Changes for v1.5.0

Author: manish2788

README.md

@@ -1,4 +1,4 @@
-# cordova-plugin-oracle-idm-auth 1.4.0
+# cordova-plugin-oracle-idm-auth 1.5.0
 
 ## About the cordova-plugin-oracle-idm-auth
 The plugin provides authentication and authorization functionality for cordova based mobile applications,

RELEASENOTES.md

@@ -1,5 +1,8 @@
 # Release Notes
 
+## 1.5.0 (11 May, 2020)
+* Support for CSRF Protection for token relay service.
+
 ## 1.4.0 (8 Apr, 2020)
 * Removing the referencing of UIWebView as per Apple guideline.
 

plugin.xml

@@ -6,7 +6,7 @@
 <plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
         xmlns:android="http://schemas.android.com/apk/res/android"
         id="cordova-plugin-oracle-idm-auth"
-        version="1.4.0">
+        version="1.5.0">
   <name>cordova-plugin-oracle-idm-auth</name>
   <description>Provides authentication and authorization functionality using the Oracle IDM SDK, supporting standard protocols like Basic Auth, OAUTH, OpenID Connect and WebSSO</description>
   <keywords>cordova,idm,authentication,auth</keywords>
@@ -121,6 +121,7 @@
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/RefreshTokenAuthenticationService.java" target-dir="src/oracle/idm/mobile/auth/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/TimeoutManager.java" target-dir="src/oracle/idm/mobile/auth/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/TwoWaySSLCompletionHandler.java" target-dir="src/oracle/idm/mobile/auth/"/>
+    <source-file src="src/android/sdk/oracle/idm/mobile/auth/UsernamePasswdAuthServiceInputCallbackImpl.java" target-dir="src/oracle/idm/mobile/auth/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/local/AndroidKeyStoreKeyProvider.java" target-dir="src/oracle/idm/mobile/auth/local/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/local/DefaultKeyProvider.java" target-dir="src/oracle/idm/mobile/auth/local/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/auth/local/KeyProvider.java" target-dir="src/oracle/idm/mobile/auth/local/"/>
@@ -178,6 +179,7 @@
     <source-file src="src/android/sdk/oracle/idm/mobile/connection/SSLExceptionEvent.java" target-dir="src/oracle/idm/mobile/connection/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/credentialstore/OMCredential.java" target-dir="src/oracle/idm/mobile/credentialstore/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/credentialstore/OMCredentialStore.java" target-dir="src/oracle/idm/mobile/credentialstore/"/>
+    <source-file src="src/android/sdk/oracle/idm/mobile/credentialstore/OMClassicCredentialStore.java" target-dir="src/oracle/idm/mobile/credentialstore/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/crypto/Base64.java" target-dir="src/oracle/idm/mobile/crypto/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/crypto/CryptoException.java" target-dir="src/oracle/idm/mobile/crypto/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/crypto/CryptoScheme.java" target-dir="src/oracle/idm/mobile/crypto/"/>
@@ -202,6 +204,7 @@
     <source-file src="src/android/sdk/oracle/idm/mobile/util/OMVersion.java" target-dir="src/oracle/idm/mobile/util/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/util/StringUtils.java" target-dir="src/oracle/idm/mobile/util/"/>
     <source-file src="src/android/sdk/oracle/idm/mobile/util/URLUtils.java" target-dir="src/oracle/idm/mobile/util/"/>
+    <source-file src="src/android/sdk/oracle/idm/mobile/util/ArrayUtils.java" target-dir="src/oracle/idm/mobile/util/"/>
   </platform>
 
   <!-- ios -->

src/android/sdk/oracle/idm/mobile/OMErrorCode.java

@@ -134,8 +134,9 @@ public enum OMErrorCode {
      * This seems to be a bug in emulator. This should not arise in a device.
      */
     NO_FINGERPRINT_ENROLLED("10536", "At least one fingerprint must be enrolled to create keys requiring user authentication for every use"),
-    DISABLE_AUTHENTICATOR_INSTANCE("60014", "Disable Authentication for all instances of authenticator.");
+    DISABLE_AUTHENTICATOR_INSTANCE("60014", "Disable Authentication for all instances of authenticator."),
 
+    INCORRECT_CURRENT_AUTHDATA("70009", "Cannot authenticate using currentAuthData");
 
     String mErrorCode;
     String mErrorMessage;
@@ -179,7 +180,7 @@ public static OMErrorCode[] getRecoverableErrorCodes() {
         if (mRecoverableCodes == null) {
             mRecoverableCodes = new OMErrorCode[]{OMErrorCode.USERNAME_REQUIRED, OMErrorCode.PASSWORD_REQUIRED,
                     OMErrorCode.IDENTITY_DOMAIN_REQUIRED, OMErrorCode.USERNAME_AND_IDENTITY_DOMAIN_REQUIRED,
-                    OMErrorCode.UN_PWD_INVALID, OMErrorCode.UNABLE_TO_CONNECT_TO_SERVER};
+                    OMErrorCode.UN_PWD_INVALID, OMErrorCode.UN_PWD_TENANT_INVALID, OMErrorCode.UNABLE_TO_CONNECT_TO_SERVER};
         }
         return mRecoverableCodes;
     }

src/android/sdk/oracle/idm/mobile/OMMobileSecurityService.java

@@ -803,7 +803,7 @@ public OMMobileSecurityService(Context context,
      */
     public OMMobileSecurityService(Context context,
                                    String configurationPropertiesKey, OMMobileSecurityServiceCallback callback)
-            throws JSONException, OMMobileSecurityException {
+            throws OMMobileSecurityException {
         this(context, OMMobileSecurityConfiguration.getInitializationConfiguration(context,
                 configurationPropertiesKey), callback);
     }
@@ -930,6 +930,8 @@ protected void onPostExecute(OMMobileSecurityException e) {
                             .UNTRUSTED_SERVER_CERTIFICATE_AUTH_TYPE_KEY, sslEvent.getAuthType());
                     sslChallenge.addChallengeField(OMSecurityConstants.Challenge
                             .UNTRUSTED_SERVER_CERTIFICATE_CHAIN_KEY, sslEvent.getCertificateChain());
+                    sslChallenge.addChallengeField(OMSecurityConstants.Challenge
+                            .UNTRUSTED_SERVER_URL_KEY, sslEvent.getURL());
                     new Setup1WaySSLCompletionHandler(sMSS.getMobileSecurityConfig(), sMSS.getCallback()).createChallengeRequest(sMSS, sslChallenge, null);
                     //handle 1-way SSL
                     return;
@@ -1067,21 +1069,29 @@ public Context getApplicationContext() {
 
     /**
      * This method removes all session cookies when authenticate is called for
-     * first time after app launch. This is done, because android sometimes
-     * retains some session cookies even after app restart. E.g: User is logged
-     * in using Federated Authentication, and then the app is force stopped. The
-     * next time app is launched, if the session cookies are not removed, the
+     * first time after app launch. This is done, because android webview
+     * retains session cookies even after app restart.
+     * Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Session_cookies
+     * E.g: User is logged in using Federated Authentication, and
+     * then the app is force stopped. The next time app is launched,
+     * if the session cookies are not removed, the
      * federated authentication flow will fail.
      */
     @TargetApi(Build.VERSION_CODES.LOLLIPOP)
     private void removeSessionCookies() {
         if (!authenticateCalledForFirstTime) {
             authenticateCalledForFirstTime = true;
-            if (!getMobileSecurityConfig().isAuthContextPersistenceAllowed()) {
-                OMLog.debug(TAG,
-                        "Authenticate API called for first time after app launch -> Removing session cookies");
-                OMCookieManager.getInstance().removeSessionCookies(getApplicationContext());
-            }
+            /*Session cookies are being cleared irrespective of
+            OM_PROP_SESSION_ACTIVE_ON_RESTART. This is because
+            once SDK indicates authContext is invalid after app-restart,
+            say based on access token expiry, authenticate() should prompt
+            for login screen. If session cookies are not cleared here,
+            user will not be prompted for authentication, if session cookies
+            are still valid. This will also make the behavior similar
+            to iOS.*/
+            OMLog.debug(TAG,
+                    "Authenticate API called for first time after app launch -> Removing session cookies");
+            OMCookieManager.getInstance().removeSessionCookies(getApplicationContext());
         }
     }
 
@@ -1325,6 +1335,20 @@ public void onLogoutCompleted() {
                 timeoutManager.stopTimers();
             }
             authenticationContext.deleteCookies();
+            /**This is called with all parameters passed as true
+             * to make sure that if authentication context is retrieved
+             * by app in onLogoutCompleted, it will be null. Actual
+             * authContext to be persisted is written in
+             * {@link OMAuthenticationContext#deleteAuthContext(boolean, boolean, boolean, boolean)}
+             * by calling {@link OMAuthenticationContext#deletePersistedAuthContext(boolean, boolean, boolean)}.
+             * This is done because before {@link OMMobileSecurityService#logout(boolean)}l is executed completely,
+             * onLogoutCompleted() can be called.
+             * e.g: Google OpenID logout, external browser flow.*/
+            boolean authContextPersistenceAllowed = getMobileSecurityConfig()
+                    .isAuthContextPersistenceAllowed();
+            if (authContextPersistenceAllowed) {
+                authenticationContext.deletePersistedAuthContext(true, true, true);
+            }
         }
         removeSessionCookiesOnLogout();
         resetAuthServiceManager();

src/android/sdk/oracle/idm/mobile/OMSecurityConstants.java

@@ -13,7 +13,7 @@ public class OMSecurityConstants {
 
     /**
      * Change this boolean to enable/disable debug logging in SDK.
-     *
+     * <p>
      * Cannot use {@link BuildConfig#DEBUG} in library project because of
      * https://issuetracker.google.com/issues/36967265
      * <p>
@@ -24,6 +24,7 @@ public class OMSecurityConstants {
      */
     public static boolean DEBUG = false;
 
+    public static final String UTF_8 = "UTF-8";
     public static final char COLON = ':';
     public static final char EQUAL = '=';
     public static final char AMPERSAND = '&';
@@ -59,17 +60,38 @@ public class OMSecurityConstants {
 
     /*TODO Documentation*/
     //TODO Add javadoc for every constant following the format specified for CLIENT_CERTIFICATE_HOST
+
     /**
      * Holds constants specific to OMAuthenticationChallenge
      */
     public static class Challenge {
         public static final String USERNAME_KEY = "username_key";
+        /**
+         * The key against which the following is present or MUST be provided:
+         * the password of the end user.
+         * <p/>
+         * The value is of type {@link String}.
+         *
+         * @deprecated This accepts or provides password as String which leads to security issues.
+         * This field will be removed in a future release. This is maintained now just to have
+         * backward compatibility. Instead of this field, use {@link #PASSWORD_KEY_2}.
+         */
+        @Deprecated
         public static final String PASSWORD_KEY = "password_key";
+
+        /**
+         * The key against which the following is present or MUST be provided:
+         * the password of the end user.
+         * <p/>
+         * The value is of type char[].
+         */
+        public static final String PASSWORD_KEY_2 = "password_as_char_array_key";
+
         public static final String IDENTITY_DOMAIN_KEY = "iddomain_key";
         public static final String OFFLINE_CREDENTIAL_KEY = "offline_credential_key";
-        public static final String IS_FORCE_AUTHENTICATION ="isForceAuthentication";
+        public static final String IS_FORCE_AUTHENTICATION = "isForceAuthentication";
         /**
-         * The key against the following is present:
+         * The key against which the following is present:
          * Exception thrown in the authentication attempt
          * <p/>
          * The value is of type {@link OMMobileSecurityException}.
@@ -78,7 +100,7 @@ public static class Challenge {
         public static final String MOBILE_SECURITY_EXCEPTION = "mobileSecurityException";
 
         /**
-         * The key against the following is present:
+         * The key against which the following is present:
          * the host name of the server requesting the certificate
          * <p/>
          * The value is of type {@link String}.
@@ -89,7 +111,7 @@ public static class Challenge {
         public static final String CLIENT_CERTIFICATE_HOST = "client_certificate_host_key";
 
         /**
-         * The key against the following is present:
+         * The key against which the following is present:
          * the port number of the server requesting the certificate
          * <p/>
          * The value is of type {@link Integer}.
@@ -100,7 +122,7 @@ public static class Challenge {
         public static final String CLIENT_CERTIFICATE_PORT = "client_certificate_port_key";
 
         /**
-         * The key against the following is present:
+         * The key against which the following is present:
          * the acceptable certificate issuers for the certificate matching the private key (can be null)
          * null implies any issuer will do.
          * <p/>
@@ -112,22 +134,22 @@ public static class Challenge {
         public static final String CLIENT_CERTIFICATE_ISSUERS_KEY = "client_certificate_issuer_names_key";
 
         /**
-         * The key against the following is present:
+         * The key against which the following is present:
          * the acceptable types of asymmetric keys (can be null) or in other words: the list of public key algorithm names
-         *
+         * <p>
          * The value is of type {@link String}[].
-         *
+         * <p>
          * <b>Note:</b> Client certificate authentication in embedded browser [Fed Auth, OAuth] is supported only from LOLLIPOP onwards.
          * Refer {@link oracle.idm.mobile.OMMobileSecurityService.AuthServerType} for more details.
          */
         public static final String CLIENT_CERTIFICATE_KEYTYPES_KEY = "client_certificate_keytypes_key";
 
         /**
-         * The key against the following MUST BE provided by the developer:
+         * The key against which the following MUST BE provided by the developer:
          * the alias for the client side of an SSL connection to authenticate it with the specified public key type and certificate issuers
-         *
+         * <p>
          * The value MUST be of type {@link String}
-         *
+         * <p>
          * <b>Note:</b> Client certificate authentication in embedded browser [Fed Auth, OAuth] is supported only from LOLLIPOP onwards.
          * Refer {@link oracle.idm.mobile.OMMobileSecurityService.AuthServerType} for more details.
          */
@@ -144,6 +166,15 @@ public static class Challenge {
         public static final String CLIENT_CERTIFICATE_STORAGE_PREFERENCE_KEY = "client_certificate_storage_pref_key";
         public static final String UNTRUSTED_SERVER_CERTIFICATE_AUTH_TYPE_KEY = "untrusted_certificate_authtype_key";
         public static final String UNTRUSTED_SERVER_CERTIFICATE_CHAIN_KEY = "untrusted_server_certificate_chain_key";
+        /**
+         * The key against which the following is present:
+         * The URL of the server being accessed which resulted
+         * in {@link javax.net.ssl.SSLHandshakeException}.
+         * <p>
+         * The value is of type {@link java.net.URL}.
+         * <p>
+         */
+        public static final String UNTRUSTED_SERVER_URL_KEY = "untrusted_server_url_key";
         public static final String INVALID_REDIRECT_TYPE_KEY = "invalid_redirect_type_key";
 
 
@@ -170,6 +201,7 @@ public static class Challenge {
     public static final String EXPIRY_DATE = "expiresdate";
     public static final String EXPIRES_IN = "expires_in";
     public static final String IS_SECURE = "issecure";
+
     /**
      * Constants to represent parameter keys used internally in SDK.
      *
@@ -179,6 +211,7 @@ public static class Param {
         public static final String OAUTH_REFRESH_TOKEN_VALUE = "ParamOAuthRefreshTokenValue";
         public static final String OAUTH_FRONT_CHANNEL_RESPONSE_JSON = "ParamFrontChannelResponseJSON";
         public static final String COLLECT_OFFLINE_CREDENTIAL = "collectOfflineCredential";
+        public static final String CLEAR_PASSWORD = "clearPassword";
         //Begin: Fed Auth
         public static final String LOGIN_FAILURE_URL_HIT = "login_failure_url_hit";
         public static final String VISITED_URLS = "visited_urls";
@@ -244,4 +277,6 @@ public class Flags {
         public static final int CONNECTION_ALLOW_HTTPS_TO_HTTP_REDIRECT = 103;
         public static final int CONNECTION_ALLOW_HTTP_TO_HTTPS_REDIRECT = 104;
     }
+
+    public static final String OM_CREDENTIAL = "_Credential";
 }