Remove is_federated client property

Author: cicnavi

docker/conformance.sql

@@ -30,6 +30,7 @@ INSERT INTO oidc_migration_versions VALUES('20250917163000');
 INSERT INTO oidc_migration_versions VALUES('20251021000001');
 INSERT INTO oidc_migration_versions VALUES('20251021000002');
 INSERT INTO oidc_migration_versions VALUES('20260109000001');
+INSERT INTO oidc_migration_versions VALUES('20260218163000');
 CREATE TABLE oidc_user (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             claims TEXT,
@@ -59,17 +60,16 @@ CREATE TABLE oidc_client (
             updated_at TIMESTAMP NULL DEFAULT NULL,
             created_at TIMESTAMP NULL DEFAULT NULL,
             expires_at TIMESTAMP NULL DEFAULT NULL,
-            is_federated BOOLEAN NOT NULL DEFAULT false,
             is_generic BOOLEAN NOT NULL DEFAULT false,
             extra_metadata TEXT NULL
 );
 -- Used 'httpd' host for back-channel logout url (https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout)
 -- since this is the hostname of conformance server while running in container environment
-INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
-INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
-INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
-INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
-INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, NULL);
+INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, NULL);
+INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, NULL);
+INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, NULL);
+INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, NULL);
 CREATE TABLE oidc_access_token (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,

src/Controllers/Admin/ClientController.php

@@ -348,7 +348,6 @@ protected function buildClientEntityFromFormData(
         $jwksUri = empty($data[ClientEntity::KEY_JWKS_URI]) ? null : (string)$data[ClientEntity::KEY_JWKS_URI];
         $signedJwksUri = empty($data[ClientEntity::KEY_SIGNED_JWKS_URI]) ?
         null : (string)$data[ClientEntity::KEY_SIGNED_JWKS_URI];
-        $isFederated = (bool)$data[ClientEntity::KEY_IS_FEDERATED];
 
         $idTokenSignedResponseAlg = isset($data[ClaimsEnum::IdTokenSignedResponseAlg->value]) &&
         is_string($data[ClaimsEnum::IdTokenSignedResponseAlg->value]) ?
@@ -382,7 +381,6 @@ protected function buildClientEntityFromFormData(
             $updatedAt,
             $createdAt,
             $expiresAt,
-            $isFederated,
             $isGeneric,
             $extraMetadata,
         );

src/Entities/ClientEntity.php

@@ -51,7 +51,6 @@ class ClientEntity implements ClientEntityInterface
     public const KEY_UPDATED_AT = 'updated_at';
     public const KEY_CREATED_AT = 'created_at';
     public const KEY_EXPIRES_AT = 'expires_at';
-    public const KEY_IS_FEDERATED = 'is_federated';
     public const KEY_IS_GENERIC = 'is_generic';
     public const KEY_EXTRA_METADATA = 'extra_metadata';
 
@@ -95,7 +94,6 @@ class ClientEntity implements ClientEntityInterface
     private ?DateTimeImmutable $updatedAt;
     private ?DateTimeImmutable $createdAt;
     private ?DateTimeImmutable $expiresAt;
-    private bool $isFederated;
     private bool $isGeneric;
     private ?array $extraMetadata;
 
@@ -130,7 +128,6 @@ public function __construct(
         ?DateTimeImmutable $updatedAt = null,
         ?DateTimeImmutable $createdAt = null,
         ?DateTimeImmutable $expiresAt = null,
-        bool $isFederated = false,
         bool $isGeneric = false,
         ?array $extraMetadata = null,
     ) {
@@ -156,7 +153,6 @@ public function __construct(
         $this->updatedAt = $updatedAt;
         $this->createdAt = $createdAt;
         $this->expiresAt = $expiresAt;
-        $this->isFederated = $isFederated;
         $this->isGeneric = $isGeneric;
         $this->extraMetadata = $extraMetadata;
     }
@@ -196,7 +192,6 @@ public function getState(): array
             self::KEY_UPDATED_AT => $this->getUpdatedAt()?->format('Y-m-d H:i:s'),
             self::KEY_CREATED_AT => $this->getCreatedAt()?->format('Y-m-d H:i:s'),
             self::KEY_EXPIRES_AT => $this->getExpiresAt()?->format('Y-m-d H:i:s'),
-            self::KEY_IS_FEDERATED => $this->isFederated(),
             self::KEY_IS_GENERIC => $this->isGeneric(),
             self::KEY_EXTRA_METADATA => is_null($this->extraMetadata) ?
                 null :
@@ -229,7 +224,6 @@ public function toArray(): array
             self::KEY_UPDATED_AT => $this->updatedAt,
             self::KEY_CREATED_AT => $this->createdAt,
             self::KEY_EXPIRES_AT => $this->expiresAt,
-            self::KEY_IS_FEDERATED => $this->isFederated,
             self::KEY_IS_GENERIC => $this->isGeneric,
 
             // Extra metadata
@@ -368,11 +362,6 @@ public function isExpired(): bool
         return $this->expiresAt !== null && $this->expiresAt < new DateTimeImmutable();
     }
 
-    public function isFederated(): bool
-    {
-        return $this->isFederated;
-    }
-
     public function isGeneric(): bool
     {
         return $this->isGeneric;

src/Entities/Interfaces/ClientEntityInterface.php

@@ -78,7 +78,6 @@ public function getUpdatedAt(): ?DateTimeImmutable;
     public function getCreatedAt(): ?DateTimeImmutable;
     public function getExpiresAt(): ?DateTimeImmutable;
     public function isExpired(): bool;
-    public function isFederated(): bool;
     public function isGeneric(): bool;
 
     public function getExtraMetadata(): array;

src/Factories/Entities/ClientEntityFactory.php

@@ -61,7 +61,6 @@ public function fromData(
         ?DateTimeImmutable $updatedAt = null,
         ?DateTimeImmutable $createdAt = null,
         ?DateTimeImmutable $expiresAt = null,
-        bool $isFederated = false,
         bool $isGeneric = false,
         ?array $extraMetadata = null,
     ): ClientEntityInterface {
@@ -88,7 +87,6 @@ public function fromData(
             $updatedAt,
             $createdAt,
             $expiresAt,
-            $isFederated,
             $isGeneric,
             $extraMetadata,
         );
@@ -189,7 +187,6 @@ public function fromRegistrationData(
 
 //        $expiresAt = $expiresAt;
 
-        $isFederated = $existingClient?->isFederated() ?? false;
         $isGeneric = $existingClient?->isGeneric() ?? false;
 
         $extraMetadata = $existingClient?->getExtraMetadata() ?? [];
@@ -229,7 +226,6 @@ public function fromRegistrationData(
             $updatedAt,
             $createdAt,
             $expiresAt,
-            $isFederated,
             $isGeneric,
             $extraMetadata,
         );
@@ -360,7 +356,6 @@ public function fromState(array $state): ClientEntityInterface
         $expiresAt = empty($state[ClientEntity::KEY_EXPIRES_AT]) ? null :
         $this->helpers->dateTime()->getUtc((string)$state[ClientEntity::KEY_EXPIRES_AT]);
 
-        $isFederated = (bool)$state[ClientEntity::KEY_IS_FEDERATED];
         $isGeneric = (bool)$state[ClientEntity::KEY_IS_GENERIC];
 
         /** @var ?mixed[] $extraMetadata */
@@ -391,7 +386,6 @@ public function fromState(array $state): ClientEntityInterface
             $updatedAt,
             $createdAt,
             $expiresAt,
-            $isFederated,
             $isGeneric,
             $extraMetadata,
         );

src/Forms/ClientForm.php

@@ -417,9 +417,6 @@ protected function buildForm(): void
         $this->addText('signed_jwks_uri', 'Signed JWKS URI')
             ->setHtmlAttribute('class', 'full-width');
 
-        $this->addCheckbox('is_federated', '{oidc:client:is_federated}')
-            ->setHtmlAttribute('class', 'full-width');
-
         // TODO mivanci Properly fetch the list of supported algos
         $this->addSelect('id_token_signed_response_alg', Translate::noop('ID Token Signing Algorithm'))
             ->setHtmlAttribute('class', 'full-width')

src/Repositories/ClientRepository.php

@@ -199,7 +199,6 @@ public function findFederatedByEntityIdentifier(
         if (
             is_null($clientEntity->getEntityIdentifier()) ||
             (! $clientEntity->isEnabled()) ||
-            (! $clientEntity->isFederated()) ||
             (!is_array($clientEntity->getFederationJwks())) ||
             $clientEntity->isExpired()
         ) {
@@ -270,12 +269,10 @@ public function findAllFederated(?string $owner = null): array
             WHERE
                 entity_identifier IS NOT NULL AND
                 federation_jwks IS NOT NULL AND
-                is_enabled = :is_enabled AND
-                is_federated = :is_federated
+                is_enabled = :is_enabled
             EOS,
             [
                 'is_enabled' => [true, PDO::PARAM_BOOL],
-                'is_federated' => [true, PDO::PARAM_BOOL],
             ],
             $owner,
         );
@@ -361,7 +358,6 @@ public function add(ClientEntityInterface $client): void
                 updated_at,
                 created_at,
                 expires_at,
-                is_federated,
                 is_generic,
                 extra_metadata
             )
@@ -388,7 +384,6 @@ public function add(ClientEntityInterface $client): void
                 :updated_at,
                 :created_at,
                 :expires_at,
-                :is_federated,
                 :is_generic,
                 :extra_metadata
             )
@@ -462,7 +457,6 @@ public function update(ClientEntityInterface $client, ?string $owner = null): vo
                 updated_at = :updated_at,
                 created_at = :created_at,
                 expires_at = :expires_at,
-                is_federated = :is_federated,
                 is_generic = :is_generic,
                 extra_metadata = :extra_metadata
             WHERE id = :id
@@ -557,12 +551,10 @@ protected function preparePdoState(array $state): array
     {
         $isEnabled = (bool)($state[ClientEntity::KEY_IS_ENABLED] ?? false);
         $isConfidential = (bool)($state[ClientEntity::KEY_IS_CONFIDENTIAL] ?? false);
-        $isFederated = (bool)($state[ClientEntity::KEY_IS_FEDERATED] ?? false);
         $isGeneric = (bool)($state[ClientEntity::KEY_IS_GENERIC] ?? false);
 
         $state[ClientEntity::KEY_IS_ENABLED] = [$isEnabled, PDO::PARAM_BOOL];
         $state[ClientEntity::KEY_IS_CONFIDENTIAL] = [$isConfidential, PDO::PARAM_BOOL];
-        $state[ClientEntity::KEY_IS_FEDERATED] = [$isFederated, PDO::PARAM_BOOL];
         $state[ClientEntity::KEY_IS_GENERIC] = [$isGeneric, PDO::PARAM_BOOL];
 
         return $state;

src/Services/DatabaseMigration.php

@@ -214,6 +214,11 @@ public function migrate(): void
             $this->version20260109000001();
             $this->database->write("INSERT INTO $versionsTablename (version) VALUES ('20260109000001')");
         }
+
+        if (!in_array('20260218163000', $versions, true)) {
+            $this->version20260218163000();
+            $this->database->write("INSERT INTO $versionsTablename (version) VALUES ('20260218163000')");
+        }
     }
 
     private function versionsTableName(): string
@@ -723,6 +728,17 @@ private function version20260109000001(): void
             ,);
     }
 
+
+    private function version20260218163000(): void
+    {
+        $clientTableName = $this->database->applyPrefix(ClientRepository::TABLE_NAME);
+        $this->database->write(<<< EOT
+        ALTER TABLE {$clientTableName}
+            DROP COLUMN is_federated;
+EOT
+            ,);
+    }
+
     /**
      * @param string[] $columnNames
      */

templates/clients/includes/form.twig

@@ -152,27 +152,6 @@
 
         <br>
         <h4>{{ 'OpenID Federation Related Properties'|trans }}</h4>
-            <span class="pure-form-message">
-                {% trans %}In order for an entity to participate in federation contexts (for example, to be listed as subordinate to this OP), it must have an Entity Identifier and Federation JWKS set. {% endtrans %}
-            </span>
-        <label for="">{{ 'Is Federated'|trans }}</label>
-        <label for="radio-option-federated-yes" class="pure-radio">
-            <input type="radio"
-                   name="is_federated"
-                   id="radio-option-federated-yes"
-                   {% if form.is_federated.value %}checked=""{% endif %}
-                   value="1" /> {{ 'Yes'|trans }}
-        </label>
-        <label for="radio-option-federated-no" class="pure-radio">
-            <input type="radio"
-                   name="is_federated"
-                   id="radio-option-federated-no"
-                   {% if not form.is_federated.value %}checked=""{% endif %}
-                   value="0" /> {{ 'No'|trans }}
-        </label>
-        <span class="pure-form-message">
-            {% trans %}Choose if the client is allowed to participate in federation context or not.{% endtrans %}
-        </span>
 
         <label for="frm-entity_identifier">{{ 'Entity Identifier'|trans }}</label>
         {{ form.entity_identifier.control | raw }}

templates/clients/show.twig

@@ -234,14 +234,6 @@
                 <col class="">
             </colgroup>
             <tbody>
-            <tr>
-                <td class="client-col col-property">
-                    {{ 'Is Federated'|trans }}
-                </td>
-                <td>
-                    {{ (client.isFederated ? 'Yes' : 'No')|trans }}
-                </td>
-            </tr>
             <tr>
                 <td class="client-col col-property">
                     {{ 'Entity Identifier'|trans }}