Resource Request Signing at the UserInfo Endpoint

- `UserInfoEndpoint` class
  - Add request parameters related to HTTP Message Signatures.

- `pom.xml`
  - Update the version of authlete-java-common from 4.9 to 4.12.
  - Update the version of authlete-java-jaxrs from 2.79 to 2.80.

Author: TakahikoKawasaki

pom.xml

@@ -12,8 +12,8 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <authlete.java.common.version>4.9</authlete.java.common.version>
-    <authlete.java.jaxrs.version>2.79</authlete.java.jaxrs.version>
+    <authlete.java.common.version>4.12</authlete.java.common.version>
+    <authlete.java.jaxrs.version>2.80</authlete.java.jaxrs.version>
     <authlete.cbor.version>1.18</authlete.cbor.version>
     <javax.servlet-api.version>3.0.1</javax.servlet-api.version>
     <jersey.version>2.30.1</jersey.version>

src/main/java/com/authlete/jaxrs/server/api/UserInfoEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2022 Authlete, Inc.
+ * Copyright (C) 2016-2024 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,7 +22,6 @@
 import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
-import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
@@ -61,7 +60,7 @@ public Response get(
         String accessToken = extractAccessToken(authorization, null);
 
         // Handle the userinfo request.
-        return handle(request, accessToken, dpop);
+        return handle(request, /*body*/null, accessToken, dpop);
     }
 
 
@@ -98,7 +97,7 @@ public Response post(
         accessToken = extractAccessToken(authorization, accessToken);
 
         // Handle the userinfo request.
-        return handle(request, accessToken, dpop);
+        return handle(request, body, accessToken, dpop);
     }
 
 
@@ -119,17 +118,20 @@ private static String extractFormParameter(HttpServletRequest request, String bo
     /**
      * Handle the userinfo request.
      */
-    private Response handle(HttpServletRequest request, String accessToken, String dpop)
+    private Response handle(
+            HttpServletRequest request, String body,
+            String accessToken, String dpop)
     {
-        Params params = buildParams(request, accessToken, dpop);
+        Params params = buildParams(request, body, accessToken, dpop);
 
         return handle(AuthleteApiFactory.getDefaultApi(),
                 new UserInfoRequestHandlerSpiImpl(), params);
     }
 
 
     private Params buildParams(
-            HttpServletRequest request, String accessToken, String dpop)
+            HttpServletRequest request, String body,
+            String accessToken, String dpop)
     {
         Params params = new Params();
 
@@ -156,6 +158,29 @@ private Params buildParams(
         // setHtu(String) method here intentionally. Note that this means you
         // have to set "userInfoEndpoint" properly to support DPoP.
 
+        // HTTP Message Signatures
+        params.setHeaders(extractHeadersAsPairs(request))
+              .setRequestBodyContained(body != null)
+              //.setTargetUri(targetUri)
+              ;
+
+        // We can reconstruct the target URI using request.getRequestURL() and
+        // request.getQueryString() and set it to params by the setTargetUri(URI)
+        // method. However, behind proxies, the constructed URI may be different
+        // from the original one.
+        //
+        // If the "targetUri" parameter is omitted, the value of the "htu"
+        // parameter is used. The "htu" parameter represents the URL of the
+        // userinfo endpoint, which usually serves as the target URI of the
+        // userinfo request. The only exception is when the access token is
+        // specified as a query parameter, as defined in RFC 6750 Section 2.3.
+        // However, RFC 6750 states that this method "SHOULD NOT be used"
+        // unless other methods are not viable.
+        //
+        // If neither the "targetUri" parameter nor the "htu" parameter is
+        // specified, the "userInfoEndpoint" property of the service is used
+        // as a fallback.
+
         return params;
     }
 }