Merge develop to master

.github/workflows/codeql-analysis.yml

@@ -19,4 +19,5 @@ jobs:
       # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
       # Use only 'java' to analyze code written in Java, Kotlin or both
       # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+      java_version: 21

.github/workflows/maven-deploy.yml

@@ -34,6 +34,7 @@ jobs:
     with:
       environment: internal-publish
       release_type: snapshot
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
@@ -45,6 +46,7 @@ jobs:
     with:
       environment: ${{ inputs.environment }}
       release_type: ${{ inputs.release_type }}
+      java_version: 21
     secrets:
       username: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
       password: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}

.github/workflows/maven-test.yml

@@ -15,4 +15,6 @@ on:
 jobs:
   maven-tests:
     uses: wultra/wultra-infrastructure/.github/workflows/maven-test.yml@develop
-    secrets: inherit
+    secrets: inherit
+    with:
+      java_version: 21

.github/workflows/scp-deploy.yml

@@ -7,9 +7,9 @@ jobs:
   scp-deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 21
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           java-version: 21
           distribution: 'temurin'

.run/NextStepApplication.run.xml

@@ -1,9 +1,11 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="NextStepApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
     <option name="ACTIVE_PROFILES" value="dev" />
+    <option name="DEBUG_MODE" value="true" />
     <module name="powerauth-nextstep" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.nextstep.NextStepApplication" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/powerauth-nextstep -Dserver.port=9082" />
+    <option name="WORKING_DIRECTORY" value="file://$MODULE_WORKING_DIR$" />
     <method v="2">
       <option name="Make" enabled="true" />
       <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-nextstep/pom.xml" goal="process-resources" />

.run/TppEngineApplication.run.xml

@@ -1,9 +1,11 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="TppEngineApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
     <option name="ACTIVE_PROFILES" value="dev" />
+    <option name="DEBUG_MODE" value="true" />
     <module name="powerauth-tpp-engine" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.tppengine.TppEngineApplication" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/tpp-engine -Dserver.port=9081" />
+    <option name="WORKING_DIRECTORY" value="file://$MODULE_WORKING_DIR$" />
     <method v="2">
       <option name="Make" enabled="true" />
       <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-tpp-engine/pom.xml" goal="process-resources" />

docs/Migration-Instructions.md

@@ -2,6 +2,7 @@
 
 This page contains PowerAuth Web Flow migration instructions.
 
+- [PowerAuth Web Flow 1.7.0](./Web-Flow-1.7.0.md)
 - [PowerAuth Web Flow 1.6.0](./Web-Flow-1.6.0.md)
 - [PowerAuth Web Flow 1.5.0](./Web-Flow-1.5.0.md)
 - [PowerAuth Web Flow 1.4.0](./Web-Flow-1.4.0.md)

docs/Next-Step-Server.md

@@ -68,3 +68,16 @@ Next Step Server implements following functionality:
 REST services are available for all Next Step functionality listed above.
 
 The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md).
+
+
+## OpenID Connect (OIDC)
+
+You may configure OpenID Connect (OIDC) authentication.
+
+| Property                                                | Default value | Description                                                                           |
+|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
+| `powerauth.nextstep.security.auth.type`                 |               | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
+| `spring.security.oauth2.resource-server.jwt.issuer-uri` |               | URL of the provider, e.g. `https://sts.windows.net/example/`                          |
+| `spring.security.oauth2.resource-server.jwt.audiences`  |               | A comma-separated list of allowed `aud` JWT claim values to be validated.             |
+
+See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details. 

docs/Used-Push-Message-Extras.md

@@ -1,17 +1,18 @@
 # Used Push Message Extras
 
-During the Mobile Token authentication and authorization, PowerAuth Web Flow may send following push messages to the Mobile Token app:
+During the Mobile Token authentication and authorization, PowerAuth Web Flow may send the following push messages to the Mobile Token app:
 
 - `messageType` (required) - message type, one of the following values:
-    - `mtoken.operationInit` - in case new operation was triggerred
-    - `mtoken.operationFinished` - in case operation was finished, successfully or non-successfully
+    - `mtoken.operationInit` - in case a new operation was triggered
+    - `mtoken.operationFinished` - in case the operation was finished, successfully or non-successfully
 - `mtokenOperationResult` (required only in case of a finished operation, `messageType` = `mtoken.operationFinished`, otherwise ignored) - this key contains more information about the operation finish result, namely one of the following values:
-    - `authentication.success` - operation was successfully confirmed
-    - `authentication.fail` - operation failed to confirm
-    - `operation.timeout` - operation expired
-    - `operation.canceled` - operation was cancelled by the user
-    - `operation.methodNotAvailable` - (rare) mToken authentication method was removed from the user
+    - `authentication.success` - the operation was successfully confirmed
+    - `authentication.fail` - the operation failed to confirm
+    - `operation.timeout` - the operation expired
+    - `operation.canceled` - the operation was canceled by the user
+    - `operation.methodNotAvailable` - (rare) mobile token authentication method was removed from the user
 - `operationId` (required) - operation ID, in UUID format
-- `operationName` (required) - operation name, for example "login" or "authorize_payment"
+- `operationName` (required) - operation name, for example, "login" or "authorize_payment"
+- `activationId` (optional) - activation ID representing the activation to which the push notification was sent (if known)
 
-Please note that push notifications work on "best effort" principle and therefore, application must not rely on them. It can use the notification for example to deliver more prompt response on events in desktop web browser.
+Please note that push notifications work on the "best effort" principle, so applications must not rely on them. For example, apps can use notifications to respond more promptly to events on the desktop web browser (i.e., canceling the operation by clicking the "Cancel" button on the web).

docs/Web-Flow-1.6.0.md

@@ -2,4 +2,16 @@
 
 This guide contains instructions for migration from PowerAuth WebFlow version `1.5.x` to version `1.6.0`.
 
-No migration steps nor database changes are required.
+## Database Changes
+
+For convenience you can use liquibase for your database migration.
+
+For manual changes use SQL scripts:
+
+- [PostgreSQL script](./sql/postgresql/migration_1.5.1_1.6.0.sql)
+- [Oracle script](./sql/oracle/migration_1.5.1_1.6.0.sql)
+
+### Fix DB Bug for Creating OTP without User ID
+
+The column `user_id` in table `ns_otp_storage` is nullable now.
+

docs/Web-Flow-1.7.0.md

@@ -0,0 +1,5 @@
+# Migration from 1.6.0 to 1.7.0
+
+This guide contains instructions for migration from PowerAuth WebFlow version `1.6.x` to version `1.7.0`.
+
+There are no database changes needed for this version.

docs/Web-Flow-Configuration.md

@@ -46,15 +46,13 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
 spring.datasource.hikari.auto-commit=false
-spring.datasource.driver-class-name=org.postgresql.Driver
 spring.jpa.properties.hibernate.connection.characterEncoding=utf8
 spring.jpa.properties.hibernate.connection.useUnicode=true
 
 # Database Configuration - Oracle
 #spring.datasource.url=jdbc:oracle:thin:@//localhost:1521/powerauth
 #spring.datasource.username=powerauth
 #spring.datasource.password=
-#spring.datasource.driver-class-name=oracle.jdbc.OracleDriver
 
 # Application Service Configuration
 powerauth.webflow.service.applicationName=powerauth-webflow
@@ -181,15 +179,13 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
 spring.datasource.hikari.auto-commit=false
-spring.datasource.driver-class-name=org.postgresql.Driver
 spring.jpa.properties.hibernate.connection.characterEncoding=utf8
 spring.jpa.properties.hibernate.connection.useUnicode=true
 
 # Database Configuration - Oracle
 #spring.datasource.url=jdbc:oracle:thin:@//localhost:1521/powerauth
 #spring.datasource.username=powerauth
 #spring.datasource.password=
-#spring.datasource.driver-class-name=oracle.jdbc.OracleDriver
 
 # Data Adapter Server Service URL
 powerauth.dataAdapter.service.url=http://localhost:8080/powerauth-data-adapter
@@ -281,15 +277,13 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/powerauth
 spring.datasource.username=powerauth
 spring.datasource.password=
 spring.datasource.hikari.auto-commit=false
-spring.datasource.driver-class-name=org.postgresql.Driver
 spring.jpa.properties.hibernate.connection.characterEncoding=utf8
 spring.jpa.properties.hibernate.connection.useUnicode=true
 
 # Database Configuration - Oracle
 #spring.datasource.url=jdbc:oracle:thin:@//localhost:1521/powerauth
 #spring.datasource.username=powerauth
 #spring.datasource.password=
-#spring.datasource.driver-class-name=oracle.jdbc.OracleDriver
 
 # SMS OTP expiration time in seconds
 powerauth.authorization.sms-otp.expiration-time-in-seconds=300

docs/Web-Flow-Installation-Manual.md

@@ -145,7 +145,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 
@@ -162,7 +161,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 
@@ -207,7 +205,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 
@@ -232,7 +229,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 
@@ -252,7 +248,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 ​
@@ -279,7 +274,6 @@ Note that the JDBC settings differ based on used database vendor and JDBC driver
     <Parameter name="spring.datasource.url" value="jdbc:oracle:thin:@//hostname:1523/SID"/>
     <Parameter name="spring.datasource.username" value="powerauth"/>
     <Parameter name="spring.datasource.password" value="********"/>
-    <Parameter name="spring.datasource.driver-class-name" value="oracle.jdbc.OracleDriver"/>
     <Parameter name="spring.jpa.hibernate.ddl-auto" value="none"/>
     <Parameter name="spring.jpa.properties.hibernate.default_schema" value="powerauth"/>
 

docs/db/changelog/changesets/powerauth-nextstep/1.6.x/20240116-add-tag-1.6.0.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <changeSet id="1" logicalFilePath="powerauth-nextstep/1.6.x/20240116-add-tag-1.6.0.xml" author="Zdenek Cerny">
+        <tagDatabase tag="powerauth-nextstep/1.6.0"/>
+    </changeSet>
+
+</databaseChangeLog>

docs/db/changelog/changesets/powerauth-nextstep/1.6.x/20240116-correct-userid-nullable.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <changeSet id="1" logicalFilePath="powerauth-nextstep/1.6.x/20240116-correct-userid-nullable.xml" author="Zdenek Cerny">
+        <preConditions onFail="MARK_RAN">
+            <tableExists tableName="ns_otp_storage"/>
+            <columnExists tableName="ns_otp_storage" columnName="user_id"/>
+        </preConditions>
+        <comment>Make user_id column in table ns_otp_storage nullable</comment>
+        <dropNotNullConstraint tableName="ns_otp_storage" columnName="user_id" columnDataType="varchar(255)" />
+    </changeSet>
+
+</databaseChangeLog>

docs/db/changelog/changesets/powerauth-nextstep/1.6.x/db.changelog-version.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.9.xsd">
+
+    <include file="20240116-correct-userid-nullable.xml" relativeToChangelogFile="true" />
+    <include file="20240116-add-tag-1.6.0.xml" relativeToChangelogFile="true" />
+
+</databaseChangeLog>

docs/db/changelog/changesets/powerauth-nextstep/db.changelog-module.xml

@@ -12,5 +12,6 @@
 
     <include file="1.4.x/db.changelog-version.xml" relativeToChangelogFile="true" />
     <include file="1.5.x/db.changelog-version.xml" relativeToChangelogFile="true" />
+    <include file="1.6.x/db.changelog-version.xml" relativeToChangelogFile="true" />
 
 </databaseChangeLog>

docs/sql/oracle/create_schema.sql

@@ -73,7 +73,8 @@ CREATE TABLE oauth2_registered_client (
     scopes VARCHAR(1000) NOT NULL,
     client_settings VARCHAR(2000) NOT NULL,
     token_settings VARCHAR(2000) NOT NULL,
-    PRIMARY KEY (id)
+    PRIMARY KEY (id),
+    CONSTRAINT client_id_unique UNIQUE (client_id)
 );
 
 -- Table oauth2_registered_client stores information about OAuth 2.1 consents
@@ -628,7 +629,6 @@ CREATE INDEX wf_websocket_session ON wf_operation_session (websocket_session_id)
 CREATE INDEX ns_operation_pending ON ns_operation (user_id, result);
 CREATE UNIQUE INDEX ns_operation_afs_unique on ns_operation_afs (operation_id, request_afs_action, request_step_index);
 CREATE INDEX wf_certificate_operation ON wf_certificate_verification (operation_id);
-CREATE UNIQUE INDEX oauth2_client_unique ON oauth2_registered_client (client_id);
 CREATE UNIQUE INDEX ns_application_name ON ns_application (name);
 CREATE UNIQUE INDEX ns_credential_policy_name ON ns_credential_policy (name);
 CREATE UNIQUE INDEX ns_otp_policy_name ON ns_otp_policy (name);

docs/sql/oracle/migration_1.5.1_1.6.0.sql

@@ -0,0 +1,3 @@
+-- Changeset powerauth-nextstep/1.6.x/20240116-correct-userid-nullable.xml::1::Zdenek Cerny
+-- Make user_id column in table ns_otp_storage nullable
+ALTER TABLE ns_otp_storage MODIFY user_id NULL;

docs/sql/postgresql/create_schema.sql

@@ -76,6 +76,8 @@ CREATE TABLE oauth2_registered_client (
     PRIMARY KEY (id)
 );
 
+CREATE UNIQUE INDEX oauth2_client_unique ON oauth2_registered_client (client_id);
+
 -- Table oauth2_registered_client stores information about OAuth 2.1 consents
 -- Source: https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/resources/org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql
 CREATE TABLE oauth2_authorization_consent (
@@ -623,7 +625,6 @@ CREATE INDEX wf_websocket_session ON wf_operation_session (websocket_session_id)
 CREATE INDEX ns_operation_pending ON ns_operation (user_id, result);
 CREATE UNIQUE INDEX ns_operation_afs_unique ON ns_operation_afs (operation_id, request_afs_action, request_step_index);
 CREATE INDEX wf_certificate_operation ON wf_certificate_verification (operation_id);
-CREATE UNIQUE INDEX oauth2_client_unique ON oauth2_registered_client (client_id);
 CREATE UNIQUE INDEX ns_application_name ON ns_application (name);
 CREATE UNIQUE INDEX ns_credential_policy_name ON ns_credential_policy (name);
 CREATE UNIQUE INDEX ns_otp_policy_name ON ns_otp_policy (name);

docs/sql/postgresql/migration_1.5.1_1.6.0.sql

@@ -0,0 +1,3 @@
+-- Changeset powerauth-nextstep/1.6.x/20240116-correct-userid-nullable.xml::1::Zdenek Cerny
+-- Make user_id column in table ns_otp_storage nullable
+ALTER TABLE ns_otp_storage ALTER COLUMN  user_id DROP NOT NULL;