diff --git a/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
index e928607f..8d29e3f5 100644
--- a/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -28,14 +28,17 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ProviderSettings;
@@ -72,6 +75,7 @@ public class AuthorizationServerConfig {
 .exceptionHandling(exceptions ->
 exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
 )
+ .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
 .apply(authorizationServerConfigurer);
 return http.build();
 }
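Review bot: The `.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)` line in the second hunk turns the whole authorization-server filter chain into a JWT bearer-token resource server with no comment saying why, and the same line is added to the default sample (`-63,7` hunk) and the federated-identity sample (`-62,6` hunk). Presumably this is what lets the OIDC UserInfo endpoint authenticate its caller with the access token, since the new `JwtDecoder` bean is built from the server's own `JWKSource`; if so, a comment such as `// Accept this server's own JWT access tokens as bearer tokens (needed by the OIDC UserInfo endpoint)` would tell a reader that bearer authentication now applies to every request matched by this chain, not only UserInfo. Worth confirming in a test that UserInfo rejects a request with no bearer token and that the `/login` entry point still handles an unauthenticated authorization request. `authorizationServerSecurityFilterChain` starts before this hunk.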
@@ -89,6 +93,7 @@ public class AuthorizationServerConfig {
 .redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 .redirectUri("http://127.0.0.1:8080/authorized")
 .scope(OidcScopes.OPENID)
+ .scope(OidcScopes.PROFILE)
 .scope("message.read")
 .scope("message.write")
 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -104,6 +109,11 @@ public class AuthorizationServerConfig {
 return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 }
 
+ @Bean
+ public JwtDecoder jwtDecoder(JWKSource jwkSource) {
+ return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+ }
+
 @Bean
 public ProviderSettings providerSettings() {
 return ProviderSettings.builder().issuer("http://localhost:9000").build();
diff --git a/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java b/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java
index 18c50c4b..c98327d7 100644
--- a/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java
+++ b/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import java.util.Map;
 import java.util.Set;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
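Review bot: `public JwtDecoder jwtDecoder(JWKSource jwkSource)` in the second hunk declares a raw `JWKSource`, which produces an unchecked warning when it is passed to `OAuth2AuthorizationServerConfiguration.jwtDecoder`, whose parameter is `JWKSource<SecurityContext>`; the same raw signature is added to the default sample (`-111,6` hunk) and the federated-identity sample (`-114,6` hunk). Change it to `public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {`, which should need no new import if `SecurityContext` is already in scope for the `jwkSource()` bean (its signature is outside the hunk). A one-line Javadoc, e.g. `/** Decoder for JWTs signed with this server's own keys; the oauth2ResourceServer config uses it to validate bearer access tokens. */`, would also explain why an authorization server declares a `JwtDecoder` bean at all.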
@@ -66,6 +67,9 @@ public class AuthorizationConsentController {
 authorizedScopes = Collections.emptySet();
 }
 for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
+ if (OidcScopes.OPENID.equals(requestedScope)) {
+ continue;
+ }
 if (authorizedScopes.contains(requestedScope)) {
 previouslyApprovedScopes.add(requestedScope);
 } else {
@@ -95,6 +99,10 @@ public class AuthorizationConsentController {
 private static final String DEFAULT_DESCRIPTION = "UNKNOWN SCOPE - We cannot provide information about this permission, use caution when granting this.";
 private static final Map scopeDescriptions = new HashMap<>();
 static {
+ scopeDescriptions.put(
+ OidcScopes.PROFILE,
+ "This application will be able to read your profile information."
+ );
 scopeDescriptions.put(
 "message.read",
 "This application will be able to read your message."
diff --git a/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java b/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java
index dadd36c8..cfa24c5f 100644
--- a/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java
+++ b/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
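Review bot: The `if (OidcScopes.OPENID.equals(requestedScope)) { continue; }` guard in the first hunk silently drops `openid` from `previouslyApprovedScopes` and from whatever the `else` branch collects (its body is cut off by the hunk) without a comment, so a reader of the consent page code cannot tell whether the scope was forgotten or deliberately hidden from the user. Presumably the authorization server grants `openid` without user consent, so listing it as a choice would be misleading; a comment such as `// 'openid' is granted automatically by the authorization server and never needs consent, so keep it off the consent page` would record that assumption where the skip happens. If that assumption is wrong, the scope would be requested but never approved, which is worth a quick check against the framework's consent handling.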
@@ -95,7 +95,7 @@ public class CustomConsentAuthorizationServerTests {
 assertThat(scope.isChecked()).isTrue();
 scopeIds.add(scope.getId());
 });
- assertThat(scopeIds).containsExactlyInAnyOrder("openid", "message.read", "message.write");
+ assertThat(scopeIds).containsExactlyInAnyOrder("message.read", "message.write");
 
 DomElement submitConsentButton = consentPage.querySelector("button[id='submit-consent']");
 this.webClient.getOptions().setRedirectEnabled(false);
diff --git a/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
index f231b38d..784871ed 100644
--- a/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -32,9 +32,11 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
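Review bot: The updated `containsExactlyInAnyOrder("message.read", "message.write")` assertion only checks that `openid` no longer appears on the consent page; it does not exercise the `profile` scope this commit registers for the client and describes in `AuthorizationConsentController`, so a regression in the new `scopeDescriptions` entry would go unnoticed. If the authorization request built earlier in this test (outside the hunk) can include `profile`, adding it there and changing the expectation to `containsExactlyInAnyOrder("profile", "message.read", "message.write")` would cover the new path; otherwise a second test doing so would. It would also be worth asserting that the description rendered for `profile` is the new text rather than `DEFAULT_DESCRIPTION`, since that is the user-facing consequence of the change.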
@@ -63,7 +65,8 @@ public class AuthorizationServerConfig {
 http
 .exceptionHandling(exceptions ->
 exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
- );
+ )
+ .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 // @formatter:on
 return http.build();
 }
@@ -81,6 +84,7 @@ public class AuthorizationServerConfig {
 .redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 .redirectUri("http://127.0.0.1:8080/authorized")
 .scope(OidcScopes.OPENID)
+ .scope(OidcScopes.PROFILE)
 .scope("message.read")
 .scope("message.write")
 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -111,6 +115,11 @@ public class AuthorizationServerConfig {
 return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 }
 
+ @Bean
+ public JwtDecoder jwtDecoder(JWKSource jwkSource) {
+ return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+ }
+
 @Bean
 public ProviderSettings providerSettings() {
 return ProviderSettings.builder().issuer("http://localhost:9000").build();
diff --git a/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
index 1fc10039..cb0b37ea 100644
--- a/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -34,9 +34,11 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
@@ -62,6 +64,7 @@ public class AuthorizationServerConfig {
 @Order(Ordered.HIGHEST_PRECEDENCE)
 public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
 OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+ http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 http.apply(new FederatedIdentityConfigurer());
 return http.build();
 }
@@ -84,6 +87,7 @@ public class AuthorizationServerConfig {
 .redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 .redirectUri("http://127.0.0.1:8080/authorized")
 .scope(OidcScopes.OPENID)
+ .scope(OidcScopes.PROFILE)
 .scope("message.read")
 .scope("message.write")
 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -114,6 +118,11 @@ public class AuthorizationServerConfig {
 return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 }
 
+ @Bean
+ public JwtDecoder jwtDecoder(JWKSource jwkSource) {
+ return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+ }
+
 @Bean
 public ProviderSettings providerSettings() {
 return ProviderSettings.builder().issuer("http://localhost:9000").build();
diff --git a/samples/messages-client/src/main/resources/application.yml b/samples/messages-client/src/main/resources/application.yml
index 6623277a..a7f212dd 100644
--- a/samples/messages-client/src/main/resources/application.yml
+++ b/samples/messages-client/src/main/resources/application.yml
@@ -22,7 +22,7 @@ spring:
 client-secret: secret
 authorization-grant-type: authorization_code
 redirect-uri: "http://127.0.0.1:8080/login/oauth2/code/{registrationId}"
- scope: openid
+ scope: openid, profile
 client-name: messaging-client-oidc
 messaging-client-authorization-code:
 provider: spring