From 7a3a070679e9852243a5d01ae45504c42a7ffa34 Mon Sep 17 00:00:00 2001 From: gary-archer Date: Mon, 23 Jun 2025 19:07:44 +0100 Subject: [PATCH 1/3] Fixed Kong deployment issue --- deployments/curity/apigateway/kong/Dockerfile | 4 ++-- deployments/curity/idsvr/config-backup.xml | 5 ++--- deployments/external/apigateway/kong/Dockerfile | 2 +- validate-license.sh | 17 +++++++++++++++-- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/deployments/curity/apigateway/kong/Dockerfile b/deployments/curity/apigateway/kong/Dockerfile index 9cfd489..6b63c75 100644 --- a/deployments/curity/apigateway/kong/Dockerfile +++ b/deployments/curity/apigateway/kong/Dockerfile @@ -2,7 +2,7 @@ FROM kong/kong:3.9-ubuntu USER root RUN apt-get update -RUN apt-get install -y git unzip +RUN apt-get install -y git unzip wget # # Install luarocks, and set git options if required @@ -20,4 +20,4 @@ RUN cd /tmp/oauth-proxy && luarocks make oauth-proxy-*.rockspec \ # # Install the Phantom Token plugin and its dependencies # -RUN luarocks install kong-phantom-token 2.0.0 +RUN luarocks install kong-phantom-token 2.0.1 diff --git a/deployments/curity/idsvr/config-backup.xml b/deployments/curity/idsvr/config-backup.xml index 3bc0d70..45d08e5 100644 --- a/deployments/curity/idsvr/config-backup.xml +++ b/deployments/curity/idsvr/config-backup.xml @@ -305,11 +305,10 @@ + - - spa-client - + true diff --git a/deployments/external/apigateway/kong/Dockerfile b/deployments/external/apigateway/kong/Dockerfile index 21674f6..769362e 100644 --- a/deployments/external/apigateway/kong/Dockerfile +++ b/deployments/external/apigateway/kong/Dockerfile @@ -2,7 +2,7 @@ FROM kong/kong:3.9-ubuntu USER root RUN apt-get update -RUN apt-get install -y git unzip +RUN apt-get install -y git unzip wget # # Install luarocks, and set git options if required diff --git a/validate-license.sh b/validate-license.sh index a5979d9..1fa4793 100755 --- a/validate-license.sh +++ b/validate-license.sh 
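Review bot: `RUN apt-get update` and the changed `RUN apt-get install -y git unzip wget` sit in separate layers, so a cached update layer can be reused against a stale package index, and the install keeps recommended packages and the apt lists in the image. Presumably wget is needed by a later build step that is not in this hunk; if it is only used during the build, it still ships in the final image and widens what an attacker inside the container has to work with. I would collapse the two into one instruction, `RUN apt-get update && apt-get install -y --no-install-recommends git unzip wget && rm -rf /var/lib/apt/lists/*`. The same applies to the identical hunk in deployments/external/apigateway/kong/Dockerfile.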
@@ -28,8 +28,21 @@ fi
 LICENSE_DATA=$(cat './license.json')
 LICENSE_JWT=$(echo $LICENSE_DATA | jq -r .License)
 LICENSE_PAYLOAD=$(base64url_decode $(echo $LICENSE_JWT | cut -d '.' -f 2))
-APPLICATIONS_FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[] | select(.feature == "applications")')
-if [ "$APPLICATIONS_FEATURE" == '' ]; then
+
+#
+# Check for token handler permissions
+#
+FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[] | select(.feature == "applications")')
+if [ "$FEATURE" == '' ]; then
 echo 'The license.json file does not include the applications feature'
 exit 1
 fi
+
+#
+# Check for the financial grade package
+#
+FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[] | select(.feature == "financial-grade")')
+if [ "$FEATURE" == '' ]; then
+ echo 'The license.json file does not include the financial-grade feature'
+ exit 1
+fi

From e652af2ec970aa48c3a43b4ab46f807a233d7221 Mon Sep 17 00:00:00 2001
From: gary-archer
Date: Mon, 23 Jun 2025 19:09:56 +0100
Subject: [PATCH 2/3] Fixed Kong deployment issue

---
 validate-license.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/validate-license.sh b/validate-license.sh
index 1fa4793..8e03bc3 100755
--- a/validate-license.sh
+++ b/validate-license.sh
@@ -39,10 +39,12 @@ if [ "$FEATURE" == '' ]; then
 fi
 
 #
-# Check for the financial grade package
+# For Curity deployments, check for the financial grade package
 #
-FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[] | select(.feature == "financial-grade")')
-if [ "$FEATURE" == '' ]; then
- echo 'The license.json file does not include the financial-grade feature'
- exit 1
+if [ "$DEPLOYMENT" == 'curity' ]; then
+ FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[] | select(.feature == "financial-grade")')
+ if [ "$FEATURE" == '' ]; then
+ echo 'The license.json file does not include the financial-grade feature'
+ exit 1
+ fi
 fi

From b27a2ce5c4ecf10c8c94acee58715900c684468c Mon Sep 17 00:00:00 2001
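Review bot: The two new feature checks duplicate the same `echo $LICENSE_PAYLOAD | jq -r ...` / `if [ "$FEATURE" == '' ]` sequence, and the unquoted `$LICENSE_PAYLOAD` lets the shell word-split and glob-expand the decoded JSON before jq sees it. A small helper that takes the feature name, feeds the payload to jq through `printf '%s'` with `--arg`, and tests with `[ -z ... ]` removes both the duplication and the expansion hazard, so each check becomes one line such as `require_feature applications`. The sketch below replaces both added blocks; the `LICENSE_*` assignments above them are unchanged.

```shell
# … unchanged: LICENSE_DATA / LICENSE_JWT / LICENSE_PAYLOAD assignments …

#
# Fail unless the decoded license payload lists the named feature
#
require_feature() {
  local name=$1
  local found
  found=$(printf '%s' "$LICENSE_PAYLOAD" | jq -r --arg f "$name" '.Features[] | select(.feature == $f)')
  if [ -z "$found" ]; then
    echo "The license.json file does not include the $name feature"
    exit 1
  fi
}

require_feature applications
require_feature financial-grade
```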
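Review bot: The new `if [ "$DEPLOYMENT" == 'curity' ]; then` guard keys a license check off a variable that nothing visible in this script sets, and validate-license.sh is run by deploy.sh as a child process (`./validate-license.sh`), so an unset or non-exported `DEPLOYMENT` makes the financial-grade check silently pass rather than fail. Add `: "${DEPLOYMENT:?DEPLOYMENT must be set}"` before the guard so the script fails closed on a missing value. The nested check also repeats the unquoted `echo $LICENSE_PAYLOAD`; `printf '%s' "$LICENSE_PAYLOAD" | jq ...` avoids word-splitting the JSON, and the empty test reads better as `[ -z "$FEATURE" ]`.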
From: "gary.archer" Date: Tue, 24 Jun 2025 09:14:49 +0200 Subject: [PATCH 3/3] README updates --- DEPLOYMENT.md | 20 ++++++++++++++++---- deploy.sh | 16 ++++++++-------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index 69e4952..69d37d8 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md @@ -18,9 +18,6 @@ Edit your `/etc/hosts` file and add these entries: 127.0.0.1 www.product.example bff.product.example login.example.com ``` -Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the applications / token handler feature.\ -Rename it to `license.json` and copy it into the root folder of this project. - Use the [Curity developer portal](https://developer.curity.io/releases/token-handler) to download one of the OAuth Proxy zip files to the root folder of this project: - [Kong OAuth Proxy 2.0.0+](https://developer.curity.io/releases/token-handler?proxy=kong) @@ -39,6 +36,9 @@ Two example deployments are provided, to explain the moving parts of the end-to- ### Scenario 1: SPA uses an External Authorization Server +Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the `applications` feature.\ +Rename the file to `license.json` and copy it into the root folder of this project. + An instance of Keycloak acts as the external authorization server that issues RS256 JWTs as access tokens.\ The OAuth Agent is deployed as a stateless API that issues cookies to the SPA.\ Choose an OAuth proxy type of `kong`, `openresty` or `nginx`: 
@@ -58,7 +58,19 @@ Wait a few minutes for components to come up and then access components: ### Scenario 2: SPA uses the Curity Identity Server as the Authorization Server -The Curity Identity Server issues opaque access tokens.\ +Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the following features.\ +Rename the file to `license.json` and copy it into the root folder of this project. + +- applications +- financial-grade + +The Curity Identity Server deployment demonstrates the following additional features. + +- Opaque access tokens that help to ensure small cookies. +- JWT client assertions as an OAuth client credential. +- Pushed authorization requests (PAR). +- JWT Secured Authorization Response Mode (JARM). + A single instance of the Docker deployment acts as both authorization server and OAuth Agent.\ Choose an OAuth proxy type of `kong`, `openresty` or `nginx`: diff --git a/deploy.sh b/deploy.sh index 29a07a9..782c320 100755 --- a/deploy.sh +++ b/deploy.sh @@ -2,14 +2,6 @@ cd "$(dirname "${BASH_SOURCE[0]}")" -# -# Check that a valid license is available -# -./validate-license.sh -if [ $? -ne 0 ]; then - exit 1 -fi - # # Validate input # @@ -23,6 +15,14 @@ if [ "$OAUTH_PROXY_TYPE" != 'kong' ] && [ "$OAUTH_PROXY_TYPE" != 'openresty' ] & exit 1 fi +# +# Check that a valid license is available +# +./validate-license.sh +if [ $? -ne 0 ]; then + exit 1 +fi + # # Dot source a script that creates environment variables used by the docker compose deployment #
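Review bot: The re-added `./validate-license.sh` followed by `if [ $? -ne 0 ]; then exit 1; fi` is the idiomatic one-liner `./validate-license.sh || exit 1`, which cannot be broken by a statement later inserted between the command and the `$?` test. After PATCH 2/3 the called script decides whether to check the financial-grade feature from `$DEPLOYMENT`; that variable reaches the child process only if deploy.sh exports it before this point, which is not visible in the hunk, so it is worth confirming there is an `export DEPLOYMENT` (or the value is passed explicitly) ahead of this call.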