diff --git a/.idea/artifacts/scitokens_client_war_exploded.xml b/.idea/artifacts/scitokens_client_war_exploded.xml
index 72876e70c..9edbf3a77 100644
--- a/.idea/artifacts/scitokens_client_war_exploded.xml
+++ b/.idea/artifacts/scitokens_client_war_exploded.xml
@@ -10,28 +10,28 @@
-
+
-
+
-
+
-
-
-
-
-
+
+
+
+
+
@@ -43,18 +43,18 @@
-
+
-
-
-
-
-
+
+
+
+
+
-
+
diff --git a/.idea/artifacts/scitokens_server_war_exploded.xml b/.idea/artifacts/scitokens_server_war_exploded.xml
index 78ddeec53..20b93c75d 100644
--- a/.idea/artifacts/scitokens_server_war_exploded.xml
+++ b/.idea/artifacts/scitokens_server_war_exploded.xml
@@ -10,10 +10,10 @@
-
-
-
-
+
+
+
+
@@ -24,27 +24,27 @@
-
+
-
-
+
+
-
+
-
-
+
+
-
+
-
+
@@ -52,7 +52,7 @@
-
+
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_0.xml
similarity index 54%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_0.xml
index 472478e79..296554d46 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_myproxy_logon_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_0.xml
similarity index 62%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_0.xml
index ae6d0fd19..0ae5e0c0b 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_api_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_0.xml
similarity index 56%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_0.xml
index ead40daa1..5569ca13b 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth1_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_0.xml
similarity index 56%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_0.xml
index 26caae99c..5b2ac2917 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_loader_oauth2_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_0.xml
similarity index 60%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_0.xml
index 645e7292a..da97c3d56 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_client_oauth2_war_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_0.xml
similarity index 56%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_0.xml
index 29d737754..62b6eef8c 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_0.xml
similarity index 68%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_0.xml
index e35a51b55..394b819a7 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_admin_oauth2_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_0.xml
similarity index 62%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_0.xml
index ab399e8ff..142af01a6 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_api_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_0.xml
similarity index 56%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_0.xml
index bbd1005f2..6caafc64c 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth1_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_0.xml
similarity index 56%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_0.xml
index 036870dcf..68ddd17f9 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_loader_oauth2_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_0.xml
similarity index 60%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_0.xml
index 401390ea7..f49630f03 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_myproxy_oa4mp_server_oauth2_war_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_0.xml
similarity index 53%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_0.xml
index d0f2202b2..61a914e79 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_SNAPSHOT.xml
deleted file mode 100644
index af74c5f69..000000000
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_client_4_1_SNAPSHOT.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_0.xml
similarity index 50%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_0.xml
index 41b28eccd..9dbea4c67 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_common_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_0.xml
similarity index 50%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_0.xml
index b64a4b589..ed138c1ec 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_delegation_server_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_0.xml
similarity index 54%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_0.xml
index e059ae832..9d3278a0d 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_1_0a_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_0.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_0.xml
new file mode 100644
index 000000000..35eefa47c
--- /dev/null
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_delegation_ncsa_security_oauth_2_0_4_1_0.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_0.xml
similarity index 60%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_0.xml
index 106edda03..dab03b864 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_0.xml
similarity index 58%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_0.xml
index df747a2a4..c9f9f15fa 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_core_test_jar_tests_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_0.xml
similarity index 58%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_0.xml
index 22f2f34bc..7d1a327e5 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_servlet_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_0.xml
similarity index 58%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_0.xml
index 1d801c29a..643cd5f78 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_storage_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_0.xml
similarity index 60%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_0.xml
index 4ea531c12..8e9e4584f 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_SNAPSHOT.xml b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_0.xml
similarity index 58%
rename from .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_SNAPSHOT.xml
rename to .idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_0.xml
index 4456529ea..31094f0e8 100644
--- a/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_SNAPSHOT.xml
+++ b/.idea/libraries/Maven__edu_uiuc_ncsa_security_ncsa_security_util_test_jar_tests_4_1_0.xml
@@ -1,13 +1,13 @@
-
+
-
+
-
+
-
+
\ No newline at end of file
diff --git a/scitokens-cli/pom.xml b/scitokens-cli/pom.xml
index 060c313d0..452f89071 100644
--- a/scitokens-cli/pom.xml
+++ b/scitokens-cli/pom.xml
@@ -24,22 +24,22 @@
edu.uiuc.ncsa.myproxyoa4mp-client-loader-oauth2
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.myproxyoa4mp-server-admin
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.myproxyoa4mp-server-admin-oauth2
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.security.delegationncsa-security-oauth-2.0
- 4.1-SNAPSHOT
+ 4.1.0org.mariadb.jdbc
diff --git a/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtil.java b/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtil.java
index ac3ea8ebb..b5e369b2b 100644
--- a/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtil.java
+++ b/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtil.java
@@ -7,9 +7,13 @@
import edu.uiuc.ncsa.security.util.cli.Commands;
import edu.uiuc.ncsa.security.util.cli.ConfigurableCommandsImpl;
import edu.uiuc.ncsa.security.util.cli.InputLine;
+import edu.uiuc.ncsa.security.util.functor.parser.event.ParserUtil;
import org.apache.commons.lang.StringUtils;
-import java.io.*;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.util.List;
import java.util.Vector;
import static edu.uiuc.ncsa.security.util.cli.CommonCommands.BATCH_MODE_FLAG;
@@ -206,7 +210,7 @@ protected void processBatchModeCommand(CLIDriver cli, String[] args) throws Exce
}
- protected void processBatchFile(String fileName, CLIDriver cli) throws Exception {
+ protected void processBatchFile(String fileName, CLIDriver cli) throws Throwable {
if(fileName == null || fileName.isEmpty()){
throw new FileNotFoundException("Error: The file name is missing.");
}
@@ -221,16 +225,42 @@ protected void processBatchFile(String fileName, CLIDriver cli) throws Exception
throw new GeneralException("Error: Cannot read file \"" + fileName + "\". Please check your permissions.");
}
FileReader fis = new FileReader(file);
- BufferedReader br = new BufferedReader(fis);
+ List commands = ParserUtil.processInput(fis);
SciTokensUtilCommands sciTokensCommands = getSciTokensCommands(cli);
if (sciTokensCommands == null) {
throw new NFWException("Error: No SciTokensUtilCommands configured, hence no logging.");
}
sciTokensCommands.setBatchMode(true);
- int lineNumber = 1;
+
+ for(String command : commands){
+ try {
+ int rc = cli.execute(command);
+ switch (rc) {
+ // Hint: The colons in the messages line up (more or less) so that the log file is very easily readable at a glance.
+ case CLIDriver.ABNORMAL_RC:
+ sciTokensCommands.error("Error: \"" + command + "\"");
+ break;
+ case CLIDriver.HELP_RC:
+ sciTokensCommands.info(" Help: invoked.");
+ break;
+ case CLIDriver.OK_RC:
+ default:
+ if(sciTokensCommands.isVerbose()){
+ sciTokensCommands.info(" ok: \"" + command+ "\"");
+ }
+ }
+
+ } catch (Throwable t) {
+ sciTokensCommands.error(t, "Error executing batch file command \"" + command + "\"");
+ }
+
+ }
+// BufferedReader br = new BufferedReader(fis);
+ /* int lineNumber = 1;
String lineIn = br.readLine(); // actual lines in the file, comments and all
boolean isExecuteLine = false;
-
+*/
+/*
String executableLine = "";
while (lineIn != null) {
// strip comment
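Review bot: The `FileReader` opened as `fis` is never closed on the new path, because the only `close()` call (`br.close()`) now sits inside the commented-out block that the next hunk ends with `*/`. Unless `ParserUtil.processInput` closes the reader itself (not visible here), every batch run leaks a file handle, including when parsing throws; scope it with `try (FileReader fis = new FileReader(file)) { commands = ParserUtil.processInput(fis); }`. The per-command `catch (Throwable t)` also absorbs `Error`s such as `OutOfMemoryError` and moves on to the next command; `catch (Exception e)` keeps the log-and-continue behaviour without hiding JVM failures. processBatchFile starts above this hunk and continues below it.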
@@ -282,6 +312,7 @@ protected void processBatchFile(String fileName, CLIDriver cli) throws Exception
lineNumber++;
}
br.close();
+*/
}
diff --git a/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtilCommands.java b/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtilCommands.java
index b745902d5..638bcdd96 100644
--- a/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtilCommands.java
+++ b/scitokens-cli/src/main/java/org/scitokens/tools/SciTokensUtilCommands.java
@@ -37,7 +37,7 @@ public class SciTokensUtilCommands extends CommonCommands {
/**
* If a line contains this character, then the line is truncated at that point before processing.
*/
- public static String BATCH_FILE_COMMENT_CHAR = "//";
+ //public static String BATCH_FILE_COMMENT_CHAR = "//";
/**
* If a line ends with this (after the comment is removed), then glow it on to the
* next input line. In effect this lets you split commands across multiple lines, e.g.
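Review bot: Commenting out `BATCH_FILE_COMMENT_CHAR` leaves its Javadoc block dangling directly in front of the next field's Javadoc, and removes a public constant with no deprecation step. Delete the Javadoc and the dead line together, or, if external callers may still reference the field, keep it and mark it `@Deprecated`. The same pattern appears in this commit at `RESOURCE_KEY` in STStartRequest.java and in the large `/* ... */` block left behind in SciTokensUtil.processBatchFile; version control already preserves the old code. The class body continues outside the hunk.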
diff --git a/scitokens-cli/src/main/resources/test.cmd b/scitokens-cli/src/main/resources/test.cmd
index 56ec3dd71..09cdc881a 100644
--- a/scitokens-cli/src/main/resources/test.cmd
+++ b/scitokens-cli/src/main/resources/test.cmd
@@ -1,33 +1,32 @@
-// First batch mode test
-// The comment marker is the double slash, //. Anything after that on a line is ignored.
-// If you need to extend a command over several lines, e.g. for readability, you
-// can use the single back slash at the end of a line, \ You cannot have blank lines
-// though if you are using the continuation character.
-//
-// This generally ignores whitespace and blank lines too...
-// And do set a log file and read it. You can get quite a good running
-// commentary.
+# First batch mode test
+# The comment marker is the pound sign, #. If that is the first non-blank character, the line is ignored.
+# Each command ends with a semi-colon ;. This means that lines are concatenated until a line ends with a
+# semi-colon, then that is treated as a command. Note that the semi-colon will be removed.
+# This generally ignores whitespace and blank lines too...
+# And do set a log file and read it. You can get quite a good running
+# commentary.
-set_no_output false // so this spits out results to the screen
+set_no_output false;
-// Print out a JSON webkey file and splay the command over a couple of lines:
-list_keys \ // More commentary:
- /home/ncsa/dev/scitokens-git/test/keys.jwk // And another comment.
+# Print out a JSON webkey file and splay the command over a couple of lines:
+list_keys
+ /home/ncsa/dev/scitokens-git/test/keys.jwk;
-set_keys -file /home/ncsa/dev/scitokens-git/test/keys.jwk
-set_no_output true // Turn off output and try to print -- nothing should show up.
-set_default_id "A60914779FC1C785D3C0E33F1AB6ADFE"
+set_keys -file /home/ncsa/dev/scitokens-git/test/keys.jwk;
+set_no_output true;
+set_default_id "A60914779FC1C785D3C0E33F1AB6ADFE";
print_default_id
-// The next few lines are not a command. This shows that the processor will simply skip any commands
-// it does not recognize.
-fnord \
- blarg \
- *^$$8&
+# The next few lines are not a command. This shows that the processor will simply skip any commands
+# it does not recognize.
+fnord
+ blarg
+ *^$$8&;
-// Create a new set of keys and stash them in a file:
+# Create a new set of keys and stash them in a file:
-create_keys /tmp/keys1.jwk
-set_no_output false // Turn output back on, re-issue the print default id command
-print_default_id
+create_keys /tmp/keys1.jwk;
+# Turn output back on, re-issue the print default id command
+set_no_output false;
+print_default_id;
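Review bot: The unchanged `print_default_id` line that follows `set_default_id "...";` has no terminating semicolon, so under the rule stated in the new header comment (lines are concatenated until one ends with `;`) it would presumably be joined with `fnord blarg *^$$8&;` into one unrecognized command, and the check that nothing is printed while output is off never runs. It should read `print_default_id;`. How the parser treats the intervening `#` lines is not visible here, so this is worth confirming with a run. The script also writes a freshly generated key set to `/tmp/keys1.jwk`; a per-run private directory would keep that file out of a shared location.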
diff --git a/scitokens-client/pom.xml b/scitokens-client/pom.xml
index 363a92f71..149fa3f98 100644
--- a/scitokens-client/pom.xml
+++ b/scitokens-client/pom.xml
@@ -22,12 +22,12 @@
edu.uiuc.ncsa.myproxyoa4mp-client-api
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.myproxyoa4mp-client-oauth2
- 4.1-SNAPSHOT
+ 4.1.0warruntime
@@ -40,7 +40,7 @@
edu.uiuc.ncsa.myproxyoa4mp-client-loader-oauth2
- 4.1-SNAPSHOT
+ 4.1.0org.mariadb.jdbc
@@ -51,7 +51,7 @@
edu.uiuc.ncsa.securityncsa-security-core
- 4.1-SNAPSHOT
+ 4.1.0test-jartest
@@ -59,28 +59,28 @@
edu.uiuc.ncsa.securityncsa-security-util
- 4.1-SNAPSHOT
+ 4.1.0test-jartestedu.uiuc.ncsa.securityncsa-security-servlet
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.myproxymyproxy-logon
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.security.delegationncsa-security-oauth-2.0
- 4.1-SNAPSHOT
+ 4.1.0javax.servlet
diff --git a/scitokens-client/src/main/java/org/scitokens/client/STStartRequest.java b/scitokens-client/src/main/java/org/scitokens/client/STStartRequest.java
index d14f07ac3..a255c8c91 100644
--- a/scitokens-client/src/main/java/org/scitokens/client/STStartRequest.java
+++ b/scitokens-client/src/main/java/org/scitokens/client/STStartRequest.java
@@ -6,6 +6,7 @@
import edu.uiuc.ncsa.oa4mp.oauth2.client.OA2ClientEnvironment;
import edu.uiuc.ncsa.security.core.Identifier;
import edu.uiuc.ncsa.security.servlet.JSPUtil;
+import org.scitokens.util.TokenExchangeConstants;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -25,7 +26,7 @@
public class STStartRequest extends ClientServlet {
public static final String SCOPE_CAPUT = "demo:";
// as per https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-00
- public static final String RESOURCE_KEY = "resource:";
+ //public static final String RESOURCE_KEY = "resource:";
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
@@ -55,9 +56,9 @@ protected void doIt(HttpServletRequest request, HttpServletResponse response) th
}
System.err.println(getClass().getSimpleName() + ": setting scopes to " + newScopes);
oa2ce.setScopes(newScopes);
- String rawAudience = request.getParameter(RESOURCE_KEY);
+ String rawAudience = request.getParameter(TokenExchangeConstants.RESOURCE);
HashMap map = new HashMap<>();
- map.put(RESOURCE_KEY, rawAudience);
+ map.put(TokenExchangeConstants.RESOURCE, rawAudience);
diff --git a/scitokens-client/src/main/webapp/static/index.html b/scitokens-client/src/main/webapp/static/index.html
index b9a24e2c1..db3194286 100644
--- a/scitokens-client/src/main/webapp/static/index.html
+++ b/scitokens-client/src/main/webapp/static/index.html
@@ -16,7 +16,7 @@
The audience for the requested scopes:
-
+
diff --git a/scitokens-common/buildNumber.properties b/scitokens-common/buildNumber.properties
index 41fa58ece..0b3b1a9bd 100644
--- a/scitokens-common/buildNumber.properties
+++ b/scitokens-common/buildNumber.properties
@@ -1,3 +1,3 @@
#maven.buildNumber.plugin properties file
-#Sat Sep 22 17:19:16 CDT 2018
-buildNumber\\d*=360
+#Fri Oct 19 12:57:23 CDT 2018
+buildNumber\\d*=410
diff --git a/scitokens-common/pom.xml b/scitokens-common/pom.xml
index c9d14d13f..d4a0b7eb4 100644
--- a/scitokens-common/pom.xml
+++ b/scitokens-common/pom.xml
@@ -22,21 +22,21 @@
edu.uiuc.ncsa.myproxyoa4mp-server-api
- 4.1-SNAPSHOT
+ 4.1.0javax.ws.rs
@@ -56,19 +56,19 @@
edu.uiuc.ncsa.myproxyoa4mp-server-loader-oauth2
- 4.1-SNAPSHOT
+ 4.1.0
@@ -76,21 +76,21 @@
edu.uiuc.ncsa.security.delegationncsa-security-oauth-2.0
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.securityncsa-security-servlet
- 4.1-SNAPSHOT
+ 4.1.0org.apache.logging.log4j
@@ -106,7 +106,7 @@
edu.uiuc.ncsa.myproxymyproxy-logon
- 4.1-SNAPSHOT
+ 4.1.0
@@ -129,7 +129,7 @@
edu.uiuc.ncsa.security.delegationncsa-security-oauth-1.0a
- 4.1-SNAPSHOT
+ 4.1.0javax.servlet
diff --git a/scitokens-server/buildNumber.properties b/scitokens-server/buildNumber.properties
index 0b57856be..b02515c0b 100644
--- a/scitokens-server/buildNumber.properties
+++ b/scitokens-server/buildNumber.properties
@@ -1,3 +1,3 @@
#maven.buildNumber.plugin properties file
-#Sat Sep 22 17:19:33 CDT 2018
-buildNumber\\d*=259
+#Fri Oct 19 12:57:38 CDT 2018
+buildNumber\\d*=295
diff --git a/scitokens-server/pom.xml b/scitokens-server/pom.xml
index 58a28dc97..a64be0e97 100644
--- a/scitokens-server/pom.xml
+++ b/scitokens-server/pom.xml
@@ -27,7 +27,7 @@
edu.uiuc.ncsa.myproxyoa4mp-server-oauth2
- 4.1-SNAPSHOT
+ 4.1.0warruntime
@@ -35,14 +35,14 @@
edu.uiuc.ncsa.myproxyoa4mp-server-api
- 4.1-SNAPSHOT
+ 4.1.0javax.ws.rs
@@ -62,7 +62,7 @@
edu.uiuc.ncsa.myproxyoa4mp-server-loader-oauth2
- 4.1-SNAPSHOT
+ 4.1.0junit
@@ -73,14 +73,14 @@
edu.uiuc.ncsa.security.delegationncsa-security-oauth-2.0
- 4.1-SNAPSHOT
+ 4.1.0edu.uiuc.ncsa.securityncsa-security-util
- 4.1-SNAPSHOT
+ 4.1.0test-jartestedu.uiuc.ncsa.securityncsa-security-servlet
- 4.1-SNAPSHOT
+ 4.1.0org.apache.logging.log4j
@@ -124,7 +124,7 @@
edu.uiuc.ncsa.myproxymyproxy-logon
- 4.1-SNAPSHOT
+ 4.1.0
@@ -147,7 +147,7 @@
edu.uiuc.ncsa.security.delegationncsa-security-oauth-1.0a
- 4.1-SNAPSHOT
+ 4.1.0javax.servlet
diff --git a/scitokens-server/src/main/java/org/scitokens/servlet/STATServlet.java b/scitokens-server/src/main/java/org/scitokens/servlet/STATServlet.java
index 1c7e67fc3..836d73a12 100644
--- a/scitokens-server/src/main/java/org/scitokens/servlet/STATServlet.java
+++ b/scitokens-server/src/main/java/org/scitokens/servlet/STATServlet.java
@@ -317,7 +317,7 @@ public String getRawSciToken2(STTransaction stTransaction, Map p
if (groups == null) {
throw new NFWException("Unrecognized group structure for class \"" + rawGroups.getClass().getSimpleName() + " = \"" + rawGroups + "\"");
}
- }else{
+ } else {
groups = new Groups(); // so no null pointer exception.
}
if (!isEmpty(stse.getIssuer())) {
@@ -331,9 +331,16 @@ public String getRawSciToken2(STTransaction stTransaction, Map p
sciTokens.put(ISSUED_AT, Long.valueOf(System.currentTimeMillis() / 1000L));
sciTokens.put(NOT_VALID_BEFORE, Long.valueOf((System.currentTimeMillis() - 5000L) / 1000L)); // not before is 5 minutes before current
+ String usernameClaimkey = SUBJECT;
+ ServletDebugUtil.dbg(this, "getting username claim key");
+ if (stClient.getUsernameClaimKey() != null) {
+ usernameClaimkey = stClient.getUsernameClaimKey();
+ }
+ ServletDebugUtil.dbg(this, "Got username claim key=" + usernameClaimkey);
+
// Now to resolve audience and scope requests.
- TemplateResolver templateResolver = new TemplateResolver(claims.getString(SUBJECT), groups);
+ TemplateResolver templateResolver = new TemplateResolver(claims.getString(usernameClaimkey), groups);
LinkedList requestedPermissions = new LinkedList<>();
StringTokenizer st = new StringTokenizer(stTransaction.getStScopes(), " ");
while (st.hasMoreElements()) {
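Review bot: `claims.getString(usernameClaimkey)` is reached without checking that the client-configured claim is present, and the guard above it only tests for `null`, so an empty configured value is passed through as well. Because the resolved value is the username that `TemplateResolver` matches against the authorization templates, a missing or blank claim should fail closed with an explicit error before the resolver is built, e.g. `if (isEmpty(usernameClaimkey) || !claims.containsKey(usernameClaimkey)) throw new NFWException("Missing username claim \"" + usernameClaimkey + "\"");` (assuming `claims` is a JSON object that offers `containsKey`). Separately, the context line for `NOT_VALID_BEFORE` subtracts `5000L` milliseconds, which is five seconds, while its comment says five minutes. getRawSciToken2 starts and ends outside this hunk.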
diff --git a/scitokens-server/src/main/java/org/scitokens/servlet/STAuthorizedServletUtil.java b/scitokens-server/src/main/java/org/scitokens/servlet/STAuthorizedServletUtil.java
index f52fe8fac..692b13b51 100644
--- a/scitokens-server/src/main/java/org/scitokens/servlet/STAuthorizedServletUtil.java
+++ b/scitokens-server/src/main/java/org/scitokens/servlet/STAuthorizedServletUtil.java
@@ -9,7 +9,9 @@
import edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Errors;
import edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError;
+import edu.uiuc.ncsa.security.servlet.ServletDebugUtil;
import org.apache.http.HttpStatus;
+import org.scitokens.loader.STSE;
import org.scitokens.util.STClient;
import org.scitokens.util.STTransaction;
import org.scitokens.util.TokenExchangeConstants;
@@ -36,6 +38,12 @@ public void postprocess(TransactionState state) throws Throwable {
STTransaction stTransaction = (STTransaction) state.getTransaction();
// Audience
String rawAudience = state.getRequest().getParameter(TokenExchangeConstants.RESOURCE);
+ ServletDebugUtil.dbg(this, "expected audience key" + TokenExchangeConstants.RESOURCE);
+ ServletDebugUtil.dbg(this, "raw audience = " + rawAudience);
+ if(rawAudience == null || rawAudience.isEmpty()){
+ rawAudience = ""; // this throws it in to the case of no requested audience. If this is missing and there is
+ // a single registered template, just implicity accept they are the same and continue.
+ }
StringTokenizer stringTokenizer = new StringTokenizer(rawAudience, " ");
LinkedList audience = new LinkedList<>();
while (stringTokenizer.hasMoreElements()) {
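Review bot: The added `ServletDebugUtil.dbg(this, "raw audience = " + rawAudience)` writes a request parameter to the log unmodified, so a value containing CR/LF can forge extra log entries whenever debug output is enabled. Neutralise line breaks before logging, e.g. `rawAudience == null ? "(none)" : rawAudience.replaceAll("[\\r\\n]", "_")`. The first message also lacks a separator between `"expected audience key"` and the value, and the `rawAudience.isEmpty()` test is redundant because it assigns `""` to an already empty string; `if (rawAudience == null)` states the null guard directly. postprocess continues outside the hunk, so the "single registered template" behaviour described in the comment cannot be checked from here.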
@@ -59,6 +67,8 @@ public void postprocess(TransactionState state) throws Throwable {
@Override
protected ArrayList resolveScopes(OA2ServiceTransaction st, Map params, String state, String givenRedirect) {
+ STSE stse = (STSE)servlet.getServiceEnvironment();
+ ServletDebugUtil.dbg(this, "oidc enabled? " + stse.isOIDCEnabled());
HTTPHeaderClaimsSource xx = null;
STTransaction stTransaction = (STTransaction) st;
DebugUtil.dbg(this, "scopes before resolveScopes = " + st.getScopes());
diff --git a/scitokens-server/src/main/java/org/scitokens/util/STClient.java b/scitokens-server/src/main/java/org/scitokens/util/STClient.java
index 134d0bbdd..f43719b77 100644
--- a/scitokens-server/src/main/java/org/scitokens/util/STClient.java
+++ b/scitokens-server/src/main/java/org/scitokens/util/STClient.java
@@ -29,6 +29,14 @@ public AuthorizationTemplates getAuthorizationTemplates() {
return authorizationTemplates;
}
+ /**
+ * The name of the claim to use as the username in the {@link org.scitokens.util.claims.TemplateResolver}.
+ * note that this may be null if it is not set. In that case, use the default claim of sub.
+ * @return
+ */
+ public String getUsernameClaimKey(){
+ return STClientConfigurationUtil.getUsernameClaimKey(getConfig());
+ }
protected AuthorizationTemplates authorizationTemplates;
}
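Review bot: The new Javadoc on `getUsernameClaimKey()` leaves `@return` empty and states the null contract only in running prose. I would write `@return the configured claim name, or {@code null} if the client configuration does not set one (callers then use {@code sub})`. What happens when `getConfig()` itself is null is not visible in this hunk and is worth stating or guarding.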
diff --git a/scitokens-server/src/main/java/org/scitokens/util/STClientConfigurationUtil.java b/scitokens-server/src/main/java/org/scitokens/util/STClientConfigurationUtil.java
index dc2a06baa..fee87dfc4 100644
--- a/scitokens-server/src/main/java/org/scitokens/util/STClientConfigurationUtil.java
+++ b/scitokens-server/src/main/java/org/scitokens/util/STClientConfigurationUtil.java
@@ -12,6 +12,13 @@
public class STClientConfigurationUtil extends ClientConfigurationUtil {
public static String SCI_TOKENS_KEY = "scitokens";
public static String AUTHORIZATION_TEMPLATES_KEY = "templates";
+ /**
+ * If this is present in the configuration, then the value of this claim is used
+ * as the username for resolving against templates. The default is the sub claim
+ * but any claim may be used. Note that if you specify an non-existent claim, an
+ * exception will be raised, so be sure you have actually set the claim before resolution.
+ */
+ public static String USERNAME_CLAIM_KEY = "usernameClaimKey";
/**
* Return a component in the SciTokens configuration.
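Review bot: The Javadoc for `USERNAME_CLAIM_KEY` says any claim may be used, but the value of that claim is what the resolver substitutes for the user in path templates, so it decides which paths a token may cover. The comment should add a sentence such as `Only name a claim whose value is set by a trusted claim source; a claim the client or user can influence lets them choose the ${user} part of a path.` The field is also a non-final `public static String`, like its neighbours; `public static final` would stop it being reassigned at runtime.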
@@ -41,4 +48,14 @@ public static void setAuthorizationTemplates(JSONObject config, AuthorizationTem
setThingy(SCI_TOKENS_KEY, config, AUTHORIZATION_TEMPLATES_KEY, authorizationTemplates.toJSON());
}
+
+ public static String getUsernameClaimKey(JSONObject config) {
+ JSONArray stConfig = getSTThingy(config, USERNAME_CLAIM_KEY);
+ // Since the last call always wraps whatever in a JSONArray, this should have a single
+ // element that is the value we want
+ if (!stConfig.isEmpty()) {
+ return stConfig.getString(0);
+ }
+ return null;
+ }
}
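Review bot: `getUsernameClaimKey(JSONObject)` returns whatever `stConfig.getString(0)` yields, so a configuration with `"usernameClaimKey": ""` produces an empty claim name rather than the `null` that callers are told to treat as "use sub". I would normalise it: `String key = stConfig.getString(0); return (key == null || key.trim().isEmpty()) ? null : key;`. The method also assumes `getSTThingy` never returns null; its body is not part of this hunk, so that should be confirmed. A short Javadoc stating the null return would match the getter in `STClient`.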
diff --git a/scitokens-server/src/main/java/org/scitokens/util/claims/TemplateResolver.java b/scitokens-server/src/main/java/org/scitokens/util/claims/TemplateResolver.java
index abc1a90da..423dda981 100644
--- a/scitokens-server/src/main/java/org/scitokens/util/claims/TemplateResolver.java
+++ b/scitokens-server/src/main/java/org/scitokens/util/claims/TemplateResolver.java
@@ -26,7 +26,7 @@ public class TemplateResolver {
/**
* @param authorizationTemplates
* @param audience The requested audience
- * @param scopes The requested scope in claims format.
+ * @param scopes The requested scope in claims format.
* @return
*/
public List resolve(AuthorizationTemplates authorizationTemplates,
@@ -72,7 +72,6 @@ public TemplateResolver(String username, Groups group) {
Groups group = null;
-
public static final String ST_GROUP_NAME = "group";
public static final String ST_USER_NAME = "user";
@@ -84,25 +83,32 @@ protected boolean hasUsername() {
return username != null;
}
-
+ /**
+ * The template is stored in the configuration. The target is the actual scope passed in by the client in the
+ * request.
+ * @param template
+ * @param target
+ * @return
+ */
public boolean check(String template, String target) {
DebugUtil.dbg(this, "testing " + target + " against template " + template);
ArrayList tests = new ArrayList<>();
boolean un = template.contains("${" + ST_USER_NAME + "}");
if (template.contains("${" + ST_GROUP_NAME + "}")) {
// do replacements
- if (!hasGroups()) {
- throw new IllegalStateException("Error: group requested, but no groups for this user were found");
- }
- for (String key : group.keySet()) {
- HashMap group = new HashMap<>();
- group.put(ST_GROUP_NAME, key);
- if (hasUsername() && un) {
- group.put(ST_USER_NAME, username);
+ // There may be templates configured, but no groups for the user, depending on the IDP.
+ // In the case, skip all of this
+ if (hasGroups()) {
+ for (String key : group.keySet()) {
+ HashMap group = new HashMap<>();
+ group.put(ST_GROUP_NAME, key);
+ if (hasUsername() && un) {
+ group.put(ST_USER_NAME, username);
+ }
+ String replacedString = TemplateUtil.replaceAll(template, group);
+ DebugUtil.dbg(this, template + " --> " + replacedString);
+ tests.add(replacedString);
}
- String replacedString = TemplateUtil.replaceAll(template, group);
- DebugUtil.dbg(this, template + " --> " + replacedString);
- tests.add(replacedString);
}
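Review bot: Replacing the `IllegalStateException` with `if (hasGroups())` turns a hard failure into a silent skip, so for a user without groups the outcome of a `${group}` template now depends entirely on the rest of `check`, which lies outside this hunk. If any later branch tests the template with only `${user}` replaced, or unreplaced, a group-scoped path could be granted to a user who is in no group; please confirm `tests` stays free of such entries. I would also leave a trace of the skip, e.g. `} else { DebugUtil.dbg(this, "no groups for user, skipping group template " + template); }`. The local `HashMap group` shadows the `group` field it iterates over; renaming it to `replacements` would make the loop easier to read.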
@@ -141,7 +147,7 @@ public boolean check(String template, String target) {
}
}
}
- System.err.println(" testing: returning NULL");
+ System.err.println(" testing: returning false");
return false;
}
diff --git a/scitokens-server/src/main/resources/condor.json b/scitokens-server/src/main/resources/condor.json
new file mode 100644
index 000000000..402279ad7
--- /dev/null
+++ b/scitokens-server/src/main/resources/condor.json
@@ -0,0 +1,40 @@
+{
+"config": "Surge SciTokens client configuration for the HT Condor credmon",
+"isSaved": true,
+"claims": {
+"sourceConfig": [
+ {"default": {
+ "name": "HTTP header source",
+ "id": "42",
+ "enabled": true,
+ "failOnError": false,
+ "notifyOnFail": false,
+ "omitClaimsList": [
+ "aud",
+ "iss",
+ "exp",
+ "iat",
+ "nonce"
+ ]
+ }}
+],
+"sources": [ {
+ "alias": "headers",
+ "className": "edu.uiuc.ncsa.myproxy.oa4mp.oauth2.claims.HTTPHeaderClaimsSource"
+}],
+"preProcessing":
+{"script":[
+ "set_claim_source('headers','42');"
+ ]}
+},
+"scitokens": {"templates": [
+ {
+ "aud": "https://c077.chtc.wisc.edu:8443/",
+ "paths":
+ [
+ {"operation": "read","path": "/public/**"},
+ {"operation": "write","path": "/public/**"}
+ ]
+ }
+]}
+}
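Review bot: This client configuration takes its claims from `HTTPHeaderClaimsSource` with `failOnError` set to false, so the claims are only as trustworthy as the request headers that reach the servlet. The file cannot carry comments, so the accompanying documentation should state that the server must sit behind a front end that removes client-supplied copies of those headers. The template also grants `write` on `/public/**` for the audience to every user of the client, which should be confirmed as intended. The file names a specific host and lives under `src/main/resources`, so it presumably ships with the server artifact.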
diff --git a/scitokens-server/src/main/resources/demo.json b/scitokens-server/src/main/resources/demo.json
new file mode 100644
index 000000000..4d10745d2
--- /dev/null
+++ b/scitokens-server/src/main/resources/demo.json
@@ -0,0 +1,150 @@
+{
+"config": "Surge SciTokens client demo configuration",
+"isSaved": true,
+"claims": {
+"sourceConfig": [
+ {"default": {
+ "name": "HTTP header source",
+ "id": "42",
+ "enabled": true,
+ "failOnError": false,
+ "notifyOnFail": false,
+ "omitClaimsList": [
+ "aud",
+ "iss",
+ "exp",
+ "iat",
+ "nonce"
+ ]
+ }},
+ {"ldap": {
+ "preProcessing": [ {
+ "$if": ["$true"],
+ "$then": [{"$set": [
+ "foo",
+ {"$drop": [
+ "@ncsa.illinois.edu",
+ "${eppn}"
+ ]}
+ ]}]
+ }],
+ "postProcessing": [ {
+ "$if": ["$true"],
+ "$then": [{"$exclude": ["foo"]}]
+ }],
+ "id": "58a170bfe4a59c05",
+ "name": "58a170bfe4a59c05",
+ "address": "ldap.ncsa.illinois.edu",
+ "port": 636,
+ "enabled": true,
+ "authorizationType": "none",
+ "failOnError": false,
+ "notifyOnFail": false,
+ "searchAttributes": [ {
+ "name": "memberOf",
+ "isGroup": true,
+ "returnAsList": false,
+ "returnName": "isMemberOf"
+ }],
+ "searchBase": "ou=People,dc=ncsa,dc=illinois,dc=edu",
+ "searchName": "foo",
+ "contextName": "",
+ "ssl": {
+ "keystore": {},
+ "tlsVersion": "TLS",
+ "useJavaTrustStore": true,
+ "password": "changeit",
+ "type": "jks"
+ }
+ }}
+],
+"sources": [ {
+ "alias": "headers",
+ "className": "edu.uiuc.ncsa.myproxy.oa4mp.oauth2.claims.HTTPHeaderClaimsSource"
+}],
+"preProcessing": [
+ {
+ "$if": ["$true"],
+ "$then": [{"$set_claim_source": [
+ "headers",
+ "42"
+ ]}]
+ },
+ {
+ "$if": [{"$equals": [
+ {"$get": ["idp"]},
+ "https://idp.ncsa.illinois.edu/idp/shibboleth"
+ ]}],
+ "$then": [{"$set_claim_source": [
+ "LDAP",
+ "58a170bfe4a59c05"
+ ]}]
+ }
+],
+"postProcessing": [ {
+ "$if": [{"$equals": [
+ {"$get": ["idp"]},
+ "https://idp.ncsa.illinois.edu/idp/shibboleth"
+ ]}],
+ "$then": [{"$set": [
+ "sub",
+ {"$drop": [
+ "@ncsa.illinois.edu",
+ {"$get": ["eppn"]}
+ ]}
+ ]}]
+}]
+},
+"scitokens": {"templates": [
+ {
+ "aud": "https://demo.scitokens.org/xrootd",
+ "paths": [
+ {
+ "operation": "read",
+ "path": "/public/**"
+ },
+ {
+ "operation": "write",
+ "path": "/public/**"
+ },
+ {
+ "operation": "read",
+ "path": "/home/${user}/**"
+ },
+ {
+ "operation": "write",
+ "path": "/home/${user}/**"
+ },
+ {
+ "operation": "queue",
+ "path": "/home/${user}/queueit/**"
+ },
+ {
+ "operation": "execute",
+ "path": "/home/${user}/runit/**"
+ }
+ ]
+},
+ {
+ "aud": "https://demo.ncsa.illinois.edu",
+ "paths": [
+ {
+ "operation": "read",
+ "path": "/home/${user}/**"
+ },
+ {
+ "operation": "write",
+ "path": "/home/${user}/**"
+ },
+ {
+ "operation": "read",
+ "path": "/home/${group}/dataset/**"
+ },
+ {
+ "operation": "write",
+ "path": "/home/${group}/${user}/results/**"
+ }
+ ]
+}
+]}
+}
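Review bot: The `ldap` block commits a literal `"password": "changeit"` together with `"authorizationType": "none"` in a file under `src/main/resources`. `changeit` is the stock Java trust store password, but a sample that is copied into a deployment will carry it along; a clearly marked placeholder and a documentation note to supply the real value at install time would be safer. `"tlsVersion": "TLS"` leaves the protocol version to the runtime; if the loader accepts it, naming a minimum such as `TLSv1.2` pins it. The `ldap` pre-processing passes the string `"${eppn}"` while the top-level post-processing uses `{"$get": ["eppn"]}`; if both are meant to read the same claim, one form should be used for both.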
diff --git a/scitokens-server/src/main/resources/minimal.json b/scitokens-server/src/main/resources/minimal.json
index c764fd5a5..afddb5813 100644
--- a/scitokens-server/src/main/resources/minimal.json
+++ b/scitokens-server/src/main/resources/minimal.json
@@ -1,11 +1,11 @@
{
- "config": "Created by converter from old LDAP entry",
+ "config": "Used for testing SciTokens. This will be read by unit tests and parts of it checked to show proper reading.",
"claims": {
"sourceConfig": [
{
"ldap": {
"enabled": true,
- "name": "c82f7d6053c464ea",
+ "id": "c82f7d6053c464ea",
"failOnError": false,
"notifyOnFail": false,
"address": "ldap-test.cilogon.org",
@@ -31,22 +31,19 @@
}
}
}
- ],
- "preProcessing": {
- "logicBlock": [
- {
- "$if": [{"$true": []}],
- "$then": [
- {
- "$set_claim_source": [
- "LDAP",
- "c82f7d6053c464ea"
- ]
- }
- ]
- }
- ]
- }
+ ]
},
- "isSaved": false
+ "isSaved": false,
+ "scitokens": {
+ "usernameClaimKey":"key123",
+ "templates": [
+ {
+ "aud": "https://c077.chtc.wisc.edu:8443/",
+ "paths":
+ [
+ {"operation": "read","path": "/public/**"},
+ {"operation": "write","path": "/public/**"}
+ ]
+ }
+ ]}
}
\ No newline at end of file
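Review bot: The fixture value `"usernameClaimKey":"key123"` is added to a file that the first hunk describes as read by unit tests, yet the file sits under `src/main/resources` and so is presumably packaged with the server. Moving it to `src/test/resources` keeps test data, including the `ldap-test.cilogon.org` source, out of the deployed artifact. The hunk also removes the `preProcessing` block that selected the LDAP claim source; if anything besides the test reads this file, that source is no longer activated.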
diff --git a/scitokens-server/src/main/resources/scratch.json b/scitokens-server/src/main/resources/scratch.json
index 78cf7cf90..b233fef49 100644
--- a/scitokens-server/src/main/resources/scratch.json
+++ b/scitokens-server/src/main/resources/scratch.json
@@ -1,107 +1,71 @@
{
- "config": "Surge SciTokens client demo configuration",
- "isSaved": true,
- "claims":{
- "sourceConfig": [
- {"default": {
- "name": "HTTP header source",
- "id": "42",
- "enabled": true,
- "failOnError": false,
- "notifyOnFail": false,
- "omitClaimsList":["aud","iss","exp","iat","nonce"]
- }},
- {
- "ldap": {
- "preProcessing": [
- {
- "$if": ["$true"],
- "$then": [{"$set": ["foo",{"$drop": ["@ncsa.illinois.edu","${eppn}"]}]}]
- }
- ],
- "postProcessing": [
- {
- "$if": ["$true"],
- "$then": [
- {"$exclude": ["foo"]}
- ]
- }
- ],
- "id": "58a170bfe4a59c05",
- "name": "58a170bfe4a59c05",
- "address": "ldap.ncsa.illinois.edu",
- "port": 636,
- "enabled": true,
- "authorizationType": "none",
- "failOnError": false,
- "notifyOnFail": false,
- "searchAttributes": [
- {
- "name": "memberOf",
- "isGroup": true,
- "returnAsList": false,
- "returnName": "isMemberOf"
- }
- ],
- "searchBase": "ou=People,dc=ncsa,dc=illinois,dc=edu",
- "searchName": "foo",
- "contextName": "",
- "ssl": {
- "keystore": {},
- "tlsVersion": "TLS",
- "useJavaTrustStore": true,
- "password": "changeit",
- "type": "jks"
- }
- }
- }
- ],
- "sources": [ {
- "alias": "headers",
- "className": "edu.uiuc.ncsa.myproxy.oa4mp.oauth2.claims.HTTPHeaderClaimsSource"
- }],
- "preProcessing": [
- {"$if": ["$true"],
- "$then": [{"$set_claim_source":["headers","42"]}]
- },
- {
- "$if": [{"$equals":[{"$get": ["idp"]},"https://idp.ncsa.illinois.edu/idp/shibboleth"]}],
- "$then": [{"$set_claim_source":["LDAP","58a170bfe4a59c05"]}]
- }
- ],
- "postProcessing":[
- {"$if": [{"$equals":[{"$get": ["idp"]},"https://idp.ncsa.illinois.edu/idp/shibboleth"]}],
- "$then": [{"$set":["sub",
- {"$drop": ["@ncsa.illinois.edu",{"$get":["eppn"]}]}
- ]}]
- }
-
+"config": "Surge SciTokens client demo configuration",
+"isSaved": true,
+"claims": {
+"sourceConfig": [
+ {"default": {
+ "name": "HTTP header source",
+ "id": "42",
+ "enabled": true,
+ "failOnError": false,
+ "notifyOnFail": false,
+ "omitClaimsList": [
+ "aud",
+ "iss",
+ "exp",
+ "iat",
+ "nonce"
]
- },
- "scitokens":
- {"templates":[
+ }}
+],
+"sources": [ {
+ "alias": "headers",
+ "className": "edu.uiuc.ncsa.myproxy.oa4mp.oauth2.claims.HTTPHeaderClaimsSource"
+}],
+"preProcessing":
+{"script":[
+ "set_claim_source('headers','42');",
+ "# header claim sources are always in use. If the IDP is NCSA, set it for use later.",
+ "if[",
+ " equals(get('idp'),'https://idp.ncsa.illinois.edu/idp/shibboleth')",
+ " ]then[",
+ " set('foo',drop('@ncsa.illinois.edu',get('eppn')));",
+ " set('eppn','foo');",
+ " set_claim_source('ncsa-default','foo')",
+ "];"
+ ]},
+"postProcessing":
+{"script":[
+ "if[",
+ " equals(get('idp'),'https://idp.ncsa.illinois.edu/idp/shibboleth')",
+ " ]then[",
+ " exclude('foo');",
+ " ]"
+]}
+
+},
+"scitokens": {"templates": [
{
- "aud": "https://demo.scitokens.org/xrootd",
- "paths":
- [
- {"operation": "read","path": "/public/**"},
- {"operation": "write","path": "/public/**"},
- {"operation": "read","path": "/home/${user}/**"},
- {"operation": "write","path": "/home/${user}/**"},
- {"operation": "queue","path": "/home/${user}/queueit/**"},
- {"operation": "execute","path": "/home/${user}/runit/**"}
- ]
- },
+ "aud": "https://demo.scitokens.org/xrootd",
+ "paths": [
+ {"operation": "read","path": "/public/**"},
+ {"operation": "write","path": "/public/**"},
+ {"operation": "read","path": "/home/${user}/**"},
+ {"operation": "write","path": "/home/${user}/**"},
+ {"operation": "queue","path": "/home/${user}/queueit/**"},
+ {"operation": "execute","path": "/home/${user}/runit/**"}
+ ]
+},
{
- "aud": "https://demo.ncsa.illinois.edu",
- "paths":
- [
- {"operation": "read","path": "/home/${user}/**"},
- {"operation": "write","path": "/home/${user}/**"},
- {"operation": "read","path": "/home/${group}/dataset/**"},
- {"operation": "write","path": "/home/${group}/${user}/results/**"}
- ]
- }
+ "aud": "https://demo.ncsa.illinois.edu",
+ "paths": [
+ {"operation": "read","path": "/public/**"},
+ {"operation": "write","path": "/public/**"},
+ {"operation": "read","path": "/home/${user}/**"},
+ {"operation": "write","path": "/home/${user}/**"},
+ {"operation": "read","path": "/home/${group}/dataset/**"},
+ {"operation": "write","path": "/home/${group}/${user}/results/**"}
]
- }
-}
\ No newline at end of file
+}
+]}
+}
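Review bot: The new pre-processing script calls `set_claim_source('ncsa-default','foo')`, but this file now defines only the `headers` alias and the source configuration with id `42`; the LDAP source was removed in the same hunk, so the call appears to reference a claim source that does not exist here. `set('eppn','foo')` also looks as if it stores the literal string `foo` rather than the value computed on the previous line; if the value was meant, `set('eppn',get('foo'))` is presumably the form. The second template now grants read and write on `/public/**` as well, which widens what a token for the `https://demo.ncsa.illinois.edu` audience may carry and should be confirmed as intended.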
diff --git a/scitokens-server/src/test/java/org/scitokens/test/ConfigurationTest.java b/scitokens-server/src/test/java/org/scitokens/test/ConfigurationTest.java
index 9589fc03b..030fcf673 100644
--- a/scitokens-server/src/test/java/org/scitokens/test/ConfigurationTest.java
+++ b/scitokens-server/src/test/java/org/scitokens/test/ConfigurationTest.java
@@ -1,7 +1,10 @@
package org.scitokens.test;
+import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.state.OA2ClientConfigurationUtil;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
+import edu.uiuc.ncsa.security.oauth_2_0.server.config.LDAPConfigurationUtil;
import edu.uiuc.ncsa.security.util.TestBase;
+import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.junit.Test;
import org.scitokens.util.STClient;
@@ -65,9 +68,16 @@ public void testConfig() throws Exception {
JSONObject cfg = getTestConfig();
STClient client = new STClient(BasicIdentifier.newID("test:/id/" + System.currentTimeMillis()));
client.setConfig(cfg);
+ JSONArray array = OA2ClientConfigurationUtil.getClaimSourceConfigurations(cfg);
+ assert array.size() == 1;
+ LDAPConfigurationUtil ldapConfigurationUtil = new LDAPConfigurationUtil();
+ client.setLdaps(ldapConfigurationUtil.fromJSON(array));
+
// now we are ready to roll.
STClientConfigurationUtil.setAuthorizationTemplates(client.getConfig(), getTestTemplates());
- System.out.println(client.getConfig().toString(2));
+ assert client.getUsernameClaimKey().equals("key123");
+ assert client.getLdaps().size() == 1;
+ assert client.getLdaps().iterator().next().getId().equals("c82f7d6053c464ea");
}
/**
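Review bot: The added assertions cover only the configured case; nothing tests the path where `usernameClaimKey` is absent and `getUsernameClaimKey()` must return null so that callers fall back to `sub`. A second case on a configuration without the key, ending in `assert client.getUsernameClaimKey() == null;`, would pin that contract. `client.getUsernameClaimKey().equals("key123")` also fails with a `NullPointerException` instead of an assertion error when the key is missing; `"key123".equals(client.getUsernameClaimKey())` reports it properly. These are bare `assert` statements, so they only run when the JVM has assertions enabled.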
diff --git a/scitokens-server/src/test/java/org/scitokens/test/TemplateResolverTest.java b/scitokens-server/src/test/java/org/scitokens/test/TemplateResolverTest.java
index f8fac32b4..c1ead837a 100644
--- a/scitokens-server/src/test/java/org/scitokens/test/TemplateResolverTest.java
+++ b/scitokens-server/src/test/java/org/scitokens/test/TemplateResolverTest.java
@@ -71,6 +71,24 @@ public void testBasic() throws Exception {
assert templateResolver.check(PATH_1_WRITE, WRITE_1_TEST);
}
+ /**
+ * For the case that the user is not in any groups. None of the group templates should be
+ * resolved against.
+ * @throws Exception
+ */
+
+ @Test
+ public void testNoGroups() throws Exception {
+ TemplateResolver templateResolver = new TemplateResolver("bob", new Groups());
+ AuthorizationTemplates at = getTemplates();
+ AuthorizationTemplate template = at.get(AUDIENCE_1);
+ assert templateResolver.check(template.getAudience(), AUDIENCE_1);
+
+ // Most basic test to show this works.
+ assert templateResolver.check(PATH_1_READ, READ_1_TEST);
+ assert templateResolver.check(PATH_1_WRITE, WRITE_1_TEST);
+ }
+
@Test
public void testUserAndGroup() throws Exception {
TemplateResolver templateResolver = new TemplateResolver("bob", getTestGroups());
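Review bot: `testNoGroups` checks only the audience and the `PATH_1` templates, which its own comment calls the most basic case, so it does not appear to pass a `${group}` template through `check` and never reaches the branch this commit changed. It should add the negative case, e.g. `assert !templateResolver.check(GROUP_TEMPLATE, GROUP_TARGET);` with a group-scoped template and a matching target (placeholder names; the test's own constants are not visible in this hunk). The blank line between the Javadoc and `@Test` can go.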