[maven-release-plugin][skip ci] prepare for next development iteration

(cherry picked from commit d163410e3d)

.github/workflows/ci.yml

@@ -44,14 +44,10 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
-      - id: changed-files
+      - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.16.0
-        uses: Alfresco/alfresco-build-tools/.github/actions/github-list-changes@v8.13.0
-        with:
-          write-list-to-env: true
-      - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v8.13.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Prepare maven cache and check compilation"
@@ -69,12 +65,12 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
-      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v8.16.0
         continue-on-error: true
         with:
           srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
@@ -92,10 +88,10 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/github-download-file@v8.16.0
         with:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           repository: "Alfresco/veracode-baseline-archive"
@@ -148,10 +144,10 @@ jobs:
       !contains(github.event.head_commit.message, '[skip tests]') &&
       !contains(github.event.head_commit.message, '[force]')
     steps:
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
-      - uses: Alfresco/ya-pmd-scan@v4.1.0
+      - uses: Alfresco/ya-pmd-scan@v4.3.0
         with:
           classpath-build-command: "mvn test-compile -ntp -Pags -pl \"-:alfresco-community-repo-docker\""
 
@@ -181,14 +177,14 @@ jobs:
             testAttributes: "-Dtest=AllMmtUnitTestSuite"
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testModule }}
@@ -219,7 +215,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -261,9 +257,9 @@ jobs:
       REQUIRES_INSTALLED_ARTIFACTS: true
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |
@@ -276,7 +272,7 @@ jobs:
         run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }}
@@ -307,7 +303,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -340,9 +336,9 @@ jobs:
         version: ['10.5', '10.6']
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: Run MariaDB ${{ matrix.version }} database
@@ -351,7 +347,7 @@ jobs:
           MARIADB_VERSION: ${{ matrix.version }}
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.version }}
@@ -382,7 +378,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -411,9 +407,9 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run MariaDB 10.11 database"
@@ -422,7 +418,7 @@ jobs:
           MARIADB_VERSION: 10.11
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -453,7 +449,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -482,9 +478,9 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run MySQL 8 database"
@@ -493,7 +489,7 @@ jobs:
           MYSQL_VERSION: 8
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -524,7 +520,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -552,9 +548,9 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run PostgreSQL 14.15 database"
@@ -563,7 +559,7 @@ jobs:
           POSTGRES_VERSION: 14.15
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -594,7 +590,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -622,9 +618,9 @@ jobs:
             !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run PostgreSQL 15.10 database"
@@ -633,7 +629,7 @@ jobs:
           POSTGRES_VERSION: 15.10
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -664,7 +660,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -692,9 +688,9 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run PostgreSQL 16.6 database"
@@ -703,7 +699,7 @@ jobs:
           POSTGRES_VERSION: 16.6
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -734,7 +730,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -760,16 +756,16 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run ActiveMQ"
         run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile activemq up -d
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -800,7 +796,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -860,9 +856,9 @@ jobs:
             mvn-options: '-Dencryption.ssl.keystore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.keystore -Dencryption.ssl.truststore.location=${CI_WORKSPACE}/keystores/alfresco/alfresco.truststore'
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Set transformers tag"
@@ -885,7 +881,7 @@ jobs:
         run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile ${{ matrix.compose-profile }} up -d
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.testSuite }} ${{ matrix.idp }}
@@ -916,7 +912,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -974,9 +970,9 @@ jobs:
       REQUIRES_LOCAL_IMAGES: true
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |
@@ -992,7 +988,7 @@ jobs:
         run: mvn install -pl :alfresco-community-repo-integration-test -am -DskipTests -Pall-tas-tests
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} - ${{ matrix.test-name }}
@@ -1030,7 +1026,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.tests.outcome }}
@@ -1056,16 +1052,16 @@ jobs:
       !contains(github.event.head_commit.message, '[force')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Init"
         run: bash ./scripts/ci/init.sh
       - name: "Run Postgres 16.6 database"
         run: docker compose -f ./scripts/ci/docker-compose/docker-compose.yaml --profile postgres up -d
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1096,7 +1092,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1130,9 +1126,9 @@ jobs:
       REQUIRES_INSTALLED_ARTIFACTS: true
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |
@@ -1140,7 +1136,7 @@ jobs:
           bash ./scripts/ci/build.sh
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (PostgreSQL) ${{ matrix.test-name }}
@@ -1176,9 +1172,9 @@ jobs:
       REQUIRES_INSTALLED_ARTIFACTS: true
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |
@@ -1186,7 +1182,7 @@ jobs:
           bash ./scripts/ci/build.sh
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }} 0${{ matrix.part }} - (MySQL) ${{ matrix.test-name }}
@@ -1218,9 +1214,9 @@ jobs:
       REQUIRES_LOCAL_IMAGES: true
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |
@@ -1234,7 +1230,7 @@ jobs:
           mvn -B install -pl :alfresco-governance-services-automation-community-rest-api -am -Pags -Pall-tas-tests -DskipTests
       - name: "Prepare Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-prepare@v8.16.0
         id: rp-prepare
         with:
           rp-launch-prefix: ${{ env.RP_LAUNCH_PREFIX }}
@@ -1266,7 +1262,7 @@ jobs:
         continue-on-error: true
       - name: "Summarize Report Portal"
         if: github.ref_name == 'master'
-        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.13.0
+        uses: Alfresco/alfresco-build-tools/.github/actions/reportportal-summarize@v8.16.0
         id: rp-summarize
         with:
           tests-outcome: ${{ steps.run-tests.outcome }}
@@ -1308,9 +1304,9 @@ jobs:
       !contains(github.event.head_commit.message, '[force]')
     steps:
       - uses: actions/checkout@v4
-      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/free-hosted-runner-disk-space@v8.16.0
-      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.13.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v8.16.0
       - name: "Build"
         timeout-minutes: ${{ fromJSON(env.GITHUB_ACTIONS_DEPLOY_TIMEOUT) }}
         run: |

.secrets.baseline

@@ -133,21 +133,21 @@
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "b86dc2f033a63f2b7b9e7d270ab806d2910d7572",
         "is_verified": false,
-        "line_number": 299
+        "line_number": 295
       },
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "1bfb0e20f886150ba59b853bcd49dea893e00966",
         "is_verified": false,
-        "line_number": 374
+        "line_number": 370
       },
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/ci.yml",
         "hashed_secret": "128f14373ccfaff49e3664045d3a11b50cbb7b39",
         "is_verified": false,
-        "line_number": 908
+        "line_number": 904
       }
     ],
     ".github/workflows/master_release.yml": [
@@ -1607,7 +1607,7 @@
         "filename": "repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 46,
+        "line_number": 48,
         "is_secret": false
       }
     ],
@@ -1868,5 +1868,5 @@
       }
     ]
   },
-  "generated_at": "2025-02-26T15:13:52Z"
+  "generated_at": "2025-05-13T13:17:41Z"
 }

amps/ags/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <build>

amps/ags/rm-automation/rm-automation-community-rest-api/src/test/java/org/alfresco/rest/rm/community/hold/AddToHoldsBulkV1Tests.java

@@ -131,6 +131,16 @@ public class AddToHoldsBulkV1Tests extends BaseRMRestTest
             .until(() -> getRestAPIFactory().getSearchAPI(null).search(searchRequest).getPagination()
                 .getTotalItems() == NUMBER_OF_FILES);
 
+        RestRequestQueryModel ancestorReq = getContentFromFolderAndAllSubfoldersQuery(rootFolder.getNodeRefWithoutVersion());
+        SearchRequest ancestorSearchRequest = new SearchRequest();
+        ancestorSearchRequest.setQuery(ancestorReq);
+
+        STEP("Wait until paths are indexed.");
+        // to improve stability on CI - seems that sometimes during big load we need to wait longer for the condition
+        await().atMost(120, TimeUnit.SECONDS)
+                .until(() -> getRestAPIFactory().getSearchAPI(null).search(ancestorSearchRequest).getPagination()
+                        .getTotalItems() == NUMBER_OF_FILES);
+
         holdBulkOperation = HoldBulkOperation.builder()
             .query(queryReq)
             .op(HoldBulkOperationType.ADD).build();

amps/ags/rm-community/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <modules>

amps/ags/rm-community/rm-community-repo/pom.xml

@@ -8,7 +8,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <properties>

amps/ags/rm-community/rm-community-repo/test/resources/alfresco/version.properties

@@ -5,7 +5,7 @@
 # Version label
 version.major=25
 version.minor=1
-version.revision=0
+version.revision=1
 version.label=
 
 # Edition label

amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <build>

amps/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <modules>

amps/share-services/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <properties>

core/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo</artifactId>
-      <version>25.1.0.71</version>
+      <version>25.1.2.6-SNAPSHOT</version>
    </parent>
 
    <dependencies>

data-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <properties>

mmt/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <dependencies>

packaging/distribution/pom.xml

@@ -9,6 +9,6 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 </project>

packaging/docker-alfresco/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <modules>

packaging/tests/tas-cmis/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <organization>

packaging/tests/tas-email/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-integration/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/tests/tas-restapi/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <properties>

packaging/tests/tas-webdav/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <developers>

packaging/war/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <properties>

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-community-repo</artifactId>
-    <version>25.1.0.71</version>
+    <version>25.1.2.6-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>Alfresco Community Repo Parent</name>
 
@@ -25,7 +25,7 @@
     <properties>
         <acs.version.major>25</acs.version.major>
         <acs.version.minor>1</acs.version.minor>
-        <acs.version.revision>0</acs.version.revision>
+        <acs.version.revision>2</acs.version.revision>
         <acs.version.label />
         <amp.min.version>${acs.version.major}.0.0</amp.min.version>
 
@@ -155,7 +155,7 @@
         <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
         <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
         <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>25.1.0.71</tag>
+        <tag>HEAD</tag>
     </scm>
 
     <distributionManagement>
@@ -410,7 +410,7 @@
             <dependency>
                 <groupId>commons-beanutils</groupId>
                 <artifactId>commons-beanutils</artifactId>
-                <version>1.9.4</version>
+                <version>1.11.0</version>
             </dependency>
             <dependency>
                 <groupId>commons-codec</groupId>

remote-api/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <dependencies>

repository/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>25.1.0.71</version>
+        <version>25.1.2.6-SNAPSHOT</version>
     </parent>
 
     <dependencies>

repository/src/main/java/org/alfresco/repo/action/executer/AddFeaturesActionExecuter.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -31,6 +31,7 @@ import java.util.List;
 import java.util.Map;
 
 import org.alfresco.repo.action.ParameterDefinitionImpl;
+import org.alfresco.repo.action.access.ActionAccessRestriction;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
 import org.alfresco.service.cmr.action.Action;
 import org.alfresco.service.cmr.action.ParameterDefinition;
@@ -65,7 +66,8 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
     /**
      * Set the node service
      *
-     * @param nodeService  the node service 
+     * @param nodeService
+     *            the node service
      */
     public void setNodeService(NodeService nodeService)
     {
@@ -75,7 +77,8 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
     /**
      * Set the transaction service
      *
-     * @param transactionService    the transaction service
+     * @param transactionService
+     *            the transaction service
      */
     public void setTransactionService(TransactionService transactionService)
     {
@@ -99,14 +102,13 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
         if (this.nodeService.exists(actionedUponNodeRef))
         {
             transactionService.getRetryingTransactionHelper().doInTransaction(
-              new RetryingTransactionCallback<Void>()
+                    new RetryingTransactionCallback<Void>() {
-              {
                         public Void execute() throws Throwable
                         {
                             Map<QName, Serializable> properties = new HashMap<QName, Serializable>();
                             QName aspectQName = null;
 
-                     if(! nodeService.exists(actionedUponNodeRef))
+                            if (!nodeService.exists(actionedUponNodeRef))
                             {
                                 // Node has gone away, skip
                                 return null;
@@ -114,11 +116,12 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
 
                             // Build the aspect details
                             Map<String, Serializable> paramValues = ruleAction.getParameterValues();
+                            removeActionContextParameter(paramValues);
                             for (Map.Entry<String, Serializable> entry : paramValues.entrySet())
                             {
                                 if (entry.getKey().equals(PARAM_ASPECT_NAME) == true)
                                 {
-                             aspectQName = (QName)entry.getValue();
+                                    aspectQName = (QName) entry.getValue();
                                 }
                                 else
                                 {
@@ -133,8 +136,7 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
                             nodeService.addAspect(actionedUponNodeRef, aspectQName, properties);
                             return null;
                         }
-              }
+                    });
-           );
         }
     }
 
@@ -147,4 +149,11 @@ public class AddFeaturesActionExecuter extends ActionExecuterAbstractBase
         paramList.add(new ParameterDefinitionImpl(PARAM_ASPECT_NAME, DataTypeDefinition.QNAME, true, getParamDisplayLabel(PARAM_ASPECT_NAME), false, "ac-aspects"));
     }
 
+    /**
+     * Remove actionContext from the parameter values to declassify as an adhoc property
+     */
+    private void removeActionContextParameter(Map<String, Serializable> paramValues)
+    {
+        paramValues.remove(ActionAccessRestriction.ACTION_CONTEXT_PARAM_NAME);
+    }
 }

repository/src/main/java/org/alfresco/repo/event2/EventGenerator.java

@@ -542,10 +542,7 @@ public class EventGenerator extends AbstractLifecycleBean implements Initializin
     @Override
     protected void onShutdown(ApplicationEvent applicationEvent)
     {
-        if (eventSender != null)
+        // NOOP
-        {
-            eventSender.destroy();
-        }
     }
 
     protected class EventTransactionListener extends TransactionListenerAdapter

repository/src/main/java/org/alfresco/repo/event2/EventSender.java

@@ -52,7 +52,7 @@ public interface EventSender
     }
 
     /**
-     * It's called when the application context is closing, allowing {@link org.alfresco.repo.event2.EventGenerator} to perform cleanup operations.
+     * It's called when the bean instance is destroyed, allowing to perform cleanup operations.
      */
     default void destroy()
     {

repository/src/main/java/org/alfresco/repo/event2/EventSenderFactoryBean.java

@@ -25,15 +25,16 @@
  */
 package org.alfresco.repo.event2;
 
+import java.util.Optional;
+import java.util.concurrent.Executor;
 import jakarta.annotation.Nonnull;
-import org.alfresco.util.PropertyCheck;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.beans.factory.config.AbstractFactoryBean;
 import org.springframework.core.env.PropertyResolver;
 
-import java.util.Optional;
+import org.alfresco.util.PropertyCheck;
-import java.util.concurrent.Executor;
 
 public class EventSenderFactoryBean extends AbstractFactoryBean<EventSender>
 {
@@ -155,4 +156,13 @@ public class EventSenderFactoryBean extends AbstractFactoryBean<EventSender>
     {
         return event2MessageProducer;
     }
+
+    @Override
+    protected void destroyInstance(EventSender eventSender)
+    {
+        if (eventSender != null)
+        {
+            eventSender.destroy();
+        }
+    }
 }

repository/src/main/java/org/alfresco/repo/rendition2/LocalTransformClient.java

@@ -37,6 +37,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.transform.config.CoreFunction;
 import org.alfresco.util.PropertyCheck;
+import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.InitializingBean;
@@ -46,6 +47,7 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
+import java.util.concurrent.ThreadFactory;
 
 import static org.alfresco.model.ContentModel.PROP_CONTENT;
 import static org.alfresco.transform.common.RequestParamMap.DIRECT_ACCESS_URL;
@@ -68,6 +70,7 @@ public class LocalTransformClient implements TransformClient, InitializingBean
     private ContentService contentService;
     private RenditionService2Impl renditionService2;
     private boolean directAccessUrlEnabled;
+    private int threadPoolSize;
 
     private ExecutorService executorService;
     private ThreadLocal<LocalTransform> transform = new ThreadLocal<>();
@@ -97,6 +100,11 @@ public class LocalTransformClient implements TransformClient, InitializingBean
         this.directAccessUrlEnabled = directAccessUrlEnabled;
     }
 
+    public void setThreadPoolSize(int threadPoolSize)
+    {
+        this.threadPoolSize = threadPoolSize;
+    }
+
     public void setExecutorService(ExecutorService executorService)
     {
         this.executorService = executorService;
@@ -110,9 +118,11 @@ public class LocalTransformClient implements TransformClient, InitializingBean
         PropertyCheck.mandatory(this, "contentService", contentService);
         PropertyCheck.mandatory(this, "renditionService2", renditionService2);
         PropertyCheck.mandatory(this, "directAccessUrlEnabled", directAccessUrlEnabled);
+        PropertyCheck.mandatory(this, "threadPoolSize", threadPoolSize);
         if (executorService == null)
         {
-            executorService = Executors.newCachedThreadPool();
+            ThreadFactory threadFactory = new ThreadFactoryBuilder().setNameFormat("local-transform-%d").build();
+            executorService = Executors.newFixedThreadPool(threadPoolSize, threadFactory);
         }
     }
 

repository/src/main/java/org/alfresco/repo/rendition2/RenditionService2Impl.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -25,6 +25,24 @@
  */
 package org.alfresco.repo.rendition2;
 
+import static org.alfresco.model.ContentModel.PROP_CONTENT;
+import static org.alfresco.model.RenditionModel.PROP_RENDITION_CONTENT_HASH_CODE;
+import static org.alfresco.service.namespace.QName.createQName;
+
+import java.io.InputStream;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.InitializingBean;
+
 import org.alfresco.model.ContentModel;
 import org.alfresco.model.RenditionModel;
 import org.alfresco.repo.content.ContentServicePolicies;
@@ -51,23 +69,6 @@ import org.alfresco.service.namespace.QName;
 import org.alfresco.service.namespace.RegexQNamePattern;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.PropertyCheck;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
-
-import java.io.InputStream;
-import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-import static org.alfresco.model.ContentModel.PROP_CONTENT;
-import static org.alfresco.model.RenditionModel.PROP_RENDITION_CONTENT_HASH_CODE;
-import static org.alfresco.service.namespace.QName.createQName;
 
 /**
  * The Async Rendition service. Replaces the original deprecated RenditionService.
@@ -80,11 +81,19 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
 
     public static final QName DEFAULT_RENDITION_CONTENT_PROP = ContentModel.PROP_CONTENT;
     public static final String DEFAULT_MIMETYPE = MimetypeMap.MIMETYPE_TEXT_PLAIN;
+    public static final String MIMETYPE_METADATA_EXTRACT = "alfresco-metadata-extract";
+    public static final String MIMETYPE_METADATA_EMBED = "alfresco-metadata-embed";
     public static final String DEFAULT_ENCODING = "UTF-8";
 
     public static final int SOURCE_HAS_NO_CONTENT = -1;
     public static final int RENDITION2_DOES_NOT_EXIST = -2;
 
+    // Allowed mimetypes to support text or metadata extract transforms when thumbnails are disabled.
+    private static final Set<String> ALLOWED_MIMETYPES = Set.of(
+            MimetypeMap.MIMETYPE_TEXT_PLAIN,
+            MIMETYPE_METADATA_EXTRACT,
+            MIMETYPE_METADATA_EMBED);
+
     private static Log logger = LogFactory.getLog(RenditionService2Impl.class);
 
     // As Async transforms and renditions are so similar, this class provides a way to provide the code that is different.
@@ -95,12 +104,10 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
         abstract RenditionDefinition2 getRenditionDefinition();
 
         void handleUnsupported(UnsupportedOperationException e)
-        {
+        {}
-        }
 
         void throwIllegalStateExceptionIfAlreadyDone(int sourceContentHashCode)
-        {
+        {}
-        }
     }
 
     private TransactionService transactionService;
@@ -217,8 +224,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     @Override
     public void transform(NodeRef sourceNodeRef, TransformDefinition transformDefinition)
     {
-        requestAsyncTransformOrRendition(sourceNodeRef, new RenderOrTransformCallBack()
+        requestAsyncTransformOrRendition(sourceNodeRef, new RenderOrTransformCallBack() {
-        {
             @Override
             public String getName()
             {
@@ -237,8 +243,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     @Override
     public void render(NodeRef sourceNodeRef, String renditionName)
     {
-        requestAsyncTransformOrRendition(sourceNodeRef, new RenderOrTransformCallBack()
+        requestAsyncTransformOrRendition(sourceNodeRef, new RenderOrTransformCallBack() {
-        {
             @Override
             public String getName()
             {
@@ -277,7 +282,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
                 int renditionContentHashCode = getRenditionContentHashCode(renditionNode);
                 if (logger.isDebugEnabled())
                 {
-                    logger.debug(getName() + ": Source " + sourceContentHashCode + " rendition " + renditionContentHashCode+ " hashCodes");
+                    logger.debug(getName() + ": Source " + sourceContentHashCode + " rendition " + renditionContentHashCode + " hashCodes");
                 }
                 if (renditionContentHashCode == sourceContentHashCode)
                 {
@@ -291,7 +296,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     {
         try
         {
-            if (!isEnabled())
+            if (!isAsyncAllowed(renderOrTransform))
             {
                 throw new RenditionService2Exception("Async transforms and renditions are disabled " +
                         "(system.thumbnail.generate=false or renditionService2.enabled=false).");
@@ -299,14 +304,14 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
 
             if (!nodeService.exists(sourceNodeRef))
             {
-                throw new IllegalArgumentException(renderOrTransform.getName()+ ": The supplied sourceNodeRef "+sourceNodeRef+" does not exist.");
+                throw new IllegalArgumentException(renderOrTransform.getName() + ": The supplied sourceNodeRef " + sourceNodeRef + " does not exist.");
             }
 
             RenditionDefinition2 renditionDefinition = renderOrTransform.getRenditionDefinition();
 
             if (logger.isDebugEnabled())
             {
-                logger.debug(renderOrTransform.getName()+ ": transform " +sourceNodeRef);
+                logger.debug(renderOrTransform.getName() + ": transform " + sourceNodeRef);
             }
 
             AtomicBoolean supported = new AtomicBoolean(true);
@@ -328,14 +333,13 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
             }
 
             String user = AuthenticationUtil.getRunAsUser();
-            RetryingTransactionHelper.RetryingTransactionCallback callback = () ->
+            RetryingTransactionHelper.RetryingTransactionCallback callback = () -> {
-            {
                 int sourceContentHashCode = getSourceContentHashCode(sourceNodeRef);
                 if (!supported.get())
                 {
                     if (logger.isDebugEnabled())
                     {
-                        logger.debug(renderOrTransform.getName() +" is not supported. " +
+                        logger.debug(renderOrTransform.getName() + " is not supported. " +
                                 "The content might be too big or the source mimetype cannot be converted.");
                     }
                     failure(sourceNodeRef, renditionDefinition, sourceContentHashCode);
@@ -372,9 +376,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     public void failure(NodeRef sourceNodeRef, RenditionDefinition2 renditionDefinition, int transformContentHashCode)
     {
         // The original transaction may have already have failed
-        AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () ->
+        AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () -> transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-                transactionService.getRetryingTransactionHelper().doInTransaction(() ->
-                {
             consume(sourceNodeRef, null, renditionDefinition, transformContentHashCode);
             return null;
         }, false, true));
@@ -386,12 +388,12 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
         int sourceContentHashCode = getSourceContentHashCode(sourceNodeRef);
         if (logger.isDebugEnabled())
         {
-            logger.debug("Consume: Source " + sourceContentHashCode + " and transform's source " + transformContentHashCode+" hashcodes");
+            logger.debug("Consume: Source " + sourceContentHashCode + " and transform's source " + transformContentHashCode + " hashcodes");
         }
 
         if (renditionDefinition instanceof TransformDefinition)
         {
-            TransformDefinition transformDefinition = (TransformDefinition)renditionDefinition;
+            TransformDefinition transformDefinition = (TransformDefinition) renditionDefinition;
             String targetMimetype = transformDefinition.getTargetMimetype();
             if (AsynchronousExtractor.isMetadataExtractMimetype(targetMimetype))
             {
@@ -484,9 +486,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     }
 
     /**
-     *  Takes a transformation (InputStream) and attaches it as a rendition to the source node.
+     * Takes a transformation (InputStream) and attaches it as a rendition to the source node. Does nothing if there is already a newer rendition. If the transformInputStream is null, this is taken to be a transform failure.
-     *  Does nothing if there is already a newer rendition.
-     *  If the transformInputStream is null, this is taken to be a transform failure.
      */
     private void consumeRendition(NodeRef sourceNodeRef, int sourceContentHashCode, InputStream transformInputStream,
             RenditionDefinition2 renditionDefinition, int transformContentHashCode)
@@ -507,9 +507,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
                         (transformInputStream == null ? " to null as the transform failed" : " to the transform result"));
             }
 
-            AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () ->
+            AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () -> transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-                    transactionService.getRetryingTransactionHelper().doInTransaction(() ->
-                    {
                 // Ensure that the creation of a rendition does not cause updates to the modified, modifier properties on the source node
                 NodeRef renditionNode = getRenditionNode(sourceNodeRef, renditionName);
                 boolean createRenditionNode = renditionNode == null;
@@ -555,7 +553,8 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
                             long sizeOfRendition = contentReader.getSize();
                             if (sizeOfRendition > 0L)
                             {
-                                        if (logger.isDebugEnabled()) {
+                                if (logger.isDebugEnabled())
+                                {
                                     logger.debug("Set rendition hashcode for " + renditionName);
                                 }
                                 nodeService.setProperty(renditionNode, RenditionModel.PROP_RENDITION_CONTENT_HASH_CODE, transformContentHashCode);
@@ -634,14 +633,14 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
 
         if (logger.isTraceEnabled())
         {
-            logger.trace("Setting thumbnail last modified date to " + lastModifiedValue +" on source node: " + sourceNodeRef);
+            logger.trace("Setting thumbnail last modified date to " + lastModifiedValue + " on source node: " + sourceNodeRef);
         }
 
         if (nodeService.hasAspect(sourceNodeRef, ContentModel.ASPECT_THUMBNAIL_MODIFICATION))
         {
             List<String> thumbnailMods = (List<String>) nodeService.getProperty(sourceNodeRef, ContentModel.PROP_LAST_THUMBNAIL_MODIFICATION_DATA);
             String target = null;
-            for (String currThumbnailMod: thumbnailMods)
+            for (String currThumbnailMod : thumbnailMods)
             {
                 if (currThumbnailMod.startsWith(prefix))
                 {
@@ -665,8 +664,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     }
 
     /**
-     * Returns the hash code of the source node's content url. As transformations may be returned in a different
+     * Returns the hash code of the source node's content url. As transformations may be returned in a different sequences to which they were requested, this is used work out if a rendition should be replaced.
-     * sequences to which they were requested, this is used work out if a rendition should be replaced.
      */
     private int getSourceContentHashCode(NodeRef sourceNodeRef)
     {
@@ -675,7 +673,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
         if (contentData != null)
         {
             // Originally we used the contentData URL, but that is not enough if the mimetype changes.
-            String contentString = contentData.getContentUrl()+contentData.getMimetype();
+            String contentString = contentData.getContentUrl() + contentData.getMimetype();
             if (contentString != null)
             {
                 hashCode = contentString.hashCode();
@@ -685,13 +683,11 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     }
 
     /**
-     * Returns the hash code of source node's content url on the rendition node (node may be null) if it does not exist.
+     * Returns the hash code of source node's content url on the rendition node (node may be null) if it does not exist. Used work out if a rendition should be replaced. {@code -2} is returned if the rendition does not exist or was not created by RenditionService2. {@code -1} is returned if there was no source content or the rendition failed.
-     * Used work out if a rendition should be replaced. {@code -2} is returned if the rendition does not exist or was
-     * not created by RenditionService2. {@code -1} is returned if there was no source content or the rendition failed.
      */
     private int getRenditionContentHashCode(NodeRef renditionNode)
     {
-        if ( renditionNode == null || !nodeService.hasAspect(renditionNode, RenditionModel.ASPECT_RENDITION2))
+        if (renditionNode == null || !nodeService.hasAspect(renditionNode, RenditionModel.ASPECT_RENDITION2))
         {
             return RENDITION2_DOES_NOT_EXIST;
         }
@@ -699,7 +695,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
         Serializable hashCode = nodeService.getProperty(renditionNode, PROP_RENDITION_CONTENT_HASH_CODE);
         return hashCode == null
                 ? SOURCE_HAS_NO_CONTENT
-                : (int)hashCode;
+                : (int) hashCode;
     }
 
     private NodeRef getRenditionNode(NodeRef sourceNodeRef, String renditionName)
@@ -773,11 +769,12 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     }
 
     /**
-     * This method checks whether the specified source node is of a content class which has been registered for
+     * This method checks whether the specified source node is of a content class which has been registered for rendition prevention.
-     * rendition prevention.
      *
-     * @param sourceNode the node to check.
+     * @param sourceNode
-     * @throws RenditionService2PreventedException if the source node is configured for rendition prevention.
+     *            the node to check.
+     * @throws RenditionService2PreventedException
+     *             if the source node is configured for rendition prevention.
      */
     // This code is based on the old RenditionServiceImpl.checkSourceNodeForPreventionClass(...)
     private void checkSourceNodeForPreventionClass(NodeRef sourceNode)
@@ -833,8 +830,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
     }
 
     /**
-     * Indicates if the rendition is available. Failed renditions (there was an error) don't have a contentUrl
+     * Indicates if the rendition is available. Failed renditions (there was an error) don't have a contentUrl and out of date renditions or those still being created don't have a matching contentHashCode.
-     * and out of date renditions or those still being created don't have a matching contentHashCode.
      */
     public boolean isRenditionAvailable(NodeRef sourceNodeRef, NodeRef renditionNode)
     {
@@ -852,7 +848,7 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
                 int renditionContentHashCode = getRenditionContentHashCode(renditionNode);
                 if (logger.isDebugEnabled())
                 {
-                    logger.debug("isRenditionAvailable source " + sourceContentHashCode + " and rendition " + renditionContentHashCode+" hashcodes");
+                    logger.debug("isRenditionAvailable source " + sourceContentHashCode + " and rendition " + renditionContentHashCode + " hashcodes");
                 }
                 if (sourceContentHashCode != renditionContentHashCode)
                 {
@@ -892,16 +888,14 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
             }
             ChildAssociationRef childAssoc = renditions.get(0);
             NodeRef renditionNode = childAssoc.getChildRef();
-            return !isRenditionAvailable(sourceNodeRef, renditionNode) ? null: childAssoc;
+            return !isRenditionAvailable(sourceNodeRef, renditionNode) ? null : childAssoc;
         }
     }
 
     @Override
     public void clearRenditionContentDataInTransaction(NodeRef renditionNode)
     {
-        AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () ->
+        AuthenticationUtil.runAsSystem((AuthenticationUtil.RunAsWork<Void>) () -> transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-                transactionService.getRetryingTransactionHelper().doInTransaction(() ->
-                {
             clearRenditionContentData(renditionNode);
             return null;
         }, false, true));
@@ -950,4 +944,23 @@ public class RenditionService2Impl implements RenditionService2, InitializingBea
         }
     }
 
+    // Checks if the given transform callback is a text extract transform for content indexing or metadata extract/embed.
+    private boolean isTextOrMetadataExtractTransform(RenderOrTransformCallBack renderOrTransform)
+    {
+        RenditionDefinition2 renditionDefinition = renderOrTransform.getRenditionDefinition();
+        return renditionDefinition != null && ALLOWED_MIMETYPES.contains(renditionDefinition.getTargetMimetype());
+    }
+
+    private boolean isAsyncAllowed(RenderOrTransformCallBack renderOrTransform)
+    {
+        // If enabled is false, all async transforms/renditions must be blocked
+        if (!enabled)
+        {
+            return false;
+        }
+
+        // If thumbnails are disabled, allow only text extract or metadata extract/embed transforms
+        return thumbnailsEnabled || isTextOrMetadataExtractTransform(renderOrTransform);
+    }
+
 }

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java

@@ -25,22 +25,20 @@
  */
 package org.alfresco.repo.security.authentication.identityservice;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
-import org.apache.commons.logging.Log;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
-import org.apache.commons.logging.LogFactory;
 
 /**
  *
- * Authenticates a user against Identity Service (Keycloak/Authorization Server).
+ * Authenticates a user against Identity Service (Keycloak/Authorization Server). {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the user credentials are valid. <br>
- * {@link IdentityServiceFacade} is used to verify provided user credentials. User is set as the current user if the
+ * The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator will just fall through to the next one in the chain.
- * user credentials are valid.
- * <br>
- * The {@link IdentityServiceAuthenticationComponent#identityServiceFacade} can be null in which case this authenticator
- * will just fall through to the next one in the chain.
  *
  */
 public class IdentityServiceAuthenticationComponent extends AbstractAuthenticationComponent implements ActivateableBean
@@ -48,7 +46,7 @@ public class IdentityServiceAuthenticationComponent extends AbstractAuthenticati
     private final Log LOGGER = LogFactory.getLog(IdentityServiceAuthenticationComponent.class);
     /** client used to authenticate user credentials against Authorization Server **/
     private IdentityServiceFacade identityServiceFacade;
-    /** enabled flag for the identity service subsystem**/
+    /** enabled flag for the identity service subsystem **/
     private boolean active;
 
     private IdentityServiceJITProvisioningHandler jitProvisioningHandler;

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceConfig.java

@@ -69,6 +69,13 @@ public class IdentityServiceConfig
     private boolean clientIdValidationDisabled;
     private String adminConsoleRedirectPath;
     private String signatureAlgorithms;
+    private String adminConsoleScopes;
+    private String passwordGrantScopes;
+    private String issuerAttribute;
+    private String firstNameAttribute;
+    private String lastNameAttribute;
+    private String emailAttribute;
+    private long jwtClockSkewMs;
 
     /**
      *
@@ -81,7 +88,8 @@ public class IdentityServiceConfig
 
     /**
      *
-     * @param clientConnectionTimeout Client connection timeout in milliseconds.
+     * @param clientConnectionTimeout
+     *            Client connection timeout in milliseconds.
      */
     public void setClientConnectionTimeout(int clientConnectionTimeout)
     {
@@ -99,7 +107,8 @@ public class IdentityServiceConfig
 
     /**
      *
-     * @param clientSocketTimeout Client socket timeout in milliseconds.
+     * @param clientSocketTimeout
+     *            Client socket timeout in milliseconds.
      */
     public void setClientSocketTimeout(int clientSocketTimeout)
     {
@@ -327,4 +336,78 @@ public class IdentityServiceConfig
     {
         this.signatureAlgorithms = signatureAlgorithms;
     }
+
+    public String getIssuerAttribute()
+    {
+        return issuerAttribute;
+    }
+
+    public void setIssuerAttribute(String issuerAttribute)
+    {
+        this.issuerAttribute = issuerAttribute;
+    }
+
+    public Set<String> getAdminConsoleScopes()
+    {
+        return Stream.of(adminConsoleScopes.split(","))
+                .map(String::trim)
+                .collect(Collectors.toUnmodifiableSet());
+    }
+
+    public void setAdminConsoleScopes(String adminConsoleScopes)
+    {
+        this.adminConsoleScopes = adminConsoleScopes;
+    }
+
+    public Set<String> getPasswordGrantScopes()
+    {
+        return Stream.of(passwordGrantScopes.split(","))
+                .map(String::trim)
+                .collect(Collectors.toUnmodifiableSet());
+    }
+
+    public void setPasswordGrantScopes(String passwordGrantScopes)
+    {
+        this.passwordGrantScopes = passwordGrantScopes;
+    }
+
+    public void setFirstNameAttribute(String firstNameAttribute)
+    {
+        this.firstNameAttribute = firstNameAttribute;
+    }
+
+    public void setLastNameAttribute(String lastNameAttribute)
+    {
+        this.lastNameAttribute = lastNameAttribute;
+    }
+
+    public void setEmailAttribute(String emailAttribute)
+    {
+        this.emailAttribute = emailAttribute;
+    }
+
+    public void setJwtClockSkewMs(long jwtClockSkewMs)
+    {
+        this.jwtClockSkewMs = jwtClockSkewMs;
+    }
+
+    public String getFirstNameAttribute()
+    {
+        return firstNameAttribute;
+    }
+
+    public String getLastNameAttribute()
+    {
+        return lastNameAttribute;
+    }
+
+    public String getEmailAttribute()
+    {
+        return emailAttribute;
+    }
+
+    public long getJwtClockSkewMs()
+    {
+        return jwtClockSkewMs;
+    }
 }

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacade.java

@@ -34,6 +34,9 @@ import java.util.Optional;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
 /**
  * Allows to interact with the Identity Service
  */
@@ -41,28 +44,36 @@ public interface IdentityServiceFacade
 {
     /**
      * Returns {@link AccessToken} based authorization for provided {@link AuthorizationGrant}.
-     * @param grant the OAuth2 grant provided by the Resource Owner.
+     * 
+     * @param grant
+     *            the OAuth2 grant provided by the Resource Owner.
      * @return {@link AccessTokenAuthorization} containing access token and optional refresh token.
-     * @throws {@link AuthorizationException} when provided grant cannot be exchanged for the access token.
+     * @throws {@link
+     *             AuthorizationException} when provided grant cannot be exchanged for the access token.
      */
     AccessTokenAuthorization authorize(AuthorizationGrant grant) throws AuthorizationException;
 
     /**
      * Decodes the access token into the {@link DecodedAccessToken} which contains claims connected with a given token.
-     * @param token {@link String} with encoded access token value.
+     * 
+     * @param token
+     *            {@link String} with encoded access token value.
      * @return {@link DecodedAccessToken} containing decoded claims.
-     * @throws {@link TokenDecodingException} when token decoding failed.
+     * @throws {@link
+     *             TokenDecodingException} when token decoding failed.
      */
     DecodedAccessToken decodeToken(String token) throws TokenDecodingException;
 
     /**
-     * Gets claims about the authenticated user,
+     * Gets claims about the authenticated user, such as name and email address, via the UserInfo endpoint of the OpenID provider.
-     * such as name and email address, via the UserInfo endpoint of the OpenID provider.
+     * 
-     * @param token {@link String} with encoded access token value.
+     * @param token
-     * @param principalAttribute {@link String} the attribute name used to access the user's name from the user info response.
+     *            {@link String} with encoded access token value.
-     * @return {@link OIDCUserInfo} containing user claims.
+     * @param userInfoAttrMapping
+     *            {@link UserInfoAttrMapping} containing the mapping of claims.
+     * @return {@link DecodedTokenUser} containing user claims or {@link Optional#empty()} if the token does not contain a username claim.
      */
-    Optional<OIDCUserInfo> getUserInfo(String token, String principalAttribute);
+    Optional<DecodedTokenUser> getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping);
 
     /**
      * Gets a client registration
@@ -129,19 +140,23 @@ public interface IdentityServiceFacade
     {
         /**
          * Required {@link AccessToken}
+         * 
          * @return {@link AccessToken}
          */
         AccessToken getAccessToken();
 
         /**
          * Optional refresh token.
+         * 
          * @return Refresh token or {@code null}
          */
         String getRefreshTokenValue();
     }
 
-    interface AccessToken {
+    interface AccessToken
+    {
         String getTokenValue();
+
         Instant getExpiresAt();
     }
 
@@ -150,7 +165,8 @@ public interface IdentityServiceFacade
         Object getClaim(String claim);
     }
 
-    class AuthorizationGrant {
+    class AuthorizationGrant
+    {
         private final String username;
         private final String password;
         private final String refreshToken;

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java

@@ -72,9 +72,8 @@ import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.id.Identifier;
 import com.nimbusds.oauth2.sdk.id.Issuer;
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -98,6 +97,7 @@ import org.springframework.http.client.ClientHttpRequest;
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.http.converter.FormHttpMessageConverter;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.security.converter.RsaKeyConverters;
 import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
 import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
@@ -125,6 +125,10 @@ import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
 /**
  * Creates an instance of {@link IdentityServiceFacade}. <br>
  * This factory can return a null if it is disabled.
@@ -134,6 +138,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
     private static final Log LOGGER = LogFactory.getLog(IdentityServiceFacadeFactoryBean.class);
 
     private static final JOSEObjectType AT_JWT = new JOSEObjectType("at+jwt");
+    private static final String DEFAULT_ISSUER_ATTR = "issuer";
 
     private boolean enabled;
     private SpringBasedIdentityServiceFacadeFactory factory;
@@ -148,8 +153,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         factory = new SpringBasedIdentityServiceFacadeFactory(
                 new HttpClientProvider(identityServiceConfig)::createHttpClient,
                 new ClientRegistrationProvider(identityServiceConfig)::createClientRegistration,
-            new JwtDecoderProvider(identityServiceConfig)::createJwtDecoder
+                new JwtDecoderProvider(identityServiceConfig)::createJwtDecoder);
-        );
     }
 
     @Override
@@ -207,9 +211,9 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         }
 
         @Override
-        public Optional<OIDCUserInfo> getUserInfo(String token, String principalAttribute)
+        public Optional<DecodedTokenUser> getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping)
         {
-            return getTargetFacade().getUserInfo(token, principalAttribute);
+            return getTargetFacade().getUserInfo(token, userInfoAttrMapping);
         }
 
         @Override
@@ -221,8 +225,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         private IdentityServiceFacade getTargetFacade()
         {
             return ofNullable(targetFacade.get())
-                .orElseGet(() -> targetFacade.updateAndGet(prev ->
+                    .orElseGet(() -> targetFacade.updateAndGet(prev -> ofNullable(prev).orElseGet(this::createTargetFacade)));
-                    ofNullable(prev).orElseGet(this::createTargetFacade)));
         }
 
         private IdentityServiceFacade createTargetFacade()
@@ -261,7 +264,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
 
         private IdentityServiceFacade createIdentityServiceFacade()
         {
-            //Here we preserve the behaviour of previously used Keycloak Adapter
+            // Here we preserve the behaviour of previously used Keycloak Adapter
             // * Client is authenticating itself using basic auth
             // * Resource Owner Password Credentials Flow is used to authenticate Resource Owner
 
@@ -279,7 +282,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         private RestTemplate createOAuth2RestTemplate(ClientHttpRequestFactory requestFactory)
         {
             final RestTemplate restTemplate = new RestTemplate(
-                Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
+                    Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
             restTemplate.setRequestFactory(requestFactory);
             restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
 
@@ -387,8 +390,6 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
     {
         private final IdentityServiceConfig config;
 
-        private static final Set<String> SCOPES = Set.of("openid", "profile", "email");
-
         ClientRegistrationProvider(IdentityServiceConfig config)
         {
             this.config = requireNonNull(config);
@@ -458,12 +459,11 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
                     .map(URI::toASCIIString)
                     .orElse(null);
 
-            final String issuerUri = Optional.of(metadata)
+            var metadataIssuer = getMetadataIssuer(metadata, config);
-                .map(OIDCProviderMetadata::getIssuer)
+            final String issuerUri = metadataIssuer
-                .map(Issuer::getValue)
+                    .orElseGet(() -> (StringUtils.isNotBlank(config.getRealm()) && StringUtils.isBlank(config.getIssuerUrl())) ? config.getAuthServerUrl() : config.getIssuerUrl());
-                .orElseGet(() -> (StringUtils.isNotBlank(config.getRealm()) && StringUtils.isBlank(config.getIssuerUrl())) ?
+
-                    config.getAuthServerUrl() :
+            final var usernameAttribute = StringUtils.isNotBlank(config.getPrincipalAttribute()) ? config.getPrincipalAttribute() : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
-                    config.getIssuerUrl());
 
             return ClientRegistration
                     .withRegistrationId("ids")
@@ -472,6 +472,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
                     .jwkSetUri(metadata.getJWKSetURI().toASCIIString())
                     .issuerUri(issuerUri)
                     .userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString())
+                    .userNameAttributeName(usernameAttribute)
                     .scope(getSupportedScopes(metadata.getScopes()))
                     .providerConfigurationMetadata(createMetadata(metadata))
                     .authorizationGrantType(AuthorizationGrantType.PASSWORD);
@@ -480,11 +481,11 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         private Map<String, Object> createMetadata(OIDCProviderMetadata metadata)
         {
             Map<String, Object> configurationMetadata = new LinkedHashMap<>();
-            if(metadata.getScopes() != null)
+            if (metadata.getScopes() != null)
             {
                 configurationMetadata.put(SCOPES_SUPPORTED.getValue(), metadata.getScopes());
             }
-            if(StringUtils.isNotBlank(config.getAudience()))
+            if (StringUtils.isNotBlank(config.getAudience()))
             {
                 configurationMetadata.put(AUDIENCE.getValue(), config.getAudience());
             }
@@ -505,11 +506,17 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
 
         private Set<String> getSupportedScopes(Scope scopes)
         {
-            return scopes.stream().filter(scope -> SCOPES.contains(scope.getValue()))
+            return scopes.stream()
+                    .filter(this::hasPasswordGrantScope)
                     .map(Identifier::getValue)
                     .collect(Collectors.toSet());
         }
 
+        private boolean hasPasswordGrantScope(Scope.Value scope)
+        {
+            return config.getPasswordGrantScopes().contains(scope.getValue());
+        }
+
         private Optional<OIDCProviderMetadata> extractMetadata(RestOperations rest, URI metadataUri)
         {
             final String response;
@@ -548,9 +555,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
                         "Failed to create ClientRegistration. The values of issuer url and auth server url cannot both be empty.");
             }
 
-            String baseUrl = StringUtils.isNotBlank(config.getAuthServerUrl()) ?
+            String baseUrl = StringUtils.isNotBlank(config.getAuthServerUrl()) ? config.getAuthServerUrl() : config.getIssuerUrl();
-                config.getAuthServerUrl() :
-                config.getIssuerUrl();
 
             return List.of(UriComponentsBuilder.fromUriString(baseUrl)
                     .pathSegment(".well-known", "openid-configuration")
@@ -558,6 +563,18 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         }
     }
 
+    private static Optional<String> getMetadataIssuer(OIDCProviderMetadata metadata, IdentityServiceConfig config)
+    {
+        return DEFAULT_ISSUER_ATTR.equals(config.getIssuerAttribute()) ? Optional.of(metadata)
+                .map(OIDCProviderMetadata::getIssuer)
+                .map(Issuer::getValue)
+                : Optional.of(metadata)
+                        .map(OIDCProviderMetadata::getCustomParameters)
+                        .map(map -> map.get(config.getIssuerAttribute()))
+                        .filter(String.class::isInstance)
+                        .map(String.class::cast);
+    }
+
     static class JwtDecoderProvider
     {
         private static final SignatureAlgorithm DEFAULT_SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
@@ -657,7 +674,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         private OAuth2TokenValidator<Jwt> createJwtTokenValidator(ProviderDetails providerDetails)
         {
             List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
-            validators.add(new JwtTimestampValidator(Duration.of(0, ChronoUnit.MILLIS)));
+            validators.add(new JwtTimestampValidator(Duration.of(config.getJwtClockSkewMs(), ChronoUnit.MILLIS)));
             validators.add(new JwtIssuerValidator(providerDetails.getIssuerUri()));
             if (!config.isClientIdValidationDisabled())
             {
@@ -680,7 +697,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
             {
                 if (isPemFormatException(e))
                 {
-                    //For backward compatibility with Keycloak adapter
+                    // For backward compatibility with Keycloak adapter
                     return tryToParsePublicKey("-----BEGIN PUBLIC KEY-----\n" + pem + "\n-----END PUBLIC KEY-----");
                 }
                 throw e;
@@ -758,11 +775,11 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
             final Object audience = token.getClaim(JwtClaimNames.AUD);
             if (audience != null)
             {
-                if(audience instanceof List && ((List<String>) audience).contains(configuredAudience))
+                if (audience instanceof List && ((List<String>) audience).contains(configuredAudience))
                 {
                     return OAuth2TokenValidatorResult.success();
                 }
-                if(audience instanceof String && audience.equals(configuredAudience))
+                if (audience instanceof String && audience.equals(configuredAudience))
                 {
                     return OAuth2TokenValidatorResult.success();
                 }
@@ -786,10 +803,7 @@ public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentitySer
         @Override
         public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException
         {
-            /*
+            /* This is to avoid the Brotli content encoding that is not well-supported by the combination of the Apache Http Client and the Spring RestTemplate */
-             * This is to avoid the Brotli content encoding that is not well-supported by the combination of
-             * the Apache Http Client and the Spring RestTemplate
-             */
             ClientHttpRequest request = super.createRequest(uri, httpMethod);
             request.getHeaders()
                     .add("Accept-Encoding", "gzip, deflate");

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandler.java

@@ -30,54 +30,33 @@ import java.io.Serializable;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
-import java.util.function.BiFunction;
 import java.util.function.Predicate;
 
-import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import org.apache.commons.lang3.StringUtils;
-import com.nimbusds.openid.connect.sdk.claims.UserInfo;
 
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken;
+import org.alfresco.repo.security.authentication.identityservice.user.AccessTokenToDecodedTokenUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+import org.alfresco.repo.security.authentication.identityservice.user.TokenUserToOIDCUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.service.transaction.TransactionService;
-import org.apache.commons.lang3.StringUtils;
 
 /**
- * This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo}
+ * This class handles Just in Time user provisioning. It extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository.
- * from {@link IdentityServiceFacade.DecodedAccessToken} or {@link UserInfo}
- * and creates a new user if it does not exist in the repository.
  */
 public class IdentityServiceJITProvisioningHandler
 {
-    private final IdentityServiceConfig identityServiceConfig;
     private final IdentityServiceFacade identityServiceFacade;
     private final PersonService personService;
     private final TransactionService transactionService;
-
+    private final IdentityServiceConfig identityServiceConfig;
-    private final BiFunction<DecodedAccessToken, String, Optional<? extends OIDCUserInfo>> mapTokenToUserInfoResponse = (token, usernameMappingClaim) -> {
+    private UserInfoAttrMapping userInfoAttrMapping;
-        Optional<String> firstName = Optional.ofNullable(token)
+    private TokenUserToOIDCUserMapper tokenUserToOIDCUserMapper;
-            .map(jwtToken -> jwtToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME))
+    private AccessTokenToDecodedTokenUserMapper tokenToDecodedTokenUserMapper;
-            .filter(String.class::isInstance)
-            .map(String.class::cast);
-        Optional<String> lastName = Optional.ofNullable(token)
-            .map(jwtToken -> jwtToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME))
-            .filter(String.class::isInstance)
-            .map(String.class::cast);
-        Optional<String> email = Optional.ofNullable(token)
-            .map(jwtToken -> jwtToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME))
-            .filter(String.class::isInstance)
-            .map(String.class::cast);
-
-        return Optional.ofNullable(token.getClaim(Optional.ofNullable(usernameMappingClaim)
-                .filter(StringUtils::isNotBlank)
-                .orElse(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)))
-            .filter(String.class::isInstance)
-            .map(String.class::cast)
-            .map(this::normalizeUserId)
-            .map(username -> new OIDCUserInfo(username, firstName.orElse(""), lastName.orElse(""), email.orElse("")));
-    };
 
     public IdentityServiceJITProvisioningHandler(IdentityServiceFacade identityServiceFacade,
             PersonService personService,
@@ -90,32 +69,77 @@ public class IdentityServiceJITProvisioningHandler
         this.identityServiceConfig = identityServiceConfig;
     }
 
+    /**
+     * Extracts {@link OIDCUserInfo} from the given bearer token and creates a new user if it does not exist in the repository. Call to the UserInfo endpoint is made only if the token does not contain a username claim or if user needs to be created and some of the {@link OIDCUserInfo} fields are empty.
+     */
     public Optional<OIDCUserInfo> extractUserInfoAndCreateUserIfNeeded(String bearerToken)
     {
-        Optional<OIDCUserInfo> userInfoResponse = Optional.ofNullable(bearerToken)
+        if (userInfoAttrMapping == null)
-            .filter(Predicate.not(String::isEmpty))
-            .flatMap(token -> extractUserInfoResponseFromAccessToken(token)
-                .filter(userInfo -> StringUtils.isNotEmpty(userInfo.username()))
-                .or(() -> extractUserInfoResponseFromEndpoint(token)));
-
-        if (transactionService.isReadOnly() || userInfoResponse.isEmpty())
         {
-            return userInfoResponse;
+            initMappers(identityServiceConfig);
         }
-        return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Optional<OIDCUserInfo>>()
+
+        Optional<OIDCUserInfo> oidcUserInfo = Optional.ofNullable(bearerToken)
+                .filter(Predicate.not(String::isEmpty))
+                .flatMap(token -> extractUserInfoResponseFromAccessToken(token).filter(decodedTokenUser -> StringUtils.isNotEmpty(decodedTokenUser.username()))
+                        .or(() -> extractUserInfoResponseFromEndpoint(token, userInfoAttrMapping)))
+                .map(tokenUserToOIDCUserMapper::toOIDCUser);
+
+        if (transactionService.isReadOnly() || oidcUserInfo.isEmpty())
         {
+            return oidcUserInfo;
+        }
+        return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<>() {
             @Override
             public Optional<OIDCUserInfo> doWork() throws Exception
             {
-                return userInfoResponse.map(userInfo -> {
+                return oidcUserInfo.map(oidcUser -> {
-                    if (userInfo.username() != null && personService.createMissingPeople()
+                    if (userDoesNotExistsAndCanBeCreated(oidcUser))
-                        && !personService.personExists(userInfo.username()))
                     {
 
-                        if (!userInfo.allFieldsNotEmpty())
+                        if (!oidcUser.allFieldsNotEmpty())
                         {
-                            userInfo = extractUserInfoResponseFromEndpoint(bearerToken).orElse(userInfo);
+                            oidcUser = extractUserInfoResponseFromEndpoint(bearerToken, userInfoAttrMapping)
+                                    .map(tokenUserToOIDCUserMapper::toOIDCUser)
+                                    .orElse(oidcUser);
                         }
+                        createPerson(oidcUser);
+                    }
+                    return oidcUser;
+                });
+            }
+
+        }, AuthenticationUtil.getSystemUserName());
+    }
+
+    private void initMappers(IdentityServiceConfig identityServiceConfig)
+    {
+        this.userInfoAttrMapping = initUserInfoAttrMapping(identityServiceConfig);
+        this.tokenUserToOIDCUserMapper = new TokenUserToOIDCUserMapper(personService);
+        this.tokenToDecodedTokenUserMapper = new AccessTokenToDecodedTokenUserMapper(userInfoAttrMapping);
+    }
+
+    private boolean userDoesNotExistsAndCanBeCreated(OIDCUserInfo userInfo)
+    {
+        return userInfo.username() != null && personService.createMissingPeople()
+                && !personService.personExists(userInfo.username());
+    }
+
+    private Optional<DecodedTokenUser> extractUserInfoResponseFromAccessToken(String bearerToken)
+    {
+        return Optional.ofNullable(bearerToken)
+                .map(identityServiceFacade::decodeToken)
+                .flatMap(tokenToDecodedTokenUserMapper::toDecodedTokenUser);
+    }
+
+    private Optional<DecodedTokenUser> extractUserInfoResponseFromEndpoint(String bearerToken, UserInfoAttrMapping userInfoAttrMapping)
+    {
+        return identityServiceFacade.getUserInfo(bearerToken, userInfoAttrMapping)
+                .filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty());
+    }
+
+    private void createPerson(OIDCUserInfo userInfo)
+    {
         Map<QName, Serializable> properties = new HashMap<>();
         properties.put(ContentModel.PROP_USERNAME, userInfo.username());
         properties.put(ContentModel.PROP_FIRSTNAME, userInfo.firstName());
@@ -123,61 +147,17 @@ public class IdentityServiceJITProvisioningHandler
         properties.put(ContentModel.PROP_EMAIL, userInfo.email());
         properties.put(ContentModel.PROP_ORGID, "");
         properties.put(ContentModel.PROP_HOME_FOLDER_PROVIDER, null);
-
         properties.put(ContentModel.PROP_SIZE_CURRENT, 0L);
         properties.put(ContentModel.PROP_SIZE_QUOTA, -1L); // no quota
 
         personService.createPerson(properties);
     }
-                    return userInfo;
-                });
-            }
-        }, AuthenticationUtil.getSystemUserName());
-    }
 
-    private Optional<OIDCUserInfo> extractUserInfoResponseFromAccessToken(String bearerToken)
+    private UserInfoAttrMapping initUserInfoAttrMapping(IdentityServiceConfig identityServiceConfig)
     {
-        return Optional.ofNullable(bearerToken)
+        return new UserInfoAttrMapping(identityServiceFacade.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName(),
-            .map(identityServiceFacade::decodeToken)
+                identityServiceConfig.getFirstNameAttribute(),
-            .flatMap(decodedToken -> mapTokenToUserInfoResponse.apply(decodedToken,
+                identityServiceConfig.getLastNameAttribute(),
-                identityServiceConfig.getPrincipalAttribute()));
+                identityServiceConfig.getEmailAttribute());
     }
-
-    private Optional<OIDCUserInfo> extractUserInfoResponseFromEndpoint(String bearerToken)
-    {
-        return identityServiceFacade.getUserInfo(bearerToken,
-                StringUtils.isNotBlank(identityServiceConfig.getPrincipalAttribute()) ?
-                    identityServiceConfig.getPrincipalAttribute() : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)
-            .filter(userInfo -> userInfo.username() != null && !userInfo.username().isEmpty())
-            .map(userInfo -> new OIDCUserInfo(normalizeUserId(userInfo.username()),
-                Optional.ofNullable(userInfo.firstName()).orElse(""),
-                Optional.ofNullable(userInfo.lastName()).orElse(""),
-                Optional.ofNullable(userInfo.email()).orElse("")));
-    }
-
-    /**
-     * Normalizes a user id, taking into account existing user accounts and case sensitivity settings.
-     *
-     * @param userId the user id
-     * @return the string
-     */
-    private String normalizeUserId(final String userId)
-    {
-        if (userId == null)
-        {
-            return null;
-        }
-
-        String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>()
-        {
-            @Override
-            public String doWork() throws Exception
-            {
-                return personService.getUserIdentifier(userId);
-            }
-        }, AuthenticationUtil.getSystemUserName());
-
-        return normalized == null ? userId : normalized;
-    }
-
 }

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -25,23 +25,23 @@
  */
 package org.alfresco.repo.security.authentication.identityservice;
 
+import java.util.Optional;
 import jakarta.servlet.http.HttpServletRequest;
 
-import java.util.Optional;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.IdentityServiceFacadeException;
-import org.apache.commons.logging.Log;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 
 /**
- * A {@link RemoteUserMapper} implementation that detects and validates JWTs
+ * A {@link RemoteUserMapper} implementation that detects and validates JWTs issued by the Alfresco Identity Service.
- * issued by the Alfresco Identity Service.
  * 
  * @author Gavin Cornwell
  */
@@ -62,7 +62,8 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
     /**
      * Sets the active flag
      * 
-     * @param isEnabled true to enable the subsystem
+     * @param isEnabled
+     *            true to enable the subsystem
      */
     public void setActive(boolean isEnabled)
     {
@@ -72,7 +73,8 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
     /**
      * Determines whether token validation failures are silent
      * 
-     * @param silent true to silently fail, false to throw an exception
+     * @param silent
+     *            true to silently fail, false to throw an exception
      */
     public void setValidationFailureSilent(boolean silent)
     {
@@ -89,10 +91,9 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
         this.jitProvisioningHandler = jitProvisioningHandler;
     }
 
-    /*
+    /* (non-Javadoc)
-     * (non-Javadoc)
+     * 
-     * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest)
+     * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(jakarta.servlet.http.HttpServletRequest) */
-     */
     @Override
     public String getRemoteUser(HttpServletRequest request)
     {
@@ -107,7 +108,6 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
         {
             String normalizedUserId = extractUserFromHeader(request);
 
-
             if (normalizedUserId != null)
             {
                 // Normalize the user ID taking into account case sensitivity settings
@@ -131,10 +131,9 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
         return null;
     }
 
-    /*
+    /* (non-Javadoc)
-     * (non-Javadoc)
+     * 
-     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
+     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() */
-     */
     public boolean isActive()
     {
         return this.isEnabled;
@@ -143,7 +142,8 @@ public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, Activa
     /**
      * Extracts the user name from the JWT in the given request.
      * 
-     * @param request The request containing the JWT
+     * @param request
+     *            The request containing the JWT
      * @return The username or null if it can not be determined
      */
     private String extractUserFromHeader(HttpServletRequest request)

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.java

@@ -30,21 +30,12 @@ import static java.util.Objects.requireNonNull;
 
 import static org.alfresco.repo.security.authentication.identityservice.IdentityServiceMetadataKey.AUDIENCE;
 
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
 import java.time.Instant;
 import java.util.Map;
 import java.util.Optional;
-import java.util.function.Predicate;
 
-import com.nimbusds.oauth2.sdk.ErrorObject;
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
-import com.nimbusds.oauth2.sdk.ParseException;
+import org.apache.commons.lang3.StringUtils;
-import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
-import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
-import com.nimbusds.openid.connect.sdk.UserInfoRequest;
-import com.nimbusds.openid.connect.sdk.UserInfoResponse;
-import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.core.convert.converter.Converter;
@@ -59,27 +50,35 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRe
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
+import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestOperations;
 
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
 class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
 {
     private static final Log LOGGER = LogFactory.getLog(SpringBasedIdentityServiceFacade.class);
     private static final Instant SOME_INSIGNIFICANT_DATE_IN_THE_PAST = Instant.MIN.plusSeconds(12345);
     private final Map<AuthorizationGrantType, OAuth2AccessTokenResponseClient> clients;
+    private final DefaultOAuth2UserService defaultOAuth2UserService;
     private final ClientRegistration clientRegistration;
     private final JwtDecoder jwtDecoder;
 
@@ -93,6 +92,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
                 AuthorizationGrantType.AUTHORIZATION_CODE, createAuthorizationCodeClient(restOperations),
                 AuthorizationGrantType.REFRESH_TOKEN, createRefreshTokenClient(restOperations),
                 AuthorizationGrantType.PASSWORD, createPasswordClient(restOperations, clientRegistration));
+        this.defaultOAuth2UserService = createOAuth2UserService(restOperations);
     }
 
     @Override
@@ -121,51 +121,18 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
     }
 
     @Override
-    public Optional<OIDCUserInfo> getUserInfo(String tokenParameter, String principalAttribute)
+    public Optional<DecodedTokenUser> getUserInfo(String token, UserInfoAttrMapping userInfoAttrMapping)
     {
-        return Optional.ofNullable(tokenParameter)
-                .filter(Predicate.not(String::isEmpty))
-                .flatMap(token -> Optional.ofNullable(clientRegistration)
-                        .map(ClientRegistration::getProviderDetails)
-                        .map(ClientRegistration.ProviderDetails::getUserInfoEndpoint)
-                        .map(ClientRegistration.ProviderDetails.UserInfoEndpoint::getUri)
-                        .flatMap(uri -> {
         try
         {
-                                return Optional.of(
+            return Optional.ofNullable(defaultOAuth2UserService.loadUser(new OAuth2UserRequest(clientRegistration, getSpringAccessToken(token))))
-                                        new UserInfoRequest(new URI(uri), new BearerAccessToken(token)).toHTTPRequest().send());
+                    .flatMap(oAuth2User -> mapOAuth2UserToDecodedTokenUser(oAuth2User, userInfoAttrMapping));
         }
-                            catch (IOException | URISyntaxException e)
+        catch (OAuth2AuthenticationException exception)
         {
-                                LOGGER.warn("Failed to get user information. Reason: " + e.getMessage());
+            LOGGER.warn("User Info Request failed: " + exception.getMessage());
             return Optional.empty();
         }
-                        })
-                        .flatMap(httpResponse -> {
-                            try
-                            {
-                                UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
-
-                                if (userInfoResponse instanceof UserInfoErrorResponse userInfoErrorResponse)
-                                {
-                                    String errorMessage = Optional.ofNullable(userInfoErrorResponse.getErrorObject())
-                                            .map(ErrorObject::getDescription)
-                                            .orElse("No error description found");
-                                    LOGGER.warn("User Info Request failed: " + errorMessage);
-                                    throw new UserInfoException(errorMessage);
-                                }
-                                return Optional.of(userInfoResponse);
-                            }
-                            catch (ParseException e)
-                            {
-                                LOGGER.warn("Failed to parse user info response. Reason: " + e.getMessage());
-                                return Optional.empty();
-                            }
-                        })
-                        .map(UserInfoResponse::toSuccessResponse)
-                        .map(UserInfoSuccessResponse::getUserInfo))
-                .map(userInfo -> new OIDCUserInfo(userInfo.getStringClaim(principalAttribute), userInfo.getGivenName(),
-                        userInfo.getFamilyName(), userInfo.getEmailAddress()));
     }
 
     @Override
@@ -202,11 +169,7 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
 
         if (grant.isRefreshToken())
         {
-            final OAuth2AccessToken expiredAccessToken = new OAuth2AccessToken(
+            final OAuth2AccessToken expiredAccessToken = getSpringAccessToken("JUST_FOR_FULFILLING_THE_SPRING_API");
-                    TokenType.BEARER,
-                    "JUST_FOR_FULFILLING_THE_SPRING_API",
-                    SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
-                    SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
             final OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(grant.getRefreshToken(), null);
 
             return new OAuth2RefreshTokenGrantRequest(clientRegistration, expiredAccessToken, refreshToken,
@@ -258,6 +221,26 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
         return client;
     }
 
+    private static DefaultOAuth2UserService createOAuth2UserService(RestOperations rest)
+    {
+        final DefaultOAuth2UserService userService = new DefaultOAuth2UserService();
+        userService.setRestOperations(rest);
+        return userService;
+    }
+
+    private Optional<DecodedTokenUser> mapOAuth2UserToDecodedTokenUser(OAuth2User oAuth2User, UserInfoAttrMapping userInfoAttrMapping)
+    {
+        var preferredUsername = Optional.ofNullable(oAuth2User.getAttribute(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME))
+                .filter(String.class::isInstance)
+                .map(String.class::cast)
+                .filter(StringUtils::isNotEmpty);
+        var userName = Optional.ofNullable(oAuth2User.getName()).filter(username -> !username.isEmpty()).or(() -> preferredUsername);
+        return userName.map(name -> DecodedTokenUser.validateAndCreate(name,
+                oAuth2User.getAttribute(userInfoAttrMapping.firstNameClaim()),
+                oAuth2User.getAttribute(userInfoAttrMapping.lastNameClaim()),
+                oAuth2User.getAttribute(userInfoAttrMapping.emailClaim())));
+    }
+
     private static OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> createPasswordClient(RestOperations rest,
             ClientRegistration clientRegistration)
     {
@@ -288,6 +271,16 @@ class SpringBasedIdentityServiceFacade implements IdentityServiceFacade
         };
     }
 
+    private static OAuth2AccessToken getSpringAccessToken(String token)
+    {
+        // Just for fulfilling the Spring API
+        return new OAuth2AccessToken(
+                TokenType.BEARER,
+                token,
+                SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
+                SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1));
+    }
+
     private static class SpringAccessTokenAuthorization implements AccessTokenAuthorization
     {
         private final OAuth2AccessTokenResponse tokenResponse;

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java

@@ -37,13 +37,19 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.id.Identifier;
 import com.nimbusds.oauth2.sdk.id.State;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
+import org.springframework.web.util.UriComponentsBuilder;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.external.AdminConsoleAuthenticator;
@@ -53,16 +59,9 @@ import org.alfresco.repo.security.authentication.identityservice.IdentityService
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
-import org.apache.commons.lang.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
-import org.springframework.web.util.UriComponentsBuilder;
 
 /**
- * An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID
+ * An {@link AdminConsoleAuthenticator} implementation to extract an externally authenticated user ID or to initiate the OIDC authorization code flow.
- * or to initiate the OIDC authorization code flow.
  */
 public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAuthenticator, ActivateableBean
 {
@@ -71,7 +70,6 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
     private static final String ALFRESCO_ACCESS_TOKEN = "ALFRESCO_ACCESS_TOKEN";
     private static final String ALFRESCO_REFRESH_TOKEN = "ALFRESCO_REFRESH_TOKEN";
     private static final String ALFRESCO_TOKEN_EXPIRATION = "ALFRESCO_TOKEN_EXPIRATION";
-    private static final Set<String> SCOPES = Set.of("openid", "profile", "email", "offline_access");
 
     private IdentityServiceConfig identityServiceConfig;
     private IdentityServiceFacade identityServiceFacade;
@@ -204,7 +202,7 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
                 .queryParam("scope", String.join("+", getScopes(clientRegistration)))
                 .queryParam("state", state.toString());
 
-        if(StringUtils.isNotBlank(identityServiceConfig.getAudience()))
+        if (StringUtils.isNotBlank(identityServiceConfig.getAudience()))
         {
             authRequestBuilder.queryParam("audience", identityServiceConfig.getAudience());
         }
@@ -226,11 +224,16 @@ public class IdentityServiceAdminConsoleAuthenticator implements AdminConsoleAut
     private Set<String> getSupportedScopes(Scope scopes)
     {
         return scopes.stream()
-            .filter(scope -> SCOPES.contains(scope.getValue()))
+                .filter(this::hasAdminConsoleScope)
                 .map(Identifier::getValue)
                 .collect(Collectors.toSet());
     }
 
+    private boolean hasAdminConsoleScope(Scope.Value scope)
+    {
+        return identityServiceConfig.getAdminConsoleScopes().contains(scope.getValue());
+    }
+
     private String getRedirectUri(String requestURL)
     {
         try

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapper.java

@@ -0,0 +1,66 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import java.util.Optional;
+
+import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import org.apache.commons.lang3.StringUtils;
+
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
+
+public class AccessTokenToDecodedTokenUserMapper
+{
+    private static final String DEFAULT_USERNAME_CLAIM = PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
+
+    private final UserInfoAttrMapping userInfoAttrMapping;
+
+    public AccessTokenToDecodedTokenUserMapper(UserInfoAttrMapping userInfoAttrMapping)
+    {
+        this.userInfoAttrMapping = userInfoAttrMapping;
+    }
+
+    /**
+     * Maps the given {@link IdentityServiceFacade.DecodedAccessToken} to a {@link DecodedTokenUser}.
+     *
+     * @param token
+     *            the token to map
+     * @return the mapped {@link DecodedTokenUser} or {@link Optional#empty()} if the token does not contain a username claim
+     */
+    public Optional<DecodedTokenUser> toDecodedTokenUser(IdentityServiceFacade.DecodedAccessToken token)
+    {
+        Object firstName = token.getClaim(userInfoAttrMapping.firstNameClaim());
+        Object lastName = token.getClaim(userInfoAttrMapping.lastNameClaim());
+        Object email = token.getClaim(userInfoAttrMapping.emailClaim());
+
+        return Optional.ofNullable(token.getClaim(Optional.ofNullable(userInfoAttrMapping.usernameClaim())
+                .filter(StringUtils::isNotBlank)
+                .orElse(DEFAULT_USERNAME_CLAIM)))
+                .filter(String.class::isInstance)
+                .map(String.class::cast)
+                .map(username -> DecodedTokenUser.validateAndCreate(username, firstName, lastName, email));
+    }
+}

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/DecodedTokenUser.java

@@ -0,0 +1,44 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import java.util.Optional;
+
+public record DecodedTokenUser(String username, String firstName, String lastName, String email)
+{
+
+    private static final String EMPTY_STRING = "";
+
+    public static DecodedTokenUser validateAndCreate(String username, Object firstName, Object lastName, Object email)
+    {
+        return new DecodedTokenUser(username, getStringVal(firstName), getStringVal(lastName), getStringVal(email));
+    }
+
+    private static String getStringVal(Object firstName)
+    {
+        return Optional.ofNullable(firstName).filter(String.class::isInstance).map(String.class::cast).orElse(EMPTY_STRING);
+    }
+}

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/OIDCUserInfo.java

@@ -23,7 +23,7 @@
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  * #L%
  */
-package org.alfresco.repo.security.authentication.identityservice;
+package org.alfresco.repo.security.authentication.identityservice.user;
 
 import java.util.stream.Stream;
 

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapper.java

@@ -0,0 +1,76 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.service.cmr.security.PersonService;
+
+public class TokenUserToOIDCUserMapper
+{
+    private final PersonService personService;
+
+    public TokenUserToOIDCUserMapper(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
+    /**
+     * Maps a decoded token user to an OIDC user where the user id (username) is normalized.
+     *
+     * @param decodedTokenUser
+     *            the decoded token user
+     * @return the OIDC user
+     */
+    public OIDCUserInfo toOIDCUser(DecodedTokenUser decodedTokenUser)
+    {
+        return new OIDCUserInfo(usernameToUserId(decodedTokenUser.username()), decodedTokenUser.firstName(), decodedTokenUser.lastName(), decodedTokenUser.email());
+    }
+
+    /**
+     * Normalizes a username, taking into account existing user accounts and case sensitivity settings.
+     *
+     * @param caseSensitiveUserName
+     *            the case-sensitive username
+     * @return the string
+     */
+    private String usernameToUserId(final String caseSensitiveUserName)
+    {
+        if (caseSensitiveUserName == null)
+        {
+            return null;
+        }
+
+        String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>() {
+            @Override
+            public String doWork() throws Exception
+            {
+                return personService.getUserIdentifier(caseSensitiveUserName);
+            }
+        }, AuthenticationUtil.getSystemUserName());
+
+        return normalized == null ? caseSensitiveUserName : normalized;
+    }
+}

repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/user/UserInfoAttrMapping.java

@@ -0,0 +1,41 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+/**
+ * The UserInfoAttrMapping record represents the mapping of claims fetched from the UserInfo endpoint to create an Alfresco user.
+ *
+ * @param usernameClaim
+ *            the claim that represents the username
+ * @param firstNameClaim
+ *            the claim that represents the first name
+ * @param lastNameClaim
+ *            the claim that represents the last name
+ * @param emailClaim
+ *            the claim that represents the email
+ */
+public record UserInfoAttrMapping(String usernameClaim, String firstNameClaim, String lastNameClaim, String emailClaim)
+{}

repository/src/main/resources/alfresco/rendition-services2-context.xml

@@ -82,6 +82,7 @@
         <property name="contentService" ref="contentService" />
         <property name="renditionService2" ref="renditionService2" />
         <property name="directAccessUrlEnabled" value="${local.transform.directAccessUrl.enabled}"/>
+        <property name="threadPoolSize" value="${local.transform.threadPoolSize}" />
     </bean>
 
     <bean id="synchronousTransformClient" parent="localSynchronousTransformClient" />

repository/src/main/resources/alfresco/repository.properties

@@ -1351,6 +1351,9 @@ restApi.directAccessUrl.defaultExpiryTimeInSec=30
 # Controls whether direct access url URLs may be used in transforms.
 local.transform.directAccessUrl.enabled=true
 
+# Controls size of thread pool used for transforms.
+local.transform.threadPoolSize=8
+
 # Creates additional indexes on alf_node and alf_transaction. Recommended for large repositories.
 system.new-node-transaction-indexes.ignored=true
 

repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication-context.xml

@@ -149,6 +149,15 @@
       <property name="principalAttribute">
          <value>${identity-service.principal-attribute:preferred_username}</value>
       </property>
+      <property name="firstNameAttribute">
+          <value>${identity-service.first-name-attribute:given_name}</value>
+      </property>
+       <property name="lastNameAttribute">
+           <value>${identity-service.last-name-attribute:family_name}</value>
+       </property>
+       <property name="emailAttribute">
+           <value>${identity-service.email-attribute:email}</value>
+       </property>
       <property name="clientIdValidationDisabled">
          <value>${identity-service.client-id.validation.disabled:true}</value>
       </property>
@@ -158,6 +167,18 @@
       <property name="signatureAlgorithms">
          <value>${identity-service.signature-algorithms:RS256,PS256}</value>
       </property>
+       <property name="adminConsoleScopes">
+           <value>${identity-service.admin-console.scopes:openid,profile,email,offline_access}</value>
+       </property>
+       <property name="passwordGrantScopes">
+           <value>${identity-service.password-grant.scopes:openid,profile,email}</value>
+       </property>
+       <property name="issuerAttribute">
+           <value>${identity-service.issuer-attribute:issuer}</value>
+       </property>
+       <property name="jwtClockSkewMs">
+           <value>${identity-service.jwt-clock-skew-ms:0}</value>
+       </property>
    </bean>
 
    <!-- Enable control over mapping between request and user ID -->

repository/src/main/resources/alfresco/subsystems/Authentication/identity-service/identity-service-authentication.properties

@@ -13,3 +13,10 @@ identity-service.credentials.secret=
 identity-service.public-client=true
 identity-service.admin-console.redirect-path=/alfresco/s/admin/admin-communitysummary
 identity-service.signature-algorithms=RS256,PS256
+identity-service.first-name-attribute=given_name
+identity-service.last-name-attribute=family_name
+identity-service.email-attribute=email
+identity-service.admin-console.scopes=openid,profile,email,offline_access
+identity-service.password-grant.scopes=openid,profile,email
+identity-service.issuer-attribute=issuer
+identity-service.jwt-clock-skew-ms=0

repository/src/test/java/org/alfresco/AllUnitTestsSuite.java

@@ -25,6 +25,10 @@
  */
 package org.alfresco;
 
+import org.junit.experimental.categories.Categories;
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+
 import org.alfresco.repo.security.authentication.identityservice.ClientRegistrationProviderUnitTest;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBeanTest;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceJITProvisioningHandlerUnitTest;
@@ -33,19 +37,17 @@ import org.alfresco.repo.security.authentication.identityservice.SpringBasedIden
 import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleAuthenticationCookiesServiceUnitTest;
 import org.alfresco.repo.security.authentication.identityservice.admin.AdminConsoleHttpServletRequestWrapperUnitTest;
 import org.alfresco.repo.security.authentication.identityservice.admin.IdentityServiceAdminConsoleAuthenticatorUnitTest;
+import org.alfresco.repo.security.authentication.identityservice.user.AccessTokenToDecodedTokenUserMapperUnitTest;
+import org.alfresco.repo.security.authentication.identityservice.user.TokenUserToOIDCUserMapperUnitTest;
 import org.alfresco.util.testing.category.DBTests;
 import org.alfresco.util.testing.category.NonBuildTests;
-import org.junit.experimental.categories.Categories;
-import org.junit.runner.RunWith;
-import org.junit.runners.Suite;
 
 /**
- * All Repository project UNIT test classes (no application context) should be added to this test suite.
+ * All Repository project UNIT test classes (no application context) should be added to this test suite. Tests marked as DBTests are automatically excluded and are run as part of {@link AllDBTestsTestSuite}.
- * Tests marked as DBTests are automatically excluded and are run as part of {@link AllDBTestsTestSuite}.
  */
 @RunWith(Categories.class)
 @Categories.ExcludeCategory({DBTests.class, NonBuildTests.class})
-@Suite.SuiteClasses({
+@Suite.SuiteClasses(value = {
         org.alfresco.repo.site.SiteMembershipTest.class,
         org.alfresco.encryption.EncryptorTest.class,
         org.alfresco.encryption.KeyStoreKeyProviderTest.class,
@@ -149,6 +151,8 @@ import org.junit.runners.Suite;
         LazyInstantiatingIdentityServiceFacadeUnitTest.class,
         SpringBasedIdentityServiceFacadeUnitTest.class,
         IdentityServiceJITProvisioningHandlerUnitTest.class,
+        AccessTokenToDecodedTokenUserMapperUnitTest.class,
+        TokenUserToOIDCUserMapperUnitTest.class,
         AdminConsoleAuthenticationCookiesServiceUnitTest.class,
         AdminConsoleHttpServletRequestWrapperUnitTest.class,
         IdentityServiceAdminConsoleAuthenticatorUnitTest.class,
@@ -265,5 +269,4 @@ import org.junit.runners.Suite;
         org.alfresco.repo.serviceaccount.ServiceAccountRegistryImplTest.class
 })
 public class AllUnitTestsSuite
-{
+{}
-}

repository/src/test/java/org/alfresco/repo/action/executer/AddFeaturesActionExecuterTest.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -28,8 +28,14 @@ package org.alfresco.repo.action.executer;
 import java.util.List;
 import java.util.Locale;
 
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.extensions.surf.util.I18NUtil;
+import org.springframework.transaction.annotation.Transactional;
+
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.action.ActionImpl;
+import org.alfresco.repo.action.access.ActionAccessRestriction;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.service.cmr.action.ActionDefinition;
 import org.alfresco.service.cmr.action.ParameterDefinition;
@@ -39,10 +45,6 @@ import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.BaseSpringTest;
 import org.alfresco.util.GUID;
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.extensions.surf.util.I18NUtil;
-import org.springframework.transaction.annotation.Transactional;
 
 /**
  * Add features action execution test
@@ -52,45 +54,40 @@ import org.springframework.transaction.annotation.Transactional;
 @Transactional
 public class AddFeaturesActionExecuterTest extends BaseSpringTest
 {
+    /**
+     * Id used to identify the test action created
+     */
+    private final static String ID = GUID.generate();
     /**
      * The node service
      */
     private NodeService nodeService;
-    
     /**
      * The store reference
      */
     private StoreRef testStoreRef;
-    
     /**
      * The root node reference
      */
     private NodeRef rootNodeRef;
-    
     /**
      * The test node reference
      */
     private NodeRef nodeRef;
-    
     /**
      * The add features action executer
      */
     private AddFeaturesActionExecuter executer;
 
-    /**
-     * Id used to identify the test action created
-     */
-    private final static String ID = GUID.generate();
-    
     /**
      * Called at the begining of all tests
      */
     @Before
     public void before() throws Exception
     {
-        this.nodeService = (NodeService)this.applicationContext.getBean("nodeService");
+        this.nodeService = (NodeService) this.applicationContext.getBean("nodeService");
 
-        AuthenticationComponent authenticationComponent = (AuthenticationComponent)applicationContext.getBean("authenticationComponent");
+        AuthenticationComponent authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         authenticationComponent.setCurrentUser(authenticationComponent.getSystemUserName());
 
         // Create the store and get the root node
@@ -107,7 +104,7 @@ public class AddFeaturesActionExecuterTest extends BaseSpringTest
                 ContentModel.TYPE_CONTENT).getChildRef();
 
         // Get the executer instance
-        this.executer = (AddFeaturesActionExecuter)this.applicationContext.getBean(AddFeaturesActionExecuter.NAME);
+        this.executer = (AddFeaturesActionExecuter) this.applicationContext.getBean(AddFeaturesActionExecuter.NAME);
     }
 
     /**
@@ -161,4 +158,20 @@ public class AddFeaturesActionExecuterTest extends BaseSpringTest
         I18NUtil.setLocale(Locale.getDefault());
 
     }
+
+    /**
+     * Test check actionContext param is removed from adhoc properties
+     */
+    @Test
+    public void testCheckActionContext()
+    {
+        // Execute the action
+        ActionImpl action = new ActionImpl(null, ID, AddFeaturesActionExecuter.NAME, null);
+        action.setParameterValue(ActionAccessRestriction.ACTION_CONTEXT_PARAM_NAME, ActionAccessRestriction.V1_ACTION_CONTEXT);
+        action.setParameterValue(AddFeaturesActionExecuter.PARAM_ASPECT_NAME, ContentModel.ASPECT_CLASSIFIABLE);
+        this.executer.execute(action, this.nodeRef);
+
+        // Ensure the actionContext parameter has been removed
+        assertFalse(nodeService.getProperties(this.nodeRef).containsKey(QName.createQName(ActionAccessRestriction.ACTION_CONTEXT_PARAM_NAME)));
+    }
 }

repository/src/test/java/org/alfresco/repo/rendition2/RenditionService2IntegrationTest.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2022 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -25,16 +25,21 @@
  */
 package org.alfresco.repo.rendition2;
 
-import static org.alfresco.model.ContentModel.PROP_CONTENT;
 import static org.junit.Assert.assertNotEquals;
 
+import static org.alfresco.model.ContentModel.PROP_CONTENT;
+
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.junit.BeforeClass;
+import org.junit.Test;
+
 import org.alfresco.model.ContentModel;
 import org.alfresco.model.RenditionModel;
+import org.alfresco.repo.content.MimetypeMap;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.service.cmr.repository.ChildAssociationRef;
@@ -44,8 +49,6 @@ import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
-import org.junit.BeforeClass;
-import org.junit.Test;
 
 /**
  * Integration tests for {@link RenditionService2}
@@ -158,8 +161,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
 
         clearContent(ADMIN, sourceNodeRef);
         render(ADMIN, sourceNodeRef, DOC_LIB);
-        ChildAssociationRef assoc = AuthenticationUtil.runAs(() ->
+        ChildAssociationRef assoc = AuthenticationUtil.runAs(() -> renditionService2.getRenditionByName(sourceNodeRef, DOC_LIB), ADMIN);
-                renditionService2.getRenditionByName(sourceNodeRef, DOC_LIB), ADMIN);
         waitForRendition(ADMIN, sourceNodeRef, DOC_LIB, false);
         assertNull("There should be no rendition as there was no content", assoc);
     }
@@ -190,8 +192,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
 
         clearContent(ADMIN, sourceNodeRef);
         render(ADMIN, sourceNodeRef, DOC_LIB);
-        ChildAssociationRef assoc = AuthenticationUtil.runAs(() ->
+        ChildAssociationRef assoc = AuthenticationUtil.runAs(() -> renditionService2.getRenditionByName(sourceNodeRef, DOC_LIB), ADMIN);
-                renditionService2.getRenditionByName(sourceNodeRef, DOC_LIB), ADMIN);
         waitForRendition(ADMIN, sourceNodeRef, DOC_LIB, false);
         assertNull("There should be no rendition as there was no content", assoc);
 
@@ -216,8 +217,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
         String ownerUserName = createRandomUser();
         NodeRef sourceNodeRef = createSource(ownerUserName, "quick.jpg");
         String otherUserName = createRandomUser();
-        transactionService.getRetryingTransactionHelper().doInTransaction(() ->
+        transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-        {
             permissionService.setPermission(sourceNodeRef, otherUserName, PermissionService.READ, true);
             return null;
         });
@@ -236,8 +236,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
         String ownerUserName = createRandomUser();
         NodeRef sourceNodeRef = createSource(ownerUserName, "quick.jpg");
         String otherUserName = createRandomUser();
-        transactionService.getRetryingTransactionHelper().doInTransaction(() ->
+        transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-        {
             permissionService.setPermission(sourceNodeRef, otherUserName, PermissionService.READ, true);
             return null;
         });
@@ -257,8 +256,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
         NodeRef sourceNodeRef = createSource(ownerUserName, "quick.jpg");
         render(ownerUserName, sourceNodeRef, DOC_LIB);
         String noPermissionsUser = createRandomUser();
-        transactionService.getRetryingTransactionHelper().doInTransaction(() ->
+        transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-        {
             permissionService.setPermission(sourceNodeRef, noPermissionsUser, PermissionService.ALL_PERMISSIONS, false);
             return null;
         });
@@ -280,12 +278,9 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
         NodeRef sourceNodeRef = createSource(ownerUserName, "quick.jpg");
         final QName doclibRendDefQName = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "doclib");
         transactionService.getRetryingTransactionHelper()
-                .doInTransaction(() ->
+                .doInTransaction(() -> AuthenticationUtil.runAs(() -> renditionService.render(sourceNodeRef, doclibRendDefQName), ownerUserName));
-                AuthenticationUtil.runAs(() ->
-                        renditionService.render(sourceNodeRef, doclibRendDefQName), ownerUserName));
 
-        NodeRef oldRendition = AuthenticationUtil.runAs(() ->
+        NodeRef oldRendition = AuthenticationUtil.runAs(() -> renditionService.getRenditionByName(sourceNodeRef, doclibRendDefQName).getChildRef(), ownerUserName);
-                renditionService.getRenditionByName(sourceNodeRef, doclibRendDefQName).getChildRef(), ownerUserName);
         assertFalse("The rendition should be generated by old Rendition Service",
                 AuthenticationUtil.runAs(() -> nodeService.hasAspect(oldRendition, RenditionModel.ASPECT_RENDITION2), ownerUserName));
 
@@ -335,9 +330,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
         renditionService2.setEnabled(false);
 
         // Call 'clearRenditionContentData' method directly to prove rendition content will be cleaned
-        AuthenticationUtil.runAs((AuthenticationUtil.RunAsWork<Void>) () ->
+        AuthenticationUtil.runAs((AuthenticationUtil.RunAsWork<Void>) () -> transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
-            transactionService.getRetryingTransactionHelper().doInTransaction(() ->
-            {
             renditionService2.clearRenditionContentData(sourceNodeRef, DOC_LIB);
             return null;
         }), ADMIN);
@@ -356,8 +349,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
     /**
      * Tests if a rendition without content (but with contentHashCode) can be generated again.
      * <p>
-     * If the rendition consumption receives a null InputStream, the contentHashCode should be cleaned from the
+     * If the rendition consumption receives a null InputStream, the contentHashCode should be cleaned from the rendition node, allowing new requests to generate the rendition.
-     * rendition node, allowing new requests to generate the rendition.
      * </p>
      */
     @Test
@@ -369,8 +361,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
     /**
      * Tests if a rendition without content (but with contentHashCode) can be generated again.
      * <p>
-     * If the rendition consumption receives a zero length InputStream, the contentHashCode should be cleaned from the
+     * If the rendition consumption receives a zero length InputStream, the contentHashCode should be cleaned from the rendition node, allowing new requests to generate the rendition.
-     * rendition node, allowing new requests to generate the rendition.
      * </p>
      */
     @Test
@@ -492,22 +483,16 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
             NodeRef sourceNodeRef = createSource(ADMIN, "quick.jpg");
             final QName doclibRendDefQName = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "doclib");
             transactionService.getRetryingTransactionHelper()
-                    .doInTransaction(() ->
+                    .doInTransaction(() -> AuthenticationUtil.runAs(() -> renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
-                            AuthenticationUtil.runAs(() ->
-                                    renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
             assertNotNull("The old renditions service did not render", waitForRendition(ADMIN, sourceNodeRef, DOC_LIB, true));
             List<String> lastThumbnailModification = transactionService.getRetryingTransactionHelper()
-                    .doInTransaction(() ->
+                    .doInTransaction(() -> AuthenticationUtil.runAs(() -> (List<String>) nodeService.getProperty(sourceNodeRef, ContentModel.PROP_LAST_THUMBNAIL_MODIFICATION_DATA), ADMIN));
-                            AuthenticationUtil.runAs(() ->
-                                    (List<String>) nodeService.getProperty(sourceNodeRef, ContentModel.PROP_LAST_THUMBNAIL_MODIFICATION_DATA), ADMIN));
             updateContent(ADMIN, sourceNodeRef, "quick.png");
             List<String> newThumbnailModification = null;
             for (int i = 0; i < 5; i++)
             {
                 newThumbnailModification = transactionService.getRetryingTransactionHelper()
-                        .doInTransaction(() ->
+                        .doInTransaction(() -> AuthenticationUtil.runAs(() -> (List<String>) nodeService.getProperty(sourceNodeRef, ContentModel.PROP_LAST_THUMBNAIL_MODIFICATION_DATA), ADMIN));
-                                AuthenticationUtil.runAs(() ->
-                                        (List<String>) nodeService.getProperty(sourceNodeRef, ContentModel.PROP_LAST_THUMBNAIL_MODIFICATION_DATA), ADMIN));
                 if (!newThumbnailModification.equals(lastThumbnailModification))
                 {
                     break;
@@ -579,9 +564,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
             NodeRef sourceNodeRef = createSource(ADMIN, "quick.jpg");
             final QName doclibRendDefQName = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "doclib");
             transactionService.getRetryingTransactionHelper()
-                    .doInTransaction(() ->
+                    .doInTransaction(() -> AuthenticationUtil.runAs(() -> renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
-                            AuthenticationUtil.runAs(() ->
-                                    renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
             waitForRendition(ADMIN, sourceNodeRef, DOC_LIB, true);
 
             renditionService2.setEnabled(true);
@@ -652,9 +635,7 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
             NodeRef sourceNodeRef = createSource(ADMIN, "quick.jpg");
             final QName doclibRendDefQName = QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, "doclib");
             transactionService.getRetryingTransactionHelper()
-                    .doInTransaction(() ->
+                    .doInTransaction(() -> AuthenticationUtil.runAs(() -> renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
-                            AuthenticationUtil.runAs(() ->
-                                    renditionService.render(sourceNodeRef, doclibRendDefQName), ADMIN));
             waitForRendition(ADMIN, sourceNodeRef, DOC_LIB, true);
 
             renditionService2.setEnabled(true);
@@ -682,4 +663,57 @@ public class RenditionService2IntegrationTest extends AbstractRenditionIntegrati
             renditionService2.setEnabled(true);
         }
     }
+
+    @Test
+    public void testTextExtractTransformAllowedWhenThumbnailDisabled()
+    {
+        // create a source node
+        NodeRef sourceNodeRef = createSource(ADMIN, "quick.pdf");
+        assertNotNull("Node not generated", sourceNodeRef);
+        String replyQueue = "org.test.queue";
+        String targetMimetype = MimetypeMap.MIMETYPE_TEXT_PLAIN;
+
+        TransformDefinition textExtractTransform = new TransformDefinition(
+                targetMimetype,
+                java.util.Collections.emptyMap(),
+                "clientData",
+                replyQueue,
+                "requestId");
+
+        renditionService2.setThumbnailsEnabled(false);
+        try
+        {
+            // Should NOT throw, as this is a text extract transform
+            AuthenticationUtil.runAs(() -> {
+                transactionService.getRetryingTransactionHelper().doInTransaction(() -> {
+                    renditionService2.transform(sourceNodeRef, textExtractTransform);
+                    return null;
+                });
+                return null;
+            }, ADMIN);
+        }
+        finally
+        {
+            renditionService2.setThumbnailsEnabled(true);
+        }
+    }
+
+    @Test
+    public void testMetadataExtractTransformAllowedWhenThumbnailDisabled()
+    {
+        // create a source node
+        NodeRef sourceNodeRef = createSource(ADMIN, "quick.pdf");
+        assertNotNull("Node not generated", sourceNodeRef);
+        renditionService2.setThumbnailsEnabled(false);
+        try
+        {
+            // Should NOT throw, as this is a metadata extract transform
+            extract(ADMIN, sourceNodeRef);
+            waitForExtract(ADMIN, sourceNodeRef, true);
+        }
+        finally
+        {
+            renditionService2.setThumbnailsEnabled(true);
+        }
+    }
 }

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/ClientRegistrationProviderUnitTest.java

@@ -38,8 +38,7 @@ import java.util.Set;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-
+import net.minidev.json.JSONObject;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.ClientRegistrationProvider;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
@@ -51,12 +50,17 @@ import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.web.client.RestTemplate;
 
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean.ClientRegistrationProvider;
+
 public class ClientRegistrationProviderUnitTest
 {
     private static final String CLIENT_ID = "alfresco";
     private static final String OPENID_CONFIGURATION = "{\"token_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/token\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"private_key_jwt\",\"client_secret_basic\"],\"jwks_uri\":\"https://login.serviceonline.alfresco/common/discovery/v2.0/keys\",\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\"],\"subject_types_supported\":[\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"response_types_supported\":[\"code\",\"id_token\",\"code id_token\",\"id_token token\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"offline_access\"],\"issuer\":\"https://login.serviceonline.alfresco/alfresco/v2.0\",\"request_uri_parameter_supported\":false,\"userinfo_endpoint\":\"https://graph.service.alfresco/oidc/userinfo\",\"authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/authorize\",\"device_authorization_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/devicecode\",\"http_logout_supported\":true,\"frontchannel_logout_supported\":true,\"end_session_endpoint\":\"https://login.serviceonline.alfresco/common/oauth2/v2.0/logout\",\"claims_supported\":[\"sub\",\"iss\",\"cloud_instance_name\",\"cloud_instance_host_name\",\"cloud_graph_host_name\",\"msgraph_host\",\"aud\",\"exp\",\"iat\",\"auth_time\",\"acr\",\"nonce\",\"preferred_username\",\"name\",\"tid\",\"ver\",\"at_hash\",\"c_hash\",\"email\"],\"kerberos_endpoint\":\"https://login.serviceonline.alfresco/common/kerberos\",\"tenant_region_scope\":null,\"cloud_instance_name\":\"serviceonline.alfresco\",\"cloud_graph_host_name\":\"graph.oidc.net\",\"msgraph_host\":\"graph.service.alfresco\",\"rbac_url\":\"https://pas.oidc.alfresco\"}";
     private static final String DISCOVERY_PATH_SEGMENTS = "/.well-known/openid-configuration";
     private static final String AUTH_SERVER = "https://login.serviceonline.alfresco";
+    private static final String ADMIN_CONSOLE_SCOPES = "openid,email,profile,offline_access";
+    private static final String PSSWD_GRANT_SCOPES = "openid,email,profile";
+    private static final String ISSUER_ATRR = "issuer";
 
     private IdentityServiceConfig config;
     private RestTemplate restTemplate;
@@ -70,6 +74,9 @@ public class ClientRegistrationProviderUnitTest
         config = new IdentityServiceConfig();
         config.setAuthServerUrl(AUTH_SERVER);
         config.setResource(CLIENT_ID);
+        config.setAdminConsoleScopes(ADMIN_CONSOLE_SCOPES);
+        config.setPasswordGrantScopes(PSSWD_GRANT_SCOPES);
+        config.setIssuerAttribute(ISSUER_ATRR);
 
         restTemplate = mock(RestTemplate.class);
         ResponseEntity responseEntity = mock(ResponseEntity.class);
@@ -263,4 +270,42 @@ public class ClientRegistrationProviderUnitTest
                     "https://login.serviceonline.alfresco/alfresco/v2.0" + DISCOVERY_PATH_SEGMENTS);
         }
     }
+
+    @Test
+    public void shouldUseDefaultIssuerAttribute()
+    {
+        config.setIssuerUrl(null);
+        try (MockedStatic<OIDCProviderMetadata> providerMetadata = Mockito.mockStatic(OIDCProviderMetadata.class))
+        {
+            providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
+
+            ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
+                    restTemplate);
+            assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isEqualTo("https://login.serviceonline.alfresco/alfresco/v2.0");
+
+        }
+    }
+
+    @Test
+    public void shouldUseCustomIssuerAttribute()
+    {
+        try (MockedStatic<OIDCProviderMetadata> providerMetadata = Mockito.mockStatic(OIDCProviderMetadata.class))
+        {
+            config.setIssuerAttribute("access_token_issuer");
+            when(oidcResponse.getCustomParameters()).thenReturn(createJSONObject("access_token_issuer", "https://login.serviceonline.alfresco/alfresco/v2.0/at_trust"));
+            providerMetadata.when(() -> OIDCProviderMetadata.parse(any(String.class))).thenReturn(oidcResponse);
+
+            ClientRegistration clientRegistration = new ClientRegistrationProvider(config).createClientRegistration(
+                    restTemplate);
+            assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isEqualTo("https://login.serviceonline.alfresco/alfresco/v2.0/at_trust");
+
+        }
+    }
+
+    private static JSONObject createJSONObject(String fieldName, String fieldValue)
+    {
+        JSONObject jsonObject = new JSONObject();
+        jsonObject.appendField(fieldName, fieldValue);
+        return jsonObject;
+    }
 }

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponentTest.java

@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2023 Alfresco Software Limited
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software.
  * If the software was purchased under a paid Alfresco license, the terms of
@@ -32,21 +32,23 @@ import static org.mockito.Mockito.when;
 import java.net.ConnectException;
 import java.util.Optional;
 
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
 import org.alfresco.error.ExceptionStackUtil;
 import org.alfresco.repo.security.authentication.AuthenticationContext;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
 import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.BaseSpringTest;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.springframework.beans.factory.annotation.Autowired;
 
 public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
 {
@@ -67,7 +69,6 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
     @Autowired
     private PersonService personService;
 
-
     private IdentityServiceJITProvisioningHandler jitProvisioning;
     private IdentityServiceFacade mockIdentityServiceFacade;
 
@@ -92,7 +93,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
         authenticationContext.clearCurrentSecurityContext();
     }
 
-    @Test (expected=AuthenticationException.class)
+    @Test(expected = AuthenticationException.class)
     public void testAuthenticationFail()
     {
         final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
@@ -122,7 +123,7 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
         }
     }
 
-    @Test (expected=AuthenticationException.class)
+    @Test(expected = AuthenticationException.class)
     public void testAuthenticationFail_otherException()
     {
         final AuthorizationGrant grant = AuthorizationGrant.password("username", "password");
@@ -150,10 +151,10 @@ public class IdentityServiceAuthenticationComponentTest extends BaseSpringTest
         authComponent.authenticateImpl("username", "password".toCharArray());
 
         // Check that the authenticated user has been set
-        assertEquals("User has not been set as expected.","username", authenticationContext.getCurrentUserName());
+        assertEquals("User has not been set as expected.", "username", authenticationContext.getCurrentUserName());
     }
 
-    @Test (expected= AuthenticationException.class)
+    @Test(expected = AuthenticationException.class)
     public void testFallthroughWhenIdentityServiceFacadeIsNull()
     {
         authComponent.setIdentityServiceFacade(null);

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandlerTest.java

@@ -25,29 +25,29 @@
  */
 package org.alfresco.repo.security.authentication.identityservice;
 
-import static org.mockito.Mockito.atLeast;
+import static org.mockito.Mockito.*;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
 
 import java.lang.reflect.Field;
 import java.util.Optional;
 
 import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
 import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.BaseSpringTest;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
 
 @SuppressWarnings("PMD.AvoidAccessibilityAlteration")
 public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
@@ -95,8 +95,7 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
     {
         assertFalse(personService.personExists(IDS_USERNAME));
 
-        IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization =
+        IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
-            identityServiceFacade.authorize(
                 IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword));
 
         Optional<OIDCUserInfo> userInfoOptional = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
@@ -125,14 +124,17 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
         assertFalse(personService.personExists(IDS_USERNAME));
 
         String principalAttribute = isAuth0Enabled ? PersonClaims.NICKNAME_CLAIM_NAME : PersonClaims.PREFERRED_USERNAME_CLAIM_NAME;
-        IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization =
+        IdentityServiceFacade.AccessTokenAuthorization accessTokenAuthorization = identityServiceFacade.authorize(
-            identityServiceFacade.authorize(
                 IdentityServiceFacade.AuthorizationGrant.password(IDS_USERNAME, userPassword));
+        UserInfoAttrMapping userInfoAttrMapping = new UserInfoAttrMapping(principalAttribute, "given_name", "family_name", "email");
 
         String accessToken = accessTokenAuthorization.getAccessToken().getTokenValue();
+        ClientRegistration clientRegistration = mock(ClientRegistration.class, RETURNS_DEEP_STUBS);
+        when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(principalAttribute);
         IdentityServiceFacade idsServiceFacadeMock = mock(IdentityServiceFacade.class);
         when(idsServiceFacadeMock.decodeToken(accessToken)).thenReturn(null);
-        when(idsServiceFacadeMock.getUserInfo(accessToken, principalAttribute)).thenReturn(identityServiceFacade.getUserInfo(accessToken, principalAttribute));
+        when(idsServiceFacadeMock.getUserInfo(accessToken, userInfoAttrMapping)).thenReturn(identityServiceFacade.getUserInfo(accessToken, userInfoAttrMapping));
+        when(idsServiceFacadeMock.getClientRegistration()).thenReturn(clientRegistration);
 
         // Replace the original facade with a mocked one to prevent user information from being extracted from the access token.
         Field declaredField = jitProvisioningHandler.getClass()
@@ -153,7 +155,7 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
         assertEquals("johndoe123@alfresco.com", userInfoOptional.get().email());
         assertEquals("johndoe123@alfresco.com", nodeService.getProperty(person, ContentModel.PROP_EMAIL));
         verify(idsServiceFacadeMock).decodeToken(accessToken);
-        verify(idsServiceFacadeMock, atLeast(1)).getUserInfo(accessToken, principalAttribute);
+        verify(idsServiceFacadeMock, atLeast(1)).getUserInfo(accessToken, userInfoAttrMapping);
         if (!isAuth0Enabled)
         {
             assertEquals("John", userInfoOptional.get().firstName());
@@ -166,8 +168,7 @@ public class IdentityServiceJITProvisioningHandlerTest extends BaseSpringTest
     @After
     public void tearDown()
     {
-        AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>()
+        AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
-        {
             @Override
             public Void doWork() throws Exception
             {

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceJITProvisioningHandlerUnitTest.java

@@ -38,12 +38,17 @@ import static org.mockito.MockitoAnnotations.initMocks;
 import java.util.Optional;
 
 import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
-
-import org.alfresco.service.cmr.security.PersonService;
-import org.alfresco.service.transaction.TransactionService;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.Answers;
 import org.mockito.Mock;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+
+import org.alfresco.repo.security.authentication.identityservice.user.DecodedTokenUser;
+import org.alfresco.repo.security.authentication.identityservice.user.OIDCUserInfo;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+import org.alfresco.service.cmr.security.PersonService;
+import org.alfresco.service.transaction.TransactionService;
 
 public class IdentityServiceJITProvisioningHandlerUnitTest
 {
@@ -51,6 +56,9 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
     @Mock
     private IdentityServiceFacade identityServiceFacade;
 
+    @Mock(answer = Answers.RETURNS_DEEP_STUBS)
+    private ClientRegistration clientRegistration;
+
     @Mock
     private PersonService personService;
 
@@ -64,11 +72,22 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
     private IdentityServiceConfig identityServiceConfig;
 
     @Mock
-    private OIDCUserInfo userInfo;
+    private DecodedTokenUser decodedTokenUser;
 
     private IdentityServiceJITProvisioningHandler jitProvisioningHandler;
 
+    private UserInfoAttrMapping expectedMapping;
+
     private static final String JWT_TOKEN = "myToken";
+    private static final String USERNAME = "johny123";
+    private static final String FIRST_NAME = "John";
+    private static final String LAST_NAME = "Doe";
+    private static final String EMAIL = "johny123@email.com";
+
+    public static final String USERNAME_CLAIM = "nickname";
+    public static final String EMAIL_CLAIM = "email";
+    public static final String FIRST_NAME_CLAIM = "given_name";
+    public static final String LAST_NAME_CLAIM = "family_name";
 
     @Before
     public void setup()
@@ -78,149 +97,147 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
         when(transactionService.isReadOnly()).thenReturn(false);
         when(identityServiceFacade.decodeToken(JWT_TOKEN)).thenReturn(decodedAccessToken);
         when(personService.createMissingPeople()).thenReturn(true);
-        jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade,
+        when(identityServiceFacade.getClientRegistration()).thenReturn(clientRegistration);
-            personService, transactionService, identityServiceConfig);
+        when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(USERNAME_CLAIM);
+        when(identityServiceConfig.getEmailAttribute()).thenReturn(EMAIL_CLAIM);
+        when(identityServiceConfig.getFirstNameAttribute()).thenReturn(FIRST_NAME_CLAIM);
+        when(identityServiceConfig.getLastNameAttribute()).thenReturn(LAST_NAME_CLAIM);
+        expectedMapping = new UserInfoAttrMapping(USERNAME_CLAIM, FIRST_NAME_CLAIM, LAST_NAME_CLAIM, EMAIL_CLAIM);
+        jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
     }
 
     @Test
     public void shouldExtractUserInfoForExistingUser()
     {
-        when(personService.personExists("johny123")).thenReturn(true);
+        when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
-        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123");
+        when(personService.personExists(USERNAME)).thenReturn(true);
+        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
 
+        jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
         assertFalse(result.get().allFieldsNotEmpty());
-        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldExtractUserInfoForExistingUserWithProviderPrincipalAttribute()
     {
-        when(identityServiceConfig.getPrincipalAttribute()).thenReturn("nickname");
+        when(identityServiceConfig.getPrincipalAttribute()).thenReturn(USERNAME_CLAIM);
-        when(personService.personExists("johny123")).thenReturn(true);
+        when(personService.personExists(USERNAME)).thenReturn(true);
-        when(decodedAccessToken.getClaim("nickname")).thenReturn("johny123");
+        when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn(USERNAME);
 
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
         assertFalse(result.get().allFieldsNotEmpty());
-        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, "nickname");
+        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldExtractUserInfoFromAccessTokenAndCreateUser()
     {
-        when(personService.personExists("johny123")).thenReturn(false);
+        when(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
-
+        when(personService.personExists(USERNAME)).thenReturn(false);
-        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123");
+        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
-        when(decodedAccessToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME)).thenReturn("John");
+        when(decodedAccessToken.getClaim(PersonClaims.GIVEN_NAME_CLAIM_NAME)).thenReturn(FIRST_NAME);
-        when(decodedAccessToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME)).thenReturn("Doe");
+        when(decodedAccessToken.getClaim(PersonClaims.FAMILY_NAME_CLAIM_NAME)).thenReturn(LAST_NAME);
-        when(decodedAccessToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME)).thenReturn("johny123@email.com");
+        when(decodedAccessToken.getClaim(PersonClaims.EMAIL_CLAIM_NAME)).thenReturn(EMAIL);
 
+        jitProvisioningHandler = new IdentityServiceJITProvisioningHandler(identityServiceFacade, personService, transactionService, identityServiceConfig);
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
-        assertEquals("John", result.get().firstName());
+        assertEquals(FIRST_NAME, result.get().firstName());
-        assertEquals("Doe", result.get().lastName());
+        assertEquals(LAST_NAME, result.get().lastName());
-        assertEquals("johny123@email.com", result.get().email());
+        assertEquals(EMAIL, result.get().email());
         assertTrue(result.get().allFieldsNotEmpty());
         verify(personService).createPerson(any());
-        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade, never()).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldExtractUserInfoFromUserInfoEndpointAndCreateUser()
     {
-        when(userInfo.username()).thenReturn("johny123");
+        when(decodedTokenUser.username()).thenReturn(USERNAME);
-        when(userInfo.firstName()).thenReturn("John");
+        when(decodedTokenUser.firstName()).thenReturn(FIRST_NAME);
-        when(userInfo.lastName()).thenReturn("Doe");
+        when(decodedTokenUser.lastName()).thenReturn(LAST_NAME);
-        when(userInfo.email()).thenReturn("johny123@email.com");
+        when(decodedTokenUser.email()).thenReturn(EMAIL);
-
+        when(personService.personExists(USERNAME)).thenReturn(false);
-        when(personService.personExists("johny123")).thenReturn(false);
+        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(USERNAME);
-
+        when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(decodedTokenUser));
-        when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("johny123");
-        when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
 
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
-        assertEquals("John", result.get().firstName());
+        assertEquals(FIRST_NAME, result.get().firstName());
-        assertEquals("Doe", result.get().lastName());
+        assertEquals(LAST_NAME, result.get().lastName());
-        assertEquals("johny123@email.com", result.get().email());
+        assertEquals(EMAIL, result.get().email());
         assertTrue(result.get().allFieldsNotEmpty());
         verify(personService).createPerson(any());
-        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldReturnEmptyOptionalIfUsernameNotExtracted()
     {
-
+        when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(decodedTokenUser));
-        when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
 
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertFalse(result.isPresent());
         verify(personService, never()).createPerson(any());
-        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldCallUserInfoEndpointToGetUsername()
     {
-        when(personService.personExists("johny123")).thenReturn(true);
+        when(personService.personExists(USERNAME)).thenReturn(true);
-
         when(decodedAccessToken.getClaim(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn("");
-
+        when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(DecodedTokenUser.validateAndCreate(USERNAME, null, null, null)));
-        when(userInfo.username()).thenReturn("johny123");
-        when(identityServiceFacade.getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME)).thenReturn(Optional.of(userInfo));
-
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
         assertEquals("", result.get().firstName());
         assertEquals("", result.get().lastName());
         assertEquals("", result.get().email());
         assertFalse(result.get().allFieldsNotEmpty());
         verify(personService, never()).createPerson(any());
-        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
     public void shouldCallUserInfoEndpointToGetUsernameWithProvidedPrincipalAttribute()
     {
-        when(identityServiceConfig.getPrincipalAttribute()).thenReturn("nickname");
+        when(identityServiceConfig.getPrincipalAttribute()).thenReturn(USERNAME_CLAIM);
-        when(personService.personExists("johny123")).thenReturn(true);
+        when(personService.personExists(USERNAME)).thenReturn(true);
-
+        when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("");
-        when(decodedAccessToken.getClaim("nickname")).thenReturn("");
+        when(identityServiceFacade.getUserInfo(JWT_TOKEN, expectedMapping)).thenReturn(Optional.of(DecodedTokenUser.validateAndCreate(USERNAME, null, null, null)));
-
-        when(userInfo.username()).thenReturn("johny123");
-        when(identityServiceFacade.getUserInfo(JWT_TOKEN, "nickname")).thenReturn(Optional.of(userInfo));
 
         Optional<OIDCUserInfo> result = jitProvisioningHandler.extractUserInfoAndCreateUserIfNeeded(
                 JWT_TOKEN);
 
         assertTrue(result.isPresent());
-        assertEquals("johny123", result.get().username());
+        assertEquals(USERNAME, result.get().username());
         assertEquals("", result.get().firstName());
         assertEquals("", result.get().lastName());
         assertEquals("", result.get().email());
         assertFalse(result.get().allFieldsNotEmpty());
         verify(personService, never()).createPerson(any());
-        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, "nickname");
+        verify(identityServiceFacade).getUserInfo(JWT_TOKEN, expectedMapping);
     }
 
     @Test
@@ -232,8 +249,8 @@ public class IdentityServiceJITProvisioningHandlerUnitTest
         verify(personService, never()).createPerson(any());
         verify(identityServiceFacade, never()).decodeToken(null);
         verify(identityServiceFacade, never()).decodeToken("");
-        verify(identityServiceFacade, never()).getUserInfo(null, PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade, never()).getUserInfo(null, expectedMapping);
-        verify(identityServiceFacade, never()).getUserInfo("", PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
+        verify(identityServiceFacade, never()).getUserInfo(null, expectedMapping);
     }
 
 }

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapperTest.java

@@ -34,17 +34,18 @@ import java.time.Instant;
 import java.util.Map;
 import java.util.Vector;
 import java.util.function.Supplier;
+import jakarta.servlet.http.HttpServletRequest;
 
 import com.nimbusds.openid.connect.sdk.claims.PersonClaims;
-
-import jakarta.servlet.http.HttpServletRequest;
 import junit.framework.TestCase;
+import org.mockito.Mockito;
+import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
+
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.DecodedAccessToken;
 import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.transaction.TransactionService;
-import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 
 /**
  * Tests the Identity Service based authentication subsystem.
@@ -68,7 +69,9 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
 
     public void testWrongTokenWithSilentValidation()
     {
-        final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {throw new TokenDecodingException("Expected ");}));
+        final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {
+            throw new TokenDecodingException("Expected ");
+        }));
         mapper.setValidationFailureSilent(true);
 
         HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN");
@@ -79,7 +82,9 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
 
     public void testWrongTokenWithoutSilentValidation()
     {
-        final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {throw new TokenDecodingException("Expected");}));
+        final IdentityServiceRemoteUserMapper mapper = givenMapper(Map.of("WrOnG-ToKeN", () -> {
+            throw new TokenDecodingException("Expected");
+        }));
         mapper.setValidationFailureSilent(false);
 
         HttpServletRequest mockRequest = createMockTokenRequest("WrOnG-ToKeN");
@@ -92,12 +97,14 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
     private IdentityServiceRemoteUserMapper givenMapper(Map<String, Supplier<String>> tokenToUser)
     {
         final TransactionService transactionService = mock(TransactionService.class);
-        final IdentityServiceFacade facade = mock(IdentityServiceFacade.class);
+        final IdentityServiceFacade facade = mock(IdentityServiceFacade.class, Mockito.RETURNS_DEEP_STUBS);
         final PersonService personService = mock(PersonService.class);
         final IdentityServiceConfig identityServiceConfig = mock(IdentityServiceConfig.class);
         when(transactionService.isReadOnly()).thenReturn(true);
         when(facade.decodeToken(anyString()))
                 .thenAnswer(i -> new TestDecodedToken(tokenToUser.get(i.getArgument(0, String.class))));
+        when(facade.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName())
+                .thenReturn(PersonClaims.PREFERRED_USERNAME_CLAIM_NAME);
 
         when(personService.getUserIdentifier(anyString())).thenAnswer(i -> i.getArgument(0, String.class));
 
@@ -108,14 +115,14 @@ public class IdentityServiceRemoteUserMapperTest extends TestCase
         mapper.setActive(true);
         mapper.setBearerTokenResolver(new DefaultBearerTokenResolver());
 
-
         return mapper;
     }
 
     /**
      * Utility method for creating a mocked Servlet request with a token.
      * 
-     * @param token The token to add to the Authorization header
+     * @param token
+     *            The token to add to the Authorization header
      * @return The mocked request object
      */
     private HttpServletRequest createMockTokenRequest(String token)

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacadeUnitTest.java

@@ -31,20 +31,23 @@ import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException;
 import org.junit.Test;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.web.client.RestOperations;
 
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.TokenDecodingException;
+import org.alfresco.repo.security.authentication.identityservice.user.UserInfoAttrMapping;
+
 public class SpringBasedIdentityServiceFacadeUnitTest
 {
     private static final String USER_NAME = "user";
     private static final String PASSWORD = "password";
     private static final String TOKEN = "tEsT-tOkEn";
+    private static final UserInfoAttrMapping USER_INFO_ATTR_MAPPING = new UserInfoAttrMapping("preferred_username", "given_name", "family_name", "email");
 
     @Test
     public void shouldThrowVerificationExceptionOnFailure()
@@ -74,7 +77,6 @@ public class SpringBasedIdentityServiceFacadeUnitTest
                 .havingCause().withNoCause().withMessage("Expected");
     }
 
-
     @Test
     public void shouldReturnEmptyOptionalOnFailure()
     {
@@ -82,8 +84,7 @@ public class SpringBasedIdentityServiceFacadeUnitTest
         final JwtDecoder jwtDecoder = mock(JwtDecoder.class);
         final SpringBasedIdentityServiceFacade facade = new SpringBasedIdentityServiceFacade(restOperations, testRegistration(), jwtDecoder);
 
-
+        assertThat(facade.getUserInfo(TOKEN, USER_INFO_ATTR_MAPPING).isEmpty()).isTrue();
-        assertThat(facade.getUserInfo(TOKEN, "preferred_username").isEmpty()).isTrue();
     }
 
     private ClientRegistration testRegistration()

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticatorUnitTest.java

@@ -38,18 +38,11 @@ import java.io.IOException;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.Map;
-
+import java.util.Set;
-import com.nimbusds.oauth2.sdk.Scope;
-
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
+
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceConfig;
+import com.nimbusds.oauth2.sdk.Scope;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessToken;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
-import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
@@ -58,6 +51,14 @@ import org.mockito.Mock;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails;
 
+import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceConfig;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessToken;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AccessTokenAuthorization;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationException;
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade.AuthorizationGrant;
+
 @SuppressWarnings("PMD.AvoidStringBufferField")
 public class IdentityServiceAdminConsoleAuthenticatorUnitTest
 {
@@ -155,6 +156,7 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
     {
         String redirectPath = "/alfresco/s/admin/admin-communitysummary";
 
+        when(identityServiceConfig.getAdminConsoleScopes()).thenReturn(Set.of("openid", "email", "profile", "offline_access"));
         when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn("/alfresco/s/admin/admin-communitysummary");
         ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class);
         String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope="
@@ -178,6 +180,7 @@ public class IdentityServiceAdminConsoleAuthenticatorUnitTest
         String redirectPath = "/alfresco/s/admin/admin-communitysummary";
         when(identityServiceConfig.getAudience()).thenReturn(audience);
         when(identityServiceConfig.getAdminConsoleRedirectPath()).thenReturn(redirectPath);
+        when(identityServiceConfig.getAdminConsoleScopes()).thenReturn(Set.of("openid", "email", "profile", "offline_access"));
         ArgumentCaptor<String> authenticationRequest = ArgumentCaptor.forClass(String.class);
         String expectedUri = "http://localhost:8999/auth?client_id=alfresco&redirect_uri=%s%s&response_type=code&scope="
                 .formatted("http://localhost:8080", redirectPath);

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/AccessTokenToDecodedTokenUserMapperUnitTest.java

@@ -0,0 +1,109 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+import java.util.Optional;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+
+import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
+
+public class AccessTokenToDecodedTokenUserMapperUnitTest
+{
+
+    @Mock
+    private IdentityServiceFacade.DecodedAccessToken decodedAccessToken;
+
+    private AccessTokenToDecodedTokenUserMapper tokenToDecodedTokenUserMapper;
+
+    public static final String USERNAME_CLAIM = "nickname";
+    public static final String EMAIL_CLAIM = "email";
+    public static final String FIRST_NAME_CLAIM = "given_name";
+    public static final String LAST_NAME_CLAIM = "family_name";
+
+    @Before
+    public void setup()
+    {
+        initMocks(this);
+        UserInfoAttrMapping userInfoAttrMapping = new UserInfoAttrMapping(USERNAME_CLAIM, FIRST_NAME_CLAIM, LAST_NAME_CLAIM, EMAIL_CLAIM);
+        tokenToDecodedTokenUserMapper = new AccessTokenToDecodedTokenUserMapper(userInfoAttrMapping);
+    }
+
+    @Test
+    public void shouldMapToDecodedTokenUserWithAllFieldsPopulated()
+    {
+        when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("johny123");
+        when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("John");
+        when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
+        when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("johny123@email.com");
+
+        Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
+
+        assertTrue(result.isPresent());
+        assertEquals("johny123", result.get().username());
+        assertEquals("John", result.get().firstName());
+        assertEquals("Doe", result.get().lastName());
+        assertEquals("johny123@email.com", result.get().email());
+    }
+
+    @Test
+    public void shouldMapToDecodedTokenUserWithSomeFieldsEmpty()
+    {
+        when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn("johny123");
+        when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("");
+        when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
+        when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("");
+
+        Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
+
+        assertTrue(result.isPresent());
+        assertEquals("johny123", result.get().username());
+        assertEquals("", result.get().firstName());
+        assertEquals("Doe", result.get().lastName());
+        assertEquals("", result.get().email());
+    }
+
+    @Test
+    public void shouldReturnEmptyOptionalForNullUsername()
+    {
+        when(decodedAccessToken.getClaim(USERNAME_CLAIM)).thenReturn(null);
+        when(decodedAccessToken.getClaim(FIRST_NAME_CLAIM)).thenReturn("John");
+        when(decodedAccessToken.getClaim(LAST_NAME_CLAIM)).thenReturn("Doe");
+        when(decodedAccessToken.getClaim(EMAIL_CLAIM)).thenReturn("johny123@email.com");
+
+        Optional<DecodedTokenUser> result = tokenToDecodedTokenUserMapper.toDecodedTokenUser(decodedAccessToken);
+
+        assertFalse(result.isPresent());
+    }
+}

repository/src/test/java/org/alfresco/repo/security/authentication/identityservice/user/TokenUserToOIDCUserMapperUnitTest.java

@@ -0,0 +1,95 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2025 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.security.authentication.identityservice.user;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.when;
+import static org.mockito.MockitoAnnotations.initMocks;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+
+import org.alfresco.service.cmr.security.PersonService;
+
+public class TokenUserToOIDCUserMapperUnitTest
+{
+
+    @Mock
+    private PersonService personService;
+
+    @InjectMocks
+    private TokenUserToOIDCUserMapper tokenUserToOIDCUserMapper;
+
+    @Before
+    public void setup()
+    {
+        initMocks(this);
+    }
+
+    @Test
+    public void shouldMapToOIDCUserWithAllFieldsPopulated()
+    {
+        DecodedTokenUser decodedTokenUser = new DecodedTokenUser("JOHNY123", "John", "Doe", "johny123@email.com");
+        when(personService.getUserIdentifier("JOHNY123")).thenReturn("johny123");
+
+        OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
+
+        assertEquals("johny123", oidcUserInfo.username());
+        assertEquals("John", oidcUserInfo.firstName());
+        assertEquals("Doe", oidcUserInfo.lastName());
+        assertEquals("johny123@email.com", oidcUserInfo.email());
+    }
+
+    @Test
+    public void shouldMapToOIDCUserWithSomeFieldsEmpty()
+    {
+        DecodedTokenUser decodedTokenUser = new DecodedTokenUser("johny123", "", "Doe", "");
+        when(personService.getUserIdentifier("johny123")).thenReturn("johny123");
+
+        OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
+
+        assertEquals("johny123", oidcUserInfo.username());
+        assertEquals("", oidcUserInfo.firstName());
+        assertEquals("Doe", oidcUserInfo.lastName());
+        assertEquals("", oidcUserInfo.email());
+    }
+
+    @Test
+    public void shouldReturnNullForNullUsername()
+    {
+        DecodedTokenUser decodedTokenUser = new DecodedTokenUser(null, "John", "Doe", "johny123@email.com");
+
+        OIDCUserInfo oidcUserInfo = tokenUserToOIDCUserMapper.toOIDCUser(decodedTokenUser);
+
+        assertNull(oidcUserInfo.username());
+        assertEquals("John", oidcUserInfo.firstName());
+        assertEquals("Doe", oidcUserInfo.lastName());
+        assertEquals("johny123@email.com", oidcUserInfo.email());
+    }
+}

repository/src/test/resources/alfresco-global.properties

@@ -28,6 +28,9 @@ identity-service.register-node-at-startup=true
 identity-service.register-node-period=50
 identity-service.token-store=SESSION
 identity-service.principal-attribute=preferred_username
+identity-service.first-name-attribute=given_name
+identity-service.last-name-attribute=family_name
+identity-service.email-attribute=email
 identity-service.turn-off-change-session-id-on-login=true
 identity-service.token-minimum-time-to-live=10
 identity-service.min-time-between-jwks-requests=60