Merge pull request #748 from wultra/develop
Prepare release 0.23.0
romanstrobl authored Jan 20, 2020
2 parents 138a5a9 + 92edb7a commit 74d5397
Showing 288 changed files with 13,547 additions and 2,986 deletions.
4 changes: 2 additions & 2 deletions .travis.yml
@@ -1,13 +1,13 @@
language: java
jdk:
- oraclejdk8
- openjdk11
branches:
only:
- master
- coverity_scan
env:
global:
- secure: "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"
- secure: "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"

before_install:
- echo -n | openssl s_client -connect https://scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-
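Review bot: The `jdk` entry in this hunk leaves a single JDK in the build matrix (`oraclejdk8` and `openjdk11` appear as the old and new values), so the release is built and tested against one Java version only. If 0.23.0 still supports Java 8, list both JDKs; if it does not, state the new minimum Java version in the release notes. Separately, the unchanged `before_install` line passes `https://scan.coverity.com:443` to `openssl s_client -connect`, which expects `host:port` without a scheme, and it appends whatever certificate the server presents to the system CA store without checking it. Both are worth fixing while this file is being touched.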
21 changes: 17 additions & 4 deletions docs/Basic-Definitions.md
Expand Up @@ -78,6 +78,7 @@ The operation may fail due to different reasons, such as:
- Maximum number of attempts is reached causing authentication method to fail.
- Operation times out.
- User cancels the operation.
- User refreshes the browser, navigates to another URL or closes the browser window.

### Operation ID

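Review bot: The new bullet "User refreshes the browser, navigates to another URL or closes the browser window" does not say how or when the operation is marked as failed in these cases. Please state whether the failure is recorded as soon as the interruption is noticed or only once the operation times out, and use the same term as the new AFS section, which calls these "interrupted operations", so readers can connect the two.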
Expand Down Expand Up @@ -162,7 +163,7 @@ Whenever operation progresses to the next step, previous status of operation is

### Operation review

Operation review is a special authentication step which handles review of operation form data and next authentication method choice. This step is executed after user is authenticated and the next step is an authorization step.
Operation review is a special non-SCA authentication step which handles review of operation form data and next authentication method choice. This step is executed after user is authenticated and the next step is an authorization step.

### Organization

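Review bot: "non-SCA" in the "Operation review" paragraph is used without ever being defined in the visible text. Expand the abbreviation on first use (Strong Customer Authentication) and say in one sentence what distinguishes an SCA step from a non-SCA step, or link to the chapter that does.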
Expand All @@ -177,7 +178,11 @@ See chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definiti

### Authentication method choice

The user becomes authenticated and there are multiple choices available for the next authentication method (which is usually performing authorization, not authentication). The next authentication method is executed based on user choice.
The user becomes authenticated and there are multiple choices available for the next authentication method (which is usually performing authorization, not authentication). The next authentication method is executed based on user choice. This approach is used in non-SCA authentication methods.

### Authentication instrument

The user has a choice of using different authentication instruments (SMS, mobile token, hardware token, etc.). The chosen authentication instrument influences how authentication / authorization is done. This approach is used in SCA authentication methods.

### Next step of an operation

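Review bot: The new "Authentication instrument" definition says the chosen instrument "influences how authentication / authorization is done" but not who decides which instruments are offered or whether the choice can change the number of factors required. Since this is the SCA path, please state that every offered instrument still satisfies the required authentication strength, and describe how the list of instruments is configured.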
Expand All @@ -195,7 +200,7 @@ See chapter [Configuring Next Step Definitions](./Configuring-Next-Step-Definiti

### Next step user preferences

Next step user preferences store configuration for different authentication methods.
Next step user preferences store configuration for different authentication methods, for instance activation configured for mobile token.

### Authorization failure count

Expand All @@ -216,7 +221,7 @@ The effective number of remaining attempts is the lower of the two above mention
The HTTP session is used in Web Flow in following ways:
- A client may create an operation with operation data before the OAuth 2.0 authentication is started and store assigned operationId in HTTP session in the `operationId` attribute. This attribute is picked when authentication is started and Web Flow continues an already existing operation. In case the `operationId` attribute is not found, Web Flow creates a new login operation with default operation data.
- During the authentication process, the `PENDING_AUTH_OBJECT` attribute stored in HTTP session is updated with OAuth 2.0 `UserOperationAuthentication` token which contains the most current state of authentication.
- When the authentication process is succcessfully completed, the HTTP session becomes authenticated with the OAuth 2.0 `UserOperationAuthentication` token.
- When the authentication process is successfully completed, the HTTP session becomes authenticated with the OAuth 2.0 `UserOperationAuthentication` token.
- When the authentication process fails, the `PENDING_AUTH_OBJECT` attribute is removed from HTTP session. The HTTP session does not become authenticated.

The HTTP session is also used for storing temporary data during operation.
Expand All @@ -238,3 +243,11 @@ Web Flow contains message resources which can be localized to different language
### Resource translation

Web Flow supports translation of resources which contain references to values of operation form data. This process is called resource translation.

### Anti-fraud system integration

Anti-fraud System (AFS) integration is available for Web Flow. Web Flow triggers AFS actions during login
and approval steps both when the step is initialized and when step authentication is performed.
The AFS integration allows authentication step-down (e.g. using 1 factor instead of 2 factors or even no factors at all).
The AFS is also informed about completed, timed out and interrupted operations.
The communication with AFS is handled in Data Adapter.
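Review bot: The sentence on step-down ("using 1 factor instead of 2 factors or even no factors at all") does not describe what happens when the AFS is unreachable, times out or returns an error. Please document the fallback, ideally that Web Flow keeps the full configured authentication in that case, and say where step-down is enabled so that it is clear it is an explicit configuration choice rather than a default.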
32 changes: 2 additions & 30 deletions docs/Compilation,-Packaging-and-Deployment.md
Expand Up @@ -8,6 +8,7 @@ Web Flow can be deployed to any Java web container (such as Tomcat) using war ar

In order to build Web Flow using Maven, following PowerAuth dependencies need to be satisfied:

* [powerauth-server](https://github.com/wultra/powerauth-server) - dependency **powerauth-java-client-spring**
* [powerauth-push-server](https://github.com/wultra/powerauth-push-server) - dependency **powerauth-push-client**
* [powerauth-restful-integration](https://github.com/wultra/powerauth-restful-integration) - dependency **powerauth-restful-security-spring**
* [powerauth-crypto](https://github.com/wultra/powerauth-crypto) - dependency **powerauth-java-crypto**
Expand Down Expand Up @@ -37,35 +38,6 @@ The whole installation process is described in the [Web Flow Installation Manual

You can test the web flow demo application by navigating to: http://localhost:8080/powerauth-webflow-client

* Use the "Login" action to test the user authentication. The Credential Server Sample project uses "test" as password for any username.
* Use the "Login" action to test the user authentication. The Data Adapter sample project uses "test" as password for any username.
* Use the "Payment (DEMO)" action to test payment authorization. You will need to enable POWERAUTH_TOKEN authentication method for the user who will authorize the payment (using [Next Step REST API](./Next-Step-Server-REST-API-Reference.md#enable-an-authentication-method-for-given-user)).
* Use the "Authorization" action to test operation authorization. In order to test this action you will need to create an operation and obtain its operationId (using [Next Step REST API](./Next-Step-Server-REST-API-Reference.md#create-an-operation)).

## Maven Profiles (Advanced)

There are following Maven profiles defined:
* **prod** - used for deployment to a production environment (default profile)
* **fast** - used for fast redeployment to a development environment (do not use when dependencies change, in this case prod build is required)
* **dev** - used for development in the IDE (mainly for debugging)

Path to the pom.xml file:

`powerauth-webflow/powerauth-webflow/pom.xml`

## Development

During development you can start the backend and the frontend separately for easier continuous redeployment.

### Backend
To start the backend part in the IDE, simply point the IDE to run Main class:

`io.getlime.security.powerauth.app.webflow.PowerAuthWebFlowApplication`

You should see a Spring boot console in IDE log and the last message should start with "Started PowerAuthWebFlowApplication". To redeploy, trigger a build in the IDE and Maven should redeploy changes automatically.

### Frontend
To start the frontend part in the IDE, use the **package** phase with the "dev" Maven profile:

`mvn package -P dev`

Maven builds the application and stops the deployment in the moment when webpack starts watching for changes. When you make any change in JavaScript code, you should see a message from compiler and bundle.js in target folder should be redeployed automatically using the WebpackDeployPlugin (see [webpack.config.js](../powerauth-webflow/webpack.config.js) and [webpack-deploy.js](../powerauth-webflow/src/main/js/webpack-deploy.js)). Note that bundle.js is built in full debug mode, hence the large size of the output of the compiler. Compiled frontend code is located in target/classes/static/built/bundle.js
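Review bot: The "Login" bullet in this hunk documents that the sample project accepts "test" as the password for any username, and the rename to "Data Adapter sample project" is a good moment to add that this sample must be replaced with a real implementation before any non-demo deployment. The hunk also drops the "Maven Profiles (Advanced)" and "Development" sections. If that content moved to another page, link to it from here; otherwise the `fast` and `dev` profiles are left undocumented.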
1 change: 1 addition & 0 deletions docs/Components.md
Expand Up @@ -60,6 +60,7 @@ Data Adapter handles following use cases:
* Verify consent form options selected by the user.
* Save consent form options selected by the user.
* Verify authorization SMS code and user password.
* Execute an anti-fraud system (AFS) action and react on response from AFS.

For more information see the [Web Flow customization project](https://github.com/wultra/powerauth-webflow-customization)

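Review bot: Wording in the added bullet: "react on response from AFS" should read "react to the response from AFS". It would also help to link this bullet to the new "Anti-fraud system integration" section in Basic-Definitions.md so the abbreviation is explained in one place.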
2 changes: 1 addition & 1 deletion docs/Customizing-Operation-Form-Data.md
Expand Up @@ -222,7 +222,7 @@ ApplicationContext applicationContext = new ApplicationContext();
applicationContext.setId("DEMO");
applicationContext.setName("Demo application");
applicationContext.setDescription("Web Flow demo application");
applicationContext.getExtras().put("_requestedScopes", Collections.singletonList("AISP"));
applicationContext.getOriginalScopes().add("aisp");
applicationContext.getExtras().put("applicationOwner", "Wultra");
```

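Review bot: The scope example changes both the API and the value: `getExtras().put("_requestedScopes", ...)` with "AISP" becomes `getOriginalScopes().add("aisp")`. Please note in the surrounding text whether scope names are compared case-sensitively, and add a migration note for integrators who still read `_requestedScopes` from the extras map, since the example no longer sets it.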