new configuration version

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-6ec6739e824c8e56d9633622.yaml

@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-71775049d1b10051f9c0e6e4dddf3df7d5c11ceb"
+    tag: "r-0a6159baadd19be08f28d31d47ba6c6ca4945921"
     dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/esauth4.xml

@@ -58,6 +58,8 @@
             <Entry method="authenticate" state="cossa_realm_AuthorizationServer_New_OAuth_2.0_Authorization_Server_OpenID_Provider" selector="${request:currentResource:^http[s]?\u003A//[^/]+/oauth/authorize($|\?.*)$:true}"/>
             <Entry method="authenticate" state="cossa_realm_AuthorizationServer_New_OAuth_2.0_Authorization_Server_OpenID_Provider" selector="${request:currentResource:^http[s]?\u003A//[^/]+/oauth/token($|\?.*)$:true}"/>
             <Entry method="authenticate" state="cossa_realm_TokenExchangeEndpoint" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
+            <Entry method="logout" state="cossa_realm_AuthorizationServer"/>
+            <Entry method="logout" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
             <Entry method="stepup" state="cossa_realm_Selector"/>
             <Entry method="stepup" state="cossa_realm_AuthorizationServer_New_OAuth_2.0_Authorization_Server_OpenID_Provider" selector="${request:currentResource:^http[s]?\u003A//[^/]+/oauth/authorize($|\?.*)$:true}"/>
             <Entry method="stepup" state="cossa_realm_AuthorizationServer_New_OAuth_2.0_Authorization_Server_OpenID_Provider" selector="${request:currentResource:^http[s]?\u003A//[^/]+/oauth/token($|\?.*)$:true}"/>
@@ -120,14 +122,14 @@
             <property name="keyobjectref" value="New_nevisAuth_KeyObject"/>
         </AuthState>
         <AuthState name="cossa_realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
-            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
             <ResultCond name="default" next="cossa_realm_02_CheckConsent_New_OAuth_2.0_Authorization_Server_OpenID_Provider"/>
-            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
             <Response value="AUTH_DONE">
-                <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+                <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
                 <Gui name="ContinueResponse"/>
             </Response>
-            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
         </AuthState>
         <AuthState name="cossa_realm_02_CheckConsent_New_OAuth_2.0_Authorization_Server_OpenID_Provider" class="ch.nevis.esauth.auth.states.oauth2.consentstate.ConsentState" final="false">
@@ -162,9 +164,9 @@
             <property name="nevismeta.location" value="https://sdfsdfdf.ch:443/nevismeta/rest/modules/oauthv2/setups/Setup_00000000000000000000000000000000/entities"/>
         </AuthState>
         <AuthState name="cossa_realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
-            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
             <Response value="AUTH_DONE">
-                <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+                <!-- source: pattern://e02a36447ce2d3c66d8d81c0, pattern://b67f81a971e4c08aa79040a2 -->
                 <Gui name="ContinueResponse"/>
             </Response>
         </AuthState>
@@ -285,6 +287,98 @@
                 <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
             </Response>
         </AuthState>
+        <AuthState name="cossa_realm_AuthorizationServer" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false" resumeState="true">
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="authenticate:valid-authorization-request" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-authorization-request" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-client" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-redirect-uri" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-token-request" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="stepup:valid-authorization-request" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keystoreref" value="Store_New_OAuth_2.0_Authorization_Server_OpenID_Provider"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keyobjectref" value="Signer_New_OAuth_2.0_Authorization_Server_OpenID_Provider"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keyID" value="Signer_New_OAuth_2.0_Authorization_Server_OpenID_Provider"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.idTokenLifetime" value="600"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="authCodeLifetime" value="60"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="propagationScope" value="session"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="dataSource" value="nevismeta"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.support" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.issuerId" value="https://cossa.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.clientCredentialsFlowPolicy" value="true"/>
+        </AuthState>
     </AuthEngine>
     <!-- source: pattern://0daf10449dab098fcc4b9311 -->
     <RESTService name="New OAuth 2.0 / OpenID Connect Token Introspection Endpoint" class="ch.nevis.esauth.rest.service.tokenintrospection.TokenIntrospectionService" path="/oauth/introspect">