diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java index ab16038..6ebafb3 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java @@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication; import java.security.Principal; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.Map; import java.util.Set; @@ -147,7 +146,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica JoseHeader.Builder headersBuilder = JwtUtils.headers(); JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims( registeredClient, issuer, authorization.getPrincipalName(), - excludeOpenidIfNecessary(authorizedScopes)); + authorizedScopes); // @formatter:off JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder) @@ -169,7 +168,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), - jwtAccessToken.getExpiresAt(), excludeOpenidIfNecessary(authorizedScopes)); + jwtAccessToken.getExpiresAt(), authorizedScopes); OAuth2RefreshToken refreshToken = null; if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) { @@ -245,15 +244,6 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters); } - private static Set excludeOpenidIfNecessary(Set scopes) { - if (!scopes.contains(OidcScopes.OPENID)) { - return scopes; - } - scopes = new HashSet<>(scopes); - scopes.remove(OidcScopes.OPENID); - return scopes; - } - @Override public boolean supports(Class authentication) { return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java index ef8d469..080e34c 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java @@ -311,7 +311,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests { assertThat(accessTokenContext.getClaims()).isNotNull(); Map claims = new HashMap<>(); accessTokenContext.getClaims().claims(claims::putAll); - assertThat(claims.containsKey(OidcScopes.OPENID)).isFalse(); + assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE) + .containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1"); // ID Token context JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1); assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient); @@ -335,7 +336,6 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests { assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal); assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken()); Set accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)); - accessTokenScopes.remove(OidcScopes.OPENID); assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes); assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull(); assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());