profile
+CREATE TABLE IF NOT EXISTS openid_profile (
+    profile_name VARCHAR(100) NOT NULL,
+    feature VARCHAR(100) NOT NULL,
+    additional_config_key VARCHAR(200) NOT NULL,
+    CONSTRAINT pk_openid_profile PRIMARY KEY (profile_name, feature)
+);
+
+-- COMMENT ON TABLE openid_profile IS 'Static table for global configuration: profile name and feature mapping.';
+-- COMMENT ON COLUMN openid_profile.profile_name IS 'Profile name for configuration.';
+-- COMMENT ON COLUMN openid_profile.feature IS 'Feature enabled for the profile.';
+-- COMMENT ON COLUMN openid_profile.additional_config_key IS 'Additional config key name for the feature.';

db_scripts/mosip_esignet/dml.sql

@@ -2,5 +2,8 @@
 
 ----- TRUNCATE esignet.client_detail TABLE Data and It's reference Data and insert data from sql file -----
 TRUNCATE TABLE esignet.client_detail cascade ;
+TRUNCATE TABLE esignet.openid_profile CASCADE;
 
-\ir dml/esignet-key_policy_def.sql
+\ir dml/esignet-key_policy_def.sql
+
+\ir dml/esignet-openid_profile.sql

db_scripts/mosip_esignet/dml/esignet-openid_profile.sql

@@ -0,0 +1,4 @@
+INSERT INTO openid_profile (profile_name, feature, additional_config_key) VALUES
+('fapi2.0', 'PAR', 'require_pushed_authorization_requests'),
+('fapi2.0', 'DPOP', 'dpop_bound_access_tokens'),
+('fapi2.0', 'JWE', 'userinfo_response_type');

db_upgrade_script/mosip_esignet/sql/1.7.1_to_1.8.0_rollback.sql

@@ -66,3 +66,5 @@ ALTER TABLE public_key_registry ALTER COLUMN thumbprint TYPE varchar;
 
 END;
 $$;
+
+DROP TABLE IF EXISTS openid_profile;

db_upgrade_script/mosip_esignet/sql/1.7.1_to_1.8.0_upgrade.sql

@@ -139,5 +139,16 @@ ALTER TABLE public_key_registry ALTER COLUMN public_key TYPE varchar(2500);
 ALTER TABLE public_key_registry ALTER COLUMN certificate TYPE varchar(4000);
 ALTER TABLE public_key_registry ALTER COLUMN thumbprint TYPE varchar(128);
 
+CREATE TABLE IF NOT EXISTS openid_profile (
+    profile_name VARCHAR(100) NOT NULL,
+    feature VARCHAR(100) NOT NULL,
+    additional_config_key VARCHAR(200) NOT NULL,
+    CONSTRAINT pk_openid_profile PRIMARY KEY (profile_name, feature)
+);
+
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'PAR', 'require_pushed_authorization_requests');
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'DPOP', 'dpop_bound_access_tokens');
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'JWE', 'userinfo_response_type');
+
 END;
-$$;
+$$;

docker-compose/init.sql

@@ -165,13 +165,23 @@ CREATE TABLE esignet.ca_cert_store(
 	CONSTRAINT cert_thumbprint_unique UNIQUE (cert_thumbprint,partner_domain)
 );
 
+CREATE TABLE IF NOT EXISTS esignet.openid_profile (
+    profile_name VARCHAR(100) NOT NULL,
+    feature VARCHAR(100) NOT NULL,
+    additional_config_key VARCHAR(200) NOT NULL,
+    CONSTRAINT pk_openid_profile PRIMARY KEY (profile_name, feature)
+);
 
 INSERT INTO esignet.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('ROOT', 2920, 1125, 'NA', true, 'mosipadmin', now());
 INSERT INTO esignet.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('OIDC_SERVICE', 1095, 50, 'NA', true, 'mosipadmin', now());
 INSERT INTO esignet.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('OIDC_PARTNER', 1095, 50, 'NA', true, 'mosipadmin', now());
 INSERT INTO esignet.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('BINDING_SERVICE', 1095, 50, 'NA', true, 'mosipadmin', now());
 INSERT INTO esignet.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('MOCK_BINDING_SERVICE', 1095, 50, 'NA', true, 'mosipadmin', now());
 
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'PAR', 'require_pushed_authorization_requests');
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'DPOP', 'dpop_bound_access_tokens');
+INSERT INTO esignet.openid_profile(profile_name, feature, additional_config_key) VALUES ('fapi2.0', 'JWE', 'userinfo_response_type');
+
 
 \c mosip_mockidentitysystem postgres
 

esignet-core/src/main/java/io/mosip/esignet/core/constants/Constants.java

@@ -62,4 +62,8 @@ public class Constants {
 
     public static final String PAR_REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
     public static final String JTI_CACHE = "jti";
+
+    public static final String REQUIRE_PAR= "require_pushed_authorization_requests";
+
+    public static final String NONE= "none";
 }

esignet-core/src/main/java/io/mosip/esignet/core/dto/OIDCTransaction.java

@@ -79,7 +79,10 @@ public class OIDCTransaction implements Serializable {
     String[] prompt;
     int consentExpireMinutes;
 
+    boolean requirePushedAuthorizationRequests;
     boolean dpopBoundAccessToken;
+    boolean requirePKCE;
+    Map<String, String> additionalConfigMap;
     String dpopJkt;
     String dpopServerNonce;
     Long dpopServerNonceTTL;

esignet-core/src/main/java/io/mosip/esignet/core/spi/ServerProfileService.java

@@ -0,0 +1,19 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.esignet.core.spi;
+
+import io.mosip.esignet.core.exception.EsignetException;
+import java.util.List;
+
+public interface ServerProfileService {
+
+    /**
+     * Get the features associated with the profile
+     * @param profileName name of the profile - fapi2.0. nisdsp, gov, none etc
+     * @return list of features associated with the profile
+     */
+    List<String> getFeaturesByProfileName(String profileName) throws EsignetException;
+}

esignet-core/src/test/resources/additional_config_request_schema.json

@@ -65,6 +65,9 @@
     },
     "dpop_bound_access_tokens": {
       "type": "boolean"
+    },
+    "require_pkce": {
+      "type": "boolean"
     }
   },
   "additionalProperties": false

esignet-service/pom.xml

@@ -75,7 +75,7 @@
 			<artifactId>consent-service-impl</artifactId>
 			<version>${project.version}</version>
 		</dependency>
-	</dependencies>
+    </dependencies>
 	<dependencyManagement>
 		<dependencies>
 			<dependency>

esignet-service/src/main/resources/additional_config_request_schema.json

@@ -65,6 +65,9 @@
     },
     "dpop_bound_access_tokens": {
       "type": "boolean"
+    },
+    "require_pkce": {
+      "type": "boolean"
     }
   },
   "additionalProperties": false

esignet-service/src/main/resources/application-default.properties

@@ -29,9 +29,15 @@ mosip.esignet.dpop.header-filter.paths-to-validate={'${server.servlet.path}/oaut
   '${server.servlet.path}/oauth/v2/token', \
   '${server.servlet.path}/oidc/userinfo' }
 
+# Server profile can be either of fapi2.0, nisdsp, gov, none etc
+mosip.esignet.server.profile=none
+
 ## Time(in seconds) to keep the KBI spec in cache
 mosip.esignet.kbispec.ttl.seconds=18000
 
+## Time(in seconds) to keep the server profile in cache
+mosip.esignet.server.profile.cache.ttl.seconds=18000
+
 ## Auth challenge type & format mapping. Auth challenge length validations for each auth factor type.
 mosip.esignet.auth-challenge.OTP.format=alpha-numeric
 mosip.esignet.auth-challenge.OTP.min-length=6
@@ -185,7 +191,7 @@ mosip.esignet.cache.security.algorithm-name=AES/ECB/PKCS5Padding
 mosip.esignet.cache.key.hash.algorithm=SHA3-256
 
 mosip.esignet.cache.keyprefix=${mosip.esignet.namespace}
-mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,apiratelimit,blocked,halted,nonce,par,jti,kbispec
+mosip.esignet.cache.names=clientdetails,preauth,authenticated,authcodegenerated,userinfo,linkcodegenerated,linked,linkedcode,linkedauth,consented,authtokens,bindingtransaction,apiratelimit,blocked,halted,nonce,par,jti,kbispec,serverprofile
 
 # 'simple' cache type is only applicable only for Non-Production setup
 spring.cache.type=redis
@@ -215,7 +221,8 @@ mosip.esignet.cache.size={'clientdetails' : 200, \
 'nonce' : 500, \
 'par' : 200, \
 'jti' : 200, \
-'kbispec': 1 }
+'kbispec': 1 ,\
+'serverprofile': 5}
 
 # Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type
 # TTL of 'authtokens' cache depends on the auth token expire time acquired from IAM / MOSIP authmanager.
@@ -237,7 +244,8 @@ mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \
 'nonce' : 86400, \
 'par' : ${mosip.esignet.par.expire-seconds},\
 'jti' : 86400 , \
-'kbispec': ${mosip.esignet.kbispec.ttl.seconds}}
+'kbispec': ${mosip.esignet.kbispec.ttl.seconds},\
+'serverprofile': ${mosip.esignet.server.profile.cache.ttl.seconds}}
 
 ## ------------------------------------------ Discovery openid-configuration -------------------------------------------
 

esignet-service/src/main/resources/application-local.properties

@@ -27,14 +27,14 @@ kafka.enabled=true
 spring.kafka.bootstrap-servers=localhost:9093
 
 ## Redis configuration
-spring.cache.type=redis
+spring.cache.type=simple
 spring.data.redis.host=localhost
 spring.data.redis.port=6379
 spring.data.redis.password=
 
 ## Database configuration
 mosip.esignet.database.hostname=localhost
-mosip.esignet.database.port=5455
+mosip.esignet.database.port=5432
 mosip.esignet.database.name=mosip_esignet
 mosip.esignet.database.username=postgres
 mosip.esignet.database.password=postgres

esignet-service/src/test/resources/additional_config_request_schema.json

@@ -65,6 +65,9 @@
     },
     "dpop_bound_access_tokens": {
       "type": "boolean"
+    },
+    "require_pkce": {
+      "type": "boolean"
     }
   },
   "additionalProperties": false

oidc-service-impl/src/main/java/io/mosip/esignet/entity/ServerProfile.java

@@ -0,0 +1,32 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.esignet.entity;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import jakarta.persistence.*;
+
+@Data
+@Entity
+@Table(name = "openid_profile")
+@NoArgsConstructor
+@AllArgsConstructor
+@IdClass(ServerProfileId.class)
+public class ServerProfile {
+    @Id
+    @Column(name = "profile_name", length = 100, nullable = false)
+    private String profileName;
+
+    @Id
+    @Column(name = "feature", length = 100, nullable = false)
+    private String feature;
+
+    @Column(name = "additional_config_key", length = 200, nullable = false)
+    private String additionalConfigKey;
+
+}

oidc-service-impl/src/main/java/io/mosip/esignet/entity/ServerProfileId.java

@@ -0,0 +1,43 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.esignet.entity;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import java.io.Serial;
+import java.io.Serializable;
+import java.util.Objects;
+
+@Setter
+@Getter
+public class ServerProfileId implements Serializable {
+    @Serial
+    private static final long serialVersionUID = 1L;
+    private String profileName;
+    private String feature;
+
+    public ServerProfileId() {}
+
+    public ServerProfileId(String profileName, String feature) {
+        this.profileName = profileName;
+        this.feature = feature;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof ServerProfileId)) return false;
+        ServerProfileId that = (ServerProfileId) o;
+        return Objects.equals(profileName, that.profileName) &&
+                Objects.equals(feature, that.feature);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(profileName, feature);
+    }
+}

oidc-service-impl/src/main/java/io/mosip/esignet/repository/ServerProfileRepository.java

@@ -0,0 +1,18 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+package io.mosip.esignet.repository;
+
+import io.mosip.esignet.entity.ServerProfile;
+import io.mosip.esignet.entity.ServerProfileId;
+import org.springframework.cache.annotation.Cacheable;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.List;
+
+public interface ServerProfileRepository extends JpaRepository<ServerProfile, ServerProfileId> {
+    @Cacheable(value = "serverprofile", key = "#profileName")
+    List<ServerProfile> findByProfileName(String profileName);
+}