Modify apple authenticator to enable federation flow in API based Authentication and Nonce validation

[ZiyamSanthosh]

This PR includes the below given changes

• Enables API based authentication with federation flow for Apple authenticator. This supports both Native mode and Redirection mode.
• Enable nonce validation for apple authenticator.

Related issue:

• redirectUrl is missing in Apple Federated Authenticator for API based authentication  wso2/product-is#20584

Merge the PR after merging the below given PR and bumping the oidc version:

• Change authenticator property keys to be specific for different authenticators identity-outbound-auth-oidc#186

Sample Responses

1. Initial /authorize request

{
    "flowId": "44f86b73-55fd-4ec5-8571-c7f4049d3c07",
    "flowStatus": "INCOMPLETE",
    "flowType": "AUTHENTICATION",
    "nextStep": {
        "stepType": "MULTI_OPTIONS_PROMPT",
        "authenticators": [
            {
                "authenticatorId": "R29vZ2xlT0lEQ0F1dGhlbnRpY2F0b3I6R29vZ2xl",
                "authenticator": "Google",
                "idp": "Google",
                "metadata": {
                    "i18nKey": "authenticator.google"
                }
            },
            {
                "authenticatorId": "QXBwbGVPSURDQXV0aGVudGljYXRvcjpBcHBsZQ",
                "authenticator": "Apple",
                "idp": "Apple",
                "metadata": {
                    "i18nKey": "authenticator.apple"
                }
            }
        ]
    },
    "links": [
        {
            "name": "authentication",
            "href": "https://wso2is.com:9443/oauth2/authn",
            "method": "POST"
        }
    ]
}

2. /authn request (Native mode)

{
    "flowId": "44f86b73-55fd-4ec5-8571-c7f4049d3c07",
    "flowStatus": "INCOMPLETE",
    "flowType": "AUTHENTICATION",
    "nextStep": {
        "stepType": "AUTHENTICATOR_PROMPT",
        "authenticators": [
            {
                "authenticatorId": "QXBwbGVPSURDQXV0aGVudGljYXRvcjpBcHBsZQ",
                "authenticator": "Apple",
                "idp": "Apple",
                "metadata": {
                    "i18nKey": "authenticator.apple",
                    "promptType": "INTERNAL_PROMPT",
                    "additionalData": {
                        "clientId": "com.asgupgrade.stage",
                        "scope": "email name"
                    }
                },
                "requiredParams": [
                    "accessToken",
                    "idToken"
                ]
            }
        ]
    },
    "links": [
        {
            "name": "authentication",
            "href": "https://wso2is.com:9443/oauth2/authn",
            "method": "POST"
        }
    ]
}

3. /authn request (Redirection mode)

{
    "flowId": "44f86b73-55fd-4ec5-8571-c7f4049d3c07",
    "flowStatus": "INCOMPLETE",
    "flowType": "AUTHENTICATION",
    "nextStep": {
        "stepType": "AUTHENTICATOR_PROMPT",
        "authenticators": [
            {
                "authenticatorId": "QXBwbGVPSURDQXV0aGVudGljYXRvcjpBcHBsZQ",
                "authenticator": "Apple",
                "idp": "Apple",
                "metadata": {
                    "i18nKey": "authenticator.apple",
                    "promptType": "REDIRECTION_PROMPT",
                    "additionalData": {
                        "state": "43fa600f-0ad3-4170-80e8-d8e615d59e09,OIDC",
                        "redirectUrl": "https://appleid.apple.com/auth/authorize?response_type=code&state=43fa600f-0ad3-4170-80e8-d8e615d59e09%2COIDC&redirect_uri=https%3A%2F%2Fgoogle.com&client_id=com.asgupgrade.stage&scope=email%20name&response_mode=form_post"
                    }
                },
                "requiredParams": [
                    "code",
                    "state"
                ]
            }
        ]
    },
    "links": [
        {
            "name": "authentication",
            "href": "https://wso2is.com:9443/oauth2/authn",
            "method": "POST"
        }
    ]
}

Related links:
[1] https://developer.apple.com/documentation/authenticationservices/asauthorizationopenidrequest/nonce

Sample JWT Payload from apple IDP

{
  "iss": "https://appleid.apple.com",
  "aud": "com.asgupgrade.stage",
  "exp": 1720100111,
  "iat": 1720013711,
  "sub": "001094.77fd79fb64a1413398438254b1a28e64.0535",
  "nonce": "f9945071-859e-4d2a-a6e4-5b435f16d109",
  "at_hash": "LfD82O14Te81Z_jqY6fAuQ",
  "email": "ziyam@wso2.com",
  "email_verified": true,
  "auth_time": 1720013689,
  "nonce_supported": true
}

[CLAassistant]

All committers have signed the CLA.

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9734468257

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9734468257
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/9734468257

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9743477163

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9743477163
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/9743477163

[Thumimku]

LGTM

[pamodaaw]

can't we have line 153 as the else block of this if?

[pamodaaw]

Or we can have getCallbackUrl method in this class and define this logic there

[ZiyamSanthosh]

Addressed in 9f2bc6f

[pamodaaw]

when this IS_API_BASED property is set in the context?

[ZiyamSanthosh]

This is being set at the framework[1].

[1] https://github.com/wso2/carbon-identity-framework/blob/3782fee47c7c612d37f955c12c5f70317c020e4b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultRequestCoordinator.java#L791-L794

[pamodaaw]

So why can't we use the same constant defined in the framework?

[ZiyamSanthosh]

This concern was addressed with 9f2bc6f

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9772703024

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9773189192

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9772703024
Status: cancelled

[janakamarasena]

Lets add a null check here

[janakamarasena]

also lets take the separators to constants

[ZiyamSanthosh]

This was addressed in both 1a9f83d and 84cbc2f

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9773189192
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/9773189192

[pamodaaw]

https://github.com/wso2-extensions/identity-outbound-auth-oidc/blob/master/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java#L310

Can't we inherit this method from OpenIDConnectAuthenticator

[ZiyamSanthosh]

This was addressed in 1a9f83d

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9789383875

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9789383875
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/9789383875