wso2 · VimukthiRajapaksha · Oct 30, 2024 · Oct 30, 2024
diff --git a/...ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2 b/...ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2
@@ -79,6 +79,13 @@
                 <ResponseTypeHandler>com.wso2.openbanking.accelerator.identity.auth.extensions.response.handler.impl.OBDefaultResponseTypeHandlerImpl</ResponseTypeHandler>
             {% endif %}
         </Extensions>
+        <RequestObject>
+            {% if open_banking.identity.request_object.mandate_nbf_claim is defined %}
+                <MandateNBF>{{open_banking.identity.request_object.mandate_nbf_claim}}</MandateNBF>
+            {% else %}
+                <MandateNBF>true</MandateNBF>
+            {% endif %}
+        </RequestObject>
         <Filters>
             {% if open_banking.identity.filters.token_filter is defined %}
             <TokenFilter>{{open_banking.identity.filters.token_filter}}</TokenFilter>

diff --git a/...banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml b/...banking-accelerator/accelerators/ob-is/repository/resources/wso2is-5.11.0-deployment.toml
@@ -576,6 +576,10 @@ request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensi
 #request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator"
 push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator"
 
+# Use mandate_nbf_claim=true For FAPI plain flow validations
+#[open_banking.identity.request_object]
+#mandate_nbf_claim=true
+
 [open_banking.identity.application_information_webapp]
 sp_metadata_filter="com.wso2.openbanking.accelerator.identity.sp.metadata.extension.impl.DefaultSPMetadataFilter"
 

diff --git a/...-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml b/...-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.0.0-deployment.toml
@@ -622,6 +622,10 @@ request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensi
 #request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator"
 push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator"
 
+# Use mandate_nbf_claim=true For FAPI plain flow validations
+#[open_banking.identity.request_object]
+#mandate_nbf_claim=true
+
 [open_banking.identity.application_information_webapp]
 sp_metadata_filter="com.wso2.openbanking.accelerator.identity.sp.metadata.extension.impl.DefaultSPMetadataFilter"
 

diff --git a/...-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml b/...-banking-accelerator/accelerators/ob-is/repository/resources/wso2is-6.1.0-deployment.toml
@@ -576,6 +576,10 @@ request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensi
 #request_object_validator="com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.FapiRequestObjectValidator"
 push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator"
 
+# Use mandate_nbf_claim=true For FAPI plain flow validations
+#[open_banking.identity.request_object]
+#mandate_nbf_claim=true
+
 [open_banking.identity.application_information_webapp]
 sp_metadata_filter="com.wso2.openbanking.accelerator.identity.sp.metadata.extension.impl.DefaultSPMetadataFilter"
 

diff --git a/...src/main/java/com/wso2/openbanking/accelerator/common/config/OpenBankingConfigParser.java b/...src/main/java/com/wso2/openbanking/accelerator/common/config/OpenBankingConfigParser.java
@@ -1480,4 +1480,13 @@ public String getIdempotencyAllowedTime() {
                 (String) getConfigElementFromKey(OpenBankingConstants.IDEMPOTENCY_ALLOWED_TIME);
     }
 
+    /**
+     * Method to get mandate/optional nbf configuration for FAPI 1 Advance backward compatibility.
+     * @return isNbfClaimMandatory
+     */
+    public boolean isNbfClaimMandatory() {
+        return getConfigElementFromKey(OpenBankingConstants.MANDATE_NBF_CLAIM) == null || Boolean.parseBoolean(((String)
+                getConfigElementFromKey(OpenBankingConstants.MANDATE_NBF_CLAIM)).trim());
+    }
+
 }
diff --git a/.../src/main/java/com/wso2/openbanking/accelerator/common/constant/OpenBankingConstants.java b/.../src/main/java/com/wso2/openbanking/accelerator/common/constant/OpenBankingConstants.java
@@ -268,5 +268,7 @@ public class OpenBankingConstants {
     public static final String IDEMPOTENCY_IS_ENABLED = "Consent.Idempotency.Enabled";
     public static final String IDEMPOTENCY_ALLOWED_TIME = "Consent.Idempotency.AllowedTimeDuration";
     public static final String DOT_SEPARATOR = ".";
+    public static final String MANDATE_NBF_CLAIM = "Identity.RequestObject.MandateNBF";
+
 }
 
diff --git a/...ommon/src/test/java/com/wso2/openbanking/accelerator/common/test/OBConfigParserTests.java b/...ommon/src/test/java/com/wso2/openbanking/accelerator/common/test/OBConfigParserTests.java
@@ -467,4 +467,13 @@ public void testGetOBKeyManagerExtensionImpl() {
 
         Assert.assertEquals(className, "com.wso2.openbanking.accelerator.keymanager.OBKeyManagerImpl");
     }
+
+    @Test(priority = 36)
+    public void testNbfClaimMandatory() {
+        String dummyConfigFile = absolutePathForTestResources + "/open-banking.xml";
+        OpenBankingConfigParser openBankingConfigParser = OpenBankingConfigParser.getInstance(dummyConfigFile);
+
+        boolean nbfClaimMandatory = openBankingConfigParser.isNbfClaimMandatory();
+        Assert.assertTrue(nbfClaimMandatory);
+    }
 }
diff --git a/...or/components/com.wso2.openbanking.accelerator.common/src/test/resources/open-banking.xml b/...or/components/com.wso2.openbanking.accelerator.common/src/test/resources/open-banking.xml
@@ -37,6 +37,9 @@
                 sampleRequestObjectValidator
             </RequestObjectValidator>
         </Extensions>
+        <RequestObject>
+            <MandateNBF>true</MandateNBF>
+        </RequestObject>
         <AuthenticationWebApp>
             <ServletExtension>
                 sampleServletExtension

diff --git a/...celerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java b/...celerator/identity/auth/extensions/request/validator/annotations/ExpirationValidator.java
@@ -18,7 +18,6 @@
 
 package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations;
 
-import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
 import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -59,14 +58,6 @@ public boolean isValid(Object object, ConstraintValidatorContext constraintValid
                 long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
                 long expirationTimeInMillis = expirationDate.getTime();
                 long currentTimeInMillis = System.currentTimeMillis();
-                // exp parameter should not be over 1 hour in the future.
-                if ((expirationTimeInMillis - (currentTimeInMillis + timeStampSkewMillis)) >
-                        PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
-                    errorMessage = "exp parameter in the request object is over 1 hour in the future";
-                    log.debug(errorMessage);
-                    IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
-                    return false;
-                }
                 // exp parameter should not be in the past.
                 if ((currentTimeInMillis + timeStampSkewMillis) > expirationTimeInMillis) {
                     errorMessage = "Request object expired";

diff --git a/...dator/annotations/NotBeforeValidator.java → ...or/annotations/NbfExpClaimsValidator.java b/...dator/annotations/NotBeforeValidator.java → ...or/annotations/NbfExpClaimsValidator.java
@@ -18,6 +18,7 @@
 
 package com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations;
 
+import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
 import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
 import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
 import org.apache.commons.beanutils.BeanUtils;
@@ -36,15 +37,17 @@
 /**
  * To validate if the not before claim provided is valid.
  */
-public class NotBeforeValidator implements ConstraintValidator<ValidNotBefore, Object> {
+public class NbfExpClaimsValidator implements ConstraintValidator<ValidNbfExpClaims, Object> {
 
+    private static Log log = LogFactory.getLog(NbfExpClaimsValidator.class);
     private String notBeforeXPath;
-    private static Log log = LogFactory.getLog(NotBeforeValidator.class);
+    private String expirationXPath;
 
     @Override
-    public void initialize(ValidNotBefore constraintAnnotation) {
+    public void initialize(ValidNbfExpClaims constraintAnnotation) {
 
         this.notBeforeXPath = constraintAnnotation.notBefore();
+        this.expirationXPath = constraintAnnotation.expiration();
     }
 
     @Override
@@ -53,6 +56,7 @@ public boolean isValid(Object object, ConstraintValidatorContext constraintValid
         String errorMessage;
         try {
             final String nbfClaimInDateTimeFormat = BeanUtils.getProperty(object, notBeforeXPath);
+            final String expClaimInDateTimeFormat = BeanUtils.getProperty(object, expirationXPath);
 
             if (StringUtils.isNotBlank(nbfClaimInDateTimeFormat)) {
                 Date notBeforeDate = IdentityCommonUtil.parseStringToDate(nbfClaimInDateTimeFormat);
@@ -74,7 +78,22 @@ public boolean isValid(Object object, ConstraintValidatorContext constraintValid
                     IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
                     return false;
                 }
+
+                // exp time should not be older than 1 hour from nbf time.
+                Date expirationDate = IdentityCommonUtil.parseStringToDate(expClaimInDateTimeFormat);
+                long expirationTimeInMillis = expirationDate.getTime();
+                if ((expirationTimeInMillis - notBeforeTimeInMillis) > PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
+                    errorMessage = "Request Object expiry time is too far in the future than not before time.";
+                    log.debug(errorMessage);
+                    IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext, errorMessage);
+                    return false;
+                }
+
             } else {
+                if (!OpenBankingConfigParser.getInstance().isNbfClaimMandatory()) {
+                    // This config added to preserve backward compatibility when moving from FAPI ID2 to FAPI 1 Advance.
+                    return true;
+                }
                 errorMessage = "nbf parameter is missing in the request object";
                 log.debug(errorMessage);
                 IdentityCommonUtil.setCustomErrorMessage(constraintValidatorContext,

diff --git a/...validator/annotations/ValidNotBefore.java → ...idator/annotations/ValidNbfExpClaims.java b/...validator/annotations/ValidNotBefore.java → ...idator/annotations/ValidNbfExpClaims.java
@@ -34,8 +34,8 @@
 @Target(ElementType.TYPE)
 @Retention(RUNTIME)
 @Documented
-@Constraint(validatedBy = {NotBeforeValidator.class})
-public @interface ValidNotBefore {
+@Constraint(validatedBy = {NbfExpClaimsValidator.class})
+public @interface ValidNbfExpClaims {
 
     String message() default "Invalid not before claim";
 
@@ -44,4 +44,6 @@
     Class<? extends Payload>[] payload() default {};
 
     String notBefore() default "nbf";
+
+    String expiration() default "exp";
 }
diff --git a/...king/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java b/...king/accelerator/identity/auth/extensions/request/validator/models/FapiRequestObject.java
@@ -21,7 +21,7 @@
 import com.wso2.openbanking.accelerator.common.validator.annotation.RequiredParameter;
 import com.wso2.openbanking.accelerator.common.validator.annotation.RequiredParameters;
 import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations.ValidExpiration;
-import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations.ValidNotBefore;
+import com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.annotations.ValidNbfExpClaims;
 
 /**
  * Model class for FAPI request object.
@@ -32,12 +32,10 @@
         @RequiredParameter(param = "claimsSet.claims.nonce",
                 message = "nonce parameter is missing in the request object"),
         @RequiredParameter(param = "claimsSet.claims.exp",
-                message = "exp parameter is missing in the request object"),
-        @RequiredParameter(param = "claimsSet.claims.nbf",
-                message = "nbf parameter is missing in the request object")
+                message = "exp parameter is missing in the request object")
 })
 @ValidExpiration(expiration = "claimsSet.claims.exp")
-@ValidNotBefore(notBefore = "claimsSet.claims.nbf")
+@ValidNbfExpClaims(notBefore = "claimsSet.claims.nbf", expiration = "claimsSet.claims.exp")
 public class FapiRequestObject extends OBRequestObject {
 
     private static final long serialVersionUID = -83973857804232423L;