wso2 · Akila94 · Nov 22, 2024 · Nov 25, 2024
diff --git a/...ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2 b/...ob-is/carbon-home/repository/resources/conf/templates/repository/conf/open-banking.xml.j2
@@ -62,6 +62,9 @@
             {% else %}
                 <PushAuthRequestValidator>com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator</PushAuthRequestValidator>
             {% endif %}
+            {% if open_banking.identity.extensions.push_auth_request_url is defined %}
+                <PushAuthRequestUrl>{{open_banking.identity.extensions.push_auth_request_url}}</PushAuthRequestUrl>
+            {% endif %}
             {% if open_banking.identity.extensions.claim_provider is defined %}
             <ClaimProvider>{{open_banking.identity.extensions.claim_provider}}</ClaimProvider>
             {% else %}

diff --git a/...java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsDataHolder.java b/...java/com/wso2/openbanking/accelerator/identity/internal/IdentityExtensionsDataHolder.java
@@ -36,6 +36,7 @@
 import com.wso2.openbanking.accelerator.identity.token.validators.OBIdentityFilterValidator;
 import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
 import com.wso2.openbanking.accelerator.throttler.service.OBThrottleService;
+import org.apache.commons.lang3.StringUtils;
 import org.wso2.carbon.identity.application.authentication.framework.JsFunctionRegistry;
 import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
 import org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl;
@@ -54,6 +55,7 @@
 import java.util.Map;
 
 import static com.wso2.openbanking.accelerator.common.util.OpenBankingUtils.getClassInstanceFromFQN;
+import static com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants.PUSH_AUTH_REQUEST_URL;
 import static com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants.PUSH_AUTH_REQUEST_VALIDATOR;
 import static com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants.REQUEST_VALIDATOR;
 import static com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants.RESPONSE_HANDLER;
@@ -77,6 +79,7 @@ public class IdentityExtensionsDataHolder {
     private IntrospectionDataProvider introspectionDataProvider;
     private OBRequestObjectValidator obRequestObjectValidator;
     private PushAuthRequestValidator pushAuthRequestValidator;
+    private String pushAuthRequestUrl;
     private KeyStore trustStore = null;
     private OBResponseTypeHandler obResponseTypeHandler;
     private AbstractApplicationUpdater abstractApplicationUpdater;
@@ -217,6 +220,9 @@ public void setOpenBankingConfigurationService(
                 .getConfigurations().get("IdentityCache.CacheAccessExpiry"));
         setIdentityCacheModifiedExpiry((String) openBankingConfigurationService
                 .getConfigurations().get("IdentityCache.CacheModifiedExpiry"));
+        this.pushAuthRequestUrl = openBankingConfigurationService
+                .getConfigurations().get(PUSH_AUTH_REQUEST_URL) != null ? openBankingConfigurationService
+                .getConfigurations().get(PUSH_AUTH_REQUEST_URL).toString() : StringUtils.EMPTY;
 
         Map<String, String> authenticationWorkers = openBankingConfigurationService.getAuthenticationWorkers();
         authenticationWorkers.forEach((key, value) ->
@@ -313,6 +319,14 @@ public void setPushAuthRequestValidator(PushAuthRequestValidator pushAuthRequest
         this.pushAuthRequestValidator = pushAuthRequestValidator;
     }
 
+    public String getPushAuthRequestUrl() {
+        return pushAuthRequestUrl;
+    }
+
+    public void setPushAuthRequestUrl(String pushAuthRequestUrl) {
+        this.pushAuthRequestUrl = pushAuthRequestUrl;
+    }
+
     public void setDcrRegistrationConfigMap(Map<String, Map<String, Object>> dcrRegConfigMap) {
 
         dcrRegistrationConfigMap = dcrRegConfigMap;

diff --git a/...or/identity/push/auth/extension/request/validator/util/PushAuthRequestValidatorUtils.java b/...or/identity/push/auth/extension/request/validator/util/PushAuthRequestValidatorUtils.java
@@ -88,6 +88,8 @@ public class PushAuthRequestValidatorUtils {
     private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
     private static final String OAUTH2_TOKEN_EP_URL = "OAuth2TokenEPUrl";
     private static final String OIDC_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
+    private static final IdentityExtensionsDataHolder identityExtensionsDataHolder = IdentityExtensionsDataHolder
+            .getInstance();
     private static final ArrayList<String> ALLOWED_FORM_BODY_PARAMS = new ArrayList<String>() {
         {
             add("client_id");
@@ -121,7 +123,7 @@ public static void validateSignatureAlgorithm(Object algorithm) throws PushAuthR
         boolean isValid = false;
         if (algorithm != null && StringUtils.isNotBlank((String) algorithm)) {
             List<String> allowedAlgorithmsList = new ArrayList<>();
-            Object allowedAlgorithms = IdentityExtensionsDataHolder.getInstance()
+            Object allowedAlgorithms = identityExtensionsDataHolder
                     .getConfigurationMap().get(OpenBankingConstants.SIGNATURE_ALGORITHMS);
             if (allowedAlgorithms instanceof List) {
                 allowedAlgorithmsList = (List<String>) allowedAlgorithms;
@@ -562,6 +564,12 @@ private static List<String> getAllowedPARAudienceValues(String tenantDomain)
             URL parEpUrl = new URL(residentIdPUrl, IdentityCommonConstants.PAR_ENDPOINT);
             // add PAR EP URL as a valid "aud" value
             validAudUrls.add(parEpUrl.toString());
+
+            /* If a PAR endpoint URL is configured, add it to the valid audience list.
+               This addresses the scenario of PAR request URL domain is different form the resident IDP URL domain */
+            if (StringUtils.isNotBlank(identityExtensionsDataHolder.getPushAuthRequestUrl())) {
+                validAudUrls.add(identityExtensionsDataHolder.getPushAuthRequestUrl());
+            }
         } catch (MalformedURLException exception) {
             log.error("Error occurred while deriving PAR endpoint URL.", exception);
             throw new PushAuthRequestValidatorException(HttpStatus.SC_INTERNAL_SERVER_ERROR,

diff --git a/...src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java b/...src/main/java/com/wso2/openbanking/accelerator/identity/util/IdentityCommonConstants.java
@@ -69,6 +69,7 @@ public class IdentityCommonConstants {
     public static final String IDENTITY_PROVIDER_STEP = "SCA.IdpStep";
     public static final String REQUEST_VALIDATOR = "Identity.Extensions.RequestObjectValidator";
     public static final String PUSH_AUTH_REQUEST_VALIDATOR = "Identity.Extensions.PushAuthRequestValidator";
+    public static final String PUSH_AUTH_REQUEST_URL = "Identity.Extensions.PushAuthRequestUrl";
     public static final String RESPONSE_HANDLER = "Identity.Extensions.ResponseTypeHandler";
     public static final String ENABLE_TRANSPORT_CERT_AS_HEADER = "Identity.ClientTransportCertAsHeaderEnabled";
     public static final String ENABLE_SUBJECT_AS_PPID = "Identity.EnableSubjectPPID";