Revert "Support resolving issuer from current request"
This reverts commit 666d569b48.
@@ -216,17 +216,9 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
@Override
public void configure(B builder) {
ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
// IMPORTANT:
// This filter must be registered first as it resolves the current issuer identifier and
// sets it as a request attribute under WebAttributes.ISSUER, which may be used by upstream components.
OAuth2AuthorizationServerMetadataEndpointFilter authorizationServerMetadataEndpointFilter =
new OAuth2AuthorizationServerMetadataEndpointFilter(providerSettings);
builder.addFilterBefore(postProcess(authorizationServerMetadataEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
this.configurers.values().forEach(configurer -> configurer.configure(builder));
ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
OAuth2TokenIntrospectionEndpointFilter tokenIntrospectionEndpointFilter =
@@ -246,6 +238,12 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
OAuth2ConfigurerUtils.getJwkSource(builder),
providerSettings.getJwkSetEndpoint());
builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
if (providerSettings.getIssuer() != null) {
OAuth2AuthorizationServerMetadataEndpointFilter authorizationServerMetadataEndpointFilter =
new OAuth2AuthorizationServerMetadataEndpointFilter(providerSettings);
builder.addFilterBefore(postProcess(authorizationServerMetadataEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
}
}
private Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> createConfigurers() {
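Review bot: The metadata filter is now registered only inside `if (providerSettings.getIssuer() != null)`, so with no issuer configured the authorization-server metadata endpoint is silently absent, and nothing in `configure` says this is deliberate rather than an oversight. The same unset issuer reaches the token providers changed in this commit as a null value, so the omission has a wider effect than this method shows. I would add `// Metadata requires an absolute issuer URL; without a configured issuer the endpoint is intentionally not registered` above the `if`, or emit a startup warning when the issuer is absent. `configure` starts in the first hunk and `createConfigurers` continues past the second.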
@@ -85,13 +85,16 @@ public final class OidcConfigurer extends AbstractOAuth2Configurer {
}
List<RequestMatcher> requestMatchers = new ArrayList<>();
requestMatchers.add(new AntPathRequestMatcher(
"/.well-known/openid-configuration", HttpMethod.GET.name()));
ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
if (providerSettings.getIssuer() != null) {
requestMatchers.add(new AntPathRequestMatcher(
"/.well-known/openid-configuration", HttpMethod.GET.name()));
}
requestMatchers.add(this.userInfoEndpointConfigurer.getRequestMatcher());
if (this.clientRegistrationEndpointConfigurer != null) {
requestMatchers.add(this.clientRegistrationEndpointConfigurer.getRequestMatcher());
}
this.requestMatcher = new OrRequestMatcher(requestMatchers);
this.requestMatcher = requestMatchers.size() > 1 ? new OrRequestMatcher(requestMatchers) : requestMatchers.get(0);
}
@Override
@@ -102,9 +105,11 @@ public final class OidcConfigurer extends AbstractOAuth2Configurer {
}
ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
OidcProviderConfigurationEndpointFilter oidcProviderConfigurationEndpointFilter =
new OidcProviderConfigurationEndpointFilter(providerSettings);
builder.addFilterBefore(postProcess(oidcProviderConfigurationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
if (providerSettings.getIssuer() != null) {
OidcProviderConfigurationEndpointFilter oidcProviderConfigurationEndpointFilter =
new OidcProviderConfigurationEndpointFilter(providerSettings);
builder.addFilterBefore(postProcess(oidcProviderConfigurationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
}
}
@Override
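Review bot: In the first hunk the discovery matcher is added only under `if (providerSettings.getIssuer() != null)`, and the second hunk registers `OidcProviderConfigurationEndpointFilter` under an identical condition in a different method; the two gates must agree, yet neither mentions the other, so a later change to one of them will silently desynchronise what this configurer claims to handle from what is actually filtered. I would put `// Must match the issuer check where OidcProviderConfigurationEndpointFilter is registered` on the first `if` and the mirror comment on the second. The `requestMatchers.size() > 1 ? new OrRequestMatcher(requestMatchers) : requestMatchers.get(0)` ternary is fine, since the userinfo matcher is always present. Both enclosing methods begin before their hunks.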
@@ -26,6 +26,7 @@ import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Supplier;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
@@ -86,6 +87,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
private final JwtEncoder jwtEncoder;
private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = (context) -> {};
private Supplier<String> refreshTokenGenerator = DEFAULT_REFRESH_TOKEN_GENERATOR::generateKey;
private ProviderSettings providerSettings;
/**
* Constructs an {@code OAuth2AuthorizationCodeAuthenticationProvider} using the provided parameters.
@@ -122,8 +124,9 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
this.refreshTokenGenerator = refreshTokenGenerator;
}
@Deprecated
@Autowired(required = false)
protected void setProviderSettings(ProviderSettings providerSettings) {
this.providerSettings = providerSettings;
}
@Override
@@ -164,7 +167,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
}
String issuer = authorizationCodeAuthentication.getIssuer();
String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;
Set<String> authorizedScopes = authorization.getAttribute(
OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
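Review bot: `String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;` makes a missing `ProviderSettings` (the setter is `@Autowired(required = false)`) or a settings object with no issuer indistinguishable from a configured one, and the null flows on into token creation with no trace in the code or the logs. A resource server that pins `iss` cannot bind such a token to this server, which is the usual defence against token mix-up, so I would prefer `Assert.state(issuer != null, "ProviderSettings.issuer must be configured");` here; if issuer-less deployments are meant to keep working, the minimum is `// issuer is null when no ProviderSettings/issuer is configured; tokens are then issued without iss` so the fallback is visibly intentional. Whether the claims builder (`JwtUtils.accessTokenClaims`, visible in the sibling providers) accepts a null issuer is not shown here. The enclosing method extends past both ends of this hunk.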
@@ -43,9 +43,7 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends OAuth2Authorizat
* @param clientPrincipal the authenticated client principal
* @param redirectUri the redirect uri
* @param additionalParameters the additional parameters
* @deprecated Use {@link #OAuth2AuthorizationCodeAuthenticationToken(String, String, Authentication, String, Map)} instead
*/
@Deprecated
public OAuth2AuthorizationCodeAuthenticationToken(String code, Authentication clientPrincipal,
@Nullable String redirectUri, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.AUTHORIZATION_CODE, clientPrincipal, additionalParameters);
@@ -54,24 +52,6 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends OAuth2Authorizat
this.redirectUri = redirectUri;
}
/**
* Constructs an {@code OAuth2AuthorizationCodeAuthenticationToken} using the provided parameters.
*
* @param issuer the issuer identifier
* @param code the authorization code
* @param clientPrincipal the authenticated client principal
* @param redirectUri the redirect uri
* @param additionalParameters the additional parameters
* @since 0.2.1
*/
public OAuth2AuthorizationCodeAuthenticationToken(String issuer, String code, Authentication clientPrincipal,
@Nullable String redirectUri, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.AUTHORIZATION_CODE, issuer, clientPrincipal, additionalParameters);
Assert.hasText(code, "code cannot be empty");
this.code = code;
this.redirectUri = redirectUri;
}
/**
* Returns the authorization code.
*
@@ -39,7 +39,6 @@ import org.springframework.util.Assert;
public class OAuth2AuthorizationGrantAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
private final AuthorizationGrantType authorizationGrantType;
private final String issuer;
private final Authentication clientPrincipal;
private final Map<String, Object> additionalParameters;
@@ -49,40 +48,13 @@ public class OAuth2AuthorizationGrantAuthenticationToken extends AbstractAuthent
* @param authorizationGrantType the authorization grant type
* @param clientPrincipal the authenticated client principal
* @param additionalParameters the additional parameters
* @deprecated Use {@link #OAuth2AuthorizationGrantAuthenticationToken(AuthorizationGrantType, String, Authentication, Map)} instead
*/
@Deprecated
protected OAuth2AuthorizationGrantAuthenticationToken(AuthorizationGrantType authorizationGrantType,
Authentication clientPrincipal, @Nullable Map<String, Object> additionalParameters) {
super(Collections.emptyList());
Assert.notNull(authorizationGrantType, "authorizationGrantType cannot be null");
Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
this.authorizationGrantType = authorizationGrantType;
this.issuer = null;
this.clientPrincipal = clientPrincipal;
this.additionalParameters = Collections.unmodifiableMap(
additionalParameters != null ?
new HashMap<>(additionalParameters) :
Collections.emptyMap());
}
/**
* Sub-class constructor.
*
* @param authorizationGrantType the authorization grant type
* @param issuer the issuer identifier
* @param clientPrincipal the authenticated client principal
* @param additionalParameters the additional parameters
* @since 0.2.1
*/
protected OAuth2AuthorizationGrantAuthenticationToken(AuthorizationGrantType authorizationGrantType,
String issuer, Authentication clientPrincipal, @Nullable Map<String, Object> additionalParameters) {
super(Collections.emptyList());
Assert.notNull(authorizationGrantType, "authorizationGrantType cannot be null");
Assert.hasText(issuer, "issuer cannot be empty");
Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
this.authorizationGrantType = authorizationGrantType;
this.issuer = issuer;
this.clientPrincipal = clientPrincipal;
this.additionalParameters = Collections.unmodifiableMap(
additionalParameters != null ?
@@ -99,16 +71,6 @@ public class OAuth2AuthorizationGrantAuthenticationToken extends AbstractAuthent
return this.authorizationGrantType;
}
/**
* Returns the issuer identifier.
*
* @return the issuer identifier
* @since 0.2.1
*/
public String getIssuer() {
return this.issuer;
}
@Override
public Object getPrincipal() {
return this.clientPrincipal;
@@ -19,6 +19,7 @@ import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Consumer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
@@ -61,6 +62,7 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
private final OAuth2AuthorizationService authorizationService;
private final JwtEncoder jwtEncoder;
private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = (context) -> {};
private ProviderSettings providerSettings;
/**
* Constructs an {@code OAuth2ClientCredentialsAuthenticationProvider} using the provided parameters.
@@ -88,8 +90,9 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
this.jwtCustomizer = jwtCustomizer;
}
@Deprecated
@Autowired(required = false)
protected void setProviderSettings(ProviderSettings providerSettings) {
this.providerSettings = providerSettings;
}
@Override
@@ -115,7 +118,7 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
}
String issuer = clientCredentialsAuthentication.getIssuer();
String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;
JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
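Review bot: As in the authorization-code provider, `String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;` turns an absent `ProviderSettings` (the setter is `@Autowired(required = false)`) or a missing issuer into a null that goes straight into `JwtUtils.accessTokenClaims(` two lines below, and for a machine-to-machine grant that is exactly the claim a resource server pins. I would guard before the claims are built: `Assert.state(issuer != null, "ProviderSettings.issuer must be configured");`, or, if running without an issuer is supported, say so with `// issuer may be null when no ProviderSettings/issuer is configured; the token is then issued without iss`. The enclosing method continues past this hunk.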
@@ -41,9 +41,7 @@ public class OAuth2ClientCredentialsAuthenticationToken extends OAuth2Authorizat
* @param clientPrincipal the authenticated client principal
* @param scopes the requested scope(s)
* @param additionalParameters the additional parameters
* @deprecated Use {@link #OAuth2ClientCredentialsAuthenticationToken(String, Authentication, Set, Map)} instead
*/
@Deprecated
public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal,
@Nullable Set<String> scopes, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.CLIENT_CREDENTIALS, clientPrincipal, additionalParameters);
@@ -51,22 +49,6 @@ public class OAuth2ClientCredentialsAuthenticationToken extends OAuth2Authorizat
scopes != null ? new HashSet<>(scopes) : Collections.emptySet());
}
/**
* Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
*
* @param issuer the issuer identifier
* @param clientPrincipal the authenticated client principal
* @param scopes the requested scope(s)
* @param additionalParameters the additional parameters
* @since 0.2.1
*/
public OAuth2ClientCredentialsAuthenticationToken(String issuer, Authentication clientPrincipal,
@Nullable Set<String> scopes, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.CLIENT_CREDENTIALS, issuer, clientPrincipal, additionalParameters);
this.scopes = Collections.unmodifiableSet(
scopes != null ? new HashSet<>(scopes) : Collections.emptySet());
}
/**
* Returns the requested scope(s).
*
@@ -26,6 +26,7 @@ import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Supplier;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
@@ -79,6 +80,7 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
private final JwtEncoder jwtEncoder;
private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = (context) -> {};
private Supplier<String> refreshTokenGenerator = DEFAULT_REFRESH_TOKEN_GENERATOR::generateKey;
private ProviderSettings providerSettings;
/**
* Constructs an {@code OAuth2RefreshTokenAuthenticationProvider} using the provided parameters.
@@ -116,8 +118,9 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
this.refreshTokenGenerator = refreshTokenGenerator;
}
@Deprecated
@Autowired(required = false)
protected void setProviderSettings(ProviderSettings providerSettings) {
this.providerSettings = providerSettings;
}
@Override
@@ -163,7 +166,7 @@ public final class OAuth2RefreshTokenAuthenticationProvider implements Authentic
scopes = authorizedScopes;
}
String issuer = refreshTokenAuthentication.getIssuer();
String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;
JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
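Review bot: The refresh path has the same silent fallback, `String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;`, feeding `JwtUtils.accessTokenClaims(`, which means the `iss` of a re-issued access token depends only on whatever `ProviderSettings` is wired at refresh time and is dropped entirely when it is absent. Three providers now carry this identical expression with no comment; at minimum each should say `// issuer is null when no ProviderSettings/issuer is configured` so the behaviour is recognisably intended, and a single `Assert.state(issuer != null, ...)` in each would be the safer choice if issuer-less operation is not a supported mode. The enclosing method continues past this hunk.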
@@ -44,9 +44,7 @@ public class OAuth2RefreshTokenAuthenticationToken extends OAuth2AuthorizationGr
* @param clientPrincipal the authenticated client principal
* @param scopes the requested scope(s)
* @param additionalParameters the additional parameters
* @deprecated Use {@link #OAuth2RefreshTokenAuthenticationToken(String, String, Authentication, Set, Map)} instead
*/
@Deprecated
public OAuth2RefreshTokenAuthenticationToken(String refreshToken, Authentication clientPrincipal,
@Nullable Set<String> scopes, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.REFRESH_TOKEN, clientPrincipal, additionalParameters);
@@ -56,25 +54,6 @@ public class OAuth2RefreshTokenAuthenticationToken extends OAuth2AuthorizationGr
scopes != null ? new HashSet<>(scopes) : Collections.emptySet());
}
/**
* Constructs an {@code OAuth2RefreshTokenAuthenticationToken} using the provided parameters.
*
* @param issuer the issuer identifier
* @param refreshToken the refresh token
* @param clientPrincipal the authenticated client principal
* @param scopes the requested scope(s)
* @param additionalParameters the additional parameters
* @since 0.2.1
*/
public OAuth2RefreshTokenAuthenticationToken(String issuer, String refreshToken, Authentication clientPrincipal,
@Nullable Set<String> scopes, @Nullable Map<String, Object> additionalParameters) {
super(AuthorizationGrantType.REFRESH_TOKEN, issuer, clientPrincipal, additionalParameters);
Assert.hasText(refreshToken, "refreshToken cannot be empty");
this.refreshToken = refreshToken;
this.scopes = Collections.unmodifiableSet(
scopes != null ? new HashSet<>(scopes) : Collections.emptySet());
}
/**
* Returns the refresh token.
*
@@ -178,11 +178,9 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
}
OidcClientRegistration clientRegistration = buildRegistration(
registeredClient, clientRegistrationAuthentication.getIssuer())
.build();
OidcClientRegistration clientRegistration = buildRegistration(registeredClient).build();
return new OidcClientRegistrationAuthenticationToken(clientRegistrationAuthentication.getIssuer(),
return new OidcClientRegistrationAuthenticationToken(
(Authentication) clientRegistrationAuthentication.getPrincipal(), clientRegistration);
}
@@ -200,8 +198,7 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
RegisteredClient registeredClient = createClient(clientRegistrationAuthentication.getClientRegistration());
this.registeredClientRepository.save(registeredClient);
OAuth2Authorization registeredClientAuthorization = registerAccessToken(
registeredClient, clientRegistrationAuthentication.getIssuer());
OAuth2Authorization registeredClientAuthorization = registerAccessToken(registeredClient);
// Invalidate the "initial" access token as it can only be used once
authorization = OidcAuthenticationProviderUtils.invalidate(authorization, authorizedAccessToken.getToken());
@@ -210,22 +207,21 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
}
this.authorizationService.save(authorization);
OidcClientRegistration clientRegistration = buildRegistration(
registeredClient, clientRegistrationAuthentication.getIssuer())
OidcClientRegistration clientRegistration = buildRegistration(registeredClient)
.registrationAccessToken(registeredClientAuthorization.getAccessToken().getToken().getTokenValue())
.build();
return new OidcClientRegistrationAuthenticationToken(clientRegistrationAuthentication.getIssuer(),
return new OidcClientRegistrationAuthenticationToken(
(Authentication) clientRegistrationAuthentication.getPrincipal(), clientRegistration);
}
private OAuth2Authorization registerAccessToken(RegisteredClient registeredClient, String issuer) {
private OAuth2Authorization registerAccessToken(RegisteredClient registeredClient) {
JoseHeader headers = JwtUtils.headers().build();
Set<String> authorizedScopes = Collections.singleton(DEFAULT_CLIENT_CONFIGURATION_AUTHORIZED_SCOPE);
JwtClaimsSet claims = JwtUtils.accessTokenClaims(
registeredClient, issuer, registeredClient.getClientId(), authorizedScopes)
registeredClient, this.providerSettings.getIssuer(), registeredClient.getClientId(), authorizedScopes)
.build();
Jwt registrationAccessToken = this.jwtEncoder.encode(headers, claims);
@@ -250,7 +246,7 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
return registeredClientAuthorization;
}
private OidcClientRegistration.Builder buildRegistration(RegisteredClient registeredClient, String issuer) {
private OidcClientRegistration.Builder buildRegistration(RegisteredClient registeredClient) {
// @formatter:off
OidcClientRegistration.Builder builder = OidcClientRegistration.builder()
.clientId(registeredClient.getClientId())
@@ -274,7 +270,7 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
scopes.addAll(registeredClient.getScopes()));
}
String registrationClientUri = UriComponentsBuilder.fromUriString(issuer)
String registrationClientUri = UriComponentsBuilder.fromUriString(this.providerSettings.getIssuer())
.path(this.providerSettings.getOidcClientRegistrationEndpoint())
.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
.toUriString();
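Review bot: `registerAccessToken` and `buildRegistration` now read `this.providerSettings.getIssuer()` with no null check at all, unlike the token providers in this commit that guard both the settings object and the issuer; `UriComponentsBuilder.fromUriString(null)` rejects a null argument (an IllegalArgumentException from its internal assert, as far as I recall), so registration against a server with no configured issuer would end in an unhandled exception after `this.registeredClientRepository.save(registeredClient)`, the invalidation of the initial token and `this.authorizationService.save(authorization)` have all been persisted. I would validate once, ahead of the first save: `Assert.hasText(this.providerSettings.getIssuer(), "ProviderSettings.issuer is required for client registration");`. Where `this.providerSettings` is injected is outside these hunks, so whether it can itself be null is not visible. Both enclosing methods start before their hunks.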
@@ -36,7 +36,6 @@ import org.springframework.util.Assert;
*/
public class OidcClientRegistrationAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
private final String issuer;
private final Authentication principal;
private final OidcClientRegistration clientRegistration;
private final String clientId;
@@ -46,14 +45,11 @@ public class OidcClientRegistrationAuthenticationToken extends AbstractAuthentic
*
* @param principal the authenticated principal
* @param clientRegistration the client registration
* @deprecated Use {@link #OidcClientRegistrationAuthenticationToken(String, Authentication, OidcClientRegistration)} instead
*/
@Deprecated
public OidcClientRegistrationAuthenticationToken(Authentication principal, OidcClientRegistration clientRegistration) {
super(Collections.emptyList());
Assert.notNull(principal, "principal cannot be null");
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
this.issuer = null;
this.principal = principal;
this.clientRegistration = clientRegistration;
this.clientId = null;
@@ -63,53 +59,20 @@ public class OidcClientRegistrationAuthenticationToken extends AbstractAuthentic
/**
* Constructs an {@code OidcClientRegistrationAuthenticationToken} using the provided parameters.
*
* @param issuer the issuer identifier
* @param principal the authenticated principal
* @param clientRegistration the client registration
* @since 0.2.1
*/
public OidcClientRegistrationAuthenticationToken(String issuer, Authentication principal, OidcClientRegistration clientRegistration) {
super(Collections.emptyList());
Assert.hasText(issuer, "issuer cannot be empty");
Assert.notNull(principal, "principal cannot be null");
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
this.issuer = issuer;
this.principal = principal;
this.clientRegistration = clientRegistration;
this.clientId = null;
setAuthenticated(principal.isAuthenticated());
}
/**
* Constructs an {@code OidcClientRegistrationAuthenticationToken} using the provided parameters.
*
* @param issuer the issuer identifier
* @param principal the authenticated principal
* @param clientId the client identifier
* @since 0.2.1
*/
public OidcClientRegistrationAuthenticationToken(String issuer, Authentication principal, String clientId) {
public OidcClientRegistrationAuthenticationToken(Authentication principal, String clientId) {
super(Collections.emptyList());
Assert.hasText(issuer, "issuer cannot be empty");
Assert.notNull(principal, "principal cannot be null");
Assert.hasText(clientId, "clientId cannot be empty");
this.issuer = issuer;
this.principal = principal;
this.clientRegistration = null;
this.clientId = clientId;
setAuthenticated(principal.isAuthenticated());
}
/**
* Returns the issuer identifier.
*
* @return the issuer identifier
* @since 0.2.1
*/
public String getIssuer() {
return this.issuer;
}
@Override
public Object getPrincipal() {
return this.principal;
@@ -38,7 +38,6 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe
import org.springframework.security.oauth2.core.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.core.oidc.http.converter.OidcClientRegistrationHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
@@ -149,10 +148,7 @@ public final class OidcClientRegistrationEndpointFilter extends OncePerRequestFi
if ("POST".equals(request.getMethod())) {
OidcClientRegistration clientRegistration = this.clientRegistrationHttpMessageConverter.read(
OidcClientRegistration.class, new ServletServerHttpRequest(request));
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
return new OidcClientRegistrationAuthenticationToken(issuer, principal, clientRegistration);
return new OidcClientRegistrationAuthenticationToken(principal, clientRegistration);
}
// client_id (REQUIRED)
@@ -162,9 +158,7 @@ public final class OidcClientRegistrationEndpointFilter extends OncePerRequestFi
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
}
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
return new OidcClientRegistrationAuthenticationToken(issuer, principal, clientId);
return new OidcClientRegistrationAuthenticationToken(principal, clientId);
}
private void sendClientRegistrationResponse(HttpServletResponse response, HttpStatus httpStatus, OidcClientRegistration clientRegistration) throws IOException {
@@ -15,13 +15,6 @@
*/
package org.springframework.security.oauth2.server.authorization.oidc.web;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.server.ServletServerHttpResponse;
@@ -33,13 +26,18 @@ import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.http.converter.OidcProviderConfigurationHttpMessageConverter;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* A {@code Filter} that processes OpenID Provider Configuration Requests.
*
@@ -78,15 +76,13 @@ public final class OidcProviderConfigurationEndpointFilter extends OncePerReques
return;
}
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
OidcProviderConfiguration providerConfiguration = OidcProviderConfiguration.builder()
.issuer(issuer)
.authorizationEndpoint(asUrl(issuer, this.providerSettings.getAuthorizationEndpoint()))
.tokenEndpoint(asUrl(issuer, this.providerSettings.getTokenEndpoint()))
.issuer(this.providerSettings.getIssuer())
.authorizationEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getAuthorizationEndpoint()))
.tokenEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getTokenEndpoint()))
.tokenEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue())
.tokenEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue())
.jwkSetUrl(asUrl(issuer, this.providerSettings.getJwkSetEndpoint()))
.jwkSetUrl(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getJwkSetEndpoint()))
.responseType(OAuth2AuthorizationResponseType.CODE.getValue())
.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
@@ -104,5 +100,4 @@ public final class OidcProviderConfigurationEndpointFilter extends OncePerReques
private static String asUrl(String issuer, String endpoint) {
return UriComponentsBuilder.fromUriString(issuer).path(endpoint).build().toUriString();
}
}
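Review bot: `doFilterInternal` dereferences `this.providerSettings.getIssuer()` for the issuer and in every `asUrl(...)` call without a guard, so the filter is correct only because its registration is gated on a non-null issuer elsewhere in this commit, and nothing in this file records that precondition. I would enforce it where the filter is constructed — `Assert.hasText(providerSettings.getIssuer(), "providerSettings.issuer cannot be empty");` in the constructor, which is outside this hunk — or at least add `// Non-null by construction: the configurer only registers this filter when an issuer is configured` above the builder chain. Separately, the import hunk ends up with `javax.servlet.*` and `java.io.IOException` after the `org.springframework.*` block, the reverse of the `java.*`/`javax.*`-first order the other files in this commit use; I would restore that order. `doFilterInternal` begins before its hunk.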
@@ -33,7 +33,6 @@ import org.springframework.security.oauth2.core.OAuth2AuthorizationServerMetadat
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
import org.springframework.security.oauth2.core.http.converter.OAuth2AuthorizationServerMetadataHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
@@ -44,7 +43,6 @@ import org.springframework.web.util.UriComponentsBuilder;
|
||||
* A {@code Filter} that processes OAuth 2.0 Authorization Server Metadata Requests.
|
||||
*
|
||||
* @author Daniel Garnier-Moiroux
|
||||
* @author Joe Grandja
|
||||
* @since 0.1.1
|
||||
* @see OAuth2AuthorizationServerMetadata
|
||||
* @see ProviderSettings
|
||||
@@ -74,32 +72,24 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
// Resolve the current issuer identifier
|
||||
String issuer = this.providerSettings.getIssuer();
|
||||
if (issuer == null) {
|
||||
issuer = resolveIssuer(request);
|
||||
}
|
||||
// Set the current issuer identifier as a request attribute (for use by upstream components)
|
||||
request.setAttribute(WebAttributes.ISSUER, issuer);
|
||||
|
||||
if (!this.requestMatcher.matches(request)) {
|
||||
filterChain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
OAuth2AuthorizationServerMetadata authorizationServerMetadata = OAuth2AuthorizationServerMetadata.builder()
|
||||
.issuer(issuer)
|
||||
.authorizationEndpoint(asUrl(issuer, this.providerSettings.getAuthorizationEndpoint()))
|
||||
.tokenEndpoint(asUrl(issuer, this.providerSettings.getTokenEndpoint()))
|
||||
.issuer(this.providerSettings.getIssuer())
|
||||
.authorizationEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getAuthorizationEndpoint()))
|
||||
.tokenEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getTokenEndpoint()))
|
||||
.tokenEndpointAuthenticationMethods(clientAuthenticationMethods())
|
||||
.jwkSetUrl(asUrl(issuer, this.providerSettings.getJwkSetEndpoint()))
|
||||
.jwkSetUrl(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getJwkSetEndpoint()))
|
||||
.responseType(OAuth2AuthorizationResponseType.CODE.getValue())
|
||||
.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
|
||||
.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
|
||||
.grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
|
||||
.tokenRevocationEndpoint(asUrl(issuer, this.providerSettings.getTokenRevocationEndpoint()))
|
||||
.tokenRevocationEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getTokenRevocationEndpoint()))
|
||||
.tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods())
|
||||
.tokenIntrospectionEndpoint(asUrl(issuer, this.providerSettings.getTokenIntrospectionEndpoint()))
|
||||
.tokenIntrospectionEndpoint(asUrl(this.providerSettings.getIssuer(), this.providerSettings.getTokenIntrospectionEndpoint()))
|
||||
.tokenIntrospectionEndpointAuthenticationMethods(clientAuthenticationMethods())
|
||||
.codeChallengeMethod("plain")
|
||||
.codeChallengeMethod("S256")
|
||||
@@ -110,17 +100,6 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP
|
||||
authorizationServerMetadata, MediaType.APPLICATION_JSON, httpResponse);
|
||||
}
|
||||
|
||||
private static String resolveIssuer(HttpServletRequest request) {
|
||||
// @formatter:off
|
||||
return UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
|
||||
.replacePath(request.getContextPath())
|
||||
.replaceQuery(null)
|
||||
.fragment(null)
|
||||
.build()
|
||||
.toUriString();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
private static Consumer<List<String>> clientAuthenticationMethods() {
|
||||
return (authenticationMethods) -> {
|
||||
authenticationMethods.add(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue());
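Review bot: The new side of doFilterInternal calls `asUrl(this.providerSettings.getIssuer(), ...)` six times with no check that the issuer is actually set, so a null issuer would fail inside `UriComponentsBuilder.fromUriString` on the first metadata request instead of at configuration time. Even if the configurer only registers this filter when an issuer is configured, the filter should state that contract itself: an `Assert.hasText(providerSettings.getIssuer(), "issuer cannot be empty");` in the constructor (outside this hunk; `Assert` is already imported) pins it, and hoisting `String issuer = this.providerSettings.getIssuer();` above the builder avoids the repeated getter calls. Removing `resolveIssuer`, which built the issuer from the incoming request URL, also closes a path where a spoofed Host header could steer the advertised endpoints, so the class Javadoc should say in one line that the issuer is taken solely from `ProviderSettings` and never from the request.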
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
/*
|
||||
* Copyright 2020-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
|
||||
|
||||
/**
|
||||
* Well-known attribute names which are used to store information in request or session scope.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 0.2.1
|
||||
*/
|
||||
public final class WebAttributes {
|
||||
|
||||
private WebAttributes() {
|
||||
}
|
||||
|
||||
/**
|
||||
* The {@link javax.servlet.http.HttpServletRequest#getAttribute(String) request attribute} name that holds the current issuer identifier.
|
||||
* The issuer identifier is resolved from {@link ProviderSettings#getIssuer()} or dynamically from the current {@link javax.servlet.http.HttpServletRequest}.
|
||||
*/
|
||||
public static final String ISSUER = WebAttributes.class.getName().concat(".ISSUER");
|
||||
|
||||
}
|
||||
@@ -28,7 +28,6 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
|
||||
import org.springframework.security.web.authentication.AuthenticationConverter;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.util.StringUtils;
|
||||
@@ -89,10 +88,8 @@ public final class OAuth2AuthorizationCodeAuthenticationConverter implements Aut
|
||||
}
|
||||
});
|
||||
|
||||
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
|
||||
|
||||
return new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
issuer, code, clientPrincipal, redirectUri, additionalParameters);
|
||||
code, clientPrincipal, redirectUri, additionalParameters);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -31,7 +31,6 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
|
||||
import org.springframework.security.web.authentication.AuthenticationConverter;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.util.StringUtils;
|
||||
@@ -84,10 +83,7 @@ public final class OAuth2ClientCredentialsAuthenticationConverter implements Aut
|
||||
}
|
||||
});
|
||||
|
||||
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
|
||||
|
||||
return new OAuth2ClientCredentialsAuthenticationToken(
|
||||
issuer, clientPrincipal, requestedScopes, additionalParameters);
|
||||
clientPrincipal, requestedScopes, additionalParameters);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -31,7 +31,6 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
|
||||
import org.springframework.security.web.authentication.AuthenticationConverter;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.util.StringUtils;
|
||||
@@ -95,10 +94,7 @@ public final class OAuth2RefreshTokenAuthenticationConverter implements Authenti
|
||||
}
|
||||
});
|
||||
|
||||
String issuer = (String) request.getAttribute(WebAttributes.ISSUER);
|
||||
|
||||
return new OAuth2RefreshTokenAuthenticationToken(
|
||||
issuer, refreshToken, clientPrincipal, requestedScopes, additionalParameters);
|
||||
refreshToken, clientPrincipal, requestedScopes, additionalParameters);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -213,11 +213,10 @@ public class OAuth2ClientCredentialsGrantTests {
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
|
||||
this.registeredClientRepository.save(registeredClient);
|
||||
|
||||
String issuer = "https://example.com/issuer1";
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
|
||||
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, null, null);
|
||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
|
||||
when(authenticationConverter.convert(any())).thenReturn(clientCredentialsAuthentication);
|
||||
|
||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(
|
||||
|
||||
@@ -88,10 +88,9 @@ public class JwtEncodingContextTests {
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
String issuer = "https://provider.com";
|
||||
OAuth2AuthorizationCodeAuthenticationToken authorizationGrant =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
issuer, "code", clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
"code", clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
JwtEncodingContext context = JwtEncodingContext.with(headers, claims)
|
||||
.registeredClient(registeredClient)
|
||||
|
||||
@@ -34,7 +34,6 @@ import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
|
||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
||||
@@ -49,6 +48,7 @@ import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
||||
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
||||
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
|
||||
import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
|
||||
@@ -74,7 +74,6 @@ import static org.mockito.Mockito.when;
|
||||
* @author Daniel Garnier-Moiroux
|
||||
*/
|
||||
public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
private static final String ISSUER = "https://example.com/issuer1";
|
||||
private static final String AUTHORIZATION_CODE = "code";
|
||||
private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.CODE);
|
||||
private OAuth2AuthorizationService authorizationService;
|
||||
@@ -131,7 +130,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
|
||||
registeredClient.getClientId(), registeredClient.getClientSecret());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
|
||||
@@ -145,7 +144,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient.getClientId(), ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret(), null);
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
|
||||
@@ -159,7 +158,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
|
||||
@@ -177,7 +176,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, null, null);
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
|
||||
@@ -204,7 +203,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri() + "-invalid", null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri() + "-invalid", null);
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
|
||||
@@ -228,7 +227,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -254,7 +253,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -275,7 +274,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
|
||||
|
||||
@@ -331,7 +330,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
|
||||
|
||||
@@ -405,7 +404,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
|
||||
|
||||
@@ -468,7 +467,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
Instant accessTokenIssuedAt = Instant.now();
|
||||
Instant accessTokenExpiresAt = accessTokenIssuedAt.plus(accessTokenTTL);
|
||||
@@ -507,7 +506,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
|
||||
|
||||
@@ -540,7 +539,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
||||
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
|
||||
OAuth2AuthorizationRequest.class.getName());
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication =
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(ISSUER, AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
|
||||
|
||||
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
|
||||
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
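Review bot: The import hunk reintroduces `import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;` between the `OAuth2Authorization` and `OAuth2AuthorizationService` imports of the `server.authorization` group, while the same commit removes it from its sorted position in the `oauth2.core` group. If the file keeps imports alphabetically grouped, as the surrounding lines suggest, the line belongs back after `import org.springframework.security.oauth2.core.OAuth2AuthenticationException;` and before `import org.springframework.security.oauth2.core.OAuth2ErrorCodes;`. The remaining hunks only drop the `ISSUER` constant and constructor argument, which follow from the revert. The test method at the end of the section continues past the hunk.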
|
||||
|
||||
@@ -35,7 +35,6 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
* @author Daniel Garnier-Moiroux
|
||||
*/
|
||||
public class OAuth2AuthorizationCodeAuthenticationTokenTests {
|
||||
private String issuer = "https://example.com/issuer1";
|
||||
private String code = "code";
|
||||
private RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
|
||||
private OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
@@ -43,23 +42,16 @@ public class OAuth2AuthorizationCodeAuthenticationTokenTests {
|
||||
private String redirectUri = "redirectUri";
|
||||
private Map<String, Object> additionalParameters = Collections.singletonMap("param1", "value1");
|
||||
|
||||
@Test
|
||||
public void constructorWhenIssuerNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new OAuth2AuthorizationCodeAuthenticationToken(null, this.code, this.clientPrincipal, this.redirectUri, null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("issuer cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenCodeNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new OAuth2AuthorizationCodeAuthenticationToken(this.issuer, null, this.clientPrincipal, this.redirectUri, null))
|
||||
assertThatThrownBy(() -> new OAuth2AuthorizationCodeAuthenticationToken(null, this.clientPrincipal, this.redirectUri, null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("code cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenClientPrincipalNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new OAuth2AuthorizationCodeAuthenticationToken(this.issuer, this.code, null, this.redirectUri, null))
|
||||
assertThatThrownBy(() -> new OAuth2AuthorizationCodeAuthenticationToken(this.code, null, this.redirectUri, null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("clientPrincipal cannot be null");
|
||||
}
|
||||
@@ -67,9 +59,8 @@ public class OAuth2AuthorizationCodeAuthenticationTokenTests {
|
||||
@Test
|
||||
public void constructorWhenClientPrincipalProvidedThenCreated() {
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
this.issuer, this.code, this.clientPrincipal, this.redirectUri, this.additionalParameters);
|
||||
this.code, this.clientPrincipal, this.redirectUri, this.additionalParameters);
|
||||
assertThat(authentication.getGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
|
||||
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
|
||||
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
|
||||
assertThat(authentication.getCredentials().toString()).isEmpty();
|
||||
assertThat(authentication.getCode()).isEqualTo(this.code);
|
||||
@@ -80,7 +71,7 @@ public class OAuth2AuthorizationCodeAuthenticationTokenTests {
|
||||
@Test
|
||||
public void getAdditionalParametersWhenUpdateThenThrowUnsupportedOperationException() {
|
||||
OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
this.issuer, this.code, this.clientPrincipal, this.redirectUri, this.additionalParameters);
|
||||
this.code, this.clientPrincipal, this.redirectUri, this.additionalParameters);
|
||||
assertThatThrownBy(() -> authentication.getAdditionalParameters().put("another_key", 1))
|
||||
.isInstanceOf(UnsupportedOperationException.class);
|
||||
assertThatThrownBy(() -> authentication.getAdditionalParameters().remove("some_key"))
|
||||
|
||||
@@ -36,12 +36,12 @@ import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
|
||||
import org.springframework.security.oauth2.jwt.JoseHeaderNames;
|
||||
import org.springframework.security.oauth2.jwt.Jwt;
|
||||
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
||||
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
@@ -105,12 +105,11 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
@Test
|
||||
public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
|
||||
String issuer = "https://example.com/issuer1";
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
|
||||
TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
|
||||
registeredClient.getClientId(), registeredClient.getClientSecret());
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication =
|
||||
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, null, null);
|
||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -121,12 +120,11 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
@Test
|
||||
public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
|
||||
String issuer = "https://example.com/issuer1";
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient.getClientId(), ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret(), null);
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication =
|
||||
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, null, null);
|
||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -137,14 +135,13 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
@Test
|
||||
public void authenticateWhenClientNotAuthorizedToRequestTokenThenThrowOAuth2AuthenticationException() {
|
||||
String issuer = "https://example.com/issuer1";
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2()
|
||||
.authorizationGrantTypes(grantTypes -> grantTypes.remove(AuthorizationGrantType.CLIENT_CREDENTIALS))
|
||||
.build();
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication =
|
||||
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, null, null);
|
||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -155,12 +152,11 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
@Test
|
||||
public void authenticateWhenInvalidScopeThenThrowOAuth2AuthenticationException() {
|
||||
String issuer = "https://example.com/issuer1";
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
|
||||
issuer, clientPrincipal, Collections.singleton("invalid-scope"), null);
|
||||
clientPrincipal, Collections.singleton("invalid-scope"), null);
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class)
|
||||
@@ -171,13 +167,12 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
@Test
|
||||
public void authenticateWhenScopeRequestedThenAccessTokenContainsScope() {
|
||||
String issuer = "https://example.com/issuer1";
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
|
||||
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
|
||||
Set<String> requestedScope = Collections.singleton("scope1");
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication =
|
||||
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, requestedScope, null);
|
||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope, null);
|
||||
|
||||
when(this.jwtEncoder.encode(any(), any()))
|
||||
.thenReturn(createJwt(Collections.singleton("mapped-scoped")));
|
||||
@@ -189,12 +184,11 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
@Test
public void authenticateWhenValidAuthenticationThenReturnAccessToken() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2ClientCredentialsAuthenticationToken authentication =
new OAuth2ClientCredentialsAuthenticationToken(issuer, clientPrincipal, null, null);
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt(registeredClient.getScopes()));
@@ -35,23 +35,15 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
* @author Alexey Nesterov
*/
public class OAuth2ClientCredentialsAuthenticationTokenTests {
private String issuer = "https://example.com/issuer1";
private final RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
private final OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
this.registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, this.registeredClient.getClientSecret());
private Set<String> scopes = Collections.singleton("scope1");
private Map<String, Object> additionalParameters = Collections.singletonMap("param1", "value1");
@Test
public void constructorWhenIssuerNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(null, this.clientPrincipal, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("issuer cannot be empty");
}
@Test
public void constructorWhenClientPrincipalNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(this.issuer, null, this.scopes, this.additionalParameters))
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(null, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("clientPrincipal cannot be null");
}
@@ -59,10 +51,9 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
@Test
public void constructorWhenClientPrincipalProvidedThenCreated() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
this.issuer, this.clientPrincipal, this.scopes, this.additionalParameters);
this.clientPrincipal, this.scopes, this.additionalParameters);
assertThat(authentication.getGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getScopes()).isEqualTo(this.scopes);
@@ -74,10 +65,9 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
Set<String> expectedScopes = Collections.singleton("test-scope");
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
this.issuer, this.clientPrincipal, expectedScopes, this.additionalParameters);
this.clientPrincipal, expectedScopes, this.additionalParameters);
assertThat(authentication.getGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getScopes()).isEqualTo(expectedScopes);
@@ -132,7 +132,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenValidRefreshTokenThenReturnAccessToken() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
when(this.authorizationService.findByToken(
@@ -143,7 +142,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -177,7 +176,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenValidRefreshTokenThenReturnIdToken() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scope(OidcScopes.OPENID).build();
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
when(this.authorizationService.findByToken(
@@ -188,7 +186,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -245,7 +243,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenReuseRefreshTokensFalseThenReturnNewRefreshToken() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
.tokenSettings(TokenSettings.builder().reuseRefreshTokens(false).build())
.build();
@@ -258,7 +255,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -273,7 +270,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenRequestedScopesAuthorizedThenAccessTokenIncludesScopes() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
.scope("scope2")
.scope("scope3")
@@ -290,7 +286,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
Set<String> requestedScopes = new HashSet<>(authorizedScopes);
requestedScopes.remove("scope1");
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes, null);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -300,7 +296,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenCustomRefreshTokenGeneratorThenUsed() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
.tokenSettings(TokenSettings.builder().reuseRefreshTokens(false).build())
.build();
@@ -322,7 +317,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -333,7 +328,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenRequestedScopesNotAuthorizedThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
when(this.authorizationService.findByToken(
@@ -347,7 +341,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
Set<String> requestedScopes = new HashSet<>(authorizedScopes);
requestedScopes.add("unauthorized");
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -358,12 +352,11 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenInvalidRefreshTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, "invalid", clientPrincipal, null, null);
"invalid", clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -374,12 +367,11 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
registeredClient.getClientId(), registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, "refresh-token", clientPrincipal, null, null);
"refresh-token", clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -390,12 +382,11 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient.getClientId(), ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret(), null);
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, "refresh-token", clientPrincipal, null, null);
"refresh-token", clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -406,7 +397,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenRefreshTokenIssuedToAnotherClientThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
when(this.authorizationService.findByToken(
@@ -418,7 +408,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient2, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient2.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -429,7 +419,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenClientNotAuthorizedToRefreshTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
.authorizationGrantTypes(grantTypes -> grantTypes.remove(AuthorizationGrantType.REFRESH_TOKEN))
.build();
@@ -442,7 +431,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -453,7 +442,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenExpiredRefreshTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
OAuth2RefreshToken expiredRefreshToken = new OAuth2RefreshToken(
@@ -467,7 +455,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -478,7 +466,6 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
@Test
public void authenticateWhenRevokedRefreshTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(
"refresh-token", Instant.now().minusSeconds(120), Instant.now().plusSeconds(1000));
@@ -493,7 +480,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
issuer, authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -36,33 +36,25 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
* @since 0.0.3
*/
public class OAuth2RefreshTokenAuthenticationTokenTests {
private String issuer = "https://example.com/issuer1";
private RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
private OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
this.registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, this.registeredClient.getClientSecret());
private Set<String> scopes = Collections.singleton("scope1");
private Map<String, Object> additionalParameters = Collections.singletonMap("param1", "value1");
@Test
public void constructorWhenIssuerNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken(null, "refresh-token", this.clientPrincipal, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("issuer cannot be empty");
}
@Test
public void constructorWhenRefreshTokenNullOrEmptyThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken(this.issuer, null, this.clientPrincipal, this.scopes, this.additionalParameters))
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken(null, this.clientPrincipal, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("refreshToken cannot be empty");
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken(this.issuer, "", this.clientPrincipal, this.scopes, this.additionalParameters))
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken("", this.clientPrincipal, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("refreshToken cannot be empty");
}
@Test
public void constructorWhenClientPrincipalNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken(this.issuer, "refresh-token", null, this.scopes, this.additionalParameters))
assertThatThrownBy(() -> new OAuth2RefreshTokenAuthenticationToken("refresh-token", null, this.scopes, this.additionalParameters))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("clientPrincipal cannot be null");
}
@@ -70,9 +62,8 @@ public class OAuth2RefreshTokenAuthenticationTokenTests {
@Test
public void constructorWhenScopesProvidedThenCreated() {
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
this.issuer, "refresh-token", this.clientPrincipal, this.scopes, this.additionalParameters);
"refresh-token", this.clientPrincipal, this.scopes, this.additionalParameters);
assertThat(authentication.getGrantType()).isEqualTo(AuthorizationGrantType.REFRESH_TOKEN);
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
assertThat(authentication.getRefreshToken()).isEqualTo("refresh-token");
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty();
@@ -83,7 +83,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
this.registeredClientRepository = mock(RegisteredClientRepository.class);
this.authorizationService = mock(OAuth2AuthorizationService.class);
this.jwtEncoder = mock(JwtEncoder.class);
this.providerSettings = ProviderSettings.builder().build();
this.providerSettings = ProviderSettings.builder().issuer("https://auth-server:9000").build();
this.authenticationProvider = new OidcClientRegistrationAuthenticationProvider(
this.registeredClientRepository, this.authorizationService, this.jwtEncoder);
this.authenticationProvider.setProviderSettings(this.providerSettings);
@@ -117,14 +117,13 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenPrincipalNotOAuth2TokenAuthenticationTokenThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
TestingAuthenticationToken principal = new TestingAuthenticationToken("principal", "credentials");
OidcClientRegistration clientRegistration = OidcClientRegistration.builder()
.redirectUri("https://client.example.com")
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -134,14 +133,13 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
JwtAuthenticationToken principal = new JwtAuthenticationToken(createJwtClientRegistration());
OidcClientRegistration clientRegistration = OidcClientRegistration.builder()
.redirectUri("https://client.example.com")
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -151,7 +149,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenAccessTokenNotFoundThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientRegistration();
JwtAuthenticationToken principal = new JwtAuthenticationToken(
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.create"));
@@ -160,7 +157,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -172,7 +169,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientRegistration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -192,7 +188,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -204,7 +200,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientRegistrationRequestAndAccessTokenNotAuthorizedThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt(Collections.singleton("unauthorized.scope"));
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -223,7 +218,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -235,7 +230,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientRegistrationRequestAndAccessTokenContainsRequiredScopeAndAdditionalScopeThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt(new HashSet<>(Arrays.asList("client.create", "scope1")));
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -254,7 +248,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
.build();
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -266,7 +260,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientRegistrationRequestAndInvalidRedirectUriThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientRegistration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -287,7 +280,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
// @formatter:on
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -299,7 +292,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientRegistrationRequestAndRedirectUriContainsFragmentThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientRegistration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -320,7 +312,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
// @formatter:on
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -332,7 +324,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientRegistrationRequestAndValidAccessTokenThenReturnClientRegistration() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientRegistration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -359,8 +350,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
// @formatter:on
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, clientRegistration);
principal, clientRegistration);
OidcClientRegistrationAuthenticationToken authenticationResult =
(OidcClientRegistrationAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -425,7 +415,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
assertThat(clientRegistrationResult.getIdTokenSignedResponseAlgorithm())
.isEqualTo(registeredClientResult.getTokenSettings().getIdTokenSignatureAlgorithm().getName());
String expectedRegistrationClientUrl = UriComponentsBuilder.fromUriString(issuer)
String expectedRegistrationClientUrl = UriComponentsBuilder.fromUriString(this.providerSettings.getIssuer())
.path(this.providerSettings.getOidcClientRegistrationEndpoint())
.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClientResult.getClientId()).toUriString();
@@ -435,7 +425,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientConfigurationRequestAndAccessTokenNotAuthorizedThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt(Collections.singleton("unauthorized.scope"));
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -451,7 +440,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
jwt, AuthorityUtils.createAuthorityList("SCOPE_unauthorized.scope"));
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, registeredClient.getClientId());
principal, registeredClient.getClientId());
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -463,7 +452,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientConfigurationRequestAndAccessTokenContainsRequiredScopeAndAdditionalScopeThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt(new HashSet<>(Arrays.asList("client.read", "scope1")));
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -479,7 +467,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.read", "SCOPE_scope1"));
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, registeredClient.getClientId());
principal, registeredClient.getClientId());
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -491,7 +479,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientConfigurationRequestAndRegisteredClientNotFoundThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientConfiguration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -507,7 +494,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.read"));
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, registeredClient.getClientId());
principal, registeredClient.getClientId());
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -521,7 +508,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientConfigurationRequestClientIdNotEqualToAuthorizedClientThenThrowOAuth2AuthenticationException() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientConfiguration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -541,7 +527,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.read"));
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, registeredClient.getClientId());
principal, registeredClient.getClientId());
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class)
@@ -555,7 +541,6 @@ public class OidcClientRegistrationAuthenticationProviderTests {
@Test
public void authenticateWhenClientConfigurationRequestAndValidAccessTokenThenReturnClientRegistration() {
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwtClientConfiguration();
OAuth2AccessToken jwtAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(),
@@ -575,7 +560,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.read"));
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
issuer, principal, registeredClient.getClientId());
principal, registeredClient.getClientId());
OidcClientRegistrationAuthenticationToken authenticationResult =
(OidcClientRegistrationAuthenticationToken) this.authenticationProvider.authenticate(authentication);
@@ -612,7 +597,7 @@ public class OidcClientRegistrationAuthenticationProviderTests {
assertThat(clientRegistrationResult.getIdTokenSignedResponseAlgorithm())
.isEqualTo(registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm().getName());
String expectedRegistrationClientUrl = UriComponentsBuilder.fromUriString(issuer)
String expectedRegistrationClientUrl = UriComponentsBuilder.fromUriString(this.providerSettings.getIssuer())
.path(this.providerSettings.getOidcClientRegistrationEndpoint())
.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()).toUriString();
@@ -29,52 +29,43 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
* @author Joe Grandja
*/
public class OidcClientRegistrationAuthenticationTokenTests {
private String issuer = "https://example.com/issuer1";
private TestingAuthenticationToken principal = new TestingAuthenticationToken("principal", "credentials");
private OidcClientRegistration clientRegistration = OidcClientRegistration.builder()
.redirectUri("https://client.example.com").build();
@Test
public void constructorWhenIssuerNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(null, this.principal, this.clientRegistration))
.withMessage("issuer cannot be empty");
}
@Test
public void constructorWhenPrincipalNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.issuer, null, this.clientRegistration))
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(null, this.clientRegistration))
.withMessage("principal cannot be null");
}
@Test
public void constructorWhenClientRegistrationNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.issuer, this.principal, (OidcClientRegistration) null))
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.principal, (OidcClientRegistration) null))
.withMessage("clientRegistration cannot be null");
}
@Test
public void constructorWhenClientIdNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.issuer, this.principal, (String) null))
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.principal, (String) null))
.withMessage("clientId cannot be empty");
}
@Test
public void constructorWhenClientIdEmptyThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.issuer, this.principal, ""))
.isThrownBy(() -> new OidcClientRegistrationAuthenticationToken(this.principal, ""))
.withMessage("clientId cannot be empty");
}
@Test
public void constructorWhenOidcClientRegistrationProvidedThenCreated() {
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
this.issuer, this.principal, this.clientRegistration);
this.principal, this.clientRegistration);
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
assertThat(authentication.getPrincipal()).isEqualTo(this.principal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getClientRegistration()).isEqualTo(this.clientRegistration);
@@ -85,9 +76,8 @@ public class OidcClientRegistrationAuthenticationTokenTests {
@Test
public void constructorWhenClientIdProvidedThenCreated() {
OidcClientRegistrationAuthenticationToken authentication = new OidcClientRegistrationAuthenticationToken(
this.issuer, this.principal, "client-1");
this.principal, "client-1");
assertThat(authentication.getIssuer()).isEqualTo(this.issuer);
assertThat(authentication.getPrincipal()).isEqualTo(this.principal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getClientRegistration()).isNull();
@@ -53,7 +53,6 @@ import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.TestJoseHeaders;
import org.springframework.security.oauth2.jwt.TestJwtClaimsSets;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import static org.assertj.core.api.Assertions.assertThat;
@@ -189,7 +188,6 @@ public class OidcClientRegistrationEndpointFilterTests {
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
writeClientRegistrationRequest(request, clientRegistrationRequest);
request.setAttribute(WebAttributes.ISSUER, "https://example.com/issuer1");
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -227,13 +225,12 @@ public class OidcClientRegistrationEndpointFilterTests {
.build();
// @formatter:on
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt("client.create");
JwtAuthenticationToken principal = new JwtAuthenticationToken(
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.create"));
OidcClientRegistrationAuthenticationToken clientRegistrationAuthenticationResult =
new OidcClientRegistrationAuthenticationToken(issuer, principal, expectedClientRegistrationResponse);
new OidcClientRegistrationAuthenticationToken(principal, expectedClientRegistrationResponse);
when(this.authenticationManager.authenticate(any())).thenReturn(clientRegistrationAuthenticationResult);
@@ -245,7 +242,6 @@ public class OidcClientRegistrationEndpointFilterTests {
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
writeClientRegistrationRequest(request, clientRegistrationRequest);
request.setAttribute(WebAttributes.ISSUER, issuer);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -374,7 +370,6 @@ public class OidcClientRegistrationEndpointFilterTests {
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
request.setParameter(OAuth2ParameterNames.CLIENT_ID, "client1");
request.setAttribute(WebAttributes.ISSUER, "https://example.com/issuer1");
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -407,13 +402,12 @@ public class OidcClientRegistrationEndpointFilterTests {
.build();
// @formatter:on
String issuer = "https://example.com/issuer1";
Jwt jwt = createJwt("client.read");
JwtAuthenticationToken principal = new JwtAuthenticationToken(
jwt, AuthorityUtils.createAuthorityList("SCOPE_client.read"));
OidcClientRegistrationAuthenticationToken clientConfigurationAuthenticationResult =
new OidcClientRegistrationAuthenticationToken(issuer, principal, expectedClientRegistrationResponse);
new OidcClientRegistrationAuthenticationToken(principal, expectedClientRegistrationResponse);
when(this.authenticationManager.authenticate(any())).thenReturn(clientConfigurationAuthenticationResult);
@@ -425,7 +419,6 @@ public class OidcClientRegistrationEndpointFilterTests {
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
request.setParameter(OAuth2ParameterNames.CLIENT_ID, expectedClientRegistrationResponse.getClientId());
request.setAttribute(WebAttributes.ISSUER, issuer);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -25,7 +25,6 @@ import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.web.WebAttributes;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -99,7 +98,6 @@ public class OidcProviderConfigurationEndpointFilterTests {
String requestUri = DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
request.setAttribute(WebAttributes.ISSUER, providerSettings.getIssuer());
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -132,7 +130,6 @@ public class OidcProviderConfigurationEndpointFilterTests {
String requestUri = DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
request.setAttribute(WebAttributes.ISSUER, providerSettings.getIssuer());
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@@ -146,36 +146,4 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests {
.withMessage("issuer must be a valid URL");
}
@Test
public void doFilterWhenProviderSettingsWithIssuerNotSetThenIssuerResolvesFromRequest() throws Exception {
ProviderSettings providerSettings = ProviderSettings.builder().build();
OAuth2AuthorizationServerMetadataEndpointFilter filter =
new OAuth2AuthorizationServerMetadataEndpointFilter(providerSettings);
String requestUri = DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
filter.doFilter(request, response, filterChain);
verifyNoInteractions(filterChain);
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
String authorizationServerMetadataResponse = response.getContentAsString();
assertThat(authorizationServerMetadataResponse).contains("\"issuer\":\"http://localhost\"");
assertThat(authorizationServerMetadataResponse).contains("\"authorization_endpoint\":\"http://localhost/oauth2/authorize\"");
assertThat(authorizationServerMetadataResponse).contains("\"token_endpoint\":\"http://localhost/oauth2/token\"");
assertThat(authorizationServerMetadataResponse).contains("\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\"]");
assertThat(authorizationServerMetadataResponse).contains("\"jwks_uri\":\"http://localhost/oauth2/jwks\"");
assertThat(authorizationServerMetadataResponse).contains("\"response_types_supported\":[\"code\"]");
assertThat(authorizationServerMetadataResponse).contains("\"grant_types_supported\":[\"authorization_code\",\"client_credentials\",\"refresh_token\"]");
assertThat(authorizationServerMetadataResponse).contains("\"revocation_endpoint\":\"http://localhost/oauth2/revoke\"");
assertThat(authorizationServerMetadataResponse).contains("\"revocation_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\"]");
assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint\":\"http://localhost/oauth2/introspect\"");
assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\"]");
assertThat(authorizationServerMetadataResponse).contains("\"code_challenge_methods_supported\":[\"plain\",\"S256\"]");
}
}
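Review bot: Deleting `doFilterWhenProviderSettingsWithIssuerNotSetThenIssuerResolvesFromRequest` leaves this class with no test for a `ProviderSettings` built without an issuer; the only negative case still visible is the `issuer must be a valid URL` assertion at the top of the hunk, whose test body begins outside it. Since the configurer hunk in this commit registers the metadata filter only when `getIssuer() != null`, the filter's own handling of a null issuer is now unpinned, and a short test such as `constructorWhenIssuerNotSetThenThrowIllegalArgumentException` against `ProviderSettings.builder().build()` would close the gap — assuming the constructor rejects it, which this hunk does not show. Keeping a note of why the test went away is also worthwhile: its `"issuer":"http://localhost"` assertions record that the value used to be taken from the request's host, which means the host a client sends could shape the published discovery document, so the configured-issuer model this revert restores is the safer default and deserves a one-line comment on the remaining issuer test.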
@@ -489,13 +489,12 @@ public class OAuth2TokenEndpointFilterTests {
@Test
public void doFilterWhenCustomAuthenticationConverterThenUsed() throws Exception {
String issuer = "https://example.com/issuer1";
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(
registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
new OAuth2AuthorizationCodeAuthenticationToken(issuer, "code", clientPrincipal, null, null);
new OAuth2AuthorizationCodeAuthenticationToken("code", clientPrincipal, null, null);
AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
when(authenticationConverter.convert(any())).thenReturn(authorizationCodeAuthentication);
@@ -614,8 +613,6 @@ public class OAuth2TokenEndpointFilterTests {
request.addParameter(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId());
request.addParameter("custom-param-1", "custom-value-1");
request.setAttribute(WebAttributes.ISSUER, "https://example.com/issuer1");
return request;
}
@@ -630,8 +627,6 @@ public class OAuth2TokenEndpointFilterTests {
StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " "));
request.addParameter("custom-param-1", "custom-value-1");
request.setAttribute(WebAttributes.ISSUER, "https://example.com/issuer1");
return request;
}
@@ -647,8 +642,6 @@ public class OAuth2TokenEndpointFilterTests {
StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " "));
request.addParameter("custom-param-1", "custom-value-1");
request.setAttribute(WebAttributes.ISSUER, "https://example.com/issuer1");
return request;
}
}
@@ -39,6 +39,7 @@ import org.springframework.security.oauth2.server.authorization.client.InMemoryR
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -100,6 +101,11 @@ public class AuthorizationServerConfig {
return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
@Bean
public ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("http://auth-server:9000").build();
}
@Bean
public OAuth2AuthorizationConsentService authorizationConsentService() {
// Will be used by the ConsentController
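Review bot: The new `providerSettings()` bean hard-codes `http://auth-server:9000` without any comment, and the same bean is added again in the second `AuthorizationServerConfig` section below. RFC 8414 §2 requires an issuer identifier to be an https URL, so a plain-http value is only acceptable for this local sample and a reader who copies it into a deployment would publish non-compliant discovery metadata. Suggest `// Sample-only value: issuer identifiers must use https in a real deployment (RFC 8414 §2).` above the `return` in both hunks. The enclosing `AuthorizationServerConfig` class starts and ends outside the hunk.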
@@ -45,6 +45,7 @@ import org.springframework.security.oauth2.server.authorization.client.JdbcRegis
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.web.SecurityFilterChain;
/**
@@ -104,6 +105,11 @@ public class AuthorizationServerConfig {
return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
@Bean
public ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("http://auth-server:9000").build();
}
@Bean
public EmbeddedDatabase embeddedDatabase() {
// @formatter:off