From 960ede2c5f7dd4bf8410f5907d4d681928ea87b1 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 15 Apr 2021 18:01:12 +0200
Subject: [PATCH 01/12] quick fix for GET request on userinfo endpoint

---
 .../pwm/http/servlet/oauth/OAuthMachine.java  | 67 ++++++++++++++++++-
 1 file changed, 66 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
index 1c556c8eb8..4087638c19 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -233,7 +233,7 @@ String makeOAuthGetUserInfoRequest(
             final Map<String, String> requestParams = new HashMap<>();
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
-            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken );
+            restResults = makeHttpGetRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken );
         }
 
         final String resultBody = restResults.getBody();
@@ -320,6 +320,71 @@ private static PwmHttpClientResponse makeHttpRequest(
         return pwmHttpClientResponse;
     }
 
+    private static PwmHttpClientResponse makeHttpGetRequest(
+            final PwmRequest pwmRequest,
+            final String debugText,
+            final OAuthSettings settings,
+            final String requestUrl,
+            final Map<String, String> requestParams,
+            final String accessToken
+    )
+            throws PwmUnrecoverableException
+    {
+        final String requestBody = PwmURL.encodeParametersToFormBody( requestParams );
+        final List<X509Certificate> certs = settings.getCertificates();
+
+        final PwmHttpClientRequest pwmHttpClientRequest;
+        {
+            final Map<String, String> headers = new HashMap<>( );
+            if ( StringUtil.isEmpty(  accessToken ) )
+            {
+                headers.put( HttpHeader.Authorization.getHttpName(),
+                        new BasicAuthInfo( settings.getClientID(), settings.getSecret() ).toAuthHeader() );
+            }
+            else
+            {
+                headers.put( HttpHeader.Authorization.getHttpName(),
+                        "Bearer " + accessToken );
+            }
+            headers.put( HttpHeader.ContentType.getHttpName(), HttpContentType.form.getHeaderValueWithEncoding() );
+
+            pwmHttpClientRequest = PwmHttpClientRequest.builder()
+                    .method( HttpMethod.GET )
+                    .url( requestUrl )
+                    .body( requestBody )
+                    .headers( headers )
+                    .build();
+        }
+
+        final PwmHttpClientResponse pwmHttpClientResponse;
+        try
+        {
+            final PwmHttpClientConfiguration config = PwmHttpClientConfiguration.builder()
+                    .trustManagerType( PwmHttpClientConfiguration.TrustManagerType.configuredCertificates )
+                    .certificates( JavaHelper.isEmpty( certs ) ? null : certs )
+                    .maskBodyDebugOutput( true )
+                    .build();
+            final PwmHttpClient pwmHttpClient = pwmRequest.getPwmApplication().getHttpClientService().getPwmHttpClient( config );
+            pwmHttpClientResponse = pwmHttpClient.makeRequest( pwmHttpClientRequest, pwmRequest.getLabel() );
+        }
+        catch ( final PwmException e )
+        {
+            final String errorMsg = "error during " + debugText + " http request to oauth server, remote error: " + e.getErrorInformation().toDebugStr();
+            throw new PwmUnrecoverableException( new ErrorInformation( PwmError.ERROR_OAUTH_ERROR, errorMsg ) );
+        }
+
+
+        if ( pwmHttpClientResponse.getStatusCode() != HttpStatus.SC_OK )
+        {
+            throw new PwmUnrecoverableException( new ErrorInformation(
+                    PwmError.ERROR_OAUTH_ERROR,
+                    "unexpected HTTP status code (" + pwmHttpClientResponse.getStatusCode() + ") during " + debugText + " request to " + requestUrl
+            ) );
+        }
+
+        return pwmHttpClientResponse;
+    }
+
     private static String figureOauthSelfEndPointUrl( final PwmRequest pwmRequest )
     {
         final String debugSource;

From 288a757c771e56c700e65a1fd2864f57900d3c1b Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Fri, 16 Apr 2021 11:15:05 +0200
Subject: [PATCH 02/12] simplified GET requests for userinfo endpoint

---
 .../pwm/http/servlet/oauth/OAuthMachine.java  | 80 +++----------------
 1 file changed, 9 insertions(+), 71 deletions(-)

diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
index 4087638c19..404af32c1c 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -171,7 +171,7 @@ OAuthResolveResults makeOAuthResolveRequest(
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_ID ), clientID );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_CLIENT_SECRET ), settings.getSecret().getStringValue() );
 
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "oauth code resolver", settings, requestUrl, requestParams, null, HttpMethod.POST );
 
         final OAuthResolveResults results = resolveResultsFromResponseBody( pwmRequest, restResults.getBody() );
 
@@ -215,7 +215,7 @@ private OAuthResolveResults makeOAuthRefreshRequest(
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_REFRESH_TOKEN ), refreshCode );
         requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_GRANT_TYPE ), grantType );
 
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth refresh resolver", settings, requestUrl, requestParams, null, HttpMethod.POST );
 
         return resolveResultsFromResponseBody( pwmRequest, restResults.getBody() );
     }
@@ -231,9 +231,10 @@ String makeOAuthGetUserInfoRequest(
             final Configuration config = pwmRequest.getConfig();
             final String requestUrl = settings.getAttributesUrl();
             final Map<String, String> requestParams = new HashMap<>();
+            final HttpMethod method = HttpMethod.GET;
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
-            restResults = makeHttpGetRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken );
+            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken, method );
         }
 
         final String resultBody = restResults.getBody();
@@ -261,72 +262,8 @@ private static PwmHttpClientResponse makeHttpRequest(
             final OAuthSettings settings,
             final String requestUrl,
             final Map<String, String> requestParams,
-            final String accessToken
-    )
-            throws PwmUnrecoverableException
-    {
-        final String requestBody = PwmURL.encodeParametersToFormBody( requestParams );
-        final List<X509Certificate> certs = settings.getCertificates();
-
-        final PwmHttpClientRequest pwmHttpClientRequest;
-        {
-            final Map<String, String> headers = new HashMap<>( );
-            if ( StringUtil.isEmpty(  accessToken ) )
-            {
-                headers.put( HttpHeader.Authorization.getHttpName(),
-                        new BasicAuthInfo( settings.getClientID(), settings.getSecret() ).toAuthHeader() );
-            }
-            else
-            {
-                headers.put( HttpHeader.Authorization.getHttpName(),
-                        "Bearer " + accessToken );
-            }
-            headers.put( HttpHeader.ContentType.getHttpName(), HttpContentType.form.getHeaderValueWithEncoding() );
-
-            pwmHttpClientRequest = PwmHttpClientRequest.builder()
-                    .method( HttpMethod.POST )
-                    .url( requestUrl )
-                    .body( requestBody )
-                    .headers( headers )
-                    .build();
-        }
-
-        final PwmHttpClientResponse pwmHttpClientResponse;
-        try
-        {
-            final PwmHttpClientConfiguration config = PwmHttpClientConfiguration.builder()
-                    .trustManagerType( PwmHttpClientConfiguration.TrustManagerType.configuredCertificates )
-                    .certificates( JavaHelper.isEmpty( certs ) ? null : certs )
-                    .maskBodyDebugOutput( true )
-                    .build();
-            final PwmHttpClient pwmHttpClient = pwmRequest.getPwmApplication().getHttpClientService().getPwmHttpClient( config );
-            pwmHttpClientResponse = pwmHttpClient.makeRequest( pwmHttpClientRequest, pwmRequest.getLabel() );
-        }
-        catch ( final PwmException e )
-        {
-            final String errorMsg = "error during " + debugText + " http request to oauth server, remote error: " + e.getErrorInformation().toDebugStr();
-            throw new PwmUnrecoverableException( new ErrorInformation( PwmError.ERROR_OAUTH_ERROR, errorMsg ) );
-        }
-
-
-        if ( pwmHttpClientResponse.getStatusCode() != HttpStatus.SC_OK )
-        {
-            throw new PwmUnrecoverableException( new ErrorInformation(
-                    PwmError.ERROR_OAUTH_ERROR,
-                    "unexpected HTTP status code (" + pwmHttpClientResponse.getStatusCode() + ") during " + debugText + " request to " + requestUrl
-            ) );
-        }
-
-        return pwmHttpClientResponse;
-    }
-
-    private static PwmHttpClientResponse makeHttpGetRequest(
-            final PwmRequest pwmRequest,
-            final String debugText,
-            final OAuthSettings settings,
-            final String requestUrl,
-            final Map<String, String> requestParams,
-            final String accessToken
+            final String accessToken,
+            final HttpMethod method
     )
             throws PwmUnrecoverableException
     {
@@ -349,7 +286,7 @@ private static PwmHttpClientResponse makeHttpGetRequest(
             headers.put( HttpHeader.ContentType.getHttpName(), HttpContentType.form.getHeaderValueWithEncoding() );
 
             pwmHttpClientRequest = PwmHttpClientRequest.builder()
-                    .method( HttpMethod.GET )
+                    .method( method )
                     .url( requestUrl )
                     .body( requestBody )
                     .headers( headers )
@@ -546,7 +483,8 @@ private String figureUsernameGrantParam(
         }
 
         LOGGER.debug( sessionLabel, () -> "preparing to send username to OAuth /sign endpoint for future injection to /grant redirect" );
-        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth pre-inject username signing service", settings, signUrl, requestPayload, null );
+        final PwmHttpClientResponse restResults = makeHttpRequest( pwmRequest, "OAuth pre-inject username signing service", settings,
+                                                                    signUrl, requestPayload, null, HttpMethod.POST );
 
         final String resultBody = restResults.getBody();
         final Map<String, String> resultBodyMap = JsonUtil.deserializeStringMap( resultBody );

From 0bfd4b77a5022bd79dcfcf115a79953b8012ad4e Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Fri, 16 Apr 2021 13:38:31 +0200
Subject: [PATCH 03/12] added option to send either POST or GET requests to
 oauth userinfo endpoint

---
 .../password/pwm/config/Configuration.java     | 14 ++++++++++++++
 .../java/password/pwm/config/PwmSetting.java   |  4 ++++
 .../pwm/http/servlet/oauth/OAuthMachine.java   |  4 ++--
 .../pwm/http/servlet/oauth/OAuthSettings.java  |  3 +++
 .../password/pwm/config/PwmSetting.xml         | 18 ++++++++++++++++++
 .../password/pwm/i18n/PwmSetting.properties    |  4 ++++
 .../password/pwm/util/java/XmlFactoryTest.java |  2 +-
 .../config/stored/ConfigurationCleanerTest.xml |  8 ++++++++
 .../password/pwm/util/java/XmlFactoryTest.xml  |  8 ++++++++
 9 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/server/src/main/java/password/pwm/config/Configuration.java b/server/src/main/java/password/pwm/config/Configuration.java
index 0dacd170fc..2bedea14d6 100644
--- a/server/src/main/java/password/pwm/config/Configuration.java
+++ b/server/src/main/java/password/pwm/config/Configuration.java
@@ -70,6 +70,7 @@
 import password.pwm.util.secure.PwmRandom;
 import password.pwm.util.secure.PwmSecurityKey;
 import password.pwm.util.secure.SecureService;
+import password.pwm.http.HttpMethod;
 
 import java.lang.reflect.InvocationTargetException;
 import java.security.cert.X509Certificate;
@@ -363,6 +364,19 @@ public PrivateKeyCertificate readSettingAsPrivateKey( final PwmSetting setting )
         return ( PrivateKeyCertificate ) readStoredValue( setting ).toNativeObject();
     }
 
+    public HttpMethod readSettingAsHttpMethod( final PwmSetting setting )
+    {
+        final password.pwm.config.option.HttpMethod method = readSettingAsEnum( setting, password.pwm.config.option.HttpMethod.class );
+        if ( method == password.pwm.config.option.HttpMethod.POST )
+        {
+            return HttpMethod.POST;
+        }
+        else
+        {
+            return HttpMethod.GET;
+        }
+    }
+
     private PwmSecurityKey tempInstanceKey = null;
 
     public PwmSecurityKey getSecurityKey( ) throws PwmUnrecoverableException
diff --git a/server/src/main/java/password/pwm/config/PwmSetting.java b/server/src/main/java/password/pwm/config/PwmSetting.java
index 8e815c1335..e4dd11a644 100644
--- a/server/src/main/java/password/pwm/config/PwmSetting.java
+++ b/server/src/main/java/password/pwm/config/PwmSetting.java
@@ -810,6 +810,8 @@ public enum PwmSetting
             "recovery.oauth.idserver.codeResolveUrl", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_ATTRIBUTES_URL(
             "recovery.oauth.idserver.attributesUrl", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH ),
+    RECOVERY_OAUTH_ID_ATTRIBUTES_METHOD(
+            "recovery.oauth.idserver.attributesMethod", PwmSettingSyntax.SELECT, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_CERTIFICATE(
             "recovery.oauth.idserver.serverCerts", PwmSettingSyntax.X509CERT, PwmSettingCategory.RECOVERY_OAUTH ),
     RECOVERY_OAUTH_ID_CLIENTNAME(
@@ -1178,6 +1180,8 @@ public enum PwmSetting
             "oauth.idserver.codeResolveUrl", PwmSettingSyntax.STRING, PwmSettingCategory.OAUTH ),
     OAUTH_ID_ATTRIBUTES_URL(
             "oauth.idserver.attributesUrl", PwmSettingSyntax.STRING, PwmSettingCategory.OAUTH ),
+    OAUTH_ID_ATTRIBUTES_METHOD(
+            "oauth.idserver.attributesMethod", PwmSettingSyntax.SELECT, PwmSettingCategory.OAUTH ),
     OAUTH_ID_CERTIFICATE(
             "oauth.idserver.serverCerts", PwmSettingSyntax.X509CERT, PwmSettingCategory.OAUTH ),
     OAUTH_ID_CLIENTNAME(
diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
index 404af32c1c..ec24d8bc96 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -230,11 +230,11 @@ String makeOAuthGetUserInfoRequest(
         {
             final Configuration config = pwmRequest.getConfig();
             final String requestUrl = settings.getAttributesUrl();
+            final HttpMethod requestMethod = settings.getAttributesMethod();
             final Map<String, String> requestParams = new HashMap<>();
-            final HttpMethod method = HttpMethod.GET;
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ACCESS_TOKEN ), accessToken );
             requestParams.put( config.readAppProperty( AppProperty.HTTP_PARAM_OAUTH_ATTRIBUTES ), settings.getDnAttributeName() );
-            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken, method );
+            restResults = makeHttpRequest( pwmRequest, "OAuth userinfo", settings, requestUrl, requestParams, accessToken, requestMethod );
         }
 
         final String resultBody = restResults.getBody();
diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
index 443c7e6300..159c7d9662 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
@@ -26,6 +26,7 @@
 import password.pwm.config.PwmSetting;
 import password.pwm.config.profile.ForgottenPasswordProfile;
 import password.pwm.util.PasswordData;
+import password.pwm.http.HttpMethod;
 
 import java.io.Serializable;
 import java.security.cert.X509Certificate;
@@ -38,6 +39,7 @@ public class OAuthSettings implements Serializable
     private String loginURL;
     private String codeResolveUrl;
     private String attributesUrl;
+    private HttpMethod attributesMethod;
     private String scope;
     private String clientID;
     private PasswordData secret;
@@ -62,6 +64,7 @@ public static OAuthSettings forSSOAuthentication( final Configuration config )
                 .loginURL( config.readSettingAsString( PwmSetting.OAUTH_ID_LOGIN_URL ) )
                 .codeResolveUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_CODERESOLVE_URL ) )
                 .attributesUrl( config.readSettingAsString( PwmSetting.OAUTH_ID_ATTRIBUTES_URL ) )
+                .attributesMethod( config.readSettingAsHttpMethod( PwmSetting.OAUTH_ID_ATTRIBUTES_METHOD ) )
                 .clientID( config.readSettingAsString( PwmSetting.OAUTH_ID_CLIENTNAME ) )
                 .secret( config.readSettingAsPassword( PwmSetting.OAUTH_ID_SECRET ) )
                 .dnAttributeName( config.readSettingAsString( PwmSetting.OAUTH_ID_DN_ATTRIBUTE_NAME ) )
diff --git a/server/src/main/resources/password/pwm/config/PwmSetting.xml b/server/src/main/resources/password/pwm/config/PwmSetting.xml
index bbc5074dfd..95758bd099 100644
--- a/server/src/main/resources/password/pwm/config/PwmSetting.xml
+++ b/server/src/main/resources/password/pwm/config/PwmSetting.xml
@@ -2471,6 +2471,15 @@
         <example>https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes</example>
         <default/>
     </setting>
+    <setting hidden="false" key="recovery.oauth.idserver.attributesMethod" level="2" required="true">
+        <default>
+            <value>POST</value>
+        </default>
+        <options>
+            <option value="POST">POST</option>
+            <option value="GET">GET</option>
+        </options>
+    </setting>
     <setting hidden="false" key="recovery.oauth.idserver.serverCerts" level="2">
         <default/>
         <properties>
@@ -4064,6 +4073,15 @@
         <example>https://oauthserver.example.com/osp/a/idm/auth/oauth2/getattributes</example>
         <default/>
     </setting>
+    <setting hidden="false" key="oauth.idserver.attributesMethod" level="2" required="true">
+        <default>
+            <value>POST</value>
+        </default>
+        <options>
+            <option value="POST">POST</option>
+            <option value="GET">GET</option>
+        </options>
+    </setting>
     <setting hidden="false" key="oauth.idserver.serverCerts" level="2">
         <default/>
         <properties>
diff --git a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
index af17259ef0..deba2d95c2 100644
--- a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
+++ b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -530,6 +530,7 @@ Setting_Description_newUser.username.definition=<p>Specify the display name, or
 Setting_Description_newUser.writeAttributes=Specify the actions the system takes when it creates a user.  The actions will be executed just after the user is created in the LDAP directory.    You can use macros in this setting.
 Setting_Description_notes.noteText=Specify any configuration notes about your system. This option allows you to keep notes about any specific configuration options you have made with the system.
 Setting_Description_oauth.idserver.attributesUrl=Specify the URL of the web service provided by the identity server to return attribute data about the user.
+Setting_Description_oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
 Setting_Description_oauth.idserver.scope=Specify the optional OAuth scope. The OAuth identity service provider(IdP) provides this value.  The scope provided, if any, must contain the user attribute to be read for authentication.
 Setting_Description_oauth.idserver.clientName=Specify the OAuth client ID. The OAuth identity service provider(IdP) provides this value.
 Setting_Description_oauth.idserver.codeResolveUrl=Specify the OAuth Code Resolve Service URL. The system uses this web service URL to resolve the artifact returned by the OAuth identity server.
@@ -664,6 +665,7 @@ Setting_Description_recovery.enable=Enable this option to have the forgotten pas
 Setting_Description_recovery.form=Specify the form fields for the activate user module. @PwmAppName@ requires the users to enter each attribute. Ideally, @PwmAppName@ requires the users to enter some personal data that is not publicly known.
 Setting_Description_recovery.minimumPasswordLifetimeOptions=Options to control behavior when a user attempts to use the forgotten password module while their password is within the minimum password policy lifetime window of their effective password policy.  These options are only relevant if the user has an effective minimum password lifetime as part of their password policy.
 Setting_Description_recovery.oauth.idserver.attributesUrl=Specify the web service URL provided by the identity server to return attribute data about the user.
+Setting_Description_recovery.oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
 Setting_Description_recovery.oauth.idserver.clientName=Specify the OAuth client ID. The OAuth identity service provider gives you this value.
 Setting_Description_recovery.oauth.idserver.codeResolveUrl=Specify the OAuth Token / Code Resolve Service URL. @PwmAppName@ uses this web service URL to resolve the artifact returned by the OAuth identity server.
 Setting_Description_recovery.oauth.idserver.dnAttributeName=Specify the attribute to request from the OAuth server that @PwmAppName@ uses as the user name for local authentication. @PwmAppName@ then resolves this value the same as if the user had typed the password at the local authentication page.
@@ -1064,6 +1066,7 @@ Setting_Label_newUser.username.definition=LDAP Entry ID Definition
 Setting_Label_newUser.writeAttributes=New User Actions
 Setting_Label_notes.noteText=Configuration Notes
 Setting_Label_oauth.idserver.attributesUrl=OAuth Profile/UserInfo Service URL
+Setting_Label_oauth.idserver.attributesMethod=OAuth Profile/UserInfo Service HTTP Method
 Setting_Label_oauth.idserver.scope=OAuth Scope
 Setting_Label_oauth.idserver.clientName=OAuth Client ID
 Setting_Label_oauth.idserver.codeResolveUrl=OAuth Token / Code Resolve Service URL
@@ -1198,6 +1201,7 @@ Setting_Label_recovery.enable=Enable Forgotten Password
 Setting_Label_recovery.form=Forgotten Password User Search Form
 Setting_Label_recovery.minimumPasswordLifetimeOptions=Minimum Password Lifetime Options
 Setting_Label_recovery.oauth.idserver.attributesUrl=OAuth Profile Service URL
+Setting_Label_recovery.oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
 Setting_Label_recovery.oauth.idserver.clientName=OAuth Client ID
 Setting_Label_recovery.oauth.idserver.codeResolveUrl=OAuth Code Resolve Service URL
 Setting_Label_recovery.oauth.idserver.dnAttributeName=OAuth User Name/DN Login Attribute
diff --git a/server/src/test/java/password/pwm/util/java/XmlFactoryTest.java b/server/src/test/java/password/pwm/util/java/XmlFactoryTest.java
index 4063159cf7..07835c4237 100644
--- a/server/src/test/java/password/pwm/util/java/XmlFactoryTest.java
+++ b/server/src/test/java/password/pwm/util/java/XmlFactoryTest.java
@@ -41,6 +41,6 @@ public void testLoadXml()
         Assert.assertTrue( configIsEditable.isPresent() );
         Assert.assertEquals( "false", configIsEditable.get().getText() );
         final List<XmlElement> allSettings = xmlDocument.evaluateXpathToElements( "//setting" );
-        Assert.assertEquals( 279, allSettings.size() );
+        Assert.assertEquals( 281, allSettings.size() );
     }
 }
diff --git a/server/src/test/resources/password/pwm/config/stored/ConfigurationCleanerTest.xml b/server/src/test/resources/password/pwm/config/stored/ConfigurationCleanerTest.xml
index 167f8635c9..f4d36fb525 100644
--- a/server/src/test/resources/password/pwm/config/stored/ConfigurationCleanerTest.xml
+++ b/server/src/test/resources/password/pwm/config/stored/ConfigurationCleanerTest.xml
@@ -681,6 +681,10 @@
             <label>OAuth Profile Service URL</label>
             <value><![CDATA[http://ldap.example.com:8180/osp/a/idm/auth/oauth2/getattributes]]></value>
         </setting>
+        <setting key="oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+            <label>OAuth Profile Service HTTP Method</label>
+            <value><![CDATA[POST]]></value>
+        </setting>
         <setting key="oauth.idserver.serverCerts" syntax="X509CERT" syntaxVersion="0" modifyTime="2016-11-07T16:57:44Z" modifyUser="default|cn=testuser,ou=example,o=org">
             <default />
         </setting>
@@ -736,6 +740,10 @@
             <label>OAuth Profile Service URL</label>
             <value><![CDATA[https://db.example.org44/osp/a/TOP/auth/oauth2/getattributes]]></value>
         </setting>
+        <setting key="recovery.oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+            <label>OAuth Profile Service HTTP Method</label>
+            <value><![CDATA[POST]]></value>
+        </setting>
         <setting key="recovery.oauth.idserver.clientName" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2016-11-14T19:55:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
             <label>OAuth Client ID</label>
             <value><![CDATA[id-jUE41S73VVGoIetABWUKwBmYzM4B51yb]]></value>
diff --git a/server/src/test/resources/password/pwm/util/java/XmlFactoryTest.xml b/server/src/test/resources/password/pwm/util/java/XmlFactoryTest.xml
index 2913addd20..c9084d44db 100644
--- a/server/src/test/resources/password/pwm/util/java/XmlFactoryTest.xml
+++ b/server/src/test/resources/password/pwm/util/java/XmlFactoryTest.xml
@@ -683,6 +683,10 @@
       <label>OAuth Profile Service URL</label>
       <value><![CDATA[http://ldap.example.com:8180/osp/a/idm/auth/oauth2/getattributes]]></value>
     </setting>
+    <setting key="oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+      <label>OAuth Profile Service HTTP Method</label>
+      <value><![CDATA[POST]]></value>
+    </setting>
     <setting key="oauth.idserver.serverCerts" syntax="X509CERT" syntaxVersion="0" modifyTime="2016-11-07T16:57:44Z" modifyUser="default|cn=testuser,ou=example,o=org">
       <default />
     </setting>
@@ -738,6 +742,10 @@
       <label>OAuth Profile Service URL</label>
       <value><![CDATA[https://db.example.org44/osp/a/TOP/auth/oauth2/getattributes]]></value>
     </setting>
+    <setting key="recovery.oauth.idserver.attributesMethod" syntax="SELECT" syntaxVersion="0" modifyTime="2018-07-11T05:43:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
+      <label>OAuth Profile Service HTTP Method</label>
+      <value><![CDATA[POST]]></value>
+    </setting>
     <setting key="recovery.oauth.idserver.clientName" syntax="STRING" profile="default" syntaxVersion="0" modifyTime="2016-11-14T19:55:23Z" modifyUser="default|cn=testuser,ou=example,o=org">
       <label>OAuth Client ID</label>
       <value><![CDATA[id-jUE41S73VVGoIetABWUKwBmYzM4B51yb]]></value>

From 0a46f946c5cc40852c249e62841831d27ea23e18 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Fri, 16 Apr 2021 13:45:49 +0200
Subject: [PATCH 04/12] updated labels

---
 .../src/main/resources/password/pwm/i18n/PwmSetting.properties  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
index deba2d95c2..740a86fc55 100644
--- a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
+++ b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -1201,7 +1201,7 @@ Setting_Label_recovery.enable=Enable Forgotten Password
 Setting_Label_recovery.form=Forgotten Password User Search Form
 Setting_Label_recovery.minimumPasswordLifetimeOptions=Minimum Password Lifetime Options
 Setting_Label_recovery.oauth.idserver.attributesUrl=OAuth Profile Service URL
-Setting_Label_recovery.oauth.idserver.attributesMethod=Select the HTTP method to use when calling the Attributes URL
+Setting_Label_recovery.oauth.idserver.attributesMethod=OAuth Profile Service HTTP Method
 Setting_Label_recovery.oauth.idserver.clientName=OAuth Client ID
 Setting_Label_recovery.oauth.idserver.codeResolveUrl=OAuth Code Resolve Service URL
 Setting_Label_recovery.oauth.idserver.dnAttributeName=OAuth User Name/DN Login Attribute

From 0ecff38efb210d111075687325dbecce07bc2d88 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Fri, 16 Apr 2021 14:38:17 +0200
Subject: [PATCH 05/12] simplified method

---
 .../main/java/password/pwm/config/Configuration.java   | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/server/src/main/java/password/pwm/config/Configuration.java b/server/src/main/java/password/pwm/config/Configuration.java
index 2bedea14d6..bc4bea2dc6 100644
--- a/server/src/main/java/password/pwm/config/Configuration.java
+++ b/server/src/main/java/password/pwm/config/Configuration.java
@@ -366,15 +366,7 @@ public PrivateKeyCertificate readSettingAsPrivateKey( final PwmSetting setting )
 
     public HttpMethod readSettingAsHttpMethod( final PwmSetting setting )
     {
-        final password.pwm.config.option.HttpMethod method = readSettingAsEnum( setting, password.pwm.config.option.HttpMethod.class );
-        if ( method == password.pwm.config.option.HttpMethod.POST )
-        {
-            return HttpMethod.POST;
-        }
-        else
-        {
-            return HttpMethod.GET;
-        }
+        return readSettingAsEnum( setting, password.pwm.config.option.HttpMethod.class ) == password.pwm.config.option.HttpMethod.POST ? HttpMethod.POST : HttpMethod.GET;
     }
 
     private PwmSecurityKey tempInstanceKey = null;

From 24e66011b4faf97d62b83253d23c2b5d8d0a3666 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Fri, 16 Apr 2021 16:54:44 +0200
Subject: [PATCH 06/12] added missing class

---
 .../pwm/config/option/HttpMethod.java         | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 server/src/main/java/password/pwm/config/option/HttpMethod.java

diff --git a/server/src/main/java/password/pwm/config/option/HttpMethod.java b/server/src/main/java/password/pwm/config/option/HttpMethod.java
new file mode 100644
index 0000000000..06c065e9c8
--- /dev/null
+++ b/server/src/main/java/password/pwm/config/option/HttpMethod.java
@@ -0,0 +1,27 @@
+/*
+ * Password Management Servlets (PWM)
+ * http://www.pwm-project.org
+ *
+ * Copyright (c) 2006-2009 Novell, Inc.
+ * Copyright (c) 2009-2020 The PWM Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package password.pwm.config.option;
+
+public enum HttpMethod implements ConfigurationOption
+{
+    POST,
+    GET,
+}

From c5b6306a0195a71c7714dfc0f946d3cfae861c81 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Wed, 21 Apr 2021 11:27:18 +0200
Subject: [PATCH 07/12] fixed "invalid" DN error on importing schema into MS
 Active Directory

---
 webapp/src/build/ldif/AD-schema.ldif | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/webapp/src/build/ldif/AD-schema.ldif b/webapp/src/build/ldif/AD-schema.ldif
index 2644d564b7..90f6ac6c14 100644
--- a/webapp/src/build/ldif/AD-schema.ldif
+++ b/webapp/src/build/ldif/AD-schema.ldif
@@ -156,7 +156,7 @@ searchFlags: 1
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1
@@ -192,7 +192,7 @@ adminDescription: pwmUser Auxiliary class
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1
@@ -222,7 +222,7 @@ mayContain: pwmData
 #------------------------------------------------------
 #--  Update the schema now
 #------------------------------------------------------
-dn: 
+dn:
 changetype: modify
 add: schemaUpdateNow
 schemaUpdateNow: 1

From 0a50c2954b3f526ea1e29698cf72daf1d6960bf9 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 22 Apr 2021 14:11:25 +0200
Subject: [PATCH 08/12] Returning new password as per
 https://www.pwm-project.org/pwm/public/reference/rest.jsp#rest-setpassword

---
 .../password/pwm/ws/server/rest/RestSetPasswordServer.java     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
index 99cb364f76..9fbfe957c1 100644
--- a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
+++ b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
@@ -212,7 +212,8 @@ private static RestResultBean doSetPassword(
             );
 
             StatisticsManager.incrementStat( restRequest.getPwmApplication(), Statistic.REST_SETPASSWORD );
-            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(), null, random );
+            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(), newPassword.getStringValue(), random );
+            LOGGER.debug( () -> "Result data is" + jsonResultData );
             return RestResultBean.forSuccessMessage( jsonResultData, restRequest, Message.Success_PasswordChange );
         }
         catch ( final PwmException e )

From e05ab2b2ea599c005b7a5202956c7a26e6e597d9 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 22 Apr 2021 14:12:23 +0200
Subject: [PATCH 09/12] Removed obsolete debug output

---
 .../java/password/pwm/ws/server/rest/RestSetPasswordServer.java  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
index 9fbfe957c1..f0fa6a1eb6 100644
--- a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
+++ b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
@@ -213,7 +213,6 @@ private static RestResultBean doSetPassword(
 
             StatisticsManager.incrementStat( restRequest.getPwmApplication(), Statistic.REST_SETPASSWORD );
             final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(), newPassword.getStringValue(), random );
-            LOGGER.debug( () -> "Result data is" + jsonResultData );
             return RestResultBean.forSuccessMessage( jsonResultData, restRequest, Message.Success_PasswordChange );
         }
         catch ( final PwmException e )

From 4dae0e5e17e1104bdeba6e8e6eec9967d1bc046e Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 23 Sep 2021 21:22:46 +0200
Subject: [PATCH 10/12] only add basePath when redirecting internally

---
 .../main/java/password/pwm/http/PwmResponse.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/server/src/main/java/password/pwm/http/PwmResponse.java b/server/src/main/java/password/pwm/http/PwmResponse.java
index a81f36cf49..f1d12fc1ab 100644
--- a/server/src/main/java/password/pwm/http/PwmResponse.java
+++ b/server/src/main/java/password/pwm/http/PwmResponse.java
@@ -289,9 +289,19 @@ public void sendRedirect( final String url, final RedirectType redirectType )
         preCommitActions();
 
         final String basePath = pwmRequest.getBasePath();
-        final String effectiveUrl = url.startsWith( basePath )
-                ? url
-                : basePath + url;
+        final String effectiveUrl;
+
+        // a redirect can either be internal and already include the basePath,
+        // or internal without basePath, in this case we add the basePath
+        // or external with preceding protocol, in this case we use the url as is
+        if ( url.startsWith( basePath ) || url.matches( "^https?://.*" ) )
+        {
+            effectiveUrl  = url;
+        }
+        else
+        {
+            effectiveUrl = basePath + url;
+        }
 
         // http "other" redirect
         final HttpServletResponse resp = pwmRequest.getPwmResponse().getHttpServletResponse();

From e73ce6acfc195bbef6df625c58e99442650b7de7 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 23 Sep 2021 21:23:18 +0200
Subject: [PATCH 11/12] fixed wrong setting lookup

---
 .../main/java/password/pwm/http/servlet/oauth/OAuthMachine.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
index 6cdadd3cce..ed741f646d 100644
--- a/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/server/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -318,7 +318,7 @@ private static String figureOauthSelfEndPointUrl( final PwmRequest pwmRequest )
 
         {
             final String returnUrlOverride = pwmRequest.getDomainConfig().readAppProperty( AppProperty.OAUTH_RETURN_URL_OVERRIDE );
-            final String siteURL = pwmRequest.getDomainConfig().readSettingAsString( PwmSetting.PWM_SITE_URL );
+            final String siteURL = pwmRequest.getAppConfig().readSettingAsString( PwmSetting.PWM_SITE_URL );
             if ( returnUrlOverride != null && !returnUrlOverride.trim().isEmpty() )
             {
                 debugSource = "AppProperty(\"" + AppProperty.OAUTH_RETURN_URL_OVERRIDE.getKey() + "\")";

From c68ea7703fe511e141ef6cd5de839d49eba258d0 Mon Sep 17 00:00:00 2001
From: Florian Buchmeier <florian.buchmeier@audi.de>
Date: Thu, 23 Sep 2021 21:24:12 +0200
Subject: [PATCH 12/12] formatted

---
 server/src/main/java/password/pwm/config/AppConfig.java  | 9 ---------
 .../src/main/java/password/pwm/config/DomainConfig.java  | 7 ++++---
 .../main/java/password/pwm/config/option/HttpMethod.java | 2 +-
 .../pwm/ws/server/rest/RestSetPasswordServer.java        | 6 +++---
 4 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/server/src/main/java/password/pwm/config/AppConfig.java b/server/src/main/java/password/pwm/config/AppConfig.java
index 6a31ccc99d..1655026ae7 100644
--- a/server/src/main/java/password/pwm/config/AppConfig.java
+++ b/server/src/main/java/password/pwm/config/AppConfig.java
@@ -43,7 +43,6 @@
 import password.pwm.util.logging.PwmLogLevel;
 import password.pwm.util.logging.PwmLogger;
 import password.pwm.util.secure.PwmSecurityKey;
-import password.pwm.http.HttpMethod;
 
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -239,14 +238,6 @@ public PrivateKeyCertificate readSettingAsPrivateKey( final PwmSetting setting )
         return settingReader.readSettingAsPrivateKey( setting );
     }
 
-    @Override
-    public HttpMethod readSettingAsHttpMethod(final PwmSetting setting) {
-        return settingReader.readSettingAsEnum(setting,
-                password.pwm.config.option.HttpMethod.class) == password.pwm.config.option.HttpMethod.POST
-                        ? HttpMethod.POST
-                        : HttpMethod.GET;
-    }
-
     @Override
     public <E extends Enum<E>> E readSettingAsEnum( final PwmSetting setting, final Class<E> enumClass )
     {
diff --git a/server/src/main/java/password/pwm/config/DomainConfig.java b/server/src/main/java/password/pwm/config/DomainConfig.java
index 0e8994e1e7..bc16195d76 100644
--- a/server/src/main/java/password/pwm/config/DomainConfig.java
+++ b/server/src/main/java/password/pwm/config/DomainConfig.java
@@ -234,9 +234,10 @@ public PrivateKeyCertificate readSettingAsPrivateKey( final PwmSetting setting )
         return settingReader.readSettingAsPrivateKey( setting );
     }
 
-    public HttpMethod readSettingAsHttpMethod(final PwmSetting setting) {
-        return settingReader.readSettingAsEnum(setting,
-                password.pwm.config.option.HttpMethod.class) == password.pwm.config.option.HttpMethod.POST
+    public HttpMethod readSettingAsHttpMethod( final PwmSetting setting )
+    {
+        return settingReader.readSettingAsEnum( setting,
+                password.pwm.config.option.HttpMethod.class ) == password.pwm.config.option.HttpMethod.POST
                         ? HttpMethod.POST
                         : HttpMethod.GET;
     }
diff --git a/server/src/main/java/password/pwm/config/option/HttpMethod.java b/server/src/main/java/password/pwm/config/option/HttpMethod.java
index 06c065e9c8..080a06f1da 100644
--- a/server/src/main/java/password/pwm/config/option/HttpMethod.java
+++ b/server/src/main/java/password/pwm/config/option/HttpMethod.java
@@ -3,7 +3,7 @@
  * http://www.pwm-project.org
  *
  * Copyright (c) 2006-2009 Novell, Inc.
- * Copyright (c) 2009-2020 The PWM Project
+ * Copyright (c) 2009-2021 The PWM Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
index 4f69143c6d..58410eaea6 100644
--- a/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
+++ b/server/src/main/java/password/pwm/ws/server/rest/RestSetPasswordServer.java
@@ -210,9 +210,9 @@ private static RestResultBean doSetPassword(
                     newPassword
             );
 
-            StatisticsManager.incrementStat( restRequest.getDomain(), Statistic.REST_SETPASSWORD );
-            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(), newPassword.getStringValue(), random );
-
+            StatisticsClient.incrementStat( restRequest.getDomain(), Statistic.REST_SETPASSWORD );
+            final JsonInputData jsonResultData = new JsonInputData( targetUserIdentity.getUserIdentity().toDelimitedKey(),
+                            newPassword.getStringValue(), random );
             return RestResultBean.forSuccessMessage( jsonResultData, restRequest, Message.Success_PasswordChange );
         }
         catch ( final PwmException e )