cubetiq/spring-authorization-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: cubetiq:d11ac9a2ee23b5fceaaa7e11d85c931ecf1dff3e
Branches Tags
cubetiq:master
cubetiq:0.1.0
cubetiq:0.0.3
cubetiq:0.0.2
cubetiq:0.0.1
...
compare: cubetiq:7d3acd887a7a54ab262f3b57b7bc429643488e1b
Branches Tags
cubetiq:master
cubetiq:0.1.0
cubetiq:0.0.3
cubetiq:0.0.2
cubetiq:0.0.1

6 Commits
d11ac9a2ee ... 7d3acd887a

Author SHA1 Message Date
Sambo Chea
7d3acd887a Merge branch 'master' of https://git.cubetiqs.com/CUBETIQ/spring-authorization-server 2021-03-26 08:06:09 +07:00
Norbert Nowak
658b186381 Fix download artifacts link 
Closes gh-263
 2021-03-19 14:06:49 -04:00
Joe Grandja
d33ec32017 Update gh issue template config.yml 2021-03-18 04:05:38 -04:00
Daniel Garnier-Moiroux
59040a4c3d Use nimbus-jose-jwt and oauth2-oidc-sdk versions from spring-security 
- Spring Security 5.4.5 downgraded nimbus-jose-jwt to 8.+ from 9.+,
  which breaks NimbusJwsEncoder.
- Bump Security to 5.4.5, and Boot to 2.4.3 to match Security

Closes gh-256
 2021-03-16 10:04:42 -04:00
Joshua Casey
3b0938883b Scope "openid" should be in access token response scope 
- Still does not require user consent

Closes gh-252
 2021-03-15 12:00:44 -04:00
Daniel Garnier-Moiroux
1962b9c5b7 Bump Jacoco to 0.8.6 to support Java 15 2021-03-12 16:09:38 -05:00
8 changed files with 10 additions and 24 deletions
Show Stats Expand all files Collapse all files

3
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@ -3,6 +3,3 @@ contact_links:
- name: Community Support - name: Community Support
url: https://stackoverflow.com/questions/tagged/spring-security url: https://stackoverflow.com/questions/tagged/spring-security
about: Please ask and answer questions on StackOverflow with the tag `spring-security`. about: Please ask and answer questions on StackOverflow with the tag `spring-security`.
- name: Security Issues
url: https://pivotal.io/security#reporting
about: Please report security vulnerabilities here.

2
README.adoc
View File

@ -45,7 +45,7 @@ This project adheres to the Contributor Covenant link:CODE_OF_CONDUCT.adoc[code
By participating, you are expected to uphold this code. Please report unacceptable behavior to spring-code-of-conduct@pivotal.io. By participating, you are expected to uphold this code. Please report unacceptable behavior to spring-code-of-conduct@pivotal.io.
== Downloading Artifacts == Downloading Artifacts
See https://github.com/spring-projects/spring-framework/wiki/Downloading-Spring-artifacts[downloading Spring artifacts] for Maven repository information. See https://github.com/spring-projects/spring-framework/wiki/Spring-Framework-Artifacts[downloading Spring artifacts] for Maven repository information.
== Building from Source == Building from Source
Spring Authorization Server uses a https://gradle.org[Gradle]-based build system. Spring Authorization Server uses a https://gradle.org[Gradle]-based build system.

2
gradle.properties
View File

@ -1,5 +1,5 @@
version=0.1.1-SNAPSHOT version=0.1.1-SNAPSHOT
springBootVersion=2.4.2 springBootVersion=2.4.3
org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true org.gradle.parallel=true
org.gradle.caching=true org.gradle.caching=true

4
gradle/dependency-management.gradle
View File

@ -3,7 +3,7 @@ if (!project.hasProperty("springVersion")) {
} }
if (!project.hasProperty("springSecurityVersion")) { if (!project.hasProperty("springSecurityVersion")) {
ext.springSecurityVersion = "5.4.2" ext.springSecurityVersion = "5.4.5"
} }
if (!project.hasProperty("reactorVersion")) { if (!project.hasProperty("reactorVersion")) {
@ -25,8 +25,6 @@ dependencyManagement {
} }
dependencies { dependencies {
dependency "com.nimbusds:oauth2-oidc-sdk:8.23.1"
dependency "com.nimbusds:nimbus-jose-jwt:9.1.3"
dependency "javax.servlet:javax.servlet-api:4.0.1" dependency "javax.servlet:javax.servlet-api:4.0.1"
dependency 'junit:junit:4.13.1' dependency 'junit:junit:4.13.1'
dependency 'org.assertj:assertj-core:3.18.1' dependency 'org.assertj:assertj-core:3.18.1'

2
oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle
View File

@ -20,5 +20,5 @@ dependencies {
} }
jacoco { jacoco {
toolVersion = '0.8.5' toolVersion = '0.8.6'
} }

3
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwsEncoder.java
View File

@ -43,6 +43,7 @@ import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT; import com.nimbusds.jwt.SignedJWT;
import net.minidev.json.JSONObject;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils; import org.springframework.util.CollectionUtils;
@ -197,7 +198,7 @@ public final class NimbusJwsEncoder implements JwtEncoder {
Map<String, Object> jwk = headers.getJwk(); Map<String, Object> jwk = headers.getJwk();
if (!CollectionUtils.isEmpty(jwk)) { if (!CollectionUtils.isEmpty(jwk)) {
try { try {
builder.jwk(JWK.parse(jwk)); builder.jwk(JWK.parse(new JSONObject(jwk)));
} }
catch (Exception ex) { catch (Exception ex) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,

14
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
View File

@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
import java.security.Principal; import java.security.Principal;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -147,7 +146,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
JoseHeader.Builder headersBuilder = JwtUtils.headers(); JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims( JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
registeredClient, issuer, authorization.getPrincipalName(), registeredClient, issuer, authorization.getPrincipalName(),
excludeOpenidIfNecessary(authorizedScopes)); authorizedScopes);
// @formatter:off // @formatter:off
JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder) JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder)
@ -169,7 +168,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), excludeOpenidIfNecessary(authorizedScopes)); jwtAccessToken.getExpiresAt(), authorizedScopes);
OAuth2RefreshToken refreshToken = null; OAuth2RefreshToken refreshToken = null;
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) { if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
@ -245,15 +244,6 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters); registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters);
} }
private static Set<String> excludeOpenidIfNecessary(Set<String> scopes) {
if (!scopes.contains(OidcScopes.OPENID)) {
return scopes;
}
scopes = new HashSet<>(scopes);
scopes.remove(OidcScopes.OPENID);
return scopes;
}
@Override @Override
public boolean supports(Class<?> authentication) { public boolean supports(Class<?> authentication) {
return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication); return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);

4
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java
View File

@ -311,7 +311,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenContext.getClaims()).isNotNull(); assertThat(accessTokenContext.getClaims()).isNotNull();
Map<String, Object> claims = new HashMap<>(); Map<String, Object> claims = new HashMap<>();
accessTokenContext.getClaims().claims(claims::putAll); accessTokenContext.getClaims().claims(claims::putAll);
assertThat(claims.containsKey(OidcScopes.OPENID)).isFalse(); assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE)
.containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1");
// ID Token context // ID Token context
JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1); JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient); assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
@ -335,7 +336,6 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal); assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken()); assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)); Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
accessTokenScopes.remove(OidcScopes.OPENID);
assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes); assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes);
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull(); assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken()); assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());