Add client credentials authentication filter

Fixes gh-5
This commit is contained in:
Tom van den Berge 2020-05-06 09:25:09 +02:00 committed by Joe Grandja
parent 4c8f89af5c
commit 18b09af3e9
4 changed files with 219 additions and 2 deletions

View File

@ -44,11 +44,11 @@ public class OAuth2ClientAuthenticationToken extends AbstractAuthenticationToken
@Override @Override
public Object getCredentials() { public Object getCredentials() {
return null; return this.clientSecret;
} }
@Override @Override
public Object getPrincipal() { public Object getPrincipal() {
return null; return this.clientId;
} }
} }

View File

@ -4,6 +4,7 @@ dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'com.nimbusds:oauth2-oidc-sdk' implementation 'com.nimbusds:oauth2-oidc-sdk'
implementation project(':spring-authorization-server-core')
testImplementation('org.springframework.boot:spring-boot-starter-test') { testImplementation('org.springframework.boot:spring-boot-starter-test') {
exclude group: 'org.junit.vintage', module: 'junit-vintage-engine' exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'

View File

@ -0,0 +1,103 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;
/**
* A filter to perform client authentication for the Token Endpoint.
*
* See <a href="https://tools.ietf.org/html/rfc6749#section-2.3.1">RFC-6749 2.3.1</a>.
*/
public class ClientCredentialsAuthenticationFilter extends OncePerRequestFilter {
private final AuthenticationManager authenticationManager;
private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/oauth2/token", HttpMethod.POST.name());
public ClientCredentialsAuthenticationFilter(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
if (this.requestMatcher.matches(request)) {
String[] credentials = extractBasicAuthenticationCredentials(request);
String clientId = credentials[0];
String clientSecret = credentials[1];
OAuth2ClientAuthenticationToken authenticationToken = new OAuth2ClientAuthenticationToken(clientId, clientSecret);
Authentication authentication = this.authenticationManager.authenticate(authenticationToken);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
chain.doFilter(request, response);
}
private String[] extractBasicAuthenticationCredentials(HttpServletRequest request) {
String header = request.getHeader("Authorization");
if (header != null && header.toLowerCase().startsWith("basic ")) {
return extractAndDecodeHeader(header, request);
}
throw new BadCredentialsException("Missing basic authentication header");
}
// Taken from BasicAuthenticationFilter (spring-security-web)
private String[] extractAndDecodeHeader(String header, HttpServletRequest request) {
byte[] base64Token = header.substring(6).getBytes(UTF_8);
byte[] decoded;
try {
decoded = Base64.getDecoder().decode(base64Token);
}
catch (IllegalArgumentException e) {
throw new BadCredentialsException("Failed to decode basic authentication token");
}
String token = new String(decoded, getCredentialsCharset(request));
int delim = token.indexOf(":");
if (delim == -1) {
throw new BadCredentialsException("Invalid basic authentication token");
}
return new String[] { token.substring(0, delim), token.substring(delim + 1) };
}
protected Charset getCredentialsCharset(HttpServletRequest httpRequest) {
return UTF_8;
}
}

View File

@ -0,0 +1,113 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.util.Assert;
import static java.net.URI.create;
import static java.nio.charset.StandardCharsets.UTF_8;
import static java.util.Base64.getEncoder;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
public class ClientCredentialsAuthenticationFilterTests {
private static final String CLIENT_ID = "myclientid";
private static final String CLIENT_SECRET = "myclientsecret";
private final AuthenticationManager authenticationManager = authentication -> {
Assert.isInstanceOf(OAuth2ClientAuthenticationToken.class, authentication);
OAuth2ClientAuthenticationToken token = (OAuth2ClientAuthenticationToken) authentication;
if (CLIENT_ID.equals(token.getPrincipal()) && CLIENT_SECRET.equals(token.getCredentials())) {
authentication.setAuthenticated(true);
return authentication;
}
throw new BadCredentialsException("Bad credentials");
};
private final ClientCredentialsAuthenticationFilter filter = new ClientCredentialsAuthenticationFilter(this.authenticationManager);
@BeforeEach
public void setup() {
SecurityContextHolder.clearContext();
}
@Test
public void doFilterWhenUrlDoesNotMatchThenDontAuthenticate() throws Exception {
MockHttpServletRequest request = post(create("/someotherendpoint")).buildRequest(new MockServletContext());
request.addHeader("Authorization", basicAuthHeader(CLIENT_ID, CLIENT_SECRET));
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
}
@Test
public void doFilterWhenRequestMatchesThenAuthenticate() throws Exception {
MockHttpServletRequest request = post(create("/oauth2/token")).buildRequest(new MockServletContext());
request.addHeader("Authorization", basicAuthHeader(CLIENT_ID, CLIENT_SECRET));
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue();
}
@Test
public void doFilterWhenBasicAuthenticationHeaderIsMissingThenThrowBadCredentialsException() {
MockHttpServletRequest request = post(create("/oauth2/token")).buildRequest(new MockServletContext());
assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() ->
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()));
}
@Test
public void doFilterWhenBasicAuthenticationHeaderHasInvalidSyntaxThenThrowBadCredentialsException() {
MockHttpServletRequest request = post(create("/oauth2/token")).buildRequest(new MockServletContext());
request.addHeader("Authorization", "Basic invalid");
assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() ->
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()));
}
@Test
public void doFilterWhenBasicAuthenticationProvidesIncorrectSecretThenThrowBadCredentialsException() {
MockHttpServletRequest request = post(create("/oauth2/token")).buildRequest(new MockServletContext());
request.addHeader("Authorization", basicAuthHeader(CLIENT_ID, "incorrectsecret"));
assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() ->
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()));
}
@Test
public void doFilterWhenBasicAuthenticationProvidesIncorrectClientIdThenThrowBadCredentialsException() {
MockHttpServletRequest request = post(create("/oauth2/token")).buildRequest(new MockServletContext());
request.addHeader("Authorization", basicAuthHeader("anotherclientid", CLIENT_SECRET));
assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() ->
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()));
}
private static String basicAuthHeader(String clientId, String clientSecret) {
return "Basic " + getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(UTF_8));
}
}